GDPR Compliance
Last updated: July 2026
Owl Owl OÜ operates all of its services from within the European Union and processes personal data in accordance with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — and the Estonian Personal Data Protection Act.
This page explains our role under the GDPR, the legal bases we rely on, your rights as a data subject, and how to exercise them. For a plain-language overview of what we collect, see our Privacy Policy.
Data Controller
The data controller responsible for personal data processed across our services is:
- Email: [email protected]
- Company: Owl Owl OÜ
- Address: Sepapaja tn 6, 15551 Tallinn, Estonia
- Phone:: +372 6850186
For data protection enquiries, contact us at [email protected] with the subject line “GDPR Request”.
Scope
This statement covers the websites and platforms operated by Owl Owl OÜ:
- C.IM — Mastodon
- P.LU — PeerTube
- R.NF — Lemmy
- Image.Hosting — Image hosting
Each platform also publishes its own platform-specific policy with additional detail.
Legal Bases for Processing
We only process personal data where the GDPR (Article 6) gives us a lawful basis to do so:
- Performance of a contract (Art. 6(1)(b)) — to create and operate your account and deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — to keep our platforms secure, prevent abuse and fraud, and maintain service reliability. We balance these interests against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from competent authorities and to meet our retention and accounting duties.
- Consent (Art. 6(1)(a)) — where we ask for it explicitly, for example optional communications. You may withdraw consent at any time.
We do not carry out advertising, behavioural profiling, or automated decision-making that produces legal effects.
Categories of Data
Depending on the service, we may process:
- Account data such as username, email address, and profile information
- Public content you create (posts, videos, comments, uploads)
- Technical data such as IP address, browser type, and access logs used for security and abuse prevention
We do not use third-party advertising cookies or behavioural tracking on this website.
Your Rights as a Data Subject
Under the GDPR you have the right to:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your account and personal data (“right to be forgotten”).
- Restriction (Art. 18) — limit how we process your data in certain cases.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on our legitimate interests.
- Withdraw consent (Art. 7(3)) — where processing is based on consent.
All of our platforms let you edit your profile, export your data, and delete your account directly. For anything else, email [email protected].
We respond to verified requests within one month, as required by Article 12(3). This period may be extended by two further months for complex requests, in which case we will inform you.
International Data Transfers
Our infrastructure and data are hosted within the European Union / European Economic Area. Where a sub-processor or recipient is located outside the EEA, we rely on an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses (Art. 46).
Sub-Processors & Data Processing Agreement
Where you use our services on behalf of an organisation that is itself a data controller (for example, an institution running an account), Owl Owl OÜ acts as a data processor under Article 28 GDPR. For these cases we provide a standard Data Processing Agreement (DPA):
Download the Data Processing Agreement (PDF)
To execute a signed DPA, download the document, complete the controller details, and return it to [email protected].
Data Retention
We keep personal data only for as long as necessary for the purposes described above. When you delete your account, associated personal data is removed from our active systems, subject to short technical backup retention and any legal obligation to retain certain records.
Data Breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33), and affected users without undue delay where required (Art. 34).
Supervisory Authority
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Estonian supervisory authority:
- Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
- Address: Tatari 39, 10134 Tallinn, Estonia
- Website: aki.ee
- Email: [email protected]
You may also contact the supervisory authority in your country of residence.
Contact Us
For any GDPR or data protection question, contact:
- Email: [email protected]
- Company: Owl Owl OÜ
- Address: Sepapaja tn 6, 15551 Tallinn, Estonia
- Phone:: +372 6850186