top of page
Weicher Farbverlauf-Horizont

PRIVACY

1. Introduction & Scope

 

This Privacy Policy explains how The KMR Brands OÜ and the affiliated agencies and websites that operate under it (together, “KMR,” “we,” “us,” “our”) collect, use, share, and protect personal data.

It applies to every website, application, and service operated by KMR or by any agency within the KMR group, regardless of the country from which you access it or the country in which you are located.

We may update this Policy from time to time — for example, to reflect a new service provider, a change in law, or a change in how KMR operates.

 
2. Our Privacy Commitments

 

Before the legal detail, here is what matters most:

  • We only collect the personal data we actually need to run our business and deliver our services.

  • We do not sell personal data — and we never will.

  • We do not use advertising or analytics cookies. Most of the personal data we hold comes directly from you, not from passive tracking (Section 7).

  • We only share personal data with the specific service providers who need it to do a defined job for us — never with unrelated third parties (Section 11).

  • Wherever you are in the world, we apply the same core standard of protection described in this Policy, built around the EU General Data Protection Regulation (GDPR), as our baseline (Section 15).

 
3. The Data Controller

 

The KMR Brands OÜ, registered as an osaühing (private limited company) under Estonian law, at Tornimäe tn 5, 10145 Tallinn, is the controller, within the meaning of the GDPR, for the personal data described in this Policy, including personal data processed on behalf of its affiliated agencies.

For any questions or requests relating to this Policy, please contact us at privacy@kmr.email.

 
4. Legal Bases We Rely On

 

Under Article 6(1) GDPR, we only process personal data where we can rely on one of the following legal bases. Where a specific activity described later in this Policy relies on an additional basis — for example, explicit consent for special category data — we say so in that section.

  • Consent (Art. 6(1)(a)) — you have given clear, informed consent for a specific purpose, which you may withdraw at any time without affecting processing carried out before the withdrawal.

  • Contract (Art. 6(1)(b)) — the processing is necessary to perform a contract with you, or to take steps at your request before entering into one.

  • Legal obligation (Art. 6(1)(c)) — we must process the data to comply with a legal duty, such as tax and accounting law.

  • Vital interests (Art. 6(1)(d)) — necessary to protect someone’s life.

  • Legitimate interests (Art. 6(1)(f)) — necessary for a legitimate interest of ours or a third party, which does not override your rights and freedoms. Where we rely on this basis, you have the right to object (Section 14).

 
5. The Personal Data We Collect
 
5.1 What you give us directly

 

Most of the personal data we hold is given to us directly: when you fill in a contact or lead form, request a proposal, sign a contract, apply for a role, or message us. Depending on the context, this can include your name, contact details, company and role, the content of your communications with us, contractual and billing details, and — where relevant to verifying who you are or delivering a specific service — identity or payment information.

 
5.2 What we generate while providing our services

 

Where we perform a contract for you or a client relationship, we generate records of that work: project and communication history, invoices, and — only where you have been informed and, where required, have consented — meeting notes and recordings.

 
5.3 What we don’t do

 

We do not use advertising or analytics cookies to build profiles of website visitors, and we do not buy personal data from data brokers. Section 7 explains the very limited cookies we do use.

 
6. How We Use Third-Party Service Providers

 

To run KMR and deliver our services, we rely on a small number of carefully chosen service providers (“processors”). Each one receives only the personal data it needs to perform its specific function for us, under a data processing agreement (Art. 28 GDPR) or equivalent contractual safeguards. None of them may use your data for their own purposes, and we are not paid by any of them for access to your data.

The specific provider behind each category below — together with its registered location and applicable transfer safeguard — is listed in our Service Providers page. Keeping that detail on a separate page, rather than in this section, means it can be kept current as our tools change without needing to revise this Policy. For transfers of personal data outside the European Economic Area (EEA), see Section 8.

6.1 Website & Content Hosting

 

Our public-facing websites are built and hosted on a third-party website platform. It processes the technical data needed to serve our websites and, where you submit a form on one of our sites, the information you enter.

 

Legal basis: performance of a contract with you (Art. 6(1)(b)) where you contact us through the site, and our legitimate interest in operating a functioning, secure website (Art. 6(1)(f)).

