Privacy policy

This Policy was last updated on: December 22, 2025

1. Introduction

Welcome to LegitGrails OÜ (“LegitGrails,” “we,” “us,” or “our”).

We respect your privacy and are committed to protecting your personal data. This Privacy Policy (“Policy”) explains how we collect, use, store, share, and protect information about you when you interact with our websites, mobile applications, or related services (together, the “Services”).

Our aim is to be transparent about what data we handle and why, and to help you understand your rights and choices. Please take a moment to read this Privacy Policy carefully so you know how we process your personal data and how you can contact us if you have any questions.

Where we rely on your consent—for example, for marketing communications or optional analytics—we will always ask for it clearly and give you an easy way to withdraw it at any time.

If you have any questions about this Policy or how we handle your data, you can reach us at: support@legitgrails.com 

2. Who We Are

LegitGrails OÜ is a company registered in Estonia. We provide independent authentication of branded goods, educational courses on authentication, and API-based authentication services for business clients. 

Company Name: LegitGrails OÜ
Address: Ahtri 12, 10151 Tallinn, Estonia
Email: support@legitgrails.com 

When you use our websites, apps, or related services, LegitGrails acts as the data controller — meaning we determine how and why your personal data is processed. In some cases, we work with trusted third-party service providers (for example, for hosting, analytics, or payments). These providers act as data processors under our instructions and are bound by data protection agreements to keep your information secure.

LegitGrails operates completely independently and is not affiliated with, sponsored by, or endorsed by any of the brands we authenticate or reference in our materials.

3. Scope of This Policy

This Privacy Policy explains how we handle personal data when you interact with LegitGrails through any of our websites, mobile applications, or related digital services (together, the “Services”).

For example, this Privacy Policy applies when you a) visit or browse our websites, including legitgrails.com, account.legitgrails.com, or any connected pages; b) purchase authentication services, enroll in educational courses, or use our API-based services as a business client; c) communicate with us by email, chat, or through customer support; d) interact with our marketing, social media, or advertising content.

This Policy covers personal data that we collect directly from you or through third-party integrations we use to deliver our Services. It does not apply to anonymized or aggregated data that can no longer identify you. If you access third-party websites, apps, or platforms through our Services (for example, by clicking external links or viewing embedded content), those services are governed by their own privacy policies, and we are not responsible for how they handle your data.

4. Definitions 

In this Privacy Policy, the following terms have the meanings set out below:

  • Personal data – any information that identifies, relates to, or can reasonably be used to identify a person, either directly or indirectly. Examples include your name, email address, billing details. 

  • Processing – any operation performed on personal data, whether automated or not. This includes collecting, recording, organizing, storing, altering, using, disclosing, transmitting, or deleting personal data. 

  • Data subject – the natural person to whom the personal data relates (for example, a customer, website visitor, or course participant). 

  • Controller – the person or organization that determines the purposes and means of processing personal data. For all data collected through LegitGrails’ Services, the controller is LegitGrails OÜ.

  • Processor – a third party that processes personal data on behalf of the controller, following its documented instructions and under a binding data processing agreement. 

  • Services – all websites, mobile applications, online platforms, APIs, and related tools operated or managed by LegitGrails, including authentication services, educational courses, and API integrations. 

  • Cookies and similar technologies – small files or tracking technologies stored on your device (e.g., browser cookies, pixels, or tags) that help us operate the website, remember preferences, measure usage, or personalize content and advertising. 

  • Supervisory authority – an independent public authority responsible for monitoring the application of data protection law (for example, the Estonian Data Protection Inspectorate or another EU authority, depending on your location). 

  • Applicable law – all laws and regulations governing data protection and privacy that apply to LegitGrails’ operations, including the EU General Data Protection Regulation (GDPR) and national implementations thereof.

5. What Data We Collect

We collect different types of personal data depending on how you use our Services. This includes information you share with us directly, data we collect automatically when you use our websites or apps, and data we receive from trusted third parties that help us run our business.

