GDPR Compliance
Our commitment
Samarkand Industries OÜ is a European company built on the principle that data sovereignty is not a compliance burden — it is a foundation of trust. We are subject to the General Data Protection Regulation (EU 2016/679) as a company established in Estonia, a member state of the European Union. Waretto is operated under this framework.
1. We are an EU data controller
Samarkand Industries OÜ is registered in Estonia. All core platforms operate within EU jurisdiction. We are not a US company with a European subsidiary. We do not have a dual structure that places key processing decisions outside EU oversight.
We maintain an internal register of processing activities as required by GDPR Article 30.
2. Data residency
All personal data processed through Waretto is stored and processed within the European Economic Area. We do not use US-based cloud infrastructure for personal data storage. Where any third-party processor is outside the EEA, we apply Standard Contractual Clauses and conduct transfer impact assessments.
3. Data minimisation
We collect only what we need for specified, explicit purposes. Analytics configurations anonymise IP addresses. API logs store identifiers, not personal data in payloads.
4. Processors and DPAs
All third-party processors are bound by GDPR Article 28 data processing agreements specifying scope, security obligations, subprocessing restrictions, data subject rights assistance, and 24-hour breach notification. Enterprise customers may request a DPA with Samarkand Industries OÜ.
5. Security measures
Technical: TLS 1.2+ in transit · AES-256 at rest · Role-based access and MFA · Regular penetration testing · Network segmentation · Daily encrypted backups (EEA) tested quarterly.
Organisational: Need-to-know access controls · Data protection training · Documented incident response · DPIAs for high-risk processing.
6. Breach notification
In the event of a personal data breach, we will:
- assess within 24 hours;
- notify the Estonian Data Protection Inspectorate within 72 hours where required (GDPR Art. 33);
- notify affected individuals without undue delay where high risk exists (GDPR Art. 34);
- document all breaches in our internal register.
7. Data subject rights
| Right | How to exercise | Response time |
|---|---|---|
| Access (Art. 15) | Email privacy@waretto.com | 30 days |
| Rectification (Art. 16) | Email or account settings | 30 days |
| Erasure (Art. 17) | Email privacy@waretto.com | 30 days |
| Restriction (Art. 18) | Email privacy@waretto.com | 30 days |
| Portability (Art. 20) | Email privacy@waretto.com | 30 days |
| Object (Art. 21) | Email privacy@waretto.com | 30 days |
| Withdraw consent (Art. 7) | Cookie manager or email | Immediate |
No charge for requests. Identity verification may be required.
8. Children's data
Waretto is not directed at children under 16. We do not knowingly collect data from minors and will delete any such data promptly on discovery.
9. Automated decision-making
We do not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). Algorithmic outputs of the Sentinel Alpha Engine and Super Waretto optimiser are informational and do not determine your legal status, access to financial services, or any similarly significant outcome.
10. Supervisory authority
Andmekaitse Inspektsioon (Data Protection Inspectorate)
Tatari 39, 10134 Tallinn · aki@aki.ee · aki.ee
Data subjects in other EU member states may contact their national supervisory authority.
11. Contact
Samarkand Industries OÜ — Data Protection
privacy@waretto.com · Narva mnt 5, 10117 Tallinn, Estonia