 
6.2 Lead Generation & Landing Pages

 

For landing pages and lead-capture forms, we use a dedicated landing-page tool. When you submit an enquiry through one of these pages, we collect the details you provide — for example, name, email, company, and message — to respond to you.

 

Legal basis: pre-contractual or contractual measures (Art. 6(1)(b)) or, for marketing sign-ups, your consent (Art. 6(1)(a)).

 
6.3 Scheduling

 

We use a scheduling tool, hosted in Europe, to let clients and partners book meetings with us directly. When you book a meeting, we process your name, email address, and the date and time you select, together with any information you choose to add.

 

Legal basis: performance of a contract or legitimate interest in coordinating and confirming meetings (Art. 6(1)(b)/(f)).

 
6.4 Email Communication

 

We use a business email and communication platform. When you email us, we process the content of that communication and your contact details.

 

Legal basis: performance of a contract or responding to your enquiry (Art. 6(1)(b)), or our legitimate interest in running our business communications (Art. 6(1)(f)).

 
6.5 Business Messaging

 

Where you contact us, or we correspond with you, via a business messaging app, we process your phone number and the content of the conversation.

 

Legal basis: performance of a contract or legitimate interest in responding to your enquiry (Art. 6(1)(b)/(f)), or your consent where a message is promotional.

 
6.6 Video Meetings

 

We conduct video calls using one or more video-conferencing platforms. We process meeting metadata — participants, time, duration — and, where a call is recorded, its content.

 

Legal basis: performance of a contract or legitimate interest in conducting business meetings (Art. 6(1)(b)/(f)).

 
6.7 Call & Meeting Recording

 

Where we record a call or walkthrough for reference — for example, to share with a client who could not attend — we use a dedicated recording tool. Recordings are only made with the knowledge of participants and, where required by applicable law, their consent.

 

Legal basis: your consent (Art. 6(1)(a)), or our legitimate interest in accurately documenting a meeting you have already agreed to attend (Art. 6(1)(f)). Some recordings may be automatically transcribed by a sub-processor; only the transcript text — not video or audio — is shared for that limited purpose, and it is not used to train third-party models.

 
6.8 Identity Verification

 

Where we are required, or it is necessary for a contract, to verify a client’s or partner’s identity, we use a specialised identity-verification service. This may involve matching a photo of you against an identity document using biometric matching technology — a special category of personal data under Article 9 GDPR.

 

Legal basis: performance of a contract or compliance with a legal obligation such as anti-fraud or know-your-customer requirements (Art. 6(1)(b)/(c)); where biometric matching is used, we additionally rely on your explicit consent (Art. 9(2)(a) GDPR).

 
6.9 Contracts & E-Signature

 

We use a contract and e-signature platform to prepare, send, and collect signatures on proposals and contracts.

 

Legal basis: performance of a contract (Art. 6(1)(b)).

 
6.10 Payments & Banking

 

We hold accounts and process payments through banking and payment-processing providers. These providers process payment details, transaction data, and, where legally required — for example, for anti-money-laundering purposes — identity information.

 

Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with financial-services legal obligations (Art. 6(1)(c)).

 
6.11 Invoicing

 

We use an invoicing and accounting platform.

 

Legal basis: performance of a contract and compliance with our accounting and tax obligations (Art. 6(1)(b)/(c)).

 
6.12 Accounting, Bookkeeping & Tax Filings

 

We use a professional accounting firm to handle our bookkeeping, prepare our annual reports, and file our VAT declarations. This may include personal data relating to clients, suppliers, or staff to the extent it appears in our financial records — for example, in invoices or payroll.

 

Legal basis: performance of a contract and compliance with our accounting, tax, and company-law obligations (Art. 6(1)(b)/(c)).

 
6.13 Internal Operations, Collaboration & Storage

 

We use a small set of collaboration, productivity, and file-storage tools to run our internal operations, store business records, and collaborate as a team. This may include personal data relating to clients, candidates, partners, or our own staff.

 

Legal basis: legitimate interest in running our business efficiently and securely (Art. 6(1)(f)), performance of contracts with clients or staff (Art. 6(1)(b)), and, where relevant, legal obligations relating to record-keeping (Art. 6(1)(c)).

