About
Blog
Join

Privacy Policy

Privacy Policy

Last updated 20.02.2026


1. Introduction

This Privacy Policy explains how Metsa AI Travel OÜ (“Metsa AI”, “we”, “us”, “our”) collects and uses your personal data when you visit our website and when you sign up to hear from us.

Metsa AI Travel OÜ is a private limited company incorporated in Estonia with the following details: 
• Company name: Metsa AI Travel OÜ

• Registry code: 17359030

• Registered address: Algi St 29, Tallinn 12916, Harju county, Estonia

• E-mail: info@metsa.ai. / privacy@metsa.ai

For the purposes described in this Privacy Policy, Metsa AI acts as the data controller, i.e. we decide how and why your personal data is processed. If you have any questions about this Privacy Policy or our use of your personal data, you can contact us at privacy@metsa.ai.

2. Scope of this Privacy Policy
This Privacy Policy applies to personal data we collect when you:
(a) visit or interact with our website at https://www.metsa.ai/  (the “Website”);

(b) complete and submit our sign-up / waitlist form;

(c) communicate with us using the contact details made available on the Website.

This Privacy Policy does not apply to any future Metsa AI products or services that may be launched separately (such as full travel platforms or mobile apps). Separate privacy policies will apply to those services.

Our use of cookies and similar technologies on the Website is explained in more detail in our Cookie Policy.

3. Personal data we collect

3.1. Data you provide via the Website
When you submit information through our sign-up / waitlist form, we may collect:
identity data – first name, last name;
contact data – e-mail address;
location data – country of residence;
preference data – interests, preferred product features or types of travel experiences, and any other information you choose to share in free text fields.
If you contact us by e-mail or otherwise, we collect the content of your communication and any contact details you provide.

3.2. Technical and usage data
When you visit the Website, we automatically collect certain technical data from your browser or device, such as:
IP address;
device identifiers, operating system and browser type;
general location (for example, country or city based on IP address);
information about how you use the Website, such as the pages visited and links clicked.
We collect this data through cookies and similar technologies. More information is provided in our Cookie Policy.

3.3. Email engagement data
If you sign up to receive email updates, we may collect information about your interaction with those emails, such as:
if and when you opened the email;
which links you clicked;
whether an email bounced or you unsubscribed.


4. Purposes and legal bases of processing
We only process your personal data where we have a valid legal basis under the General Data Protection Regulation (GDPR). For the Website, these are:

4.1. Operating and securing the Website
We process technical and usage data to operate, maintain and secure the Website, troubleshoot issues, prevent abuse and ensure network and information security.
Legal basis: our legitimate interest in running a secure and reliable website (Article 6(1)(f) GDPR). We have performed a short legitimate interest assessment considering user rights and expectations.

4.2. Managing your sign-up / waitlist registration
We process identity, contact, location and preference data to register your interest, manage your sign-up, and respond to any questions in your submission.
Legal basis: performance of a contract or taking steps at your request before entering into a contract (Article 6(1)(b) GDPR) and/or our legitimate interest in building and managing our early-access community (Article 6(1)(f) GDPR).

4.3. Sending you email updates and marketing communications
We use your contact details and preferences to send you email updates about the development of the Metsa AI platform, early-access invitations, campaigns and other marketing communications.
Legal basis: your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time by clicking “unsubscribe” in any email or by contacting us.

4.4. Analytics and improving our Website and communications
We use cookie data and email engagement data to understand how visitors use our Website and communications, and to improve user experience and the relevance of our content.
Legal basis: our legitimate interest in improving our Website and communications (Article 6(1)(f) GDPR) and, where non-essential cookies are used, your consent (Article 6(1)(a) GDPR).

4.5. Compliance, record-keeping and legal claims
We may process any of the data categories above to comply with our legal obligations (for example accounting and corporate record-keeping) and to establish, exercise or defend legal claims.
Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR) and our legitimate interest in protecting our rights (Article 6(1)(f) GDPR).
If we intend to use your personal data for any purpose that is not compatible with those listed above, we will inform you and, where required, ask for your consent in advance.

4.6. Processing business contact data (Hotels and partners)

We may process business contact details (such as name, work email, job title and company) of Hotel representatives and other partners for the purposes of:

  • establishing or managing potential cooperation;
  • informing them about inclusion in our directory;
  • handling correction or removal requests.

Legal basis: our legitimate interest in operating and developing our travel platform (Article 6(1)(f) GDPR).

We retain such data only for as long as necessary for business communication and legal compliance. We aim to handle all business data respectfully and transparently, ensuring partners can contact us for updates, corrections, or removal requests at any time.


