Skip to content

Legal

Privacy Policy

Last updated. 2026-04-22

This page explains what personal data 2060 OÜ collects through 2060.io, why we collect it, how long we keep it, and what rights you have under the EU General Data Protection Regulation (GDPR). The policy covers the contact form on /contact and any cookies or anti-abuse signals set by the site.

2060.io does not sell data and does not run ad targeting or remarketing. The only data we collect is what you explicitly send us via the contact form, what our hosting provider logs for security, and the aggregated usage measurements captured by Google Analytics 4 so we can see which pages people read.

Data controller

Who is responsible

2060 OÜAhtri tn 12, 10151 Tallinn, Estonia
Registry code
16853041 (Estonia)
VAT
EE102810457
Founded
2023

Contact for privacy matters. Use the contact form with inquiry type General inquiry and begin the message with "Legal:". We do not publish a direct email for privacy requests; routing is handled internally.

Data we collect

What We Collect and Why

Contact form submissions

When you submit the form on /contact, we receive the fields you fill in:

  • Required. Inquiry type, name, email, message, consent checkbox.
  • Conditionally required. Organization (for investor, enterprise, or press inquiries).
  • Optional. Role or title, LinkedIn or website, referral source.

We also receive automatically, as part of submission security:

  • IP address and user-agent string, from our hosting provider, used only for per-IP rate limiting and honeypot-based abuse detection. Not used for tracking or profiling.

No third-party anti-bot, captcha, or browser-fingerprinting service is used on this form.

Purpose. The sole purpose of this data is to reply to your inquiry and route it to the correct person on the team. We do not use it for marketing, profiling, or automated decision-making.

Legal basis. Your explicit consent, collected via the consent checkbox at submission (GDPR Article 6(1)(a)), and our legitimate interest in responding to inbound business inquiries (GDPR Article 6(1)(f)).

Cookies and analytics

Google Analytics 4 (GA4). On your first visit the site shows a cookie dialog with two choices, OK or Cancel. The GA4 tag (measurement ID G-9H5406F02W) is loaded only if you click OK. If you click Cancel, or close the banner without choosing, no GA4 tag is injected and no analytics cookies are set. When GA4 is allowed it uses two first-party cookies to count pageviews and track navigation between pages:

  • _ga — distinguishes unique browsers. Expires after 2 years.
  • _ga_9H5406F02W — persists session state for this specific GA4 property. Expires after 2 years.

GA4 anonymizes IP addresses before storage by default, so no full IP is retained against your session. We use the standard GA4 configuration only: no Google Signals, no remarketing, no ad personalization, no Google Ads linkage, no user-ID joins across devices. The data we receive is aggregate (page popularity, referrer, rough geography, device class).

No other cookies. The contact form's anti-abuse measures (honeypot, time-to-submit check, rate limit, disposable-email blocklist) are all server-side and set no cookies. No anti-bot cookies, no session cookies, no preference cookies beyond GA4.

Remembering your choice. Your OK / Cancel answer is stored under the key 2060-cookie-consent in your browser's localStorage so the banner does not reappear on every page. That entry is not a cookie, is not transmitted to any server, and is scoped to this origin only. Clearing site data for 2060.io in your browser will reset the dialog on your next visit.

No ad networks. No cross-site trackers. GA4 is the only third-party tag on the site.

Clicking Cancel in the banner is the simplest way to opt out. As a belt-and-braces alternative, browser-level blockers like uBlock Origin or the official Google Analytics Opt-out Browser Add-on will also prevent the GA4 script from loading. We do not contest either choice and the site functions identically.

Processing location

Where Data Is Processed

Site hosting

The site is hosted by OVHcloud from its datacenter in Beauharnois, Québec, Canada ("BHS"). No CDN is used. Static assets are served directly from the OVHcloud datacenter, and request metadata (IP address, user-agent) is therefore logged in Canada only. Canada holds an adequacy decision from the European Commission (Commission Decision 2002/2/EC of 20 December 2001, applicable to commercial organisations subject to PIPEDA), which means transfers of personal data from the EEA to the OVHcloud Canada datacenter do not require Standard Contractual Clauses.

Contact-form submissions

Handled by an internal submission processor. The mechanism is not email-based; no email-sending provider (Resend, Postmark, Amazon SES, or equivalent) is used to route submissions, and no internal email alias is created or published. The exact submission-handling mechanism is to be specified during site implementation and will be listed on this page once finalized.

Anti-bot protection

Spam protection is fully self-hosted using server-side measures inside the OVHcloud Canada datacenter (honeypot field, time-to-submit check, per-IP rate limiting, disposable-email-domain blocklist). No third-party anti-bot service (Cloudflare Turnstile, hCaptcha, reCAPTCHA, or equivalent) is used; no spam-protection data leaves the hosting datacenter.

Google Analytics 4

Aggregate site-usage measurements are processed by Google LLC (United States) and Google Ireland Limited, in the Google Analytics 4 infrastructure. Transfers from the EEA to the United States are covered by the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), for which Google LLC is a certified participant. IP addresses are anonymized before storage. No ad personalization, remarketing, or Google Signals is enabled.

Future sub-processors

If any future sub-processor is located in a country without an EC adequacy decision or DPF coverage, transfer will be governed by the European Commission's Standard Contractual Clauses (SCCs) and any supplementary safeguards required. An up-to-date list of sub-processors is maintained on this page.

Retention

How Long We Keep It

Data categoryRetention
Contact-form submissions, active business correspondence (investor, enterprise, press, general)Up to 24 months from the last interaction, then deleted or anonymized unless required for an ongoing engagement.
Contact-form submissions, hiring inquiries, not proceedingUp to 6 months after the final reply, then deleted.
Contact-form submissions, hiring inquiries, candidate in processUntil the role closes; retention then follows the above.
Spam-protection logs (IP, user-agent)Up to 30 days, then deleted.
Submission-handler processing logsPer the handler's default policy, to be specified during implementation; targeted retention: ≤ 30 days.
Google Analytics 4 event and user-property data2 months (the minimum GA4 retention setting). Aggregate reports derived from that data are kept indefinitely but contain no identifiers.

No contact-form data is retained indefinitely. No data is sold or shared with third parties except the processors listed above.

Your rights

What You Can Ask Us To Do

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten") where we no longer have a lawful basis to keep it.
  • Restrict or object to processing.
  • Portability: receive a machine-readable copy of the data you gave us.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with a supervisory authority. Ours is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): aki.ee ↗.

To exercise any of these rights, use the contact form with inquiry type General inquiry and begin the message with "Legal:". We respond within 30 days.

Changes

Changes to This Policy

We update this page when our data practices change, for example when a processor is added or retention periods are revised. The Last updated date at the top reflects the most recent change.

This policy has no retroactive effect; prior submissions remain governed by the version in force at the time they were sent, archived in the site's Git history.