Menu

Legal

Privacy Statement

Version: 29 October 2025

Timmermans Media OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia
Reg. Nr: 16561396, VAT: EE102530070, IBAN: BE80 9674 2346 4677
Email: info@timmermansmedia.com, Website: www.timmermansmedia.com

1. Who we are and how to reach us

Timmermans Media OÜ provides Generative Engine Optimization (GEO), SEO, web design and development, web applications, and AI workflows and automations. For privacy-related questions you can email info@timmermansmedia.com. We have not appointed a formal data protection officer. For privacy matters, the point of contact is M. Timmermans via the email address above.

2. Who this statement applies to

This statement applies to visitors of our website, prospects and clients, suppliers and other business contacts. Our services are aimed at adults acting in a professional or business capacity. We do not target children under the age of 16.

3. What personal data we process

Depending on your relationship with us, we process the following categories of data:

  • Identification and contact: first name, last name, company name, job title, business email address, business phone number, country.
  • Contract and billing: business address, VAT number, payment details on invoices, invoice history.
  • Project and support: briefings, tickets, feedback, log files, test data you provide, user role and access rights in systems we manage.
  • Website and communication: IP address, device and browser information, cookie and consent preferences, session and usage data from our site, opened emails and click behaviour in newsletters if you have subscribed.
  • AI and automations in client projects: input that you or your system provides to AI prompts and workflow steps, output generated by the system, technical metadata such as timestamps and error messages.

We do not request special categories of personal data. Please do not share such data through our channels. If you believe we have received such data, please contact us so we can delete it where appropriate.

4. Purposes and legal bases

We process data for the following purposes:

  • Quotes and pre-contractual communications. Legal basis: legitimate interest.
  • Performance of agreements, delivery of projects, hosting and support. Legal basis: performance of a contract.
  • Invoicing and tax administration. Legal basis: legal obligation.
  • Client communication and service messages. Legal basis: performance of a contract or legitimate interest.
  • Marketing to business contacts who have provided their details themselves or are existing clients. Legal basis: legitimate interest. You can unsubscribe at any time.
  • Security, incident detection, logging and abuse prevention. Legal basis: legitimate interest.
  • AI workflows and automations as part of your assignment. Legal basis: performance of a contract and legitimate interest. Where we explicitly request your consent for a specific processing activity, the legal basis is consent.

We do not make decisions with legal effects based solely on automated processing without human involvement.

5. Retention periods

We do not retain data longer than necessary. Guidelines are as follows:

  • Quote and prospect data up to 24 months after last contact.
  • Client and project administration up to 7 years after the financial year in accordance with tax retention obligations.
  • Project files and documentation up to 24 months after termination of the contract, unless otherwise agreed.
  • Support tickets and system logs up to 12 months, security logs up to 24 months where necessary.
  • Backups according to project agreement, standard rotation up to 30 days.
  • Newsletter and marketing profiles until you unsubscribe or after 24 months of inactivity.

6. Sharing with third parties and categories of recipients

We only share data when necessary for the purposes described above, with:

  • Hosting and cloud providers and managed service providers.
  • Email, communication and project management tools.
  • Payment and invoicing services and accountants.
  • AI model providers and workflow platforms when this is part of your assignment.
  • Legal advisors and regulatory authorities where required by law.

We enter into data processing agreements with processors. They process data solely in accordance with our instructions.

7. International transfers

Our suppliers may be located outside the EEA. For international transfers we use appropriate safeguards such as European Standard Contractual Clauses and supplementary measures where necessary. Information about these safeguards is available upon request.

8. Cookies and similar technologies

We use necessary cookies for the functioning of the site, analytical cookies that do not unduly infringe on your privacy, and, only with your consent, additional analytical or marketing cookies.

  • You can choose your preferences on your first visit and change them later via the cookie settings on our website.
  • You can block or delete cookies through your browser. Please note that the site may not function optimally in that case.
  • Retention periods vary per cookie. Functional cookies typically expire at the end of the session or within a few months. Analytical and marketing cookies may persist longer, but not longer than necessary.

A detailed cookie overview and up-to-date list of cookies used can be found in our cookie statement on the website.

9. AI workflows and automations in client projects

When we deploy AI services as part of your assignment:

  • We process the input you provide and the output generated by the model solely for your project.
  • Where possible, we configure settings so that provider data is not used to train general models.
  • Output may contain errors or bias. You review the output before using it.
  • We document the models and sub-processors used in the SOW or data processing agreement.

10. Security

We take appropriate technical and organisational measures, including encrypted transport connections, access control based on the principle of least privilege, password policies and multi-factor authentication where appropriate, logging and monitoring, separation of environments and backups as agreed. No security measure is absolute. Please report security vulnerabilities or suspected misuse to info@timmermansmedia.com.

11. Your privacy rights

Within the limits of the law, you have the right to:

  • Access your data.
  • Rectification of inaccurate data.
  • Erasure of data.
  • Restriction of processing.
  • Portability of data you have provided.
  • Object to processing based on legitimate interest or to direct marketing.
  • Withdrawal of previously given consent.

Send your request to info@timmermansmedia.com. We will respond as soon as possible and within one month at the latest. Before processing your request, we may ask for additional information to verify your identity. When providing copies of identity documents, please redact the photo, MRZ, document number and national identification number.

12. Complaints

You can submit a complaint to us via info@timmermansmedia.com. You also have the right to lodge a complaint with the Estonian supervisory authority, the Estonian Data Protection Inspectorate. Information about how to reach them and their procedures is available on the supervisory authority's website. If you reside in another EU country, you can also contact your national data protection authority.

13. Third-party links and services

Our website may contain links to third-party websites or services. We are not responsible for their privacy practices. Always read the privacy statement of those parties.

14. Changes to this statement

We may update this statement. The most recent version is always available on our website with an updated date. In the event of material changes that noticeably affect you, we will actively inform you where appropriate.

Data Processing Agreement for client projects

When we process personal data on your behalf, we enter into a data processing agreement covering topics such as the purpose and duration of processing, categories of data and data subjects, security measures, sub-processors, international transfers, assistance with data subject requests and data breaches, audits, and the deletion or return of data upon completion.