Privacy Policy
Last updated
This Privacy Policy explains how Equate Instruments processes personal data when you visit our website, create an account, place an order or request a quotation, contact us, or otherwise interact with us. We are committed to processing your data lawfully, fairly and transparently in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, and applicable United States privacy laws (such as the California Consumer Privacy Act, as amended).
On this page
1. Controller identity & contact
The controller responsible for your personal data is:
Equate Instruments
- Email: info@equateinstruments.com
- Phone: +358 41 584 8098
- Registered office: Finland
- Registered company name: Equate Instruments
- Registered office addresses: Helsinki (Finland); Tallinn (Estonia); Nottingham (United Kingdom); Safety Harbor, Florida (United States); Sialkot (Pakistan).
2. Data protection contact
For any question about this policy or to exercise your rights, you can contact our Data Protection Officer (DPO), Mr. Hassan N., at hassan.n@equateinstruments.com.
3. What data we collect
Depending on how you interact with us, we may process the following categories of personal data:
- Account data: name, work email, password (stored hashed), company, role, country and account preferences.
- Order & billing data: billing and delivery addresses, purchased items, order history, VAT/business identifiers, and payment status (we do not store full card numbers).
- Request-for-quotation (RFQ) data: product interests, quantities, target markets and any information you include in your request.
- Contact-form & support data: your name, email, phone number and the content of your message and correspondence.
- Newsletter data: email address and subscription status, where you have opted in.
- Technical & analytics data: IP address, device and browser type, pages viewed and, subject to your consent, aggregated performance and usage metrics.
We do not intentionally collect special categories of data (Article 9 GDPR). Please do not include health or other sensitive personal data in free-text fields.
4. Why we process your data & legal basis
We only process personal data where we have a lawful basis under Article 6(1) GDPR:
| Purpose | Legal basis (Art. 6(1) GDPR) |
|---|---|
| Creating and managing your customer account | Performance of a contract (b) |
| Processing and fulfilling orders, invoicing and delivery | Performance of a contract (b) |
| Responding to RFQs, quotations and enquiries | Steps prior to entering a contract (b) / legitimate interests (f) |
| Customer support and correspondence | Performance of a contract (b) / legitimate interests (f) |
| Sending newsletters and marketing to subscribers | Consent (a); existing-customer soft opt-in under ePrivacy |
| Accounting, tax and statutory record-keeping | Legal obligation (c) |
| Website security, fraud prevention and improving our services | Legitimate interests (f) |
| Optional analytics and performance measurement | Consent (a) |
Where we rely on legitimate interests, we balance those interests against your rights and freedoms; you may object at any time (see Your rights).
5. Recipients & processors
We share personal data only with service providers who process it on our behalf under a written data processing agreement, and with third parties where necessary to fulfil your order:
- Supabase — authentication and database hosting for accounts, orders and RFQs.
- Resend — transactional and notification email delivery.
- Vercel — website hosting, content delivery and optional analytics / performance insights.
- Banks and payment institutions — processing of invoice and bank-transfer payments (we do not use a third-party card-payment processor).
- Logistics and carrier partners (as separately agreed for each shipment) — shipping and delivery.
- Professional advisers, auditors and authorities where required by law.
We do not sell your personal data.
6. International transfers
Some of our processors are established outside the European Economic Area (EEA) or process data on infrastructure that may involve transfers outside the EEA. Where this happens, we rely on an appropriate safeguard under Chapter V GDPR:
- Resend and Vercel: transfers to the United States are covered where the recipient is certified under the EU–U.S. Data Privacy Framework (DPF), supplemented by Standard Contractual Clauses (SCCs) where applicable.
- Supabase: transfers are governed by the EU Standard Contractual Clauses together with a transfer impact assessment (TIA) and, where relevant, EEA/UK data-region hosting.
You may request a copy of the relevant safeguards by contacting our DPO at hassan.n@equateinstruments.com.
7. Retention
We keep personal data only for as long as necessary for the purposes for which it was collected:
- Account data: for the life of your account and 12 months thereafter.
- Order, invoicing and accounting records: for the statutory retention period under applicable accounting and tax law (generally up to 6–7 years).
- RFQ and enquiry data: 24 months from last contact.
- Marketing data: until you withdraw consent or unsubscribe.
8. Your rights
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erasure of your data in certain circumstances (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Object to processing based on legitimate interests or direct marketing (Art. 21).
- Data portability for data you provided, where processing is based on consent or contract (Art. 20).
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise any right, contact our DPO at hassan.n@equateinstruments.com. We will respond within one month, as required by Article 12(3) GDPR.
9. Right to lodge a complaint
If you believe our processing infringes data protection law, you may lodge a complaint with the data protection supervisory authority in your country — for example, your local supervisory authority in the EEA, the UK Information Commissioner's Office (ICO), or the applicable data protection or consumer authority in the United States. We would, however, appreciate the chance to address your concerns first.
10. Automated decision-making
We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
11. Changes & effective date
We may update this Privacy Policy from time to time. The date at the top of this page indicates when it was last revised. Material changes will be communicated through the website or, where appropriate, by email.