5.1 Information you provide to us

We collect the information you share with us when you create an account, place an order, take a course, or contact us for support. This may include:   

  • Account details – your name, email address, and password (stored securely, never in plain text). 

  • Billing and contact information – your billing address, company name and VAT number (if applicable), and other details needed to complete your order. 

  • Authentication data – photos and descriptions of items you submit for authentication. All photos are processed securely and stripped of embedded metadata (such as EXIF data, which can contain location and device details). Authentication photos may occasionally contain incidental personal data (e.g., a hand or the background of the shot). These are processed only for the purpose of delivering the service.

  • Educational data – details about your course enrollment, quiz results, and certificates issued after completion. 

  • Payment information – limited payment details such as the payment method, card brand, last four digits, and billing country or address. We never store full card numbers or CVC codes — payments are handled securely by our providers (e.g., Stripe and Shopify). 

  • Communications – emails, chat messages, or support tickets you send us. 

  • Marketing preferences – your choices about receiving newsletters, offers, or updates.

5.2 Information we collect automatically

When you visit our websites or use our apps, we automatically collect certain data to help us keep the platform secure, improve performance, and understand how people use our Services. This may include:

  • Technical data – your IP address, browser type, device model, operating system, time zone, and the pages you visit. 

  • Usage data – interactions with our website or app, such as logins, actions performed, or time spent on a page. 

  • Cookies and similar technologies – small files that help the site work properly, remember your preferences, and analyze performance. You can learn more in Section 9 and our separate Cookie Policy.

5.3 Information we receive from others

We also receive some data from third-party partners and services that help us operate smoothly. For example:

  • Payment processors (like Stripe and Shopify) send us confirmation of successful or failed payments. 

  • Analytics and advertising partners (like Google, Meta, Microsoft) help us measure performance and improve our website. 

  • Business clients and API users may share limited information when using our authentication service through integrations. 

  • Cloud and AI service providers (like AWS, OpenAI, Google Cloud Vision, or Amazon Rekognition) process de-identified images to help with authentication workflows.

We do not knowingly collect or process special categories of personal data, such as health information, political opinions, or biometric data used to identify you.

6. Why We Use Your Data

We only use your personal data when we have a valid legal reason to do so — for example, to provide our services, meet legal requirements, or improve your experience.

Below are the main reasons we collect and process your data, together with the legal bases that allow us to do so under the GDPR:

  • To provide our services – to create and manage your account, process authentication orders, issue certificates, and deliver educational courses. Legal basis: performance of a contract.

  • To process payments – to handle billing, complete transactions, and issue invoices through our secure payment partners (e.g., Stripe, Shopify). Legal basis: performance of a contract; legal obligation.

  • To communicate with you – to respond to your inquiries, provide customer support, and send order updates or service notifications. Legal basis: legitimate interests.

  • To improve our services – to analyze how users interact with our website or app, fix errors, and make our platform faster and more reliable. Legal basis: legitimate interests.

  • To ensure security and prevent misuse – to protect our platform, detect fraudulent activity, and ensure compliance with our Terms of Service. Legal basis: legitimate interests; legal obligation.

  • To send marketing and updates (if you opt in) – to send you newsletters, offers, or product updates that you have chosen to receive. You can unsubscribe at any time. Legal basis: consent.

  • To manage cookies and analytics – to remember preferences, understand site performance, and improve marketing relevance (see Section 9). Legal basis: consent.

  • To comply with laws and regulations – to meet accounting, tax, and legal obligations that apply to our business. Legal basis: legal obligation.

  • To support AI-assisted workflows – to use AI tools for image quality checks or metadata enrichment. Images are de-identified, and no automated decisions are made that affect you. Legal basis: legitimate interests.

We do not use your personal data for any automated decision-making that produces legal or similarly significant effects on you.

7. Third-Party Services and Processors

To deliver our Services, we rely on carefully selected third-party providers that help us operate securely and efficiently — for example, to host our infrastructure, process payments, or manage analytics.

