Privacy Policy
Last Update: 12.06.2025
This Privacy Policy describes how Diletta Luna OÜ (registry code 14646450), located at Sepapaja 6, 15551 Tallinn, Estonia ("we", "us", or "our"), processes personal data when you use our In A Nutshell service. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.
1. Data Controller
Diletta Luna OÜ acts as the data controller for your personal data. For any privacy-related inquiries, please use our contact form.
2. Personal Data We Process
We collect and process the following categories of personal data:
- Account information: email address, password (encrypted), account settings
- Payment information: transaction records (payment amounts, dates); note that actual payment processing is handled by Stripe
- Usage data: IP address, browser type, device information, interaction with our service
- Communication data: support requests, feedback, correspondence with us
- Technical data: cookies, log files, device identifiers
- Analytics data: service usage patterns, feature interaction statistics
- Video queries: YouTube URLs and related conversation data for service provision
For users under 13 years of age: We do not knowingly collect or process personal data from children under 13 years old. If you become aware that a child has provided us with personal data, please contact us immediately.
3. Legal Basis and Purposes
We process your personal data based on the following legal grounds:
- Contract performance: To provide you with video analysis and chat services
- Legal obligations: To comply with accounting and tax laws
- Legitimate interests: To improve our services, ensure security, and enhance service personalization
- Consent: For marketing communications (where applicable)
We use your data specifically to:
- Process payments and maintain transaction records
- Provide customer support and respond to inquiries
- Analyze YouTube videos and generate summaries
- Improve and optimize our service functionality
- Ensure security and prevent fraud
- Send service-related notifications
For AI-powered features, which are core to our service, we rely on:
- Contract performance (Article 6(1)(b) GDPR), as these features are essential to providing our services
- Legitimate interests (Article 6(1)(f) GDPR) for continuous service improvement and personalization
Since AI processing is fundamental to how In A Nutshell operates, you cannot opt out of AI-powered features while using our service. If you do not wish to have your data processed by AI systems, you will need to discontinue using In A Nutshell.
4. International Data Transfers
We may transfer your personal data to countries outside the European Economic Area (EEA). When we do, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission
- Binding Corporate Rules where applicable
- Additional technical measures to ensure data security
Our primary data processing occurs within the EU, but some services may involve transfers to:
- United States (for AI processing and certain cloud services)
- Other countries where our service providers operate
You can request information about specific transfer mechanisms by contacting us.
5. Security Measures
We implement appropriate technical and organizational measures following Article 32 of the GDPR to ensure data security:
- End-to-end encryption for data in transit
- Multi-factor authentication (MFA) for admin account access where possible
- Regular automated security scanning and vulnerability assessments
- Strict access controls based on the principle of least privilege
- Comprehensive incident response and breach notification procedures
- Automated system monitoring and intrusion detection
- Secure development practices and code reviews
We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintain ISO 27001 aligned security practices.
In case of a personal data breach that risks your rights and freedoms, we will notify:
- The Estonian Data Protection Inspectorate within 72 hours
- Affected individuals without undue delay
- Our Data Protection Officer immediately
6. Data Sharing and Processors
We share your personal data with these categories of processors:
- Payment processing: Stripe handles all payment processing
- Data storage: Netcup and Hetzner for secure data storage and backups
- Email delivery: Postmark for sending transactional emails
- AI processing: Anthropic (Claude) and OpenAI for video analysis and chat functionality
- Analytics services (with pseudonymized data)
All our processors are bound by Data Processing Agreements that ensure GDPR compliance and appropriate data protection measures. We carefully select our service providers to ensure they meet our security and privacy standards.
6.1 Records of Processing Activities
In accordance with Article 30 of the GDPR, we maintain detailed records of our processing activities, including:
- Categories of processing activities
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Technical and organizational security measures
These records are available to supervisory authorities upon request and help us maintain accountability for our data processing activities.
7. Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations. This includes:
- Account and service data: For as long as needed to provide our services
- Transaction records: As required by applicable tax and accounting laws
- Usage data: Up to 12 months for service optimization
- Communication records: As needed for support and service improvement
- Video conversation data: Stored temporarily for service provision and improvement
7.1 Data Minimization
We follow data minimization principles by:
- Only collecting data necessary for our services
- Automatically deleting unnecessary data
- Regularly reviewing and updating data retention periods
- Providing options to limit data processing
8. Your Rights
Under the GDPR, you have the following rights:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Data portability
- Withdraw consent for marketing
To exercise these rights, please use our contact form. We'll respond within one month. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee).
10. Changes to This Policy
We may update this policy occasionally to reflect changes in our practices or legal requirements. We'll notify you of significant changes through our service or by email. Continued use of our service after such changes constitutes acceptance of the updated policy.
11. Contact Information and Data Protection Officer
For any privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:
Diletta Luna OÜ
Attn: Data Protection Officer
Sepapaja 6
15551 Tallinn
Estonia
Please use our contact form for all inquiries.
12. Salvatory Clause
If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired. Any invalid, illegal, or unenforceable provision shall be deemed to be modified to the extent necessary to render it valid, legal, and enforceable while preserving its intent, or if such modification is not possible, shall be severed from this Privacy Policy.