Privacy Policy
Effective date: 9th September 2025 · Company: Talv Capital OÜ · Web & API: Dashboard at 'talvbase.com'; API at 'api.talvbase.com' · Support: support@talvbase.com
This Privacy Policy explains how Talv Capital OÜ (“we”, “us”, “our”) processes personal data when you use our dashboard and API software-as-a-service (together, the “Service”). It also covers how we handle user-uploaded PSD files and rendered outputs stored in our secure AWS storage.
1) Roles & scope
- Account/Website data (controller): For accounts, billing, support, and marketing, Talv Capital OÜ is the data controller.
- Customer Content via API (processor): For PSD uploads, renders, and related metadata you send to 'api.talvbase.com', you (the customer) are typically the controller and we act as your processor under applicable data protection laws (e.g., GDPR).
2) Data we collect
A) Account & Subscription (dashboard at 'talvbase.com')
- Identification: name, company, email address.
- Authentication: password-based login (passwords stored using industry-standard hashing), session identifiers.
- Subscription & billing: plan, status, tax info, invoices, transaction IDs.
- Communications: support requests, email preferences.
B) Payment (Paddle)
We do not collect or store full payment card numbers. Payments are processed by Paddle. We receive limited billing details (payer name, email, address, tax/VAT IDs, purchase amounts) for accounting and support.
C) API usage ('api.talvbase.com')
- Customer Content: PSD files you upload and rendered images/derivatives we generate.
- Metadata: file names, sizes, MIME types, timestamps, job status, template/parameter choices.
- Operational logs: API key/tenant ID, request/response timestamps, IP address, user agent, error traces (minimized).
D) Device & service logs (both domains)
IP address, browser/OS, referrer, pages/actions, timestamps, and cookies necessary for authentication and security.
3) Purposes & legal bases
- Provide the Service (create accounts, authenticate users, process API jobs, store uploads/renders). Legal basis: contract performance; legitimate interests.
- Billing & subscriptions (manage plans, taxes, invoices through Paddle). Legal basis: contract performance; legal obligation.
- Security, abuse & fraud prevention (rate-limiting, intrusion detection, API key management). Legal basis: legitimate interests; legal obligation.
- Support & communications (respond to requests, status updates). Legal basis: contract performance; legitimate interests.
- Product improvement & analytics (aggregate, non-identifying metrics). Legal basis: legitimate interests.
- Marketing (optional) (product announcements). Legal basis: consent where required; you can opt out at any time.
4) Cookies & similar technologies
We use strictly necessary cookies for login sessions, CSRF protection, and preferences, plus first-party analytics/server logs for reliability and security. You can control non-essential cookies via your browser settings; core session cookies are required to use the dashboard.
5) Storage locations & transfers
- Uploads & renders: stored in a secure AWS bucket.
- International transfers: Where GDPR applies and data leaves the EEA/UK, we rely on Standard Contractual Clauses or equivalent safeguards.
6) Security
- TLS for data in transit; encrypted storage for uploads/renders at rest.
- Role-based access controls; least-privilege access to production systems.
- Passwords stored using industry-standard hashing.
- Audit logs for access to Customer Content.
No method is 100% secure, but we continuously improve our controls.
7) Retention
- Account & billing: retained while your account is active and as needed for legal/accounting obligations (generally up to 7 years for financial records).
- API logs: typically 180 days for troubleshooting and abuse prevention, unless required longer for legal reasons.
- Uploads & renders (Customer Content): retained until you delete them via the dashboard/API. After account termination, we aim to delete or anonymize Customer Content within 90 days, subject to backups and legal holds.
8) Sharing & subprocessors
We do not sell personal data. We share data only with trusted subprocessors and service providers necessary to run the Service:
- AWS: storage of uploads/renders and (where applicable) backups.
- Paddle: payment processing, tax & invoicing.
- Email/communication providers: send transactional messages and support replies.
- Professional services & auditors: where necessary for legal compliance.
- Authorities: if required by law or to protect rights, safety, or the Service.
9) Your rights
Depending on your location (e.g., EEA/UK/California), you may have rights to access, rectify, erase, restrict or object to processing, port data, and withdraw consent (for marketing) without affecting prior processing.
For Customer Content where we act as processor, please contact your organization (the controller). For controller requests (accounts, billing, website), contact us at support@talvbase.com. You can also lodge a complaint with your local data protection authority.
10) Children
The Service is not intended for children under the age required by local law (e.g., 16 under GDPR). We do not knowingly collect data from such children.
11) API keys, PSD content & confidentiality
- Keep your API keys confidential; you are responsible for their use.
- PSD uploads and renders are processed only to provide the Service (rendering, delivery, caching where necessary).
- Employee access is limited to authorized personnel for support, security, and maintenance.
12) Third-party links
The dashboard or documentation may link to third-party sites/services. Their privacy practices are governed by their own policies (e.g., Paddle’s privacy policy).
13) Changes to this policy
We may update this policy from time to time. Material changes will be notified via the dashboard or email. Continued use of the Service after an update constitutes acceptance of the revised policy.
14) Contact
Talv Capital OÜ
Email: support@talvbase.com
Please include your account email, workspace/tenant ID, and a clear description of your request.
Annex: GDPR processor terms (summary)
- We process Customer Content only on your documented instructions and for rendering/storage/delivery.
- We maintain confidentiality, apply appropriate security measures, and assist with data subject requests and incident notifications.
- We use subprocessors listed above and ensure equivalent protections via written contracts.
- On termination, we delete or return Customer Content as described in Retention.
For a full Data Processing Addendum (DPA), contact support@talvbase.com.
Last updated: 9th September 2025