Data Protection

Last Updated: 17 November 2025

1. Introduction and Purpose

fortheworld OÜ ("we," "us," "our") is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. This Data Protection Policy outlines our commitment to safely, lawfully, and securely processing personal data in accordance with our legal obligations, including the General Data Protection Regulation (EU) 2016/679 (GDPR).

This policy details the principles, responsibilities, and procedures we follow to ensure the protection of all personal data we process.

2. Scope

This policy applies to all personal data processed by fortheworld OÜ, including data related to our customers, employees, partners, contractors, and any other individuals. It applies to all our employees, contractors, and any third parties who have access to or process personal data on our behalf.

3. Data Protection Principles

We adhere to the principles relating to the processing of personal data set out in the GDPR. All personal data must be:

  • Processed lawfully, fairly, and in a transparent manner (Lawfulness, Fairness, and Transparency).

  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose Limitation).

  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Data Minimization).

  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (Accuracy).

  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage Limitation).

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (Integrity and Confidentiality).

  • The controller shall be responsible for, and be able to demonstrate compliance with, the principles (Accountability).

4. Lawful Basis for Processing

We will only process personal data where we have a valid lawful basis to do so. The primary lawful bases we rely on include:

  • Consent: Where the individual has given clear, unambiguous consent for us to process their personal data for a specific purpose.

  • Contractual Necessity: Where processing is necessary for the performance of a contract with the individual or to take steps at their request before entering into a contract.

  • Legal Obligation: Where processing is necessary for us to comply with the law (e.g., for tax or employment purposes).

  • Legitimate Interests: Where processing is necessary for our legitimate interests (or those of a third party), provided that these interests are not overridden by the rights and freedoms of the individual.

5. Data Subject Rights

We uphold the rights of data subjects as guaranteed by the GDPR. Any individual whose personal data we process has the following rights:

  • The right to be informed about the collection and use of their personal data.

  • The right of access to their personal data and supplementary information.

  • The right to rectification of inaccurate personal data.

  • The right to erasure (the 'right to be forgotten') in certain circumstances.

  • The right to restrict processing in certain circumstances.

  • The right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.

  • The right to object to processing based on legitimate interests or for direct marketing.

  • Rights in relation to automated decision-making and profiling.

Individuals can exercise these rights at any time by contacting us at support@sustainable.support. We will respond to all such requests within one month, in accordance with GDPR requirements.

6. Data Security

We are committed to ensuring the security of personal data. We have implemented appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of personal data where appropriate.

  • Access controls to limit access to personal data to authorized personnel only.

  • Regular security assessments and reviews of our information collection, storage, and processing practices.

  • Employee training on data protection and security best practices.

7. Data Breach Notification

In the event of a personal data breach, we have a procedure in place to identify, assess, and manage the incident. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, we will also inform the affected individuals without undue delay.

8. International Data Transfers

Where we transfer personal data outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place to protect the data to a standard equivalent to that provided by the GDPR. These safeguards may include:

  • Transferring data to countries that the European Commission has deemed to have an "adequate" level of data protection.

  • Using Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Roles and Responsibilities

All employees and contractors of fortheworld OÜ have a responsibility to comply with this policy and to protect the personal data they handle. The management of fortheworld OÜ is responsible for ensuring the organization's overall compliance with data protection laws. Our designated point of contact for all data protection matters is available at support@sustainable.support.

10. Policy Review

This Data Protection Policy will be reviewed at least annually, and more frequently if necessary, to ensure it remains up to date with legal and operational changes. Any updates will be communicated internally and, where appropriate, to our users and partners.