Each provider processes personal data only to the extent necessary to perform its functions and is contractually bound by data protection terms that comply with applicable data protection laws and reflect recognized industry standards.

We engage such providers for purposes including cloud hosting and data storage; payment processing and e-commerce; customer support and communication tools; analytics, marketing, and consent management; automation, reporting, and AI-based image analysis to support authentication workflows.

These providers maintain their own robust security and compliance programs, and we periodically review their practices to ensure they remain appropriate and effective.

We do not sell, rent, or otherwise trade personal data to third parties. If you would like to know more about the specific service providers we work with, you can contact us at support@legitgrails.com.

8. Data Transfers Outside the EEA

Some of our trusted service providers are located, or store data, outside the European Economic Area (EEA). When this happens, we take all necessary steps to make sure your personal data remains protected and is processed in line with European data protection standards.

We rely on one or more of the following safeguards to ensure compliance with the GDPR: a) Adequacy decisions issued by the European Commission, confirming that the destination country offers an equivalent level of data protection; b) Standard Contractual Clauses (SCCs) approved by the European Commission, which legally require our partners outside the EEA to protect your data to EU standards; c) Additional contractual, organizational, and technical measures, such as encryption and access control, to safeguard data during transfer and storage.

Our key infrastructure and processing partners, such as cloud hosting and AI service providers, may process data in the United States or other non-EEA locations. These transfers are always subject to appropriate safeguards designed to ensure the security and lawfulness of processing in accordance with applicable data protection laws.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website (including legitgrails.com and account.legitgrails.com) to make it work properly, understand how it is used, and improve your overall experience.

9.1 What cookies are

Cookies are small text files placed on your device (computer, tablet, or phone) when you visit a website. They help remember your actions and preferences — such as login details or language — for a period of time. Some cookies are essential for the website to function, while others are used for analytics or marketing.

9.2 How we use cookies

We use cookies and similar technologies for the following purposes:

  • Essential cookies – required for the basic operation of the website, such as keeping items in your cart, enabling secure login, or saving cookie preferences. 

  • Analytics cookies – help us understand how visitors use our website and improve performance (for example, via Google Analytics or Microsoft Clarity). 

  • Marketing cookies – used to deliver relevant ads and measure the effectiveness of our marketing across platforms such as Google, Meta, Bing, and LinkedIn. 

  • Consent cookies – store your cookie choices and preferences through the Pandectes GDPR consent management banner.

9.3 Managing your preferences

When you first visit our website, you will see a cookie banner, which allows you to choose whether to accept or reject non-essential cookies. You can change or withdraw your consent at any time using the banner or through your browser settings. Please note that disabling certain cookies may affect website functionality or limit your experience.

For a detailed list of the cookies currently used on our website — including their names, providers, purposes, and storage durations — please see our Cookie Policy, which is available at any time in the website footer.

10. Data Retention

We keep personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy or to comply with legal, accounting, or regulatory requirements. When data is no longer needed, we securely delete or anonymize it.

  • Account and order information – up to 24 months after your last activity (or longer if required by law), to manage your account, process transactions, and meet tax or accounting obligations.

  • Uploaded images and authentication-related content – normally 6–12 months after authentication completion, to allow for post-verification review or customer inquiries; deleted sooner upon request.

  • Customer support communications – up to 24 months after issue resolution, to maintain service records and improve support quality.

  • Marketing preferences and consents – until you unsubscribe or withdraw consent, to manage subscriptions and comply with marketing regulations.

  • Analytics and technical logs – as defined by our cookie and analytics settings (generally up to 13 months), to monitor website performance and security.

If we must keep certain information longer (for example, to comply with tax or legal retention rules), it will be stored only for the minimum time required and securely deleted afterward. 

Copies of data may remain temporarily in encrypted system backups for continuity and recovery purposes. These backups are automatically overwritten on a regular cycle and are accessible only to authorized personnel under strict security controls.