 
6.14 Automation & Integrations

 

We use a workflow-automation tool to connect the other services listed in this section.

 

Legal basis: legitimate interest in running efficient, low-error business processes (Art. 6(1)(f)). Because this tool sits between other services, it may process any category of personal data that flows through the automations we configure, always solely to execute that automation.

 
6.15 Documentation Platform

 

Internal and, where applicable, client-facing documentation is hosted on a dedicated documentation platform, which processes limited technical data needed to serve documentation pages.

 

Legal basis: legitimate interest in maintaining accurate, accessible documentation (Art. 6(1)(f)).

 
6.16 Email Marketing

 

Where you have opted in to receive marketing communications from us, we send them using a dedicated email marketing platform.

 

Legal basis: your consent (Art. 6(1)(a)), which you may withdraw at any time using the unsubscribe link in any message.

 
6.17 Branded URL Shortening

 

We use a URL-shortening service to create short, branded links for the resources we share — for example, in emails, social media posts, or presentations.

 

When someone clicks one of these links, the service processes technical data such as IP address, device and browser type, and approximate location.

 

Legal basis: legitimate interest in understanding how our shared resources are used (Art. 6(1)(f)).

 
6.18 Recruitment

 

Where we are hiring, we use a recruitment platform to manage applications and candidate communication.

 

Legal basis: taking steps at a candidate’s request prior to entering into an employment contract (Art. 6(1)(b)).

 
6.19 Domain Registration

Our domain names are registered through a domain registrar. This relationship primarily concerns KMR’s own registrant information rather than the personal data of website visitors or clients, but we list it for transparency.

 

Legal basis: legitimate interest in maintaining our online infrastructure (Art. 6(1)(f)).

 
7. Cookies & Similar Technologies

 

Unlike many businesses, we do not run advertising or analytics cookies on our websites. We do not build behavioural profiles of visitors, and we do not use tools such as Google Analytics.

The only cookies we use are:

  • Strictly necessary cookies set by our website platforms to remember your session, keep our sites secure, and — where you make a choice — record your cookie consent.

  • The cookie consent management tools built into those platforms, used solely to record and honour the choices you make.

 

These necessary cookies do not require your consent, because they are essential to the site working properly. If this ever changes — for example, if an agency within KMR begins using analytics or marketing cookies — we will update this Policy and ask for your consent through a cookie banner before any non-essential cookie is set.

 
8. International Data Transfers

 

KMR is established in Estonia, within the European Economic Area (EEA). Some of the service providers listed on our Service Providers page are located outside the EEA. Where that is the case, we rely on the following safeguards, in order of preference:

  • Adequacy decisions. Where the European Commission has recognised a country as providing an adequate level of protection, no additional safeguard is required. This currently applies, among others, to the United Kingdom (adequacy renewed on 19 December 2025, valid until 27 December 2031) and Israel. EEA member states, including Norway, are not “third countries” for this purpose.

  • Standard Contractual Clauses (SCCs). For transfers to countries without an adequacy decision — including the United States and Singapore — we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), supplemented, where our risk assessment identifies a need, with additional technical and organisational measures.

  • EU–U.S. Data Privacy Framework (DPF). Some of our US providers additionally self-certify under the DPF. As of the date of this Policy, the DPF’s adequacy decision is subject to significant legal uncertainty: following a June 2026 US Supreme Court ruling affecting the independence of the US Federal Trade Commission, the advocacy group noyb has announced its intention to challenge the DPF before the Court of Justice of the European Union.

 

Because of this, we treat Standard Contractual Clauses — not the DPF — as our primary safeguard for US transfers, so our compliance does not depend on the outcome of that challenge. We will update this Policy as the situation develops.

 
9. Data Retention

 

We keep personal data only for as long as necessary for the purpose it was collected for, or as required by law, whichever is longer:

  • Contractual, invoicing, and accounting records are generally retained for seven years after the end of the relevant financial year, in line with the Estonian Accounting Act (Raamatupidamise seadus).

  • Recruitment data is retained for the duration of the hiring process and a limited period afterwards, in case a related dispute arises, then deleted.

  • Marketing consent and communication records are retained until you withdraw consent or unsubscribe, plus a short period to record that withdrawal.

