Privacy Policy

Effective date: April 27, 2026

Version: 2.1

This Privacy Policy describes how ITT Developers OÜ ("Company", "we", "us", or "our") collects, uses, shares, and protects information about you when you use Insporta ("Platform"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Estonian Personal Data Protection Act.

1. Data Controller

The data controller responsible for your personal data is:

ITT Developers OÜ
Laeva 7, 10151 Tallinn, Estonia
Registry code: 16784321
Email: privacy@insporta.com

2. Information We Collect

We collect the following categories of personal data:

2.1 Information you provide directly

  • Account information: name or username, email address, password (stored only as a one-way hash)
  • Profile information (optional): avatar, date of birth, gender, country, favourite club, fitness level, sport preferences
  • Communication data: messages, feedback, and support requests you send us

2.2 Information collected automatically

  • Usage data: tests started/completed, answers given (including the first option you tapped before submitting), time spent per question, XP points, streaks, league standings
  • Device and technical data: IP address, browser type and version, operating system, device type, language preference
  • Marketing attribution: UTM parameters and referral sources from URLs you click
  • Cookies and similar technologies: see our Cookie Policy for details

2.3 Information from third parties

  • Authentication providers: when you sign in with Google, Facebook, Apple, or other identity providers (when available), we receive your name, email, and profile picture, subject to their respective privacy policies

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): to provide the Platform and the services you have requested
  • Legitimate interests (Art. 6(1)(f)): to improve the Platform, maintain security, prevent fraud, and conduct internal analytics on aggregated and pseudonymous data; we balance these interests against your rights
  • Consent (Art. 6(1)(a)): for marketing communications and any optional features that require consent
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws (e.g., responding to lawful requests, tax record-keeping)

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How We Use Your Information

We use your personal data to:

  • Create and manage your account, authenticate logins, and provide the Platform's core features
  • Track your test progress, generate leaderboards, and award XP, levels, and achievements
  • Personalise your experience, including recommending content based on your preferences and usage
  • Send you transactional notifications (e.g., password reset, account confirmation) and, with your consent, marketing communications
  • Analyse usage patterns to improve the Platform — including aggregated metrics on question difficulty, popular topics, and user engagement (using only data stored in our own database; we do not currently use third-party analytics services)
  • Detect, prevent, and respond to fraud, abuse, security incidents, or violations of our Terms of Service
  • Train and improve our internal models for adaptive learning, difficulty calibration, and content recommendations (see Section 5)
  • Comply with legal obligations

5. Profiling and Automated Decision-Making

The Platform uses limited automated processing to enhance your learning experience, including:

  • Suggesting tests and content based on your past activity, sport preferences, and difficulty performance
  • Calibrating question difficulty based on aggregated user response data (which questions are answered correctly, average time spent)
  • Computing leaderboard rankings, XP, and streak metrics from your usage

None of these processes currently produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do not use your personal data for fully automated decisions that affect your legal rights.

If we introduce profiling that may produce significant effects (for example, automated talent-scoring for B2B clients), we will: (i) update this Policy, (ii) inform affected users in advance, (iii) provide opt-out mechanisms, and (iv) honour your right to human review under Article 22 GDPR.

6. Data Sharing

We do not sell your personal data. We share data only as described below:

6.1 Service providers (data processors)

We use the following service providers to operate the Platform. Each is bound by a Data Processing Agreement (DPA) under Article 28 GDPR:

  • Hetzner Online GmbH (Germany, EU) — hosting infrastructure
  • Resend, Inc. (USA) — transactional email delivery (EU–US Data Privacy Framework)
  • Anthropic, PBC (USA) — AI services for content generation, classification, and translation; we do not send personally identifying user data to Anthropic; we only send content (e.g., source materials, draft questions) for processing

If we add new data processors (e.g., third-party analytics services) in the future, we will update this Policy in advance.

