Privacy and Cookies Policy

Last updated on 25 May 2019

We, Sihtasutus (a foundation) Citizen OS (COS), have prepared this privacy and cookies policy (the Policy) to inform you about our practices in connection with the collection, use and disclosure of the personal information you make available to us by visiting our website, located at and using our platform with tools and services we provide you (altogether Services). By using our Services, you accept the privacy practices described in this Policy. This Policy also applies to our marketing leads.

Our Policy is a legal statement that explains how we may collect information from you, how we may share your information, and how you can limit our sharing of your information. This Policy does not form a contract between an individual and COS. This Policy is incorporated into, and is subject to, the COS Terms of Use. This Policy applies only to information collected by our Services.

As we are a company registered in the Republic of Estonia, the processing of your personal data shall be governed by the laws of the Republic of Estonia.

Please take your time to read this Policy and contact us if you have any questions or feedback regarding our Policy. You have many rights that you can use to control your privacy and we respect those rights. We want to help you exercise your rights, so you will find details on how to do so below.

You will see terms in our Policy that are capitalized. These terms have meanings as described in the Definitions section below.


  • Public Area means the Services that can be accessed both by Users and Visitors, without needing to log in.
  • Restricted Area means the area of the Services that can be accessed only by Users, and where access requires logging in.
  • Visitor means an individual other than a User, who uses the Public Area and has no access to the Restricted Area. The Visitor corresponds to the Data Subject.
  • Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
  • Usage Data means automatically collected data either generated by the use of the Services or from the Services infrastructure itself (for example, the duration of a page visit).
  • Data Controller means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Policy, we are a Data Controller of your data.
  • Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
  • Data Subject means any living individual who is the subject of Personal Data.
  • User means an individual other than a Visitor, who has access to the Restricted Area. The User corresponds to the Data Subject.

Which Personal Data we collect

Personal Data

While using our Services, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personal Data may include, but is not limited to, name, personal identification code, e-mail address, mobile phone number, municipality of residence as registered in the population register, opinions and comments, voting results, digital signatures, and the data that you enter by using the Services by virtue of the nature of the Services, when any such information is linked to information that identifies a specific individual.
You may provide us with Personal Data in various ways. For example, when you register for an account, use the Services or send us User service related requests.
We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.

Usage Data
We may also collect information on how the Services are accessed and used. This Usage Data may include information such as your preferences for the COS website and services, IP address, device, operating system and browser data, browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

How we use collected Personal Data

Data protection principles
First and foremost, it is important for us to emphasize that we comply with all relevant data protection principles when processing Personal Data. These principles relate to:

  • Lawfulness, fairness and transparency – we process your Personal Data lawfully, fairly and in a transparent manner;
  • Purpose limitation – we only collect your Personal Data for a specific, explicit and legitimate purpose and only for as long as necessary to complete that purpose;
  • Data minimization – we ensure that the Personal Data we process is adequate, relevant and limited to what is necessary in relation to our processing purpose;
  • Accuracy – we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous information that relates to you, and we will do so within a month;
  • Storage limitation – we delete your Personal Data when we no longer need it;
  • Integrity and confidentiality – we keep your Personal Data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate and reasonable technical or organizational measures.

Purposes and legal basis

We collect several different types of information for various purposes to provide and improve our Services to you. Our legal basis for collecting and using the personal information described in this Policy depends on the Personal Data we collect and the specific context in which we collect it.

COS may process your Personal Data because (a) we need to perform a contract with you; (b) you have given us your consent to do so; (c) the processing is in our legitimate interests and it is not overridden by your rights; and/or (d) we need to comply with the law.

We use the collected data for various purposes:

  • to provide you with, maintain and enhance the best Services possible;
  • to notify you about changes to our Services;
  • to gather analysis or valuable information so that we can improve our Services;
  • to monitor the usage of our Services;
  • to create and manage a user account;
  • to provide User support;
  • for compilation of anonymous usage statistics;
  • to detect, prevent and address technical issues;
  • for legal requirements and supervisory authorities;
  • to answer your own queries;
  • to contact you for administrative purposes to address relevant issues related to you.

We do not use your personal information to profile you and do not allow third parties to carry out personalized profiling of you.

Cookies and Tracking technologies

We use automatically collected information and other information collected on our Services through cookies and similar technologies to: (i) personalize our Services, such as remembering a User’s or Visitor’s information so that the User or Visitor will not have to re-enter it during a visit or on subsequent visits; (ii) provide customized advertisements, content, and information; (iii) monitor and analyze the effectiveness of Services and third-party marketing activities; (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any promotions or other activities on the Services. You can obtain more information about cookies by visiting

Some web browsers may give you the ability to enable a “do not track” feature that sends signals to the services you visit, indicating that you do not want your online activities tracked. This is different than blocking or deleting cookies, as browsers with a “do not track” feature enabled may still accept cookies. There is currently no industry standard for how companies should respond to “do not track” signals, although one may develop in the future. We do not respond to “do not track” signals at this time, but if we do so in the future, we will describe how in this Policy.
You can instruct your browser to block all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

Cookies we use:

  • Authentication cookies to tell us when you're logged in, so we can show you the appropriate experience and features, such as your account information and the ability to edit your account settings.
  • Security and site integrity cookies to support or enable security features to help keep COS safe and secure. For example, they enable us to remember when you are logged into a secure area of the Service and help protect your account from being accessed by anyone other than you.
  • Localization cookies to help us provide a localized experience. For example, we may store information in a cookie that is placed on your browser or device so you will see the site in your preferred language.
  • Site features and service cookies to provide functionality that helps us deliver products and Service. For example, cookies help you log in by pre-filling fields. We may also use cookies and similar technologies to help us provide you and others with social plugins and other customized content and experiences, such as making suggestions to you and others.
  • Analytics and research cookies to understand, improve, and research products and Service, including when you access the Service and related Services and apps from a computer or mobile device.

