Government Data Request Policy

1) Legality review

• CityShop OÜ reviews every government or public authority request for legal sufficiency, scope, and jurisdiction.
• Only written requests citing a valid legal basis are considered.

2) Challenge process

• We will challenge or seek to narrow requests that are unlawful, overbroad, or unsupported.
• Where appropriate, we will request clarification, limit the scope, or refuse the request.

3) Data minimization

• We disclose only the minimum amount of information necessary to comply with a valid request.
• When feasible and lawful, we prefer aggregated, anonymized, or redacted data.

4) Documentation and transparency

• We document each request, including the legal basis, reviewer, decision, any disclosures, and timestamps.
• Records are retained for audit and compliance purposes.

5) Notification

Where permitted by law, we will notify affected customers before disclosure to allow them to seek legal remedies.

6) Jurisdictions and hosting

Production infrastructure is hosted in the EU. Requests from non‑EU authorities are reviewed for applicability and jurisdiction before any action.