The data is yours. We process only what we need.

Apointoo is a product operated by Vizuh OÜ, a private limited company (osaühing) registered in Estonia under registry code 16587160, with its registered office at Sakala tn 7-2, Tallinn 10141, Estonia. Vizuh OÜ is the controller of personal data covered by this policy.

Data Protection Contact: hugo@vizuh.com. Vizuh OÜ has not appointed a formal Data Protection Officer under GDPR Art. 37 because the volume and nature of personal data processed do not meet the thresholds requiring designation.

Apointoo is offered to businesses only and is not directed to individual consumers. Vizuh OÜ does not appoint a UK Article 27 representative under UK GDPR because services are not offered to UK individual data subjects in their personal capacity. UK business users may contact the controller directly at the address above.

Apointoo collects two sets of personal data. The first is what you send us directly via the access-request form on the home page:

• Email address.
• Phone number.
• Site or product URL you intend to track.
• Approximate number of clients or products.

The second is the attribution signal your browser stores in sessionStorage during your visit and attaches to the form on submit: click identifiers (gclid, fbclid, msclkid, gbraid, wbraid), UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), the page URL of submission, and the referrer.

We do not collect payment card numbers or government ID via the marketing site. The Apointoo dashboard (dash.apointoo.com) handles additional data — covered by the dashboard’s own policy.

We process the data above on the following legal bases and for the following purposes:

• Pre-contractual steps (GDPR Art. 6.1.b / UK GDPR Art. 6.1.b / LGPD Art. 7º.V): to review your access request and reply with a decision.
• Legitimate interest (GDPR Art. 6.1.f / UK GDPR Art. 6.1.f / LGPD Art. 7º.IX): to understand which marketing campaign brought your request, size operations, and prevent form abuse.
• Consent (GDPR Art. 6.1.a / UK GDPR Art. 6.1.a / LGPD Art. 7º.I): for the analytics and advertising cookies set via Google Tag Manager, described in the Cookies policy.

Form submissions flow to the Apointoo operational dashboard (dash.apointoo.com), which is the source of truth for tracking the request. The dashboard is operated by the same Vizuh team.

Processors acting on our behalf:

• Vercel Inc. — hosting the marketing site.
• Google LLC — Google Tag Manager, Google Ads, and Google Analytics 4 (subject to your consent; see the Cookies policy).
• Brevo (with Mailchimp on some workflows) — provider that delivers operational notification of the request to the team.

We do not sell, rent, or transfer personal data to third parties for marketing purposes.

Hosting and processing may take place outside your country, subject to Standard Contractual Clauses of the European Commission, the UK International Data Transfer Agreement, and equivalent mechanisms under the LGPD. Applicable jurisdiction is Estonia.

Access requests and the attribution data attached to them are retained for up to 24 months after the last interaction. That period covers auditing of campaign attribution and disputing refunds with ad platforms.

After that, data is deleted or irreversibly anonymized, unless a longer retention period is required by law.

You can exercise the rights granted by GDPR Arts. 15-22, UK GDPR Arts. 15-22, and LGPD Art. 18 at any time:

• Confirmation of processing and access to your data.
• Rectification of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or erasure of unnecessary or unlawfully processed data.
• Portability to another provider.
• Erasure of data processed on the basis of consent.
• Information about public and private entities with which we share data.
• Withdrawal of consent at any time.
• Lodging a complaint with the lead supervisory authority — the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI) — or with your local national authority (ICO in the UK; your member-state DPA in the EU; ANPD in Brazil).

To exercise any right, write to the DPO at hugo@vizuh.com. We reply within 15 business days.

Data in transit is protected by TLS 1.2 or higher. Sensitive keys and secrets are kept out of the client bundle. Access to the operational dashboard is gated by tenant key and audited. Security incidents affecting personal data are reported to the competent authorities and to data subjects as required by applicable law.

This policy may change to reflect new features, regulatory requirements, or supervisory authority guidance. The version in force always shows the last-updated date at the top. Material changes are communicated by email to active data subjects with at least 30 days’ notice.