Privacy Policy

Effective: 2026-04-23 · Last updated: 2026-04-23

1. Who we are

Anvil MDM ("Anvil", "we", "us") is operated by P3Consulting OÜ, a limited company registered in Estonia (D-U-N-S 988008963). This Privacy Policy explains how we collect, use, and protect personal data when you visit anvilmdm.com or use our software and services.

For the purposes of the EU General Data Protection Regulation (GDPR), P3Consulting OÜ is the data controller for data collected via our website and for account data of our direct customers. When customers use Anvil MDM to manage their own end-user devices, the customer is the data controller and P3Consulting OÜ acts as a data processor.

2. What we collect

a) Website visitors

• Email address, if you join the waitlist or contact us.
• Technical data from your browser: IP address, user agent, referrer, approximate location derived from IP.
• Cookies and similar technologies strictly necessary for the site to function, plus privacy-respecting analytics (see §6).

b) Customer accounts

• Business contact data (name, work email, company, role).
• Authentication data (hashed passwords, OAuth tokens).
• Billing information, processed by our payment provider — we do not store card numbers.
• Usage logs: actions performed in the console, timestamps, IP addresses, for security and audit purposes.

c) Managed devices (processor role)

When you enroll Android devices, Anvil MDM processes device metadata provided through the Google Android Management API: device identifiers (IMEI, serial, hardware model), OS version, compliance state, configured policies, network status, battery health, and geolocation only when you explicitly enable that feature. Anvil MDM does not read the content of messages, photos, or personal files on managed devices.

3. Why we collect it (legal bases)

• Contract performance (GDPR Art. 6(1)(b)): to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)): to secure our platform, detect abuse, improve reliability, and send service-critical notifications.
• Consent (Art. 6(1)(a)): for the waitlist, optional marketing emails, and non-essential analytics. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): accounting, tax, and mandatory security-incident reporting.

4. Who we share it with

We do not sell personal data. We share it only with:

• Sub-processors acting on our behalf under written DPAs: cloud hosting (EU region), database backups, transactional email providers, payment processors, error tracking. A current list is available on request at privacy@anvilmdm.com.
• Google LLC, via the Android Management API, because managed-device operations inherently transit Google's infrastructure.
• Authorities, when legally required by a valid order.

5. International transfers

Our primary infrastructure is hosted in the European Union. Some sub-processors (including Google LLC) are established outside the EEA. In those cases we rely on the European Commission's adequacy decisions or the EU Standard Contractual Clauses (SCCs, 2021/914) as the legal transfer mechanism.

6. Cookies and analytics

We use:

• Strictly necessary cookies for authentication, session management, and CSRF protection.
• Optional privacy-respecting analytics (no cross-site tracking, no advertising ID) to understand aggregate usage.

We do not use third-party advertising cookies. You can manage cookies through your browser settings.

7. How long we keep it

• Waitlist email: until you unsubscribe, or 24 months after signup if we have not launched, whichever is first.
• Account data: for the duration of the contract, plus up to 12 months after termination for backup rotation.
• Audit and security logs: 12 months by default.
• Invoices and accounting records: 7 years, as required by Estonian law.

8. Your rights (EU/EEA/UK residents)

Under GDPR you have the right to: access your data, correct it, delete it ("right to be forgotten"), restrict or object to processing, request data portability, and withdraw consent. To exercise any of these, email privacy@anvilmdm.com. We respond within 30 days.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or the supervisory authority in your EU country of residence.

9. Security

We apply appropriate technical and organizational measures including: TLS encryption in transit, encryption at rest for sensitive fields, role-based access control, least-privilege service accounts, audit logging, regular security reviews, and mandatory MFA for privileged access. No system is perfectly secure — if we become aware of a breach affecting your data we will notify you and the relevant authority within 72 hours as required by GDPR Art. 33.

10. Children

Anvil MDM is a business-to-business product and is not directed to individuals under 16. We do not knowingly collect data from children.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced by email to active customers and via a notice on this page at least 14 days before they take effect. The "Last updated" date above always reflects the current version.

12. Contact