11. Your Rights

Under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws, you have several important rights in relation to your personal data.

You can exercise these rights at any time by contacting us at support@legitgrails.com.

  • Access – you can request a copy of the personal data we hold about you.

  • Correction – you can ask us to correct or update inaccurate or incomplete information.

  • Erasure (“Right to be Forgotten”) – you can request the deletion of your personal data where there is no valid reason for us to keep it.

  • Restriction of processing – you can ask us to temporarily stop using your data while we verify or resolve a concern.

  • Data portability – you can request your data in a structured, commonly used, and machine-readable format so it can be transferred to another provider.

  • Objection – you can object to the processing of your personal data where it is based on legitimate interests or for direct marketing purposes.

  • Withdraw consent – if we process your data based on consent (for example, for marketing or cookies), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.

  • Lodge a complaint – you can contact your local data protection authority (in Estonia, the Data Protection Inspectorate) if you believe your rights have been violated.

11.1 How to Exercise Your Rights

To make a privacy request, please email us at support@legitgrails.com with a short description of your request and the email address linked to your account or order. We may ask you to provide additional information to verify your identity before we process the request, so that your data is not disclosed to someone impersonating you.

We will confirm receipt and respond as soon as possible, and always within one month. If your request is complex or involves a large volume of data, we may extend this period by up to two further months, as the GDPR permits; in that case we will inform you of the extension within the first month and explain the reason.

For business clients and API integrations, LegitGrails processes personal data under contractual arrangements with those partners. In such cases, we act in line with the relevant data processing agreement and applicable law to ensure that data subject rights can still be exercised properly through the client or integration partner. 

12. Marketing Communications

We may occasionally send you marketing or promotional messages about LegitGrails services, for example updates on authentication features, new courses, or special offers that we believe may be relevant to you. For existing customers, we rely on our legitimate interest in keeping you informed about our own similar products and services; this applies only if you have purchased from us before or provided your contact details in connection with a LegitGrails service. In all other cases we send marketing messages only with your consent (see Section 6).

You are always in control of your preferences. You can unsubscribe at any time by clicking the “Unsubscribe” link included in every marketing email, or by contacting us directly at support@legitgrails.com.

We send our communications through professional email platforms (such as Klaviyo and Postmark) that process your contact information only on our behalf and under strict data-protection agreements.

We do not sell, rent, or share your contact details with third parties for their own marketing purposes.

13. Data Security

We take the security of your personal data very seriously and use a combination of technical and organizational measures to protect it against unauthorized access, loss, misuse, or disclosure.

These measures typically include:

  • Encryption of data in transit and at rest; 

  • Access controls and authentication procedures that limit access to authorized personnel only; 

  • Regular monitoring and security reviews of our systems and infrastructure; 

  • Hosting on trusted cloud providers with strong data-protection standards; and 

  • Internal guidelines and confidentiality agreements for all team members and contractors who handle personal data.

While we do everything reasonably possible to keep your information secure, no online service can guarantee absolute security. If we become aware of a personal data breach that poses a risk to your rights or freedoms, we will notify the relevant supervisory authority without undue delay (within 72 hours of becoming aware of it, where the GDPR requires this) and inform affected individuals as required by law.

14. Children’s Privacy

Our Services are not intended for children under 16 years of age, and we do not knowingly collect or process personal data from anyone under this age.

If you are under 16, please do not provide any personal data through our websites, mobile apps, or other communication channels.

If we become aware that we have collected personal data from a child without verified parental consent, we will delete that information as soon as possible.

Parents or guardians who believe their child may have provided us with personal data can contact us at support@legitgrails.com to request deletion.

15. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements.

When we make significant updates, we will let you know by posting a clear notice on our website or by sending you an email before the changes take effect. The “Last Updated” date at the top of this page always shows when this Policy was last revised.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

16. Contact Us

If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise your privacy rights, please contact us:

LegitGrails OÜ
Ahtri 12, 10151 Tallinn, Estonia
Email: support@legitgrails.com