Legal

Privacy Policy

Last updated: 23 April 2026

This policy explains how dotCan OÜ handles your personal data when you use .Portal. We've tried to keep it in plain language. If anything is unclear, email us at hello@dotcan.com.

1. Who we are

DOTCAN OÜ (registry code 17268416, VAT EE102969612), Tähe 131C, 51008 Tartu, Estonia, is the data controller responsible for your personal data on the .Portal platform.

Contact for any privacy questions or requests: hello@dotcan.com

2. What data we collect

When you create an account and place orders, we collect:

  • Account information: name, email address, password (stored hashed, never in plain text)
  • Order information: shipping address, phone number, order history, your custom can designs and uploaded artwork
  • Payment information: handled directly by Montonio; we store only the payment reference and status, not your card or bank details
  • Technical data: session cookie, IP address, and browser information recorded in server logs for security and debugging

We do not collect data from third parties, use tracking cookies, or run any analytics or advertising tools.

3. Why we process your data and our legal basis

Purpose | Legal basis
Creating and maintaining your account | Performance of a contract
Processing and delivering your orders | Performance of a contract
Sending transactional emails (order confirmation, shipping updates) | Performance of a contract
Fraud prevention, security, and debugging | Legitimate interest
Keeping invoices and accounting records | Legal obligation (Estonian Accounting Act)

We do not currently send marketing emails. If we ever do, it will be opt-in and you'll be able to unsubscribe at any time.

4. Who we share your data with

We only share your data with the partners we need to operate the service:

  • Cannery (Estonia) — our production and fulfilment partner, and the legal seller of the cans. Receives your order details, shipping address, phone number, and can design files so they can produce and ship your order. Cannery is a separate data controller for the purposes of fulfilment, invoicing, and accounting.
  • Montonio (Estonia) — payment processing. Receives the order amount and reference.
  • Render (United States) — hosting and database infrastructure.
  • Cloudflare (global) — DNS, content delivery, and file storage (design uploads).
  • Resend (United States) — sending transactional emails.

We do not sell your data to anyone and we do not share it for advertising.

5. International data transfers

Our primary infrastructure providers are configured to host your data within the European Economic Area:

  • Render (hosting and database) — EU region (Frankfurt, Germany)
  • Resend (transactional email) — EU region (Ireland)

Cloudflare operates a global network. DNS resolution and content delivery are handled by the nearest Cloudflare data center worldwide, which may be outside the EEA. File storage (Cloudflare R2) is configured for EU jurisdiction where possible.

Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework to ensure your data receives an equivalent level of protection.

6. How long we keep your data

  • Account data: while your account is active, plus 1 year after you delete it
  • Order and shipping data: 3 years (matches the limitation period for consumer claims)
  • Invoices and accounting records: 7 years (required by the Estonian Accounting Act)
  • Uploaded design files: deleted when you delete your account, or after 3 years, whichever comes first
  • Server logs: 6 months

7. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal retention obligations, e.g. invoices)
  • Restrict or object to certain processing
  • Receive your data in a portable format
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email hello@dotcan.com. We'll respond within 30 days.

If you're not satisfied with how we handle your request, you can file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).

8. Cookies

.Portal uses only essential cookies needed to keep you logged in and your session secure. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is required because we only use strictly necessary cookies.

9. Security

We take reasonable technical and organisational measures to protect your data:

  • All traffic is encrypted in transit (HTTPS/TLS)
  • Passwords are hashed using industry-standard algorithms
  • Database access is restricted and credentials are rotated
  • File uploads are stored on encrypted infrastructure (Cloudflare R2)
  • Only authorised personnel have access to production systems

No system is perfectly secure, but we work to keep your data safe and will notify you if a breach affects your data.

10. Age

.Portal is not directed at people under 16. If you are under 16, you need your parent's or guardian's permission to use the service. If you believe someone under 16 has created an account without such permission, contact hello@dotcan.com and we will remove the account.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we'll notify you by email and update the “Last updated” date at the top. Continued use of .Portal after changes means you accept the updated policy.

12. Contact

For any privacy questions, data requests, or concerns, email hello@dotcan.com.

Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — aki.ee.