GDPR Compliance Statement

Effective Date: June 24, 2026 • Company: BRANTELO OÜ (reg. 17282632) • Email: support@listsgenie.com • Jurisdiction: Estonia, EU

1. Data Controller & Commitment to GDPR

BRANTELO OÜ (registry code 17282632), Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia, operating the ListsGenie brand, is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). We collect, process, and store personal data responsibly, lawfully, and transparently.

As the data controller for ListsGenie.com, we are established in Estonia, an EU member state. Our lead supervisory authority is the Estonian Data Protection Inspectorate (AKI). We operate in accordance with EU data protection law and the Estonian Personal Data Protection Act.

Contact for all data protection matters: support@listsgenie.com

2. Lawful Basis for Data Processing

We process personal data only where a valid legal basis under Article 6 of the GDPR applies:

  • Contractual necessity — to deliver the ListsGenie service
  • Legitimate interests — service improvement, fraud prevention
  • Consent — for non-essential cookies and marketing communications
  • Legal obligations — e.g., accounting, tax compliance

3. Data Subjects' Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict or object to processing
  • Withdraw consent at any time
  • Data portability — receive your data in a structured format

To exercise these rights, contact:
📧 support@listsgenie.com or use the Support section in your dashboard to open a ticket.

We respond to all GDPR requests within 30 days.

4. Data Collection & Storage

We collect and store the following categories of personal data:

  • Name, email address, and hashed password
  • Subscription details and payment data (via Stripe)
  • AI usage activity (non-personal)
  • IP address and browser metadata

Data is stored on secure servers located in the United States, operated by GDPR-compliant infrastructure providers. We ensure that appropriate safeguards (such as encryption and limited access) are in place for transatlantic data storage.

5. Sub-Processors

We work only with GDPR-compliant sub-processors. The following table lists our current sub-processors, their country of establishment, the transfer mechanism used, and the data they may process:

Sub-Processor | Location | Transfer Mechanism | Data Processed
OpenAI, Inc. | USA | SCCs (EU Commission) | Etsy listing data (no personal data sent in prompts)
Stripe, Inc. | USA / EU | SCCs + PCI-DSS | Payment card data, billing address, transaction records
DigitalOcean, LLC | USA / EU | SCCs | All platform data (hosting, databases, backups)
Google Analytics (Google LLC) | USA | SCCs + IP anonymisation | Anonymised website usage statistics (with consent)
Etsy API (Etsy, Inc.) | USA | OAuth 2.0 / Etsy DPA | Shop data, listing data (only with user authorisation)

All sub-processors are bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable.

6. International Data Transfers

As our primary infrastructure is located in the United States, personal data may be transferred outside the European Economic Area (EEA).

We ensure lawful international data transfers under:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Supplementary safeguards, including data encryption, limited access, and secure transit
  • Due diligence and audits of subprocessors to verify compliance

We do not transfer sensitive or special-category data under Article 9 of GDPR.

7. Data Security Measures

  • SSL encryption (HTTPS)
  • Encrypted storage and backups
  • Limited internal access to personal data
  • Role-based access control
  • Regular security reviews

8. Data Retention

We retain data:

  • As long as your account remains active
  • Up to 6 months after account closure (for legal compliance)
  • Transactional records may be kept longer for audit and taxation

9. Data Breach Notification

In the event of a personal data breach (as defined in Article 4(12) GDPR), BRANTELO OÜ will:

  • Notify the Estonian Data Protection Inspectorate (AKI) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33 GDPR);
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR);
  • Document all breaches in an internal breach register, regardless of whether notification to the authority is required.

If you discover or suspect a data breach involving your personal data, please contact us immediately at support@listsgenie.com.

10. Supervisory Authority

If you believe your rights under GDPR have been violated, you have the right to file a complaint with your national data protection authority.

As BRANTELO OÜ is established in Estonia, our lead supervisory authority is:

Estonian Data Protection Inspectorate (AKI)

Website: Estonian Data Protection Inspectorate (aki.ee)

Questions about GDPR compliance?
Contact: support@listsgenie.com
BRANTELO OÜ — Tornimäe tn 5, 10145 Tallinn, Estonia