Built for European
privacy standards.
Sarona is operated by an Estonian company under the EU's General Data Protection Regulation. We treat privacy as a first-class product requirement, not a compliance afterthought.
Our commitment to GDPR
K&G Media OÜ is an Estonian company (registry code 16170827) operating within the European Union. GDPR is the baseline for how we design, build, and operate the Sarona platform — not an external requirement we bolt on.
Every feature, data flow, and subprocessor relationship is evaluated through a privacy-by-design lens before it ships to tenants.
Lawful basis for processing
Sarona processes B2B contact data under Legitimate Interest as defined in GDPR Article 6(1)(f). This is the standard legal basis for business-to-business outreach within the EU and has been validated through a formal balancing test:
- Our interest — identifying and contacting decision-makers at companies likely to benefit from our tenants' offerings
- The individual's interest — receiving relevant business communication in a role where such outreach is expected and common
- Necessity — the data processed is the minimum required to deliver a relevant message (name, role, company, work email)
- Safeguards — no consumer data, no sensitive categories, no profiling for automated decisions, full opt-out available
If you are a contacted prospect and wish to object to processing, email privacy@sarona.dev or use the unsubscribe link in any message. Your request will be honoured within 30 days and propagated across all tenant systems.
Data subject rights
GDPR grants you eight rights over your personal data. You can exercise any of them by emailing privacy@sarona.dev — we respond within 30 days at no cost.
Receive a copy of the personal data we hold about you, in a readable format.
Correct inaccurate or incomplete personal data we hold about you.
Request deletion of your data, also known as the "right to be forgotten."
Limit how we use your data while a dispute or correction is being resolved.
Receive your data in a structured, machine-readable format to transfer elsewhere.
Object to processing based on legitimate interest, including direct marketing.
Not be subject to decisions based solely on automated processing. We do not do this.
Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Subprocessors
We use a small number of trusted third parties to deliver the Sarona platform. Every subprocessor is bound by a Data Processing Agreement and, where applicable, Standard Contractual Clauses for international transfers.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic | AI email drafting & analysis | USA | SCCs |
| Apollo.io | Lead data enrichment | USA | SCCs |
| Amazon Web Services | Cloud hosting | EU (Frankfurt) | EU Adequacy |
| Microsoft | Email delivery | EU | EU Adequacy |
Data Processing Agreement
Our Data Processing Agreement covers roles of processor and controller, security measures, subprocessor notifications, breach reporting timelines, and tenant data-return procedures. Request your copy by emailing privacy@sarona.dev.
Supervisory authority
You have the right to lodge a complaint with our supervisory authority at any time:
- Andmekaitse Inspektsioon (Estonian Data Protection Authority)
- Website: www.aki.ee
- For EU residents outside Estonia, you may also contact your local DPA.
Privacy Policy · Terms of Service · GDPR · Sign in