Privacy Policy
Effective date: 10.6.2026 Last updated: 10.6.2026
This Privacy Policy explains how GettingData OÜ ("Funktio", "we", "us", or "our") collects, uses, and shares personal data when you use Software Factory (the "Service"), our AI-assisted service for designing and building custom software, and when you visit our marketing website at funktio.ai.
We are the controller of the personal data described in this Policy. Where you provide us with personal data about other people (for example, within materials or data you upload), you are the controller of that data and we act as your processor under the terms described in Section 11.
1. Who we are & how to contact us
| Controller | GettingData OÜ, Estonian registry code 16805326, Lõõtsa tn 2a, Lasnamäe linnaosa, 11415 Tallinn, Harju maakond, Estonia |
| Contact | johannes@funktio.ai |
| Supervisory authority | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). You may also contact your local data protection authority. |
2. Personal data we collect
We collect the following categories of personal data:
- Contact and identity information — such as your name, email address, and company name.
- Project information — the descriptions, requirements, specifications, and other information you provide when defining your project, including your conversations with our scoping assistant.
- Materials you upload — files and content you provide to support your project, such as documents, data files, and brand or design assets. These may contain personal data about you or others.
- Communications — the content of emails and other messages you exchange with us.
- Payment information — details necessary to process payments, handled by our payment processor as described in Section 5. We do not receive or store your full payment-card number.
- Usage and technical information — information generated automatically when you use the Service, such as log data, device and connection information, and identifiers needed to operate, secure, and troubleshoot the Service.
- Analytics and advertising-measurement data — where you consent (see Section 8), we collect product-analytics events (such as pages viewed and features used) and advertising-measurement identifiers (such as the Google Ads click identifier, "gclid", and campaign parameters) so we can understand how our website and marketing perform and improve them. When you place an order, we also send a hashed (irreversible) version of your email address to Google to help match the conversion to your ad click ("enhanced conversions").
We do not intentionally collect special categories of personal data (such as health, biometric, racial or ethnic, political, religious, or sexual-orientation data). Please do not include such data in the materials you provide unless we have agreed appropriate safeguards in advance.
3. How we use personal data and our legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| To provide the Service — operate the scoping assistant, build, deploy, revise, and deliver your application, and host it during the agreed period | Performance of a contract (Art. 6(1)(b)) |
| To communicate with you about your project and account | Performance of a contract (Art. 6(1)(b)) |
| To process payments and prevent fraud | Performance of a contract and legitimate interests (Art. 6(1)(b), (f)) |
| To operate, secure, maintain, and improve the Service | Legitimate interests (Art. 6(1)(f)) |
| To measure how our website and advertising perform through product analytics and advertising-measurement technologies | Consent (Art. 6(1)(a)), which you can withdraw at any time |
| To comply with our legal obligations (e.g. tax and accounting) | Legal obligation (Art. 6(1)(c)) |
| To establish, exercise, or defend legal claims | Legitimate interests (Art. 6(1)(f)) |
We do not sell your personal data, and we do not use your data to train our own or third parties' AI models.
4. Artificial intelligence and your data
Providing the Service necessarily involves sending your project information and uploaded materials to third-party AI providers that generate and build your application on our behalf. These providers act as our sub-processors (see Section 6), process the data only to provide their services to us, and do not use it to train their models by default. We rely on this processing being necessary to perform our contract with you (Art. 6(1)(b) GDPR).
5. Payments
We use a third-party payment processor (Stripe) to handle payments. When you pay, you provide your payment details directly to Stripe, and Stripe processes them under its own privacy notice (https://stripe.com/privacy). We receive confirmation of payment and limited transaction details (such as amount, currency, status, and the email address used), but not your full card number.
6. Sub-processors and service providers
We share personal data with trusted service providers who process it on our behalf to deliver the Service. Each is bound by contractual data-protection obligations. The current list is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | United Kingdom |
| Anthropic, PBC | AI model used to scope and build applications | United States |
| Anysphere, Inc. (Cursor) | AI coding agents used to build and deploy applications | United States |
| Stripe | Payment processing | Ireland / global |
| Google LLC | Email delivery and receipt | Global |
| Google Cloud Platform | Cloud infrastructure for builds and deployments | European Union |
| Railway Corp. | Application (Service) hosting | United States |
| Vercel, Inc. | Marketing-site hosting and privacy-friendly, cookieless site analytics | United States / global |
| PostHog, Inc. | Product analytics for our website and Service | European Union (EU Cloud) |
| Google LLC (Google Ads) | Advertising-measurement and conversion reporting (we import conversions to Google Ads, including a hashed email address for enhanced conversions; see Section 8) | United States |
| GitHub, Inc. | Source-code hosting and delivery | United States |
| Braintrust Data, Inc. | LLM observability and quality evaluation for the AI that scopes and builds applications | United States |
We will provide notice of changes to this list by updating this page at least 14 days before a new sub-processor begins processing your data.
