Privacy Policy & Cookie Policy

Last Updated: January 27, 2025

Effective Date: January 27, 2025

1. CONTROLLER INFORMATION

1.1 Data Controller

The data controller responsible for your personal information under this Privacy Policy is:

• Legal Entity: OutsmartPerformance OU
• Registration Number: 17128885
• Registered Address: Sepapaja tn 6, Tallinn 11415, Estonia, Harju maakond
• Operating Location: Tallinn, Estonia
• Website: beyondconvert.com
• Email: general@beyondperform.com

1.2 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy:

• Name: Derek Blum
• Email: derek.b@beyondperform.com
• Role: Data Protection Officer & Privacy Compliance Manager

You have the right to contact our DPO directly regarding any privacy-related questions, concerns, or requests.

2. INFORMATION WE COLLECT

2.1 Personal Information Categories

We may collect and process the following categories of personal information:

2.1.1 Identity and Contact Data

• First name, last name, and middle name
• Professional title and job position
• Company name and business information
• Email addresses (personal and business)
• Phone numbers (mobile and business)
• Postal addresses and business locations
• Social media profile information
• Professional credentials and certifications

2.1.2 Technical and Usage Data

• IP addresses and device identifiers
• Browser type, version, and settings
• Operating system and device information
• Screen resolution and display preferences
• Website usage patterns and navigation paths
• Page views, session duration, and bounce rates
• Referral sources and campaign tracking
• Search terms and keywords used
• Time zone and language preferences
• Cookie and tracking technology data

2.1.3 Transaction and Financial Data

• Payment information and billing details
• Credit card details (processed by third parties)
• Banking information for wire transfers
• Transaction history and purchase records
• Invoices and payment receipts
• Tax identification numbers (when required)
• Billing addresses and preferences

2.1.4 Communication Data

• Messages sent through contact forms
• Email correspondence and attachments
• Phone call records and notes
• Video conference recordings (with consent)
• Chat messages and support tickets
• Survey responses and feedback
• Marketing communication preferences

2.1.5 Professional and Business Data

• Industry sector and business model information
• Company size and revenue information
• Current affiliate program status
• Marketing challenges and objectives
• Technical infrastructure details
• Competitive information and benchmarks
• Performance metrics and KPIs

2.2 Special Categories of Data

We do not generally collect special categories of personal data (sensitive data) such as health information, religious beliefs, political opinions, or biometric data. If we ever need to collect such information, we will obtain your explicit consent and implement additional security measures.

3. HOW WE COLLECT INFORMATION

3.1 Direct Collection

We collect information directly from you when you:

• Register for an account or sign up for services
• Complete contact forms or request information
• Subscribe to newsletters or marketing communications
• Schedule consultations or book meetings
• Make purchases or payments
• Participate in surveys, polls, or feedback requests
• Attend webinars, events, or training sessions
• Contact our customer support or sales teams
• Apply for job positions or partnership opportunities

3.2 Automatic Collection

We automatically collect certain information when you visit our website or use our services through:

• Cookies and similar tracking technologies
• Web beacons and pixel tags
• Server logs and analytics tools
• Mobile device identifiers
• Location data (with permission)
• Social media tracking pixels

3.3 Third-Party Sources

We may obtain information from third-party sources including:

• Social media platforms (LinkedIn, Twitter, Facebook)
• Business directories and professional databases
• Data brokers and lead generation services
• Partner companies and referral sources
• Public records and government databases
• Event organizers and conference providers
• Analytics and marketing service providers

4. LEGAL BASIS FOR PROCESSING

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

4.1 Consent (Article 6(1)(a) GDPR)

We process your data based on consent when:

• You opt-in to receive marketing communications
• You agree to cookies and tracking technologies
• You voluntarily provide information through forms
• You consent to recording of calls or meetings
• You participate in surveys or research

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4.2 Contract Performance (Article 6(1)(b) GDPR)

We process your data when necessary to perform a contract with you or to take steps prior to entering into a contract:

• Providing requested services and deliverables
• Processing payments and managing accounts
• Communicating about service delivery
• Managing customer support and technical issues
• Fulfilling contractual obligations

4.3 Legitimate Interests (Article 6(1)(f) GDPR)

We process your data when necessary for our legitimate interests, provided these interests are not overridden by your rights:

• Operating and improving our business and services
• Analyzing website usage and performance
• Preventing fraud and ensuring security
• Direct marketing to existing customers
• Managing business relationships
• Protecting our legal rights and interests

4.4 Legal Compliance (Article 6(1)(c) GDPR)

We process your data when required to comply with legal obligations:

• Tax and accounting requirements
• Anti-money laundering regulations
• Data protection law compliance
• Employment law obligations
• Consumer protection regulations
• Court orders and legal proceedings

5. HOW WE USE YOUR INFORMATION

5.1 Service Delivery and Customer Management

• Providing and delivering requested services and products
• Managing customer accounts and relationships
• Processing orders, payments, and refunds
• Providing customer support and technical assistance
• Scheduling appointments and managing consultations
• Sending service-related notifications and updates
• Managing access to digital products and resources
• Facilitating project communication and collaboration

5.2 Business Operations and Administration

• Operating our website and maintaining functionality
• Managing user accounts and authentication
• Conducting business analytics and reporting
• Maintaining records and documentation
• Managing vendor and partner relationships
• Conducting financial management and accounting
• Managing employee and contractor relationships

5.3 Marketing and Communications

• Sending marketing communications and newsletters
• Personalizing content and service recommendations
• Conducting market research and surveys
• Managing social media presence and engagement
• Organizing events, webinars, and training sessions
• Measuring campaign effectiveness and ROI
• Building customer profiles and segmentation

5.4 Product and Service Improvement

• Analyzing user behavior and preferences
• Testing new features and functionalities
• Conducting A/B tests and optimization
• Gathering feedback and testimonials
• Developing new products and services
• Improving user experience and interface design

5.5 Security and Compliance

• Preventing fraud and unauthorized access
• Monitoring for security threats and vulnerabilities
• Conducting internal audits and compliance checks
• Investigating and resolving disputes
• Protecting intellectual property rights
• Ensuring regulatory compliance

6. INFORMATION SHARING AND DISCLOSURE

6.1 Service Providers and Processors

We share personal information with trusted service providers who assist us in operating our business. These processors are contractually bound to protect your information and may only use it as instructed by us:

6.1.1 Technology and Infrastructure Services

• Web Hosting: Cloud hosting providers for website and application hosting
• Content Delivery Networks (CDNs): For website performance optimization
• Database Services: Secure data storage and management providers
• Backup Services: Data backup and disaster recovery providers
• Security Services: Cybersecurity and monitoring service providers

6.1.2 Analytics and Marketing Services

• Google Analytics: Website traffic and user behavior analysis
• Google Tag Manager: Marketing and analytics tag management
• PiwikPro: Privacy-compliant web analytics
• TruConversion: Conversion tracking and optimization
• Microsoft Clarity: User session recording and heatmaps
• MixPanel: Product analytics and user tracking
• Facebook Pixel: Social media advertising and remarketing
• LinkedIn Insight Tag: Professional network advertising
• Google Ads: Online advertising and conversion tracking

6.1.3 Communication and Customer Support

• Email Service Providers: For sending transactional and marketing emails
• CRM Systems: Customer relationship management and support
• Help Desk Software: Customer support ticket management
• Video Conferencing: Virtual meetings and consultations
• Scheduling Tools: Appointment booking and calendar management (TidyCal)

6.1.4 Payment and Financial Services

• Stripe: Credit card and online payment processing
• PayPal: Alternative payment processing
• Banking Partners: Wire transfer and international payment processing
• Accounting Software: Financial record keeping and tax compliance

6.2 Business Partners and Affiliates

We may share information with business partners for:

• Joint marketing campaigns and partnerships
• Referral programs and affiliate marketing
• Co-sponsored events and webinars
• Strategic business collaborations

6.3 Legal Requirements and Business Transfers

We may disclose personal information when required by law or in good faith belief that such disclosure is necessary to:

• Comply with legal obligations, court orders, or regulatory requirements
• Protect and defend our rights, property, or safety
• Protect the rights, property, or safety of our customers or third parties
• Prevent or investigate fraud or other illegal activities
• Respond to emergency situations involving threats to personal safety

In the event of a merger, acquisition, sale of assets, or bankruptcy, personal information may be transferred as part of the business transaction, subject to equivalent privacy protections.

