Privacy Policy

(pursuant to Article 13 of Regulation (EU) 2016/679 - GDPR)

Last updated: 8 April 2026

1. Data Controller

The Data Controller is:

Aldo Gustavo Malasomma
Kreutzwaldi 22-2
10147 Tallinn, Estonia
Email: support@toyb.space

The startup is not yet formally incorporated. Therefore, personal data are processed directly by the Data Controller as a natural person.

2. Categories of Personal Data Processed

Through the landing page, the following personal data are collected:

• Email address
• Consent information (waitlist consent, marketing consent if provided, confirmation of age 16+, timestamp of consent)
• Analytics data, only if you accept analytics cookies (for example page views, navigation events, browser and device information)

Pursuant to Article 4 GDPR, personal data means any information relating to an identified or identifiable natural person.

The following data are not collected:

• Special categories of data (Art. 9 GDPR)
• Data relating specifically to minors
• Profiling data
• Behavioral tracking data
• Analytics or advertising cookies before consent

3. Purpose of Processing

The email address is processed for the following purposes:

1. Registration on the product waitlist
2. Early access (beta / early access programs)
3. Communications regarding the development status of the project
4. If explicitly consented to, sending promotional communications and newsletters related to the launch of the product, including potential crowdfunding campaigns
5. Measuring site traffic and improving the site, only if analytics consent is given

Marketing communications are sent only to users who have provided separate and explicit consent.

4. Legal Basis for Processing

Processing is based on:

• Consent of the data subject (Art. 6(1)(a) GDPR)

Separate consent is collected for:

• Waitlist registration
• Marketing communications (if applicable)

Users must declare that they are at least 16 years old before submitting their email address, in accordance with Article 8 GDPR.

Consent may be withdrawn at any time by contacting support@toyb.space or by using the unsubscribe mechanism included in communications.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5. Nature of Data Provision

Providing an email address is voluntary.

Failure to provide it prevents registration to the waitlist and receipt of project-related communications.

Providing marketing consent is optional and does not affect waitlist registration.

6. Processing Methods and Security Measures

Data processing is carried out using electronic and telematic tools, in compliance with the principles set out in Article 5 GDPR (lawfulness, fairness, transparency, data minimization, integrity and confidentiality).

Appropriate technical and organizational measures are implemented pursuant to Article 32 GDPR, including:

• Encrypted data transmission (HTTPS/TLS)
• Access-restricted administrative environments
• Logical separation of marketing and waitlist consents
• Consent logging with timestamp

7. Data Storage and Infrastructure

Personal data are processed using the following service providers:

• Supabase - Database hosting and storage
• Resend - Transactional and marketing email delivery
• Google Analytics - Website traffic measurement, only after analytics consent

These providers act as Data Processors pursuant to Article 28 GDPR and process personal data solely on behalf of the Data Controller under contractual agreements compliant with GDPR requirements.

The consent banner stores your choice locally so the site can remember whether you accepted or rejected analytics. Google Analytics is loaded only after acceptance. No advertising pixel or automated profiling system is used.

8. Transfers Outside the European Economic Area

Some technical providers may process data outside the European Economic Area.

This may include Google Analytics if analytics consent is given. In that case, appropriate transfer safeguards apply where required.

Where applicable, transfers are carried out in compliance with Articles 44 et seq. GDPR through:

• European Commission adequacy decisions; or
• Standard Contractual Clauses (SCCs) approved by the European Commission

9. Data Retention Period

Personal data are retained until:

• Withdrawal of consent; or
• Termination of the project; or
• Incorporation of the company, at which time an updated privacy policy will be provided.
• Deletion of analytics data according to Google Analytics retention settings and consent status

Data are periodically reviewed to ensure they remain necessary for the stated purposes.

10. Data Subject Rights

Data subjects may exercise the rights provided under Articles 15-22 GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to withdraw consent

Data subjects also have the right to lodge a complaint with the competent supervisory authority.

For Estonia, this is:

• Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

11. Automated Decision-Making

No automated decision-making or profiling pursuant to Article 22 GDPR is carried out.