Privacy Policy

1. Introduction

This Privacy Policy describes how IT Partners EU OÜ ("we", "us", "our") collects, uses, discloses, and protects the personal data of users of the website https://eu.ms-licenses.com/ in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection legislation of the European Union and the European Economic Area.

This Policy applies to all website visitors, prospective and existing customers, as well as other individuals whose personal data is processed through our website and related online services.

2. Data Controller and Contact Details

Data Controller: IT Partners EU OÜ

Registered Address: Harju maakond, Kesklinna linnaosa, Ahtri tn 12, Tallinn 10151, Estonia

Contact for data protection inquiries and data subject requests:
Email: sales@ms-licenses.com
Phone: +44 20 8142 5752

At the time of publication, a dedicated EU Representative and Data Protection Officer (DPO) have not been appointed; this information will be updated upon their appointment.

3. Categories of Personal Data We Collect

We may process the following categories of personal data:

Identification Data

• First name, last name
• Company name, job title
• Country/region

Contact Details

• Email address
• Phone number
• Postal address for invoicing and documentation

Order and Payment Data

• Details of ordered products/services (licences)
• Amount, currency, order status
• Transaction ID, invoice/billing details
• Billing information (without storing full payment card details — these are processed by our payment provider Stripe)

Data Provided via Forms

• Content of inquiries, comments, application text
• Preferences regarding products and services
• Specific fields related to licensing and IT infrastructure parameters, if voluntarily provided by the user

Marketing and Communication Data

• Information about newsletter subscriptions
• History of email opens and link clicks
• Existence and date of consent for marketing communications

Technical and Analytics Data

• IP address, including truncated where analytics settings require
• Date and time of visit, requested URLs, HTTP headers including User-Agent and Referer
• Device and session identifiers, e.g., client-ID in Google Analytics 4
• Data on viewed pages, products, and events, including add_to_cart, begin_checkout, purchase, and others

Cookies and Similar Technologies

• Strictly necessary cookies, including session, shopping cart, interface settings, and cookie consent preferences
• With consent — analytical and marketing cookies

We do not intentionally collect special categories of personal data under Article 9 GDPR or data concerning criminal convictions; if such data appears in free-text comments, we process it only to the extent necessary to respond and do not use it for profiling.

4. Sources of Personal Data

Your personal data may be obtained from the following sources:

• Directly from you when completing forms on the website, placing orders, or corresponding via email or phone;
• Automatically when visiting the website, including via cookies, log files, and analytics tools;
• From third-party service providers, such as payment provider Stripe and CRM/Zoho, if you have previously interacted with us through these systems;
• From publicly available sources, such as your company website or professional network profiles, if you have voluntarily provided them when contacting us.

5. Purposes of Processing and Legal Bases

We process personal data for the following purposes and on the following legal bases in accordance with Article 6 GDPR:

5.1. Processing Requests and Contract Performance

• Responding to your inquiries and preparing commercial proposals
• Order processing, invoicing, licence management
• Account or user profile management, where applicable

Legal basis: Performance of a contract or taking steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).

5.2. Billing, Accounting, and Legal Compliance

• Maintaining records and reporting
• Compliance with tax and other legal requirements

Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR).

5.3. Technical Operation and Website Security

• Maintaining service functionality and performance
• Error diagnostics, protection against abuse and cyberattacks
• Maintaining technical server and application logs

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) in ensuring the security and stability of our services.

5.4. Web Analytics and Service Improvement

• Analysis of traffic, conversions, and user journeys
• Optimisation of content, interfaces, and marketing channels

Legal basis:

• For non-strictly necessary cookies and analytics — your consent (Article 6(1)(a) GDPR);
• In limited cases — legitimate interests, taking into account applicable ePrivacy requirements, where permitted by configuration settings.

5.5. Marketing and Remarketing

• Sending newsletters and offers via email where you have subscribed
• Displaying personalised or segmented advertising, remarketing, and lookalike audiences

Legal basis: Your consent (Article 6(1)(a) GDPR); you may withdraw consent at any time.

5.6. Customer Relationship Management (CRM)

• Maintaining customer and lead databases, interaction history
• Sales planning and analysis, service quality monitoring

Legal basis: Performance of a contract and legitimate interests in business development (Article 6(1)(b), 6(1)(f) GDPR).

Where we rely on legitimate interests, we conduct a balancing test to ensure that your rights and freedoms do not override our interests.

6. Cookies and Similar Technologies

The website uses cookies and similar technologies to ensure proper functionality, analyse traffic, and, where consent is given, support marketing activities.

Only strictly necessary cookies — ensuring session management, shopping cart functionality, interface settings, and storage of your cookie preferences — are activated prior to obtaining your consent.

Analytical and marketing cookies, including Google Analytics 4 and Google Ads, are activated only after explicit consent via the cookie banner and may be disabled at any time via settings.

A detailed description of the cookies used, their categories, retention periods, and management options is provided in our separate Cookie Policy, accessible via the link in the website footer.