6.4 Data Processing Agreements

All third-party processors are bound by data processing agreements that require them to:

• Process data only according to our instructions
• Implement appropriate security measures
• Maintain confidentiality of all data processed
• Assist with data subject rights requests
• Report any data breaches promptly
• Delete or return data upon termination of services

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfer Mechanisms

Your personal information may be transferred to and processed in countries outside the European Economic Area (EEA) that may not have equivalent data protection laws. We ensure adequate protection through:

7.1.1 Adequacy Decisions

We transfer data to countries recognized by the European Commission as providing adequate levels of data protection.

7.1.2 Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use European Commission-approved Standard Contractual Clauses to ensure appropriate safeguards.

7.1.3 Certification Schemes

Some of our processors hold certifications under approved schemes such as Privacy Shield successor programs or equivalent frameworks.

7.2 Specific Transfer Situations

• United States: Transfers to US-based processors under Standard Contractual Clauses
• United Kingdom: Transfers based on UK adequacy decision
• Canada: Transfers based on adequacy decision for commercial organizations
• Other Countries: Case-by-case assessment with appropriate safeguards

7.3 Your Rights Regarding International Transfers

You have the right to:

• Request information about specific transfers of your data
• Obtain copies of appropriate safeguards (where not commercially sensitive)
• Object to transfers in certain circumstances
• Request that transfers be limited or restricted

8. DATA RETENTION

8.1 Retention Principles

We retain personal information only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. Our retention periods are based on:

• The type and sensitivity of the information
• The purpose for which we collected the information
• Legal and regulatory requirements
• The existence of an ongoing relationship
• Business and operational needs

8.2 Specific Retention Periods

8.2.1 Customer and Transaction Data

• Active Customer Data: Duration of business relationship plus 7 years
• Financial Records: 10 years (Estonian accounting law requirement)
• Tax Records: 7 years from the end of the tax year
• Contract Data: Duration of contract plus 6 years (limitation period)
• Payment Information: As required by financial regulations (up to 7 years)

8.2.2 Marketing and Communications Data

• Marketing Consents: Until consent is withdrawn
• Newsletter Subscriptions: Until unsubscription plus 1 year
• Email Communications: 3 years from last interaction
• Inactive Prospects: 3 years from last contact

8.2.3 Technical and Usage Data

• Website Analytics: 26 months (Google Analytics standard)
• Server Logs: 12 months
• Security Logs: 2 years
• Cookie Data: As specified in cookie notices (typically 13 months)

8.2.4 Legal and Compliance Data

• Legal Claims: 6 years from resolution
• Regulatory Reports: As required by specific regulations
• Data Breach Records: 5 years from incident resolution
• Consent Records: 3 years after withdrawal

8.3 Data Deletion Procedures

When retention periods expire, we:

• Securely delete or anonymize personal information
• Remove data from all systems and backups
• Instruct third-party processors to delete data
• Document deletion activities for compliance purposes

9. YOUR RIGHTS UNDER GDPR

9.1 Overview of Rights

Under GDPR, you have the following rights regarding your personal data:

9.1.1 Right of Access (Article 15)

You have the right to request:

• Confirmation that we process your personal data
• A copy of your personal data we hold
• Information about how we use your data
• Details about data recipients and retention periods
• Information about your other rights

9.1.2 Right of Rectification (Article 16)

You have the right to:

• Request correction of inaccurate personal data
• Request completion of incomplete data
• Update outdated information

9.1.3 Right of Erasure/"Right to be Forgotten" (Article 17)

You may request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent and there's no other legal basis
• You object to processing and there are no overriding interests
• The data has been unlawfully processed
• Deletion is required for legal compliance

9.1.4 Right to Restriction of Processing (Article 18)

You may request restriction when:

• You contest the accuracy of data (during verification)
• Processing is unlawful but you prefer restriction to deletion
• We no longer need the data but you need it for legal claims
• You've objected to processing (pending verification of grounds)

9.1.5 Right to Data Portability (Article 20)

You have the right to:

• Receive your data in a structured, commonly used format
• Transmit your data to another controller
• Request direct transmission where technically feasible

9.1.6 Right to Object (Article 21)

You may object to processing based on:

• Legitimate interests (including profiling)
• Direct marketing purposes
• Scientific, historical research, or statistical purposes

9.1.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to purely automated decision-making, including profiling, that significantly affects you, unless it's:

• Necessary for contract performance
• Authorized by law with appropriate safeguards
• Based on your explicit consent

9.2 Exercising Your Rights

9.2.1 How to Make Requests

To exercise your rights, contact us through:

• Email: general@beyondperform.com
• Data Protection Officer: derek.b@beyondperform.com
• Subject Line: "GDPR Rights Request - [Type of Request]"

