Privacy Policy
Effective date: April 5, 2026
1. Who we are
Built in Baltics ("we", "us", "our") operates the platform at builtinbaltics.com — a community hub for AI and tech builders in Estonia, Latvia, and Lithuania. We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).
Contact: info@builtinbaltics.com
2. Data we collect
2.1 Account data
When you create an account we collect:
- Email address and password (hashed; or OAuth token via Google / GitHub)
- Display name, country (EE / LV / LT), and professional role
2.2 Profile data
You may optionally provide:
- Bio, nationality, skills, avatar photo
- Social links (GitHub, LinkedIn, X / Twitter, website)
- Messaging handles (Telegram, Discord)
- Contact email and collaboration preferences
2.3 User-generated content
- Projects (title, description, images, tags, links)
- Discussions and replies
- Events (title, description, location, dates, cover image)
- Collaboration posts
- Comments on projects, events, and discussions
2.4 Behavioural data
- Votes / upvotes on projects, discussions, and replies
- Bookmarks (saved projects, discussions, events)
- Event RSVPs (going / interested)
- Connection requests and messages between users
2.5 Technical data
- Authentication cookies — Supabase session cookies (httpOnly, strictly necessary for login)
- Referral cookie — a ref_code cookie (30-day expiry) if you arrive via a referral link
- Anonymous page-view analytics — via Plausible Analytics, which is cookieless and does not collect personal identifiers
3. How we use your data
- Provide the service — display your profile, projects, and content to the community
- Authentication — manage sign-in sessions and account security
- Notifications — send you in-app and email notifications about activity on your content (stars, comments, replies, connection requests)
- Email communications — welcome email, unread notification digest, event reminders, and email change confirmations
- Referral tracking — credit referrals to the referring user
- Analytics — understand aggregate usage patterns (page views, popular content) via cookieless Plausible Analytics
- Moderation — review content for compliance with our Terms of Service
4. Legal basis for processing
- Contract performance — processing necessary to provide you with the platform (account, content hosting, connections)
- Legitimate interest — analytics, moderation, platform security, and referral attribution
- Consent — optional email notifications (digest, event reminders) which you can opt out of at any time in Settings
5. Who we share data with
We do not sell your personal data. We work with a small number of trusted service providers to run the platform:
- Supabase — database, authentication, and file storage (EU-hosted)
- Resend — email delivery
- Plausible — cookieless, privacy-first analytics
- Vercel — hosting
We may also disclose data if required by law or to protect the safety of our users.
6. Data retention
We retain your personal data for as long as your account is active. When you delete your account, all associated data — profile, content, images, connections, bookmarks, votes, and notifications — is permanently deleted via cascading database rules. Backup copies may persist for up to 30 days before being purged.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — update or correct your data via your dashboard Settings at any time
- Erasure — delete your account and all associated data from Settings > Delete Account
- Restriction — request that we limit processing of your data
- Portability — request your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — opt out of email notifications at any time in Settings
To exercise any of these rights, contact us at info@builtinbaltics.com. We will respond within 30 days.
8. Cookies
We use only strictly necessary cookies that are exempt from consent under the ePrivacy Directive:
- Supabase session cookies (sb-*) — maintain your authenticated session
- Referral cookie (ref_code) — stores a referral code for up to 30 days so it persists through sign-up
We do not use any advertising, tracking, or third-party cookies. Our analytics provider (Plausible) is entirely cookieless.
9. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth)
- All data is transmitted over HTTPS/TLS
- Row-level security (RLS) policies restrict database access to authorised users
- File storage uses per-user folder isolation with RLS
- Admin actions require verified admin role
10. International data transfers
Our primary infrastructure is hosted in the EU. Some service providers (Resend, Vercel) may process data in the United States under standard contractual clauses or equivalent safeguards compliant with GDPR Chapter V.
11. Children
Built in Baltics is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The "Effective date" at the top reflects the latest revision.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: info@builtinbaltics.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the Data State Inspectorate of Latvia, Estonian Data Protection Inspectorate, or Lithuanian State Data Protection Inspectorate).