Privacy Policy

Effective date: 1 October 2025

Who we are

Indrek Pari & Co ("we", "us", "our") provides technical diligence, advisory, and interim or fractional CTO services. This policy explains how we handle personal information for clients, prospective clients, portfolio companies, investors, collaborators, and site visitors across our locations.

Scope and roles

  • When we decide why and how to process your personal data (for example, when you contact us or we manage our relationship with you), we act as data controller.
  • When client materials include personal data (for example, repository metadata, incident logs, stakeholder lists) that we handle to deliver services, we act as data processor and process that data strictly under the client's instructions and our Data Processing Addendum (DPA).

1. Data we collect

From you

  • Contact details: name, work email, phone, role, company, and anything you submit via forms or direct outreach.
  • Engagement inputs: stakeholder lists, read-only repository access, cloud billing exports, backlog snapshots, incident logs, org charts, and similar artifacts.
  • Communications: meeting invites, call notes, recordings or transcripts (if you consent to recording), and decision logs.

From systems we use

  • Operational metadata: email headers, scheduling history, invoice and receipt records, and audit trails in our tools (for example, document access logs).
  • Web telemetry: standard server logs (IP, user agent, timestamps). We do not use advertising cookies or tracking pixels.

From public or third-party sources

  • Professional profiles, company registers, breach databases, compliance registers, and investor or portfolio materials you or your investors provide.

Special categories. We do not seek sensitive data (for example, health or biometric data). If such data appears in client artifacts, we expect it to be redacted; if not, we process it only if strictly necessary and lawful.

2. How and why we use data (GDPR/UK GDPR legal bases)

  • Respond to inquiries; evaluate and scope work - Legitimate interests (to operate a consultancy) or consent where required.
  • Deliver contracted work (assessments, diligence, execution support) - Contract performance (with you) or legitimate interests (where we contract with your company).
  • Quality assurance, record-keeping, compliance, and billing - Legal obligation (tax and accounting) and legitimate interests.
  • Security (access controls, audit, incident response) - Legitimate interests and legal obligation.
  • Updates and insights you opt into - Consent. You can withdraw at any time.
  • Benchmarks and aggregated insights - Legitimate interests. We aggregate and de-identify first.

We do not sell personal data and we do not allow third parties to market to our clients. We do not engage in "selling" or "sharing" for cross-context behavioral advertising under the California Privacy Rights Act (CPRA).

We do not use automated decision-making that produces legal or similarly significant effects.

3. Tooling, AI, and confidentiality

We use reputable vendors for communication, storage, scheduling, transcription, and secure data rooms. When we use AI-assisted tools for drafting or analysis, we do so under enterprise terms that contractually prohibit training on your data and provide a DPA and adequate transfer safeguards. We do not paste secrets, regulated data, or client code into consumer AI tools. Access is restricted to the delivery team on a need-to-know basis.

All client materials remain confidential under our engagement agreement and mutual NDA.

4. Sharing and international transfers

We share personal data only with:

  • Sub-processors necessary to deliver the engagement (for example, secure data rooms, e-signature, transcription, communications, storage, accounting).
  • Advisers (legal, audit) under confidentiality.
  • Parties you instruct us to work with (for example, your vendors, auditors, or investors).
  • Authorities when legally required.

We operate internationally. Where data leaves your jurisdiction (for example, EEA or UK to outside the EEA or UK), we use EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, plus risk assessments and additional safeguards such as encryption and access controls.

We maintain a current list of sub-processors upon request or at /subprocessors (if published).

5. Portfolio clinics and diligence specifics

For investor-led portfolio clinics, we provide roll-up heatmaps and prioritized remediation lists to the sponsoring fund. We aim to aggregate and de-identify information unless a company has consented to share identified findings. For buyer or investor diligence, we share findings with the instructing party under the agreed scope and NDA.

6. Security

We enforce encryption in transit and at rest, device encryption, multi-factor authentication, least-privilege access, role-based permissions, secure secrets management, and activity logging. We run vendor due diligence, apply change control, and restrict long-term data copies. If a personal-data breach is likely to result in risk to individuals, we will notify affected clients without undue delay and, where required, notify regulators (for example, within 72 hours under GDPR).

7. Retention

We keep data only as long as needed for the purposes above:

  • Assessment or diligence archives: 7 years (or sooner at your request unless legal obligations or litigation holds require longer).
  • Contracts, invoices, ledgers: 7-10 years (tax and accounting laws).
  • Proposals and scoping notes (non-clients): 24 months.
  • Meeting recordings or transcripts (if any): 12 months unless required longer for the engagement, then archived with the matter.
  • Access logs and security logs: 12-24 months.
  • Marketing subscriptions: until you unsubscribe; we retain a minimal suppression list to honor opt-outs.

When we delete, we also request deletion from relevant sub-processors where feasible.

8. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object, and port your data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority (for example, in the EEA your local authority or the Estonian Data Protection Inspectorate; in the UK the ICO; in California the CPPA).

Requests: email [email protected]. For security, we may ask you to verify identity and confirm relationship or context. If we process your data as a processor for a client, we will redirect your request to that client (the controller).

9. Your choices

  • Access, correction, or deletion: email [email protected].
  • Opt out of updates: use the unsubscribe link in emails or email us.
  • Security or privacy concerns: escalate directly to the managing partner at [email protected].

Please avoid sending secrets or regulated data through website forms; we will provide secure upload channels during onboarding.

10. Cookies and site telemetry

We use no advertising cookies and no tracking pixels. Our site uses strictly necessary cookies only (if any) and standard server logs for security and reliability. If we later adopt privacy-preserving analytics, we will update this policy and our cookie notice accordingly.

11. Children

Our services and site are intended for professionals. We do not knowingly collect personal data from children under the age applicable in their jurisdiction.

12. Updates to this policy

We review this policy at least annually and when our practices change. We will post the updated version here and update the effective date. If changes materially affect your rights, we will notify you through appropriate channels. Your continued use of our services after an update signifies acceptance of the revised policy.

Contact

Indrek Pari & Co
Email: [email protected]
Security & privacy escalation: [email protected]