9.2.2 Request Requirements

When making a request, please provide:

• Clear identification of the right you wish to exercise
• Sufficient information to locate your data
• Proof of identity (to prevent unauthorized access)
• Specific details about your request when applicable

9.2.3 Response Timelines

• Standard Response: Within one month of receipt
• Extended Response: Up to three months for complex requests (with notification)
• Urgent Requests: Expedited handling when possible

9.2.4 Fees

Most requests are processed free of charge. We may charge a reasonable fee for:

• Manifestly unfounded or excessive requests
• Multiple copies of the same information
• Administrative costs for complex requests

9.3 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you may lodge a complaint with:

9.3.1 Estonian Data Protection Inspectorate

• Name: Andmekaitse Inspektsioon
• Website: aki.ee
• Email: info@aki.ee
• Address: Väike-Ameerika 19, 10129 Tallinn, Estonia

9.3.2 Other EU Supervisory Authorities

You may also contact the supervisory authority in your country of residence or where the alleged violation occurred. A list of EU supervisory authorities is available at: edpb.europa.eu

10. DATA SECURITY

10.1 Security Framework

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

10.1.1 Technical Safeguards

• Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
• Access Controls: Multi-factor authentication and role-based access controls
• Network Security: Firewalls, intrusion detection systems, and VPN access
• Vulnerability Management: Regular security scans and penetration testing
• Secure Development: Security by design principles and code review processes
• Data Loss Prevention: Automated systems to prevent unauthorized data exfiltration

10.1.2 Administrative Safeguards

• Security Policies: Comprehensive information security policies and procedures
• Employee Training: Regular privacy and security awareness training
• Background Checks: Screening of personnel with access to personal data
• Incident Response: Formal procedures for handling security incidents
• Third-Party Management: Security assessments of service providers

10.1.3 Physical Safeguards

• Facility Security: Secure data centers with access controls
• Equipment Security: Encrypted storage devices and secure disposal
• Environmental Controls: Climate control and power backup systems

10.2 Data Backup and Recovery

• Automated daily backups with encryption
• Geographically distributed backup storage
• Regular backup restoration testing
• Business continuity and disaster recovery plans

10.3 Security Monitoring and Auditing

• 24/7 security monitoring and alerting
• Regular security audits and assessments
• Compliance with security frameworks (ISO 27001 principles)
• Continuous improvement of security measures

10.4 Employee Security Obligations

All employees and contractors with access to personal data are bound by:

• Confidentiality agreements and privacy training
• Security policies and procedures
• Incident reporting requirements
• Regular security awareness updates

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and understand how our website is used.

11.2 Types of Cookies We Use

11.2.1 Essential Cookies

These cookies are necessary for the website to function properly and cannot be switched off:

• Session management and authentication
• Security and fraud prevention
• Load balancing and performance optimization
• Cookie consent preferences

11.2.2 Performance and Analytics Cookies

These cookies help us understand how visitors interact with our website:

• Google Analytics: Website traffic and user behavior analysis
• PiwikPro: Privacy-compliant web analytics
• Microsoft Clarity: User session recordings and heatmaps
• TruConversion: Conversion tracking and optimization

11.2.3 Functional Cookies

These cookies enable enhanced functionality and personalization:

• Language and region preferences
• User interface customizations
• Form auto-completion
• Chat and support widget functionality

11.2.4 Marketing and Advertising Cookies

These cookies are used to deliver relevant advertisements:

• Google Ads: Advertising targeting and conversion tracking
• Facebook Pixel: Social media remarketing
• LinkedIn Insight Tag: Professional network advertising
• Third-party advertising networks: Behavioural advertising

11.3 Other Tracking Technologies

11.3.1 Web Beacons and Pixels

Small transparent images used to track email opens, webpage visits, and user interactions.

11.3.2 Local Storage

Browser storage mechanisms for maintaining user preferences and session information.

11.3.3 Device Fingerprinting

Collection of device characteristics for security and analytics purposes.

