Controller and scope
The controller of personal data described in this policy is Lusfera OÜ. Xencra is a service brand operated by Lusfera OÜ.
This policy applies to xencra.com, the project request form and project-related communication initiated through the website or published contact details.
Personal data we process
We process only the information reasonably needed to respond to enquiries, assess projects, provide services, operate the website and meet legal obligations.
Please do not send special-category or otherwise sensitive personal data unless it is necessary for the project and has been agreed in advance.
- Contact details such as your name, email address, telephone number, company and role.
- Project information, selected project type and status, budget range, decision authority, business requirements, attachments and other content included in your project request or correspondence.
- Communication history, including emails, meeting notes and decisions related to a potential or active project.
- Contract, invoicing and transaction information if a commercial relationship begins.
- Technical request data such as IP address, browser type, requested URL, timestamp, response status and security events.
Purposes and legal bases
We process personal data only where there is an appropriate legal basis.
- To answer enquiries, evaluate project fit, prepare proposals and take steps requested before entering into a contract.
- To perform contracts, deliver services, manage projects and communicate with clients.
- To operate, maintain and secure the website and technical infrastructure based on our legitimate interests.
- To prevent misuse, investigate security incidents and establish, exercise or defend legal claims based on our legitimate interests.
- To comply with accounting, tax, regulatory and other legal obligations.
- On the basis of consent where consent is specifically requested. Consent may be withdrawn at any time.
Website and server logs
When you access the website, the web server or infrastructure provider may automatically record technical request information. This is standard operational data used to deliver the requested page, troubleshoot errors and protect the service.
Technical logs are not used by Xencra to build advertising profiles or to make automated decisions about visitors.
Recipients and service providers
Access to personal data is limited to people and service providers who need it for the purposes described in this policy.
We do not sell personal data.
- Hosting, server and infrastructure providers.
- Email and communication service providers.
- Technical contractors or subcontractors involved in an agreed project.
- Accounting, legal and professional advisers where necessary.
- Public authorities where disclosure is required by law.
International data transfers
Where a service provider processes personal data outside the European Economic Area, we use an applicable adequacy decision, contractual safeguards or another lawful transfer mechanism where required.
Information about relevant safeguards can be requested by contacting info@xencra.com.
Retention
Project enquiries and submitted attachments that do not result in an engagement are generally deleted or anonymised within 24 months after the last meaningful contact, unless longer retention is necessary for legal claims, security investigation or another lawful reason.
Client, contract, project and financial records are retained for the duration of the relationship and afterwards for the periods required by applicable contract, accounting, tax and limitation rules.
Technical logs are retained only for as long as reasonably necessary for service operation, troubleshooting, security monitoring or incident investigation.
Your data protection rights
Depending on the circumstances, you may request access to your personal data, correction of inaccurate data, deletion, restriction of processing, data portability or object to processing based on legitimate interests.
Where processing is based on consent, you may withdraw that consent without affecting processing carried out before the withdrawal.
These rights are not absolute and may be limited where continued processing is required by law or is necessary for legal claims.
You may also lodge a complaint with the Estonian Data Protection Inspectorate.
Security
We use reasonable technical and organisational safeguards intended to protect personal data against unauthorised access, loss, alteration or disclosure.
No internet transmission or storage system can be guaranteed to be completely secure. If a relevant personal data breach occurs, we will assess and handle it in accordance with applicable law.
External links and policy changes
The website may link to third-party websites. Their privacy practices are controlled by those third parties and should be reviewed separately.
We may update this policy when our services, technology or legal obligations change. The latest version and its update date will be published on this page.
Privacy contact
Privacy and data requests
Email us to exercise your rights or ask how your personal data is processed.