Privacy and Cookies Policy

Last updated on 25 May 2019

We, Sihtasutus (a foundation) Citizen OS (COS), have prepared this privacy and cookies policy (the Policy) to inform you about our practices in connection with the collection, use and disclosure of the personal information you make available to us by visiting our website, located at and using our platform with tools and services we provide you (altogether Services). By using our Services, you accept the privacy practices described in this Policy. This Policy also applies to our marketing leads.

Our Policy is a legal statement that explains how we may collect information from you, how we may share your information, and how you can limit our sharing of your information. This Policy does not form a contract between an individual and COS. This Policy is incorporated into, and is subject to, the COS Terms of Use. This Policy applies only to information collected by our Services.

As we are a company registered in the Republic of Estonia, the processing of your personal data shall be governed by the laws of the Republic of Estonia.

Please take your time to read this Policy and contact us if you have any questions or feedback regarding our Policy. You have many rights that you can use to control your privacy and we respect those rights. We want to help you exercise your rights, so you will find details on how to do so below.

You will see terms in our Policy that are capitalized. These terms have meanings as described in the Definitions section below.


Which Personal Data we collect

Personal Data
While using our Services, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personal Data may include, but is not limited to, name, personal identification code, e-mail address, mobile phone number, municipality of residence as registered in the population register, opinions and comments, voting results, digital signatures, and the data that you enter by using the Services by virtue of the nature of the Services, when any such information is linked to information that identifies a specific individual.
You may provide us with Personal Data in various ways. For example, when you register for an account, use the Services or send us User service related requests.
We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.

Usage Data
We may also collect information on how the Services are accessed and used. This usage data may include information such as your preferences for the COS website and services, IP address, device, operating system, and browser data, browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

How we use collected Personal Data

Data protection principles
First and foremost, it is important for us to emphasize that we comply with all relevant data protection principles when processing Personal Data. These principles relate to:

Purposes and legal basis

We collect several different types of information for various purposes to provide and improve our Services to you. Our legal basis for collecting and using the personal information described in this Policy depends on the Personal Data we collect and the specific context in which we collect it.

COS may process your Personal Data because (a) we need to perform a contract with you; (b) you have given us your consent to do so; (c) the processing is in our legitimate interests and is not overridden by your rights; and/or (d) to comply with the law.

We use the collected data for various purposes:

We do not use your personal information to profile you and do not allow third parties to carry out personalized profiling of you.

Cookies and Tracking technologies

We use automatically collected information and other information collected on our Services through cookies and similar technologies to: (i) personalize our Services, such as remembering a User’s or Visitor’s information so that the User or Visitor will not have to re-enter it during a visit or on subsequent visits; (ii) provide customized advertisements, content, and information; (iii) monitor and analyze the effectiveness of Services and third-party marketing activities; (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any promotions or other activities on the Services. You can obtain more information about cookies by visiting

Some web browsers may give you the ability to enable a "do not track" feature that sends signals to the services you visit, indicating that you do not want your online activities tracked. This is different from blocking or deleting cookies, as browsers with a "do not track" feature enabled may still accept cookies. There is currently no industry standard for how companies should respond to "do not track" signals, although one may develop in the future. We do not respond to "do not track" signals at this time, but if we do so in the future, we will describe how in this Policy.
You can instruct your browser to block all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

Cookies we use:

How we may share Personal Data

Transfer of Personal Data
COS may share your personal data with COS API partners, all located in the European Union, for the purposes described above. The full list of API partners can be found here

Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. We will comply with GDPR requirements providing adequate protection for the transfer of Personal Data.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Your consent to this Policy followed by your submission of such information represents your agreement to that transfer.

Service Providers
We may employ third party companies and individuals to facilitate our Services, to provide services on our behalf, to perform related services or to assist us in analyzing how our Services are used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

The Services may contain features or links to websites and services provided by third parties. Any information you provide on third-party websites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through the Services. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through the Services. We encourage you to learn about third parties’ privacy and security policies before providing them with information.

