Privacy Policy

Sydcup is a software engineering company registered in Estonia (EU). Our registered address is Sepapaja tn 6, Lasnamae, Tallinn, Harju county, 15551, Estonia.

We are the data controller for any personal data collected through this website. You can reach us at [email protected] for any privacy-related questions.

We collect very little data. Here is exactly what we process and why:

Contact Form Submissions

When you use our contact form, we collect the information you provide: your name, email address, company name (optional), subject, and message. We use this solely to respond to your inquiry.

Spam Protection

We use Cloudflare Turnstile to protect the contact form from automated spam. Turnstile may process your IP address and browser signals to verify you are human. This data is processed by Cloudflare under their privacy policy.

Theme Preference

We store your light/dark theme preference in your browser's local storage. This never leaves your device and is not transmitted to our servers.

What We Don't Collect

We do not use analytics trackers, advertising cookies, social media pixels, or any third-party tracking. We do not create user accounts. We do not sell or share personal data with anyone for marketing purposes.

Under the GDPR, we process personal data on the following bases:

• Legitimate interest — responding to business inquiries you initiate through our contact form (Article 6(1)(f))
• Legal obligation — retaining business correspondence as required by Estonian commercial law (Article 6(1)(c))

You can object to processing based on legitimate interest at any time by contacting us.

Your contact form data is processed through Cloudflare Pages Functions (our form submission handler) and delivered to our team via email through Mailgun (Sinch Email), our email delivery provider. Both Cloudflare and Mailgun act as data processors under Data Processing Agreements that comply with GDPR requirements.

We do not share your personal data with any other third parties, advertisers, or data brokers. We do not sell personal data.

If we are ever legally compelled to disclose data (e.g., by a court order), we will do so only to the extent required by law.

• Contact form submissions — retained for up to 24 months, then deleted
• Client project data — retained for 7 years as required by Estonian commercial and tax law
• Job applications — retained for up to 12 months after the application, then deleted unless you consent to longer retention

You can request deletion of your data at any time. We will comply unless we have a legal obligation to retain it.

Under the GDPR, you have the right to:

• Access your personal data and receive a copy
• Correct inaccurate or incomplete data
• Delete your data ("right to be forgotten")
• Restrict processing in certain circumstances
• Data portability — receive your data in a structured, machine-readable format
• Object to processing based on legitimate interest

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you believe we are not handling your data properly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with your local supervisory authority if you are in another EU/EEA country.

When you make a payment for our services, card and bank transfer payments are processed by Wise (TransferWise Ltd), a regulated payment provider. Sydcup does not collect, store, process, or have access to your credit or debit card details at any time.

All payment card data is handled entirely by Wise in accordance with PCI DSS (Payment Card Industry Data Security Standard) requirements. For more information on how Wise handles your data, please refer to Wise's Privacy Statement.

We use HTTPS across the entire website. Contact form submissions are transmitted over encrypted connections and processed through Cloudflare's infrastructure. Access to submitted data is limited to authorized team members.

No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify you and the relevant supervisory authority as required by the GDPR.

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to notify affected individuals.

If you have questions about this policy, contact us at [email protected].