How we may share Personal Data

Transfer of Personal Data
COS may share your personal data with COS API partners, all located in the European Union, for the purposes described above.

Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. We will comply with GDPR requirements providing adequate protection for the transfer of Personal Data.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Your consent to this Policy followed by your submission of such information represents your agreement to that transfer.

Service Providers
We may employ third party companies and individuals to facilitate our Services, to provide services on our behalf, to perform related services or to assist us in analyzing how our Services are used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

The Services may contain features or links to websites and services provided by third parties. Any information you provide on third-party websites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through the Services. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through the Services. We encourage you to learn about third parties’ privacy and security policies before providing them with information.

Disclosure of Personal Data
Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). We also reserve the right to disclose Personal Data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Services and any facilities or equipment used to make the Services available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.

We will notify users of inquiries made by public authorities to the maximum extent permitted by law through our communication channels.

Rights of Users and Visitors

You, as an individual whose Personal Data is processed as described in this Policy, have a number of rights, which are summarized in broad terms in the following list. Please note that exercising these rights is subject to certain requirements and conditions as set forth in applicable law.

If you wish to access Personal Data about you or exercise any of the rights listed below, please submit a request to us, by using the contact details identified in the “Contact us” section below.

Please note that we may ask you to verify your identity before responding to such requests.

  • Right to withdraw consent: if you have given your consent for any personal data processing activities as described in this Policy, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to withdrawal of the consent.
  • Right of access: you have the right to obtain confirmation as to whether or not your Personal Data is processed, and, if so, to request access to such personal data as well as other information about such processing that is also contained in this Policy.
  • Right to rectification: you have the right to have inaccurate personal data about you rectified or completed if it is incomplete.
  • Right to erasure (‘right to be forgotten’): you have the right to request that we erase your Personal Data. If Personal Data is erased at your request, we will only retain such copies of the information as are necessary to protect our or third party legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered into with us.
  • Right to restriction of processing: you have the right to request from us that we limit the way we use your personal data.
  • Right to data portability: you have the right to receive the personal data you provided, in a structured, commonly used and machine-readable form and to transmit that data to another controller or to have it transmitted directly from us to another controller.
  • Right to object: you have the right to object, on grounds relating to your particular situation, at any time, to the processing of your Personal Data and we may have to stop processing your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).


We are committed to ensuring that your Personal Data is secure. In order to prevent accidental or unlawful destruction or accidental loss, misuse, unauthorized access, disclosure, alteration or destruction, and against any other unlawful form of processing of Personal Data as defined by applicable data protection laws, we have put in place – and required that any third-party service providers and/or processors processing personal data on our behalf and under our instructions put in place – appropriate and reasonable technical, organizational and physical measures to safeguard and secure the personal data we collect and process online or otherwise in the context of your use of the Services. This includes, for example, firewalls, password protection and other access and authentication controls.

However, please note that no electronic transmission or storage of information is 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you believe your Personal Data has been compromised, please contact us as set forth in the “Contact Us” section.

If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.

Although we may allow you to adjust your privacy settings to limit access to certain Personal Data, please be aware that no security measures are perfect or impenetrable. We are not responsible for circumvention of any privacy settings or security measures on the Services. Additionally, we cannot control the actions of other individuals with whom you may choose to share your information. Further, even after information posted on the Services is removed, caching and archiving services may have saved that information, and other users or third parties may have copied or stored the information available on the Services. We cannot and do not guarantee that information you post on or transmit to the Services will not be viewed by unauthorized persons.

How long we may keep Personal Data

Your personal data will not be kept for longer than necessary for the purposes identified herein, or as required to comply with our legal obligations under applicable law, resolve disputes, and enforce our legal agreements and policies. We only retain the Personal Data collected from a User for as long as the User's account is active or for a limited period of time, as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law.

We will retain data as follows:

  • the contents of closed accounts are deleted within 3 months of the date of closure;
  • backups are kept for 3 months;
  • IP addresses are kept for 3 months.

Data Controller and Data Processor

This Policy does not apply to the Personal Data processed in the contents by our Users using the Services. In such case, the User acts as a Data Controller as regards such Personal Data and is responsible for the processing thereof. We process such Personal Data on behalf of the User and act as a Data Processor.

Contact Us

If you wish to exercise your rights and request the Personal Data we have on you or you have any questions about this Policy or any other question related to privacy at COS, please send us an e-mail to or

Change to this Policy

We may update our Policy from time to time. We will notify you of any changes by posting the new Policy on this page.

We will let you know via email and/or a prominent notice on our Services, prior to the change becoming effective and update the “last updated date” at the top of this Policy.

You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.