7. International transfers
Some of our sub-processors are located outside the European Economic Area and United Kingdom, including in the United States. Our product analytics (PostHog) are processed within the European Union, so they do not involve an international transfer. Advertising-measurement data we import to Google Ads, and data processed by our other US-based sub-processors, may be transferred to the United States. Where we transfer personal data internationally, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable. You may request a copy of the relevant safeguards by emailing johannes@funktio.ai.
8. Cookies and similar technologies
Our websites use cookies and similar technologies, which we group as follows:
- Strictly necessary — required to provide the Service, keep you signed in, and maintain the security of your session. These are always active and do not require consent.
- Analytics — we use PostHog (EU Cloud) to understand how our website and Service are used, such as which pages are viewed and which features are used, so we can improve them. This sets a first-party cookie that is shared across our domains (funktio.ai and its subdomains) to recognise the same visit as you move between our marketing site and the Service.
- Advertising measurement — when you arrive from one of our ads, we store advertising identifiers (such as the Google Ads click identifier, "gclid", and campaign parameters) in a first-party cookie and associate them with any resulting order, so we can measure which campaigns lead to sign-ups. We then import these conversion events to Google Ads. To improve the accuracy of this matching, we use Google's enhanced conversions: when you place an order, we send Google a hashed (irreversible) version of your email address, which Google uses only to match the conversion to your ad click. We do not place third-party advertising or remarketing tags on our site, and we do not use cookies to build advertising profiles of you across other websites.
Your consent and how to control it. Analytics and advertising-measurement technologies (including enhanced conversions) are used only if you opt in through the cookie banner we present before any such cookie is placed. You may accept or reject them, and rejecting does not affect your ability to use our website or the Service. You can change or withdraw your choice at any time using the "Cookie preferences" link in our website footer. We rely on your consent (Art. 6(1)(a) GDPR and applicable ePrivacy rules) for these technologies; strictly necessary cookies do not require consent.
9. Data retention
We keep personal data only as long as necessary for the purposes described in this Policy, after which we delete or anonymise it.
| Data | Retention period |
|---|---|
| Abandoned scoping sessions (anonymous, no order placed) | Deleted automatically after 30 days |
| Scoping sessions from signed-in users that do not result in an order | 12 months after last activity |
| Order, project, and communication records | Duration of the engagement plus 24 months after final delivery |
| Payment, invoicing, and tax records | 7 years (as required by Estonian accounting law) |
| Operational and security logs | 90 days |
| Product-analytics events (PostHog) | 12 months |
| Advertising-measurement identifiers (gclid / campaign parameters stored with an order) | Retained with the order record; deleted when that record is deleted |
| Backups | Rolling; superseded backups deleted within 30 days |
We may retain data longer where required by law or where necessary to establish, exercise, or defend legal claims.
10. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority.
To withdraw consent for analytics and advertising-measurement cookies specifically, use the "Cookie preferences" link in our website footer (see Section 8). To exercise any other right, email johannes@funktio.ai. We will respond within the time required by applicable law (under GDPR, normally within one month).
If you are a California resident, you have the rights to know, delete, and correct your personal information, and to opt out of its "sale" or "sharing." We do not sell or share personal information for cross-context behavioural advertising, and we will not discriminate against you for exercising your rights.
11. When we act as your processor
Where the materials or data you provide contain personal data about other individuals (for example, your own customers or employees), you remain the controller of that data and we process it only on your instructions to provide the Service. These obligations are set out in our Data Processing Addendum (DPA), which is incorporated into our Terms of Service. By providing such data, you confirm you have a lawful basis to share it with us.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, isolation of customer environments, and audit logging. No system is completely secure; if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the relevant authority and affected individuals as required by law.
13. Children
The Service is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date reflects the latest revision. For material changes, we will provide notice as required by law before they take effect.
15. Contact
GettingData OÜ (Estonian registry code 16805326) Lõõtsa tn 2a, Lasnamäe linnaosa, 11415 Tallinn, Harju maakond, Estonia Contact: johannes@funktio.ai