  • Data we no longer need, and are not required to keep, is deleted or irreversibly anonymised.

 
10. Data Security

 

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or misuse, including access controls, encryption in transit, and contractual security obligations on our service providers. No system is completely secure, but we review our safeguards regularly and require our processors to maintain equivalent standards under their data processing agreements with us.

 
11. No Sale of Data & Data Sharing With Partners

 

We do not sell personal data, and we never have. We do not share personal data for cross-context behavioural advertising, and we do not allow the service providers described in Section 6 to use your personal data for their own purposes.

We only share personal data with a third party where:

  • that third party is one of the service providers described in this Policy, engaged strictly to help us deliver a specific part of our service to you, under a data processing agreement;

  • the disclosure is necessary to comply with a legal obligation, court order, or lawful request from a public authority;

  • the disclosure is necessary to establish, exercise, or defend a legal claim; or

  • you have given us specific consent to a disclosure not otherwise described in this Policy.

 

If KMR or an affiliated agency is ever involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to the protections described in this Policy.

 
12. Children’s Privacy

 

Our services are directed at businesses and professionals, not at children. We do not knowingly collect personal data from children below the applicable digital age of consent — 13 in Estonia, and generally between 13 and 16 in other EEA member states, depending on local law. If we become aware that we have collected personal data from a child without appropriate consent, we will delete it. If you believe a child has provided us with personal data, please contact us using the details in Section 3.

 
13. Automated Decision-Making

 

We do not use your personal data to make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. If this changes, we will update this Policy and, where required, obtain your explicit consent.

 
14. Your Rights as a Data Subject

 

As a data subject under the GDPR, you can exercise the following rights by contacting us using the details in Section 3:

 
14.1 Right of Access, Rectification & Erasure

 

You may ask for confirmation of whether we process your personal data, a copy of it, its correction if inaccurate, and its erasure where one of the grounds in Article 17 GDPR applies.

 
14.2 Right to Restriction of Processing

 

You may ask us to restrict processing — so that, other than storage, your data is only processed with your consent or for legal claims — while we verify its accuracy, while an objection is being assessed, or where processing is unlawful but you prefer restriction to deletion.

 
14.3 Right to Object

 

Where we process your data based on legitimate interests, you may object at any time for reasons relating to your particular situation; we will stop unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is needed for legal claims. Where we process your data for direct marketing, you may object at any time and we will stop, with no need to justify the objection.

 
14.4 Right to Data Portability

 

Where processing is based on your consent or on a contract and is carried out by automated means, you may ask to receive your data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.

 
14.5 Right to Withdraw Consent

 

Where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of processing carried out before the withdrawal.

 
14.6 Right to Lodge a Complaint

 

You may lodge a complaint with a supervisory authority — in particular in the country of your habitual residence, place of work, or the place of the alleged infringement — without prejudice to any other remedy. See Section 15.1 for our lead supervisory authority.

 
15. Additional Rights for Specific Regions
 
15.1 European Economic Area & United Kingdom

 

The rights in Section 14 apply in full. Because KMR is established in Estonia, our lead supervisory authority is the Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), Tatari 39, 10134 Tallinn, Estonia (info@aki.ee, www.aki.ee).

 

If you are in the UK, the UK GDPR applies alongside this Policy, and you may instead lodge a complaint with the Information Commissioner’s Office (ICO) or your local EEA supervisory authority — in particular in the country of your habitual residence, place of work, or the place of the alleged infringement.

 

This does not affect your right to seek a judicial remedy.

 
15.2 United States

 

If you are a resident of California or another US state with a comprehensive consumer privacy law — including Virginia, Colorado, Connecticut, Utah, and others — you have rights that typically include the right to know what personal information we hold about you, to access or obtain a copy of it, to correct or delete it, and to opt out of its sale or use for targeted advertising.

 

Because KMR does not sell personal information and does not use it for targeted advertising, several of these rights are already met by default.

 

To exercise any of these rights, contact us using the details in Section 3.

 
15.3 Rest of the World

 

Wherever you are located, we apply the standard of protection described in this Policy as our baseline, regardless of whether local law requires a lower standard.

 

If local law grants you additional rights not otherwise described here, you may exercise them by contacting us.

bottom of page