Disclosure of Personal Data
Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). We also reserve the right to disclose Personal Data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Services and any facilities or equipment used to make the Services available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.

We will notify users of inquiries made by public authorities to the maximum extent permitted by law through our communication channels.

Rights of Users and Visitors

You, as an individual whose Personal Data is processed as described in this Policy, have a number of rights which are summarized in broad terms as laid down in the following list. Please note that exercising these rights is subject to certain requirements and conditions as set forth in applicable law.

If you wish to access Personal Data about you or exercise any of the rights listed below, please submit a request to us by using the contact details identified in the “Contact Us” section below.

Please note that we may ask you to verify your identity before responding to such requests.

Right to withdraw consent: if you have given your consent for any personal data processing activities as described in this Policy, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to withdrawal of the consent.
Right of access: you have the right to obtain confirmation as to whether or not your Personal Data is processed, and, if so, to request access to such personal data as well as other information about such processing that is also contained in this Policy.
Right to rectification: you have the right to have inaccurate personal data about you rectified or completed if it is incomplete.
Right to erasure ('right to be forgotten'): you have the right to request that we erase your Personal Data. If Personal Data is erased at your request, we will only retain such copies of the information as are necessary to protect our or third party legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered into with us.
Right to restriction of processing: you have the right to request from us that we limit the way we use your personal data.
Right to data portability: you have the right to receive the personal data you provided, in a structured, commonly used and machine-readable form and to transmit that data to another controller or to have it transmitted directly from us to another controller.
Right to object: you have the right to object, on grounds relating to your particular situation, at any time, to the processing of your Personal Data and we may have to stop processing your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).


We are committed to ensuring that your Personal Data is secure. In order to prevent accidental or unlawful destruction or accidental loss, misuse, unauthorized access, disclosure, alteration or destruction, and against any other unlawful form of processing of Personal Data as defined by applicable data protection laws, we have put in place – and required that any third-party service providers and/or processors processing personal data on our behalf and under our instructions put in place – appropriate and reasonable technical, organizational and physical measures to safeguard and secure the personal data we collect and process online or otherwise in the context of your use of the Services. This includes, for example, firewalls, password protection and other access and authentication controls.

However, please note that no electronic transmission or storage of information is 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you believe your Personal Data has been compromised, please contact us as set forth in the “Contact Us” section.

If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.

Although we may allow you to adjust your privacy settings to limit access to certain Personal Data, please be aware that no security measures are perfect or impenetrable. We are not responsible for circumvention of any privacy settings or security measures on the Services. Additionally, we cannot control the actions of other individuals with whom you may choose to share your information. Further, even after information posted on the Services is removed, caching and archiving services may have saved that information, and other users or third parties may have copied or stored the information available on the Services. We cannot and do not guarantee that information you post on or transmit to the Services will not be viewed by unauthorized persons.

How long we may keep Personal Data

Your personal data will not be kept for longer than necessary for the purposes identified herein, or as required to comply with our legal obligations under applicable law, resolve disputes, and enforce our legal agreements and policies. We only retain the Personal Data collected from a User for as long as the User's account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law.

We will retain data as follows:

Data Controller and Data Processor

This Policy does not apply to the Personal Data processed in the contents by our Users using the Services. In such case, the User acts as a Data Controller as regards such Personal Data and is responsible for the processing thereof. We process such Personal Data on behalf of the User and act as a Data Processor.

Contact Us

If you wish to exercise your rights and request the Personal Data we have on you or you have any questions about this Policy or any other question related to privacy at COS, please send us an e-mail to or

Change to this Policy

We may update our Policy from time to time. We will notify you of any changes by posting the new Policy on this page.

We will let you know via email and/or a prominent notice on our Services, prior to the change becoming effective and update the “last updated date” at the top of this Policy.

You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.