Last updated: 2026-05-05

1. Introduction

This Privacy Policy explains how PivotDesk collects, uses, shares, and protects personal data when you visit the website, create an account, purchase an offer, or use the Service.

Data Controller: Whimsy OÜ, Estonia
Registration Number: 17495721
Contact Email: [email protected]
Registered Address: Jalgpalli tn 21, 11312, Tallinn, Estonia

2. Personal Data We Collect

Depending on how you use PivotDesk, we may collect personal data you provide directly, information collected automatically, and limited information from third-party providers.

Information you provide directly may include name, email address, login credentials, account details, billing information, billing country, invoice details, payment status, job-search goals, company targets, contact names, outreach drafts, notes, resumes, questionnaires, support interactions, advisory interactions, and communications you send to us.

Information collected automatically may include device and browser information, IP address and approximate location derived from IP, log data, timestamps, basic usage events, saved cookie-preference choices, and page, campaign, referral, and interaction information about how the website, pricing pages, signup flows, or marketing pages are accessed or used where such collection is enabled.

We may receive limited information from payment processors, analytics providers, advertising or remarketing partners, authentication providers, scheduling tools, AI providers, or other service providers we use to operate PivotDesk.

3. How We Use Personal Data

We use personal data to provide, operate, and maintain the Service; create and manage accounts; process payments, taxes, invoices, refunds, and guarantee reviews; deliver Sprint and Advisor features and support; improve product functionality, performance, and reliability; detect, prevent, and investigate fraud, abuse, and security incidents; communicate with you about your account, purchases, updates, and support; send marketing communications where permitted by law and consistent with your preferences; measure website usage, performance, campaign effectiveness, and related analytics where permitted; support advertising audience creation, remarketing, attribution, and campaign measurement where permitted and based on consent where required; comply with legal, tax, accounting, and regulatory obligations; and establish, exercise, or defend legal claims.

4. Legal Bases for Processing

If GDPR or similar law applies, we rely on one or more of the following legal bases:

• Contract: to provide the Service you requested and administer your purchase.
• Legitimate interests: to secure, improve, support, and analyze the Service and manage our business responsibly.
• Legal obligation: to comply with tax, accounting, consumer, and other legal duties.
• Consent: where required, for example for certain cookies, analytics, advertising technologies, or optional marketing communications.

5. How We Share Personal Data

We do not sell personal data.

We may share personal data with service providers and subprocessors that help us run the Service; with payment and tax providers, including Stripe and Stripe Tax; with hosting, analytics, advertising, email, scheduling, customer support, authentication, and AI providers; where required by law, regulation, legal process, or government request; in connection with a merger, acquisition, asset sale, financing, or business reorganization; and to protect our rights, users, systems, and lawful interests.

Current subprocessors and service providers expected for launch:

• Hosting, CDN, DNS, and security: Cloudflare
• Website analytics and tag management: Google Analytics and Google Tag Manager
• Advertising, remarketing, audience building, and campaign measurement: Google, LinkedIn, and Meta, activated only where permitted and subject to consent where required
• Authentication and application backend: Supabase
• Email delivery and business email: Resend and Google Workspace
• Payment processing, tax calculation, and invoicing: Stripe and Stripe Tax
• AI routing and model providers: OpenRouter, with model providers that may include Anthropic, Google Gemini, OpenAI, and other supported models as the available model mix changes over time

6. International Transfers

Some of our providers may process personal data outside the European Economic Area. Where required, we will use appropriate safeguards for international transfers, such as adequacy decisions, contractual safeguards, or another lawful transfer mechanism.

7. Data Retention

We retain personal data for as long as reasonably necessary to provide the Service and for related business purposes.

In general, account and workspace data are retained during your active access period and for a limited period afterward. After the access period, users may view but not modify their data until it is archived or deleted per our retention schedule. Billing, tax, and transaction records may be retained as long as required by applicable law. Support and security records may be retained as needed to resolve disputes, prevent fraud, and enforce these Terms.

After the access period ends, account and workspace data are generally retained for up to 90 days before archival or deletion, unless a longer retention period is reasonably needed for legal, tax, accounting, security, dispute-resolution, backup, or legitimate business purposes.

8. Security

We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

9. Your Rights

Depending on where you live, you may have the right to access your personal data, correct inaccurate personal data, delete personal data, restrict or object to certain processing, withdraw consent where processing is based on consent, receive a portable copy of certain personal data, and lodge a complaint with a supervisory authority.

To exercise rights, contact [email protected]. We may need to verify your identity before acting on a request.

If you are in the EEA, you may also complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the data protection authority in your country of residence.

10. Cookies and Similar Technologies

We use cookies, localStorage, and similar technologies for authentication, security, site functionality, saved privacy choices, analytics, performance, and, where enabled, advertising or remarketing purposes.

Our cookie preferences are grouped into three categories:

• Necessary: required for core site functionality and saved privacy choices. These are always enabled.
• Analytics: used to measure site usage and performance.
• Advertising: used to support audience building, remarketing, attribution, and campaign measurement on platforms such as Google, LinkedIn, and Meta.

Analytics and advertising technologies are off by default and are activated only after consent where required by law. You can accept all cookies, use only necessary cookies, or manage analytics and advertising preferences through the cookie preferences control on the website.

11. Marketing Communications

We may send service-related emails that are necessary for account, billing, support, or legal reasons.

If we send optional marketing messages, you can unsubscribe at any time using the unsubscribe link or by contacting us.

12. Children’s Privacy

PivotDesk is not intended for children under 18, and we do not knowingly collect personal data from children.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted with a revised effective date.

14. Contact

Entity: Whimsy OÜ
Registration Number: 17495721
Privacy Email: [email protected]
Address: Jalgpalli tn 21, 11312, Tallinn, Estonia