How we handle your data.
Who we are
This site is operated by Evercraft OÜ, an Estonian limited company (registry number 17244344), with its registered office at Liikuri 42-55, 13618 Tallinn, Estonia. We are the data controller for the personal data described here.
Privacy contact: hello@evercraft.ee
Scope
This policy applies to data we collect when you visit evercraft.ee or submit a form on this site. It does not cover the third-party platforms our shops sell on (e.g., Etsy) — those have their own privacy policies.
What we collect
Two streams of data:
- Form submissions — what you give us via forms:
  - Contact form — name, email, subject, message.
  - Designer intake — name, email, portfolio URL, optional social URL, short pitch.
  - Direct email — whatever you choose to send.
- Analytics & marketing data — anonymized site-usage data (page views, traffic sources, anonymized IP, device type) and audience-measurement signals via third-party providers (Google Analytics, Microsoft Clarity, LinkedIn Insight Tag, Meta Pixel). These are set only after you accept the relevant category in the cookie banner. See Cookie Policy for the full inventory.
Fields marked optional in any form may be left blank. Fields marked required are needed for us to respond — if you choose not to provide them, we cannot follow up on your request, but no other consequence follows.
Why we use it
Only for the purpose you provided it:
- To respond to your inquiry, evaluate a designer collaboration, or process press / partnership requests.
- To keep records of correspondence as needed for legitimate follow-up.
- To meet legal obligations.
The lawful basis is your consent (when you submit a form), our legitimate interest in responding (when you write to us directly), or a legal obligation (when the law requires it). Where we rely on legitimate interests, we have weighed your privacy rights against our need to respond to ordinary correspondence and concluded that standard reply-to-an-email processing does not unreasonably impact your rights. You may object at any time using the contact details below.
Where it's stored
Form submissions are stored in EU-region infrastructure (Frankfurt) via Neon. Transactional email is sent through Brevo, an EU-resident provider (France). DNS, edge routing, and hosting run on Cloudflare and Vercel. Of these, Vercel and Cloudflare may process data in the United States — we rely on the EU–US Data Privacy Framework and the European Commission's Standard Contractual Clauses for those transfers.
Where you accept analytics or marketing cookies, the relevant providers (Google, Microsoft, LinkedIn, Meta) operate globally and may transfer data outside the EEA under the same DPF / SCC mechanisms. Their own privacy notices, linked in our Cookie Policy, describe their transfer arrangements in detail.
How long
- Designer applications — up to 24 months, then deleted unless an active engagement begins.
- Contact / press / partnership inquiries — up to 6 months unless an ongoing thread is active.
Who we share with
We do not sell or rent your personal data. We share it with a small set of vendors needed to run the site, host data, and measure how it's used:
- Infrastructure (always active): Vercel (hosting), Neon (database), Brevo (transactional email), Cloudflare (DNS / edge).
- Analytics & marketing (only after you accept the relevant consent): Google Analytics, Microsoft Clarity, LinkedIn Insight Tag, Meta Pixel (Facebook / Instagram).
These vendors are bound by written data-processing terms. Some of them transfer data to the United States under recognized transfer mechanisms (the EU–U.S. Data Privacy Framework or Standard Contractual Clauses). We may also disclose data when required by law.
Your rights
Depending on where you live, you may have some or all of the following:
- Access — confirmation of whether we hold data about you, and a copy.
- Rectification — correction of inaccurate data.
- Erasure — deletion when the legal basis no longer applies.
- Restriction — limiting how we process your data.
- Portability — a machine-readable copy of data you provided.
- Objection — to processing based on legitimate interests.
- Withdrawal of consent — at any time, where processing is consent-based.
- No automated decision-making — we don't use automated decisions or profiling.
The exact rights you have depend on where you live. EU residents have the full set above under GDPR and Estonian law. Residents of California (and other US states with equivalent laws), Japan (APPI), and Brazil (LGPD) have similar rights — to know what we hold, to ask for deletion, and to opt out of "sale" or "sharing" of data. Evercraft does not sell or share personal data as those terms are commonly defined.
How to exercise your rights
Email hello@evercraft.ee with "Data Subject Request" in the subject line. We respond within 30 days.
You may also lodge a complaint with the supervisory authority in your country. In Estonia, that's the Estonian Data Protection Inspectorate.
Jurisdiction-specific information
The body of this notice describes our practices under the EU GDPR — the framework we treat as our default. Specific jurisdictions add or restate rights as follows.
California residents (CCPA / CPRA)
- Categories of personal information we collect: identifiers (name, email), commercial information you choose to submit (portfolio links, pitches), internet activity (page views and traffic sources via analytics, when consented). We do not collect sensitive personal information as defined by CPRA (e.g., government IDs, financial-account numbers, geolocation, race/religion/health data).
- Sources: directly from you (forms, email) and from our cookie / analytics providers when you have accepted those categories.
- Business purposes: responding to inquiries, evaluating designer collaborations, audience measurement (when consented).
- "Do Not Sell or Share My Personal Information": we do not sell personal information for money. We do "share" personal information in the CPRA sense — cross-context behavioral advertising via Meta Pixel and similar measurement tags — but only when you have accepted the Marketing cookie category. You can opt out at any time by clicking Cookie settings in the footer and unchecking Marketing, or by clicking Reject non-essential in the cookie banner.
- Right to limit use of sensitive personal information: not applicable — we do not collect sensitive PI.
- Right to non-discrimination: we will not deny services, charge different prices, or provide a lower quality of service because you exercised any CCPA / CPRA right.
- How to exercise your rights: email hello@evercraft.ee. We may ask for information that helps us verify your identity (typically by confirming the email address used to contact us).
Japanese residents (APPI)
Personal data of Japanese residents is processed by Evercraft OÜ, the business operator named at the top of this notice, for the purposes described in Why we use it. You may request disclosure, correction, suspension of use, or deletion of your personal information by emailing hello@evercraft.ee. Where data is transferred outside Japan, we rely on the recipient's compliance with equivalent personal-data protection standards.
Brazilian residents (LGPD)
Evercraft OÜ acts as the controller (controlador) of personal data submitted by Brazilian residents. The contact for personal-data matters is hello@evercraft.ee. Brazilian residents have rights of access, correction, anonymization, deletion, portability, and information about the entities with which we share data — exercise any of them by writing to that address. International transfers occur under mechanisms recognized by the ANPD (typically standard contractual clauses or equivalent safeguards in the destination jurisdiction).
Security
We serve all pages over HTTPS, encrypt form submissions at rest, and apply rate limiting and bot challenges on form endpoints. If a personal-data breach affects you, we will notify you and the relevant authorities promptly — within 72 hours where required.
Children
This site is not directed at children under 16 and we don't knowingly collect data from anyone under that age. Estonian law (Personal Data Protection Act §8) sets the digital age of consent at 13; our 16-year self-imposed standard is stricter. If you believe a child has submitted data, email hello@evercraft.ee and we'll delete it.
Changes
We may update this notice when our practices change or when law requires it. The "Last updated" date at the top reflects the current version.
This policy is drafted to align with EU GDPR, US state privacy laws, APPI, and LGPD. Final wording is pending review by Estonian counsel before launch.