Cookies Policy

How HM Kapital uses cookies and similar tracking technologies on hmkapital.ee, the legal bases for their use, and how you can manage your consent.

Effective Date: 14 May 2026 · Version: 1.0

1. Identification of the Data Controller

This Cookies Policy is issued by and applies to the website hmkapital.ee (the "Website"), operated by:

Legal name: HM KAPITAL OÜ
Registration number: 11639834
Registered address: Veskiposti 2, 10138 Tallinn, Republic of Estonia
Telephone: +372 6415 000
Email: info@hmkapital.ee

HM KAPITAL OÜ ("HM Kapital", "we", "us", "our") acts as the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") for all personal data processed via cookies and similar tracking technologies deployed on the Website.

2. Scope of This Policy

2.1 Purpose

This Policy explains how HM Kapital uses cookies and similar tracking technologies on the Website, what categories of data they collect, the legal basis for their use, how you may exercise your rights, and how you may manage or withdraw consent.

2.2 Technologies Covered

This Policy applies to all client-side and server-supported tracking mechanisms, including but not limited to:

HTTP cookies (both session and persistent);
First-party and third-party cookies;
HTML5 local storage, session storage, and IndexedDB;
Pixels, web beacons, and clear GIFs;
SDK identifiers embedded in third-party scripts;
Device fingerprinting techniques (see Section 3.5).

2.3 Relationship to Other Policies

This Policy supplements and should be read together with our Privacy Policy, which governs the broader processing of personal data by HM Kapital pursuant to Articles 12–14 GDPR.

3. What Cookies and Tracking Technologies Are

3.1 HTTP Cookies

A cookie is a small text file placed on your device by a web server. Cookies allow the Website to recognise your device and store limited information about your session or preferences.

Session cookies expire when you close your browser.
Persistent cookies remain on your device for a defined retention period or until manually deleted.

3.2 First-Party vs Third-Party Cookies

First-party cookies are set directly by hmkapital.ee.
Third-party cookies are set by external domains (e.g., analytics or advertising providers) whose scripts are loaded on the Website.

3.3 Local Storage and IndexedDB

These are browser-based storage mechanisms that retain data on your device beyond a single session. They are functionally equivalent to persistent cookies and are treated under Article 5(3) ePrivacy Directive on the same basis.

3.4 Pixels and Web Beacons

Pixels (also called "tracking pixels" or "web beacons") are 1×1 transparent images or scripts embedded in pages or emails that record whether content was accessed and may transmit technical metadata (IP address, user-agent, timestamp).

3.5 Device Fingerprinting

Fingerprinting refers to the passive collection of device, browser, and network attributes (screen resolution, installed fonts, time-zone, canvas rendering) to produce a quasi-unique identifier.

HM Kapital does not use device fingerprinting for marketing, profiling, or cross-site tracking purposes. Any fingerprint-like signals processed by our security provider are used strictly for fraud prevention and bot detection under the strictly-necessary category.

4. Legal Basis for the Use of Cookies

4.1 Article 5(3) ePrivacy Directive

The storing of information, or accessing of information already stored, on a user's terminal equipment is permitted only with the user's prior informed consent, except where strictly necessary for the provision of an information-society service explicitly requested by the user. This rule is set out in Article 5(3) of Directive 2002/58/EC (as amended by Directive 2009/136/EC) and transposed into Estonian law via the Electronic Communications Act (Elektroonilise side seadus).

4.2 Articles 6 and 7 GDPR

Where cookies process personal data within the meaning of Article 4(1) GDPR, an additional legal basis under Article 6(1) GDPR is required:

Strictly necessary cookies: Article 6(1)(f) GDPR (legitimate interest) and/or Article 6(1)(b) (performance of a contract / service requested), in conjunction with the ePrivacy exemption.
All non-essential cookies: Article 6(1)(a) GDPR — explicit, informed, specific, freely given, and unambiguous consent, meeting the standards of Article 7 GDPR and EDPB Guidelines 05/2020 on consent.

4.3 Planet49 (CJEU C-673/17)

In accordance with the Court of Justice of the European Union's judgment in Planet49 GmbH v Bundesverband der Verbraucherzentralen (C-673/17, 1 October 2019), consent must be obtained through an active opt-in. Pre-ticked checkboxes, implied consent, or continued browsing do not constitute valid consent.

4.4 Compliance with EDPB Guidelines 03/2022 on Dark Patterns

Our consent interface is designed to avoid misleading or coercive design patterns. The "Reject All" option is presented with equal prominence to the "Accept All" option, and refusal entails no detriment to the user's access to the Website.

5. Categories of Cookies Used

We classify cookies according to the EDPB taxonomy and the AKI (Andmekaitse Inspektsioon) guidance on cookies and online tracking.

5.1 Strictly Necessary Cookies (Always Active)

Purpose: Enable core functionality including session management, security (CSRF protection), load balancing, and storage of cookie-consent preferences.
Legal basis: Article 5(3) ePrivacy exemption; Article 6(1)(f) GDPR.
Consent required: No.
Retention: Typically session-only or up to 12 months for consent records.

5.2 Functional / Preferences Cookies

Purpose: Remember user-selected preferences such as language and region.
Legal basis: Article 6(1)(a) GDPR consent, where the preference is not strictly necessary to deliver the requested service.
Consent required: Yes (opt-in).
Retention: Up to 12 months.

5.3 Analytics / Performance Cookies

Purpose: Aggregate usage statistics, page-flow analysis, performance metrics.
Legal basis: Article 6(1)(a) GDPR consent.
Consent required: Yes (opt-in).
Retention: Up to 14 months.

5.4 Marketing / Advertising Cookies

Purpose: Campaign measurement, conversion tracking, retargeting on third-party platforms.
Legal basis: Article 6(1)(a) GDPR consent.
Consent required: Yes (opt-in).
Retention: Up to 13 months.

Manage Your Cookie Preferences

Toggle non-essential categories below. Changes save instantly to your device only.

Strictly Necessary Always active. Required for core site function and security.

Functional / Preferences Remembers language and region settings.

Analytics Aggregate usage statistics for site improvement.

Marketing Campaign measurement and retargeting via third-party providers.

6. Cookie Inventory

The following table reflects the cookies and similar technologies currently deployed on hmkapital.ee. The inventory is updated when new technologies are deployed. Where a third-party provider is listed, the third party may set additional cookies under its own privacy policy.

Cookie / Storage Key	Provider	Purpose	Category	Type	Duration
`hmkapital-consent`	hmkapital.ee (first-party)	Stores the user's cookie consent choices (localStorage)	Strictly Necessary	Persistent	12 months

This inventory reflects technologies currently deployed at the time of this Policy's effective date. The site does not currently deploy any third-party analytics, advertising, or marketing cookies. Should Google Analytics, LinkedIn Insight, Meta Pixel, or comparable technologies be introduced in the future, they will only load after the relevant category consent is granted, and this inventory will be updated accordingly with each new deployment.

The live inventory and your consent state are managed via the "Cookie Settings" link in the Website footer or the preferences widget below.

7. Consent Management

7.1 How Consent Is Collected

On your first visit to the Website, a cookie banner appears presenting:

A clear description of the categories of cookies used;
Equally prominent "Accept All", "Reject All", and "Manage Preferences" buttons;
A link to this Cookies Policy.

No non-essential cookies are placed prior to obtaining your explicit opt-in, in accordance with the Planet49 judgment and EDPB Guidelines 05/2020.

7.2 How Consent Is Withdrawn

You may withdraw consent at any time and with no detriment by clicking the "Cookie Preferences" link located in the footer of every page, or by using the controls in Section 5 above. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).

7.3 No Cookie Walls

In accordance with EDPB Guidelines 05/2020, paragraphs 38–41, access to the Website is not conditioned on acceptance of non-essential cookies. Refusing optional cookies has no impact on your ability to access or use informational content.

8. Third-Party Cookies and Processors

When third-party cookies are loaded (subject to your consent), the relevant provider acts as an independent controller or joint controller for its own processing. We recommend reviewing each provider's privacy notice:

Google Analytics / Google Ireland Ltd. — policies.google.com/privacy
Matomo (where deployed via self-hosted or cloud instance) — matomo.org/privacy-policy
Meta Platforms Ireland Ltd. — facebook.com/policy.php
LinkedIn Ireland Unlimited Company — linkedin.com/legal/privacy-policy

Engagement of any new third-party tracking processor is subject to a prior data-protection impact assessment where required under Article 35 GDPR.

9. International Data Transfers

Certain third-party cookie providers (notably Google LLC and Meta Platforms Inc.) may transfer personal data to third countries outside the European Economic Area (EEA), primarily the United States.

Such transfers are carried out under one or more of the following safeguards pursuant to Chapter V GDPR:

EU–US Data Privacy Framework adequacy decision (where the recipient is certified);
Standard Contractual Clauses adopted by the European Commission (Decision 2021/914);
Supplementary technical and organisational measures where required by Schrems II (CJEU C-311/18).

Detailed information on transfer mechanisms is set out in our Privacy Policy.

10. Your Rights Under the GDPR

In relation to personal data processed via cookies, you have the following rights under Articles 15–22 GDPR:

Right of access (Article 15);
Right to rectification (Article 16);
Right to erasure / "right to be forgotten" (Article 17);
Right to restriction of processing (Article 18);
Right to data portability (Article 20);
Right to object (Article 21);
Right not to be subject to solely automated decisions, including profiling (Article 22);
Right to withdraw consent at any time (Article 7(3)).

To exercise any of these rights, please contact info@hmkapital.ee. Full procedural details are provided in our Privacy Policy.

11. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR or Estonian data-protection law, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate:

Andmekaitse Inspektsioon (AKI)
Address: Tatari 39, 10134 Tallinn, Estonia
Telephone: +372 627 4135
Email: info@aki.ee
Website: www.aki.ee

You may also lodge a complaint with the supervisory authority of your habitual residence or place of the alleged infringement.

12. Browser Controls

In addition to our on-site consent tool, you may manage or delete cookies through your browser settings. Note that disabling strictly necessary cookies may impair the functioning of the Website.

Google Chrome: support.google.com/chrome/answer/95647
Mozilla Firefox: support.mozilla.org
Apple Safari: support.apple.com/guide/safari
Microsoft Edge: support.microsoft.com

13. Do Not Track Signals

There is no consensus EU-wide industry standard for interpreting browser-based "Do Not Track" (DNT) signals. Accordingly, the Website does not currently respond to DNT headers. Users wishing to opt out of non-essential cookies should use our on-site consent management tool, which provides granular, auditable controls compliant with Article 7 GDPR.

We monitor developments concerning the proposed ePrivacy Regulation and the Global Privacy Control (GPC) signal, and will update this Policy if and when binding standards emerge.

14. Children

The Website is not directed at children under the age of 16. We do not knowingly deploy tracking technologies to profile minors. Where a user is identified as a minor, all non-essential processing is suspended and the data is deleted in accordance with Article 8 GDPR and §8 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, 2018).

15. Updates to This Policy

We may amend this Cookies Policy from time to time to reflect changes in applicable law, regulatory guidance, or our use of tracking technologies. Material changes will be communicated via:

A prominent notice on the Website;
A re-prompt of the consent banner where the change affects the categories of cookies used or the basis for processing;
Update of the effective date and version log below.

We encourage you to review this Policy periodically.

16. Contact

Questions, requests, or complaints regarding this Cookies Policy may be addressed to:

HM KAPITAL OÜ · Veskiposti 2, 10138 Tallinn, Estonia · +372 6415 000 · info@hmkapital.ee

17. Version Log

Version	Effective Date	Summary of Changes
1.0	14 May 2026	Initial publication.