5. Cookies and similar technologies
We use cookies and similar technologies on the Website. These may be strictly necessary cookies (required for the Website to function), as well as analytics and, in the future, advertising or social media cookies.

Non-essential cookies are used only with your consent, which you can give and withdraw through the cookie banner and settings. Details about the cookies we use and how long they are stored are provided in our Cookie Policy.


6. With whom do we share your personal data
We only share your personal data with parties that need to process it for the purposes described in this Privacy Policy and who are subject to appropriate confidentiality and security obligations, including:
1. our employees and consultants authorized by us to process personal data for the purposes described in this Privacy Policy;
2. service providers who provide us with hosting, cloud infrastructure, email delivery, marketing automation, analytics, IT and security services;
3. professional advisers (lawyers, auditors, consultants) where reasonably necessary to obtain advice or protect our rights;
4. public authorities, regulators and courts where we are required to do so by law, or where this is necessary to establish, exercise or defend legal claims;
5. group companies within the Metsa group (if applicable) involved in developing or marketing the Metsa AI platform.

We do not sell your personal data.


7. International transfers
Our company is established in the European Economic Area (EEA). Some of our service providers may be located outside the EEA or may store data on servers outside the EEA. If this involves transferring your personal data to a country that does not provide an equivalent level of data protection, we will ensure that appropriate safeguards are in place in accordance with GDPR, such as:
1. an adequacy decision by the European Commission; or
2. Standard Contractual Clauses approved by the European Commission, supplemented where necessary by additional technical, contractual, or organizational measures to ensure an adequate level of protection.

You can contact us if you would like more information about the safeguards applied to international transfers.


8. How long we keep your personal data
We keep your personal data only for as long as necessary for the purposes for which it was collected or in order to comply with legal obligations. In general, the following retention periods apply:
1. sign-up / waitlist data: kept until you withdraw your consent or unsubscribe from our communications, or for up to 3 years after your last interaction with us (last e-mail open/click or last Website submission), whichever comes first, unless a longer period is required by law;
2. consent and opt-out records: kept for up to 3 years after you unsubscribe or withdraw your consent, or longer if required by law, to demonstrate compliance;
3. communication data: kept for up to 3 years from the last relevant communication;
4. technical and log data: kept for up to 12 months, or longer if necessary for security, fraud prevention, or legal reasons;
5. cookies: stored for the duration indicated in our Cookie Policy.

After the relevant retention period expires, we will delete or irreversibly anonymise your personal data.


9. Your rights
Subject to certain conditions and exceptions, you have the following rights with regard to your personal data:
1. Right of access – to obtain confirmation whether we process your personal data and to receive a copy of the data.
2. Right to rectification – to have inaccurate or incomplete personal data corrected.
3. Right to erasure – to request deletion of your personal data in certain circumstances (for example where it is no longer necessary for the purposes for which it was collected).
4. Right to restriction – to request that we restrict processing of your personal data in certain circumstances, for example where the accuracy of the data is contested or processing is unlawful but you oppose erasure.
5. Right to data portability – to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit it to another controller where processing is based on consent or contract and carried out by automated means.
6. Right to object – you may object at any time to the processing of your personal data for direct marketing purposes and, in certain cases, to processing based on our legitimate interests.
7. Right to withdraw consent – where our processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal or processing based on another legal basis.

You can exercise your rights by contacting us at privacy@metsa.ai. We may need to verify your identity before responding to your request.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), but you may also contact the data protection authority in your country of residence or place of work.


10. Minors
The Website and our sign-up form are not directed at minors under 18 years of age and we do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will delete or anonymise such data without undue delay.
Parents or guardians who believe that their child has submitted personal data to us may contact us at privacy@metsa.ai to request deletion.


11. Security
We take appropriate technical and organisational measures, including encryption in transit, access control, logging, and least privilege, to protect personal data against unauthorised access, accidental or unlawful destruction, loss, alteration or disclosure. However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security.


12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities or in applicable law. When we make material changes, we will update the “Last updated” date at the top of this Privacy Policy and, where appropriate, provide additional notice on the Website or by email.


13. Governing law and complaints
This Privacy Policy and any complaints related to it are governed by the laws of the Republic of Estonia, without prejudice to your rights under GDPR or mandatory consumer protection laws.

If you have a concern about how we process your personal data, we encourage you to contact us first so that we can try to resolve the matter amicably. If a resolution cannot be reached, you may contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) regarding issues related to personal data processing or the exercise of your GDPR rights.

Consumers residing in another EU or EEA Member State may also bring a complaint to the competent supervisory authority or courts in their country of residence, in accordance with applicable consumer protection and data protection rules.