6.2 Authentication providers

When you log in via a third-party identity provider (Google, Facebook, Apple, etc., when available), data is shared between us according to their published privacy policies.

6.3 Legal disclosures

We may disclose data when required by law, court order, or governmental request, or to protect our legal rights, the safety of users, or the integrity of the Platform.

6.4 Business transfers

If we are involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and provide options as required by law.

7. International Data Transfers

Your data is primarily stored on servers located in the European Union (Hetzner data centres in Germany). Where we transfer data outside the EU/EEA (for example, to Anthropic or Resend in the USA), we rely on:

  • Adequacy decisions of the European Commission, where applicable
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU–US Data Privacy Framework, where applicable

You may request a copy of the safeguards applied to international transfers by emailing privacy@insporta.com.

8. Cookies and Tracking Technologies

We use only essential cookies required for the Platform to function — such as session management, security tokens (CSRF protection), and your language preference. These cookies do not require consent under EU law as they are strictly necessary to provide the service you requested.

We do not currently use third-party analytics, advertising, or tracking cookies. If we introduce such technologies in the future, we will update this Policy and our Cookie Policy, and present a cookie consent banner before activating them. You will be able to opt in or out at that time.

9. Data Retention

We retain your personal data for as long as necessary for the purposes described in this Policy:

  • Account data: while your account is active, plus up to 12 months after deletion (for legal and audit purposes)
  • Usage data: while your account is active, then anonymised or deleted
  • Aggregated/anonymised data: retained indefinitely for statistical and improvement purposes (cannot be linked back to you)
  • Communication records: up to 3 years from last contact, unless legally required for longer
  • Legal/compliance records: as required by Estonian law (typically 7 years for accounting documents)

You may request earlier deletion via Section 10.

10. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:

  • Access — request a copy of your personal data we hold
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion under certain conditions
  • Restriction — limit how we process your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests, including direct marketing
  • Withdraw consent — at any time, where processing is based on consent
  • Not be subject to automated decision-making with significant effects (Article 22)

To exercise these rights, contact us at privacy@insporta.com. We will respond within 30 days (extendable by 60 days for complex requests).

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate:
Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
Web: www.aki.ee

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Storage of passwords only as one-way hashes, using an industry-standard password-hashing algorithm (bcrypt)
  • Encrypted (HTTPS/TLS) connections for all data in transit
  • Regular security updates and patching of our infrastructure
  • Access controls limiting personnel access to your data on a need-to-know basis
  • Logging and monitoring of system access

No system is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by Article 33 GDPR.

12. Children's Privacy

The Platform is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13.

If you are between 13 and the age of digital consent in your country (typically 16 in EU member states; 13 in Estonia), you must have parental or guardian consent to use the Platform.

If we become aware that we have collected personal data from a child under 13 without proper parental consent, we will delete it promptly. Parents or guardians who believe their child has provided personal data to us can contact us at privacy@insporta.com.

13. Mobile Applications and Push Notifications

If you use a mobile application version of Insporta (when available), we may collect additional data such as device identifiers and, with your consent, send push notifications. You can disable push notifications through your device settings at any time.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes (changes that affect how we collect, use, or share your data), we will notify you at least 30 days in advance via email and/or a prominent notice on the Platform. The "Effective Date" at the top of this Policy reflects the latest revision.

Version history

  • 2.1 (April 27, 2026): Clarified that no third-party analytics or tracking cookies are currently used; removed Google Analytics references pending future activation with consent banner.
  • 2.0 (April 27, 2026): Major rewrite with full GDPR alignment — added profiling/automated decision-making, AI provider disclosure, EU-US transfer mechanisms, retention schedule, expanded user rights.
  • 1.0 (April 22, 2026): Initial version.

15. Contact Us

For privacy-related questions, requests, or complaints, contact our Data Protection Lead:

ITT Developers OÜ
Laeva 7, 10151 Tallinn, Estonia
Email: privacy@insporta.com