Privacy policy.

Maintoro OÜ ("Maintoro", "we", "us") is a private limited company registered in Estonia (registry code 16735423), with its registered office at Tallinn, Estonia. We build and operate the Maintoro CMMS platform — a SaaS application for maintenance teams, available at maintoro.com.

For the purposes of GDPR, Maintoro is the controller of personal data submitted via our public website and marketing communications, and a processor of the personal data that our customers upload into the application.

We collect only what we need to operate the service. There are three categories:

Account & identity

• Name, email address, password (hashed with bcrypt), profile photo (optional)
• Organization name, role, and language preference
• Phone number if you choose to add one for SMS notifications

Operational data (entered by you)

• Work orders, preventive maintenance schedules, asset records, parts inventory
• Photos, comments, and documents you attach to work orders or assets
• QR code & NFC tag scan events (anonymized for unauthenticated scans)

Technical & usage data (collected automatically)

• IP address, browser type, device type, operating system, timezone
• Pages visited, features used, error logs (for debugging and abuse prevention)
• Cookies & local storage (see cookies section)

We use your data to:

• Operate the service — authenticate you, deliver work orders, sync mobile data, generate reports
• Communicate with you — send work order notifications, security alerts, billing receipts, and occasional product updates (you can opt out anytime)
• Improve the product — aggregated usage analytics, feature performance, bug reports
• Protect the service — detect abuse, prevent fraud, enforce our Terms of Service
• Comply with law — respond to lawful requests from authorities

We never sell or rent your personal data. We never train AI models on your private operational data without explicit, opt-in consent.

Under GDPR Art. 6, we process personal data on one or more of these grounds:

• Contract — processing is necessary to provide the service you signed up for
• Legitimate interests — product improvement, security, fraud prevention
• Consent — marketing emails, optional analytics cookies (you can withdraw consent at any time)
• Legal obligation — tax records, regulatory compliance

We share personal data only with vetted sub-processors who help us operate the service. All sub-processors are bound by Data Processing Agreements and process data only on our instructions.

Current sub-processors

• Amazon Web Services (AWS) — hosting (eu-central-1, Frankfurt)
• Stripe — payment processing (subscription billing)
• Postmark — transactional email delivery
• Twilio — SMS notifications (only if you enable them)
• Cloudflare — CDN, DDoS protection, WAF
• Sentry — error tracking (self-hosted in EU)

We never share your operational data (work orders, assets, photos) with anyone outside your organization except as required to deliver the service. We never share data with advertisers.

• Active accounts — for as long as your subscription is active
• Cancelled accounts — 60 days grace period, then deleted (you can request immediate deletion)
• Backups — up to 30 days after deletion (then automatically purged)
• Billing records — 7 years (Estonian tax law)
• Anonymized usage analytics — up to 24 months

If you are in the EU/EEA (and equivalent for the UK, Switzerland), you have the right to:

• Access the personal data we hold about you
• Rectify data that is incorrect or incomplete
• Erase your personal data ("right to be forgotten")
• Restrict how we process your data
• Object to processing based on legitimate interests
• Data portability — export your data in JSON or CSV at any time
• Withdraw consent at any time, where consent is the basis for processing
• Lodge a complaint with your local supervisory authority (in Estonia: aki.ee)

To exercise any right, email privacy@maintoro.com. We respond within 30 days.

We take security seriously and apply industry-standard controls:

• TLS 1.3 for all data in transit; AES-256 for data at rest
• Daily encrypted backups with off-site replication
• Two-factor authentication (TOTP, optional and recommended)
• Role-based access controls inside the application
• SOC 2 Type II audit in progress (target: Q4 2026)
• Annual third-party penetration tests
• Security incident response plan; we notify affected customers within 72 hours of a confirmed breach

We use cookies and local storage on maintoro.com. Optional tools load only after you choose Accept all or enable categories in Customize:

• Strictly necessary — authentication (HTTP-only session cookies), security, and language preference (NEXT_LOCALE). These always run; no consent banner choice needed for them.
• Analytics (optional) — with your consent: Google Analytics (G-QY3VZ6GSB8), Microsoft Clarity, and PostHog on marketing pages. Used to measure traffic and improve conversion. You can reject these in the cookie banner.
• Marketing (optional) — with your consent: Crisp live chat, LinkedIn Insight Tag, and Google Ads conversion tags. Used for support and campaign measurement. Reject anytime via Cookie settings in the footer or on our cookie policy.

We do not load optional analytics or marketing scripts before you consent. Change your choice anytime: footer → Cookie settings, or clear maintoro_cookie_consent in browser storage.

Maintoro is a B2B SaaS product not intended for children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

All Maintoro production data is hosted in the EU (AWS Frankfurt, eu-central-1). For sub-processors that may transfer data outside the EU (e.g. Stripe, Twilio), we rely on the European Commission’s Standard Contractual Clauses (SCCs) and only work with vendors offering equivalent protection.

We will update this policy if our practices change. The "Last updated" date at the top of this page reflects the most recent revision. For material changes affecting how we use your personal data, we will notify active customers by email at least 30 days before the changes take effect.

Privacy questions, data requests, or concerns: