Privacy Policy

GPO OU Privacy Policy

Privacy Policy

GPO OÜ - Software and Hardware Development Services

Effective Date: January 28, 2026
Last Updated: January 28, 2026

1. Introduction

GPO OÜ ("GPO," "we," "us," or "our"), a company registered in Estonia, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software and hardware development services, visit our website (https://gpo-tech.com), or interact with our products and applications.

As an EU-based company, we comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Contact Information:

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, and password when you create an account
  • Business Information: Company name, business address, VAT number, and billing information for B2B clients
  • Communication Data: Messages, inquiries, and feedback you send to us
  • Project Data: Requirements, specifications, and materials you provide for development projects

2.2 Information Collected Automatically

  • Device Information: Device identifiers, operating system, browser type, and version
  • Usage Data: How you interact with our services, features used, and access times
  • Log Data: IP addresses, server logs, and error reports
  • Analytics Data: Aggregated statistics about service usage and performance

2.3 IoT and Smart Device Data

For users of our IoT products (smart thermostats, heating systems, GPO Home app):

  • Sensor Data: Temperature readings, energy consumption metrics, and environmental data
  • Device Status: Firmware versions, connection status, and diagnostic information
  • Usage Patterns: Heating schedules, preferences, and automation settings
  • Third-Party Data: Energy pricing data (e.g., Nord Pool) and weather data for optimization features

3. How We Use Your Information

We process your personal data for the following purposes:

Purpose Legal Basis (GDPR)
Providing and maintaining our services Contract performance
Processing orders and payments Contract performance
Customer support and communication Legitimate interest
Service improvement and development Legitimate interest
Security and fraud prevention Legitimate interest
Legal compliance Legal obligation
Marketing communications Consent
Analytics and research Legitimate interest

4. Data Sharing and Disclosure

We may share your information with:

4.1 Service Providers

  • Cloud Infrastructure: Hetzner (EU), AWS, Google Cloud Platform
  • Payment Processors: Stripe, Wise, PayPal
  • Analytics Services: Google Analytics
  • Communication Tools: Email service providers

4.2 Third-Party Integrations

When you choose to enable integrations:

  • Google Assistant (voice control)
  • Apple services (authentication)
  • Energy market data providers (Nord Pool)

4.3 Legal Requirements

We may disclose information when required by law, court order, or to protect our rights and safety.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

5. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with equivalent data protection standards
  • Binding Corporate Rules where applicable

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy:

Data Type Retention Period
Account data Duration of account + 3 years
Transaction records 7 years (legal requirement)
IoT device data 1-5 years (based on service tier)
Communication logs 2 years
Analytics data 26 months

7. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

To exercise these rights, contact us at: gpowork@gpo-tech.com

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (TLS/HTTPS, MQTTS)
  • Secure authentication mechanisms
  • Access controls and role-based permissions
  • Regular security assessments
  • Incident response procedures
  • Employee data protection training

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies:

  • Essential Cookies: Required for website functionality
  • Analytics Cookies: Help us understand how visitors use our site
  • Marketing Cookies: Used for advertising (with your consent)

You can manage cookie preferences through your browser settings or our cookie consent tool.

10. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data promptly.

11. Third-Party Links

Our services may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date
  • Sending email notification for material changes

13. Contact Us

For privacy-related inquiries or to exercise your rights:

Data Protection Contact:

Supervisory Authority:
If you are unsatisfied with our response, you may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

14. Specific Provisions for Software and Hardware Development Services

14.1 Client Project Data

For B2B software and hardware development projects:

  • Project data is processed solely for the contracted purpose
  • We maintain strict confidentiality under NDA agreements
  • Source code and intellectual property remain as specified in contracts
  • Development environments are isolated and secure

14.2 Embedded Systems and IoT Development

For hardware and embedded systems development:

  • Firmware and device data are secured with industry-standard practices
  • Edge AI processing occurs locally where possible to minimize data transfer
  • Device testing data is anonymized for quality assurance

14.3 White-Label Solutions

For clients using our white-label IoT platform:

  • End-user data is controlled by the client (data controller)
  • GPO acts as a data processor under a Data Processing Agreement
  • Data isolation is maintained between different client implementations

This Privacy Policy was last updated on January 28, 2026.

GPO OÜ - Green Power Oriented
Estonia, European Union

Tell us about your project

Ready to create something together? Our experienced developers will help bring your ideas to life. Contact us for a consultation.

Email icon

Email

gpowork@gpo-tech.com
Phone icon

Phone

+372 5760 6060

Quick Actions

Schedule a Meeting

Choose a convenient time to consult with our experts

Schedule

Request a Quote

Get a detailed proposal and cost estimate for your project

Schedule