11.4 Cookie Management

11.4.1 Cookie Consent

We obtain your consent before placing non-essential cookies. You can:

• Accept all cookies
• Accept only essential cookies
• Customize cookie preferences by category
• Withdraw consent at any time

11.4.2 Browser Controls

You can manage cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Settings > Privacy > Manage Website Data
• Edge: Settings > Cookies and Site Permissions

11.4.3 Third-Party Opt-Outs

You can opt out of specific third-party tracking:

• Google: adssettings.google.com
• Facebook: facebook.com/settings?tab=ads
• LinkedIn: linkedin.com/psettings

11.5 Cookie Retention Periods

• Session Cookies: Deleted when browser is closed
• Persistent Cookies: Various periods from 30 days to 2 years
• Analytics Cookies: Typically 13-26 months
• Marketing Cookies: Usually 30 days to 1 year

12. THIRD-PARTY SERVICES

12.1 Integrated Services

Our website and services integrate with various third-party platforms, each with their own privacy policies:

12.1.1 Analytics and Performance

• Google Analytics: policies.google.com/privacy
• Google Tag Manager: policies.google.com/privacy
• Microsoft Clarity: privacy.microsoft.com
• PiwikPro: piwik.pro/privacy-policy

12.1.2 Communication and Scheduling

• TidyCal: tidycal.com/privacy
• Email Service Providers: Various providers with GDPR compliance

12.1.3 Payment Processing

• Stripe: stripe.com/privacy
• PayPal: paypal.com/privacy

12.2 Social Media Integration

We may integrate social media features that collect information about your interaction:

• LinkedIn: linkedin.com/legal/privacy-policy
• Facebook: facebook.com/policy
• Twitter: twitter.com/privacy

12.3 Third-Party Links

Our website may contain links to external websites. We are not responsible for the privacy practices of these sites and encourage you to review their privacy policies.

13. CHILDREN'S PRIVACY

13.1 Age Restrictions

Our services are not intended for individuals under 18 years of age (or 16 in some EU countries). We do not knowingly collect personal information from children.

13.2 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal information:

• Contact us immediately at general@beyondperform.com
• We will delete the information within a reasonable time
• We will implement additional safeguards if necessary

13.3 School and Educational Contexts

If we provide services in educational contexts, we comply with applicable laws such as FERPA (US) and equivalent EU regulations for student data protection.

14. DATA BREACH PROCEDURES

14.1 Breach Response Plan

We have implemented a comprehensive data breach response plan that includes:

• Immediate containment and assessment procedures
• Investigation and impact analysis protocols
• Notification procedures for authorities and affected individuals
• Remediation and recovery actions
• Post-incident review and improvement processes

14.2 Notification Timelines

• Supervisory Authority: Within 72 hours of becoming aware of the breach
• Affected Individuals: Without undue delay if high risk to rights and freedoms
• Internal Stakeholders: Immediate notification for response team activation

14.3 Breach Documentation

We maintain records of all data breaches, including:

• Facts surrounding the breach
• Effects and consequences of the breach
• Remedial actions taken
• Communications sent to authorities and individuals

15. CHANGES TO THIS PRIVACY POLICY

15.1 Policy Updates

We may update this Privacy Policy periodically to reflect:

• Changes in our business practices
• New legal or regulatory requirements
• Technological developments
• Best practice recommendations

15.2 Notification of Changes

We will notify you of material changes through:

• Email notification to registered users
• Prominent notice on our website
• Update to the "Last Updated" date
• Direct communication for significant changes

15.3 Your Options

When we make material changes:

• We will provide at least 30 days' notice before changes take effect
• You may object to changes or withdraw consent
• You may terminate services if you disagree with changes
• Continued use constitutes acceptance of modified terms

16. CONTACT INFORMATION

16.1 General Privacy Inquiries

For questions about this Privacy Policy or our data practices:

• Email: general@beyondperform.com
• Subject Line: "Privacy Policy Inquiry"
• Response Time: Within 5 business days

16.2 Data Protection Officer

For specific data protection matters:

• Name: Derek Blum
• Email: derek.b@beyondperform.com
• Role: Data Protection Officer
• Response Time: Within 3 business days

16.3 Rights Requests

To exercise your GDPR rights:

• Email: general@beyondperform.com
• Subject Line: "GDPR Rights Request - [Specific Right]"
• Required Information: Identity verification and specific request details
• Response Time: Within 1 month (extendable to 3 months for complex requests)

16.4 Complaint Procedures

To file a privacy-related complaint:

• Internal: derek.b@beyondperform.com
• External: Estonian Data Protection Inspectorate (info@aki.ee)
• EU-wide: Your local supervisory authority

16.5 Business Address

OutsmartPerformance OU
Sepapaja tn 6
Tallinn 11415
Estonia, Harju maakond