Privacy Policy
Last updated: 26 March 2026
1. Data Controller
GIJA HUB MB
Polocko g. 4B-20, Vilnius, Lithuania
Company code: 306627690
Email: agne@gijahub.com
If you have questions about how we process your personal data, contact us at the address above.
2. What personal data do we collect?
We collect only the minimum data required to deliver the service:
- Email address — used for login, job status notifications, and newsletter (if you have subscribed).
- Password — stored exclusively as a cryptographic hash. We cannot see your password.
- IP address and session data — logged for security purposes (see section 5).
- Payment reference — we receive a payment ID from Stripe. We do not store card numbers or other payment details directly.
- Drone images — your uploaded ZIP files and results are stored securely on 100% European, GDPR-compliant servers for 1 year, after which they are deleted automatically. You can ask us to delete them sooner by contacting us.
We do not collect your name, address, phone number, or other identifying information beyond your email.
3. Website visits and analytics
We use Umami Cloud for anonymous, cookieless website analytics. Umami collects no personal data and sets no cookies. The data collected (page views, clicks, navigation patterns) is aggregated and cannot identify individuals. Because this data is anonymous and does not constitute personal data, GDPR does not apply to the analytics data itself.
We use no advertising cookies, tracking pixels, or fingerprinting.
4. Cookies
We set a single session cookie to keep you logged in. The cookie contains no personal information and is deleted when you log out or close your browser.
No third-party cookies, advertising cookies, or tracking cookies are set.
5. Legal basis and purposes of processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and managing a user account | Performance of contract (Art. 6(1)(b)) |
| Delivering the drone data processing service | Performance of contract (Art. 6(1)(b)) |
| Payment processing via Stripe | Performance of contract (Art. 6(1)(b)) |
| Security logging (IP addresses, sessions) | Legitimate interest (Art. 6(1)(f)) |
| Anonymous website analytics (Umami) | Legitimate interest (Art. 6(1)(f)) — no personal data involved |
| Newsletter | Consent (Art. 6(1)(a)) — requires explicit opt-in |
6. Retention periods
| Data type | Retention period |
|---|---|
| Account data (email, hashed password) | Until account deletion |
| Security logs (IP addresses, sessions, events) | 90 days |
| Payment records | As required by applicable financial regulations (typically 5 years) |
| Drone images and results (EU cloud) | 1 year, then deleted automatically — or sooner on request |
Result files are delivered via a publicly accessible share link (see Terms of Service). The link is protected solely by the URL token — it is not password-protected. You are responsible for protecting the confidentiality of this link.
7. Sub-processors
We use the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | S3 object storage and cloud VMs for drone imagery processing | Helsinki, Finland (EU) |
| Hetzner Storage Share | Orthophoto delivery to clients | EU |
| Stripe Payments Europe Ltd | Payment processing | EU |
| Brevo | Transactional emails (status notifications) | France (EU) |
| Umami Software Inc. | Anonymous, cookieless website analytics | USA |
| Cap (self-hosted) | CAPTCHA protection against automated attacks | Our EU infrastructure |
Umami Cloud is operated by Umami Software Inc. (USA). Because the analytics data transferred is anonymous and does not constitute personal data, this does not represent an international transfer of personal data under GDPR.
8. International transfers
Except for the anonymous analytics data sent to Umami Cloud, all your personal data and drone imagery is processed on EU-based servers (Hetzner, Helsinki, Finland).
9. Your rights
Under GDPR you have the following rights:
- Access — the right to see what data we hold about you
- Rectification — the right to have inaccurate data corrected
- Erasure — the right to have your data deleted ("right to be forgotten")
- Restriction — the right to restrict processing in certain circumstances
- Data portability — the right to receive your data in a machine-readable format
- Objection — the right to object to processing based on legitimate interest
To exercise your rights, including requesting account deletion, contact us at agne@gijahub.com. We will respond within 30 days.
10. Automated decision-making and profiling
We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects for you.
11. Right to lodge a complaint
If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with the Lithuanian supervisory authority:
Valstybinė duomenų apsaugos inspekcija (VDAI)
L. Sapiegos g. 17, Vilnius, Lithuania
12. Changes to this policy
We may update this privacy policy if our practices change. We will notify you by email for any material changes.