Privacy Policy

Who We Are

This Privacy Policy describes how Arvane Holdings OÜ ("Arvane Holdings", "Atheris", "we", "us", "our") collects, uses, and safeguards personal data in connection with our website atheris.ee, our dashboard, APIs, and related proxy services (the "Services").

• Legal entity: Arvane Holdings OÜ
• Jurisdiction: Republic of Estonia
• Address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117
• Contact: [email protected]

We operate under the requirements of the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and other applicable laws. Our primary customers are business users (B2B), but this policy also explains rights available to individuals under EU law.

1. Scope & Roles

• • When we process your account, billing, and support data, Arvane Holdings OÜ acts as the data controller.
• • When you route network traffic through our infrastructure, you (or your client) act as the controller, and we act as your processor.
• • For routing activities, we are a mere conduit under Estonian and EU law and do not monitor payload content except when required for security, abuse prevention, or legal compliance.

2. Data We Collect

Account & Business Information

Name, email, password (hashed), company name, VAT number, business registration details, billing address, payment information (processed via secure third-party processors).

Operational & Service Data

IP address used for authentication, connection timestamps, proxy node/region used, session duration, bytes transferred, authentication result, error codes, automated abuse-prevention flags.

Website & Analytics

Essential cookies (functional, security, session management). Non-essential cookies (analytics, A/B testing, marketing) are only used after your consent.

Support Data

Communications with our support team, ticket/chat content, and any files you voluntarily provide.

Sanctions & Compliance Screening

Basic identifiers may be checked against EU/UN/OFAC sanctions and watchlists before or during your use of the Service.

We do not intentionally collect special categories of personal data (Art. 9 GDPR) or data from children under 16.

3. How We Collect Data

• • Directly from you (registration, payment, support)
• • Automatically via our systems (logs, security telemetry, cookies—where consented)
• • From trusted third parties (payment processors, sanctions screening providers, company/VAT registers)

4. Purposes & Legal Bases

We process data for:

1. 1. Service delivery — to provide, maintain, and support the Service (GDPR Art. 6(1)(b) — contract).
2. 2. Security & abuse prevention — to detect and prevent fraud, abuse, and technical issues (Art. 6(1)(f) — legitimate interest).
3. 3. Legal compliance — to meet tax, accounting, sanctions, and other legal obligations (Art. 6(1)(c)).
4. 4. Analytics & marketing (optional) — with your consent (Art. 6(1)(a)), revocable at any time.

5. How We Handle Network Traffic

• • We do not inspect or store payload content beyond transient technical processing.
• • We store minimal metadata for billing, performance, and security purposes.
• • Automated systems may temporarily block or rate-limit traffic that triggers abuse detection.
• • Enterprise clients may request custom retention controls under a Data Processing Agreement (DPA).

6. Data Sharing & Recipients

We may share your data with:

• • Infrastructure providers — hosting, DDoS protection, network operators.
• • Payment processors — for billing and transaction handling.
• • Support tools — ticketing and communication platforms.
• • Regulatory bodies or law enforcement — when legally required.
• • Corporate successors — in case of merger, acquisition, or sale of assets.

All third-party processors are bound by contracts that meet GDPR requirements.

7. International Transfers

Where data is transferred outside the EEA, we implement Standard Contractual Clauses (SCCs) and additional safeguards as required by GDPR.

8. Cookies & Tracking

• • Essential cookies are always active.
• • Non-essential cookies require your prior consent via our cookie banner.
• • You can change your cookie preferences anytime via our Cookie Settings page.

9. Data Retention

• • Account & billing data — kept for up to 7 years after account closure (legal requirement).
• • Operational logs — retained for 30 days unless required longer for abuse investigations or legal purposes.
• • Support tickets — retained for up to 24 months.

We delete or anonymize data once it's no longer needed.

10. Security Measures

We apply layered security, including encryption in transit, access control, key rotation, and monitoring. If a personal data breach occurs that is likely to affect you, we will notify you and the Estonian Data Protection Inspectorate without undue delay.

11. Your GDPR Rights

You have the right to:

• • Access your data
• • Rectify inaccuracies
• • Request erasure ("right to be forgotten")
• • Restrict or object to processing
• • Port your data to another provider
• • Withdraw consent at any time for consent-based processing

Contact [email protected] to exercise your rights. We may request verification of identity.

12. Sanctions Compliance & Lawful Use

We comply with EU/UN sanctions and prohibit use of the Service in violation of applicable export controls or sanctions regimes. Accounts flagged for sanctions risks may be suspended.

13. Consumers

While we primarily serve businesses, if you are an EU consumer: You may have a 14-day withdrawal right for distance contracts unless you request immediate activation of a digital service, in which case the right is waived after activation. We comply with the EU Consumer Rights Directive where applicable.

14. Changes to This Policy

We may update this policy from time to time. Changes will be announced via our dashboard and/or email. Continued use of the Service after updates means you accept the changes.

15. Contact

Supervisory authority: Estonian Data Protection Inspectorate — www.aki.ee