7. Recipients of Personal Data and Third-Party Services

We may disclose personal data to third parties to the extent necessary to achieve the purposes outlined above:

Hosting Providers and Infrastructure

• Hetzner Online GmbH (Germany, EU) — hosting of website servers and infrastructure

Web Analytics and Marketing

• Google Ireland Limited / Google LLC (Google Analytics 4, Google Tag Manager, Google Ads, Google Search Console)

CRM and Automation

• Zoho and/or similar CRM/marketing platforms — storage of customer, lead, and subscriber data, and communication logic

Payment Services

• Stripe — payment processing, billing data, and transaction security

Email Services and Communication Providers

• Email newsletter providers and SMTP servers used to send transactional and marketing communications

Consultants and Outsourcing Partners

• IT contractors, marketing and legal consultants supporting the website and business processes, with whom confidentiality and data processing agreements are in place

All such recipients process data solely on our instructions and in accordance with Data Processing Agreements (DPAs) ensuring an appropriate level of protection.

8. International Data Transfers

As the data controller is established in Estonia and uses various international services, your data may be transferred outside the European Economic Area (EEA).

Website servers are located in Germany (EU); however, data may be processed and stored in other jurisdictions where our providers' data centres are located, such as Google, Zoho, and Stripe.

For transfers of personal data to countries outside the EEA, we rely on GDPR-compliant safeguards, such as Standard Contractual Clauses (SCCs) and other appropriate measures, unless an adequacy decision applies.

Additional information regarding specific transfer mechanisms may be requested by contacting us using the details provided above.

9. Data Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:

• Inquiry and correspondence data — typically up to 3 years after the last interaction;
• Contract, invoice, and accounting data — for the period required by tax and accounting legislation, generally 5 to 10 years;
• Account and customer data in CRM — for the duration of the active business relationship and a reasonable period thereafter, or until deletion upon request where permitted by law;
• Analytics and cookie data — in accordance with the settings of the systems used, e.g., typical retention periods in GA4 range from 14 to 26 months, or until consent is withdrawn;
• Backup copies — for a limited technical period, e.g., 7–90 days, necessary for system recovery purposes.

Upon expiry of the relevant retention periods, data is deleted or anonymised.

10. Data Subject Rights (EU/EEA)

If you are located in the European Union or the EEA, you have the following rights under the GDPR:

Right of Access

To obtain confirmation as to whether your personal data is being processed and, where applicable, access to that data.

Right to Rectification

To request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

To request deletion of your data in circumstances set out in Article 17 GDPR, for example where the data is no longer necessary for the purposes of processing or where you have withdrawn consent.

Right to Restriction of Processing

To request temporary restriction of processing where you contest the accuracy of the data, the lawfulness of processing, or object to processing.

Right to Data Portability

To receive your data in a structured, commonly used, and machine-readable format and/or to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to Object

To object to processing based on legitimate interests on grounds relating to your particular situation;
To object at any time to processing of your personal data for direct marketing purposes, including profiling related to such marketing.

Rights Regarding Automated Decision-Making

Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in cases permitted by law.

11. How to Exercise Your Rights

To exercise your rights, you may contact us via email at sales@ms-licenses.com or using the other contact details provided above.

When submitting a request, we may ask for additional information to verify your identity to prevent unauthorised access to personal data.

We aim to respond to requests without undue delay and in any event within one month of receipt. Where necessary, this period may be extended by a further two months taking into account the complexity and number of requests; we will notify you of any such extension.

12. Withdrawal of Consent

Where we process your personal data based on consent, you have the right to withdraw that consent at any time:

• For email communications — via the "unsubscribe" link in the email or by contacting us directly;
• For cookies and marketing/analytics trackers — via the cookie banner settings or relevant browser settings.

Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

13. Obligation to Provide Data and Consequences of Refusal

Provision of certain personal data may be necessary for the conclusion or performance of a contract, for example to purchase licences, issue an invoice, or fulfil our legal obligations.

If you do not provide such data, we may be unable to conclude a contract or provide the requested service. On website forms, mandatory fields are clearly marked as such; all other fields are optional and may be completed at your discretion.

14. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR.

Personalisation mechanisms used — such as storing interface language, shopping cart contents, and on-site recommendations — serve to enhance user experience and do not constitute legally significant decisions.

15. Security of Processing

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Such measures include, in particular:

• Use of secure HTTPS protocol (SSL/TLS);
• Restriction of access to administrative panels and databases on a need-to-know basis;
• Use of individual user accounts and access logs;
• Regular software updates and security monitoring;
• Data backups with restricted access to backup files.

Despite the measures we take, no method of data transmission over the internet or storage can be guaranteed as absolutely secure; however, we strive to maintain a high level of protection in line with industry standards.

16. Complaints and Supervisory Authorities

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a competent data protection supervisory authority in the EU or EEA Member State of your habitual residence, place of work, or the place of the alleged infringement.

You may also contact us directly at any time, and we will endeavour to address your complaint or concern promptly.

17. Children

Our website and services are not intended for children under the age of 16, and we do not knowingly collect personal data of such individuals without parental or guardian consent.

If you believe that we have inadvertently processed a child's data without appropriate consent, please contact us so that we may delete the relevant information.

18. Changes to This Privacy Policy

We may periodically update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements.

Material changes will be communicated to users via on-site notices or other appropriate means.

The date of the last update is indicated at the top or bottom of this document.

Date of entry into force and last update: 20.03.2026