Privacy Policy

1. General provisions

1.1. This Privacy Policy sets out the principles governing the collection, processing and storage of personal data. Personal data is collected and stored by the controller Loodu OÜ (registry code 14992146) (hereinafter referred to as the controller).

1.2. For the purposes of this Privacy Policy, a data subject means the client or another natural person whose personal data are processed by the controller.

1.3. For the purposes of this Privacy Policy, a client means anyone who purchases goods or services on the controller’s website.

1.4. The controller complies with the data processing principles set out in legislation, including processing personal data lawfully, fairly and securely. The controller is able to confirm that the personal data have been processed in accordance with the law.

2. Collection, processing and storage of personal data

2.1. The personal data collected, processed and stored by the controller have been collected electronically, mainly via the website and e-mail.

2.2. By sharing their personal data, the data subject grants the controller the right to collect, organise, use and manage the personal data that the data subject shares directly or indirectly when purchasing goods or services from the website for the purposes specified in the Privacy Policy.

2.3. It is the responsibility of the data subject to ensure that the information they provide is accurate, correct and complete. Submission of knowingly false data is regarded as a breach of the Privacy Policy. The data subject is required to immediately notify the controller of any changes to the data submitted.

2.4. The controller is not responsible for any damage caused to the data subject or third parties by the data subject's submission of false information.

3. Processing of customers’ personal data

3.1. The controller may process the following personal data of the data subject:

3.1.1. Given name and surname

3.1.2. Date of birth

3.1.3. Telephone number

3.1.4. E-mail address

3.1.5. Delivery address

3.1.6. Bank account number

3.1.7. Payment card details

3.2. In addition to the foregoing, the controller has the right to collect data about the customer that are available in public registers.

3.3. The legal basis for the processing of personal data is clauses (a), (b), (c) and (f) of Article 6(1) of the General Data Protection Regulation:

a) the data subject consented to the processing of their personal data for one or more specific purposes

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

c) processing is necessary for compliance with a legal obligation to which the controller is subject

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests override the interests of the data subject or the fundamental rights and freedoms for which the personal data must be protected, in particular if the data subject is a child

3.4. Processing of personal data according to the purpose of processing:

3.4.1. Purpose of processing – security and safety

Maximum period of storage of personal data – according to the terms specified by law

3.4.2. Purpose of processing – processing of orders

Maximum storage period for keeping personal data – ten years

3.4.3. Purpose of processing – ensuring the functioning of online shop services

Maximum storage period for keeping personal data – ten years

3.4.4. Purpose of processing – client management

Maximum storage period for keeping personal data – ten years

3.4.5. Purpose of processing – financial activities, accounting

Maximum period of storage of personal data – according to the terms specified by law

3.4.6. Purpose of processing – marketing

Maximum storage period for keeping personal data – five years

3.5. The controller has the right to share customers’ personal data with third parties, such as authorised controllers, accountants, transport and courier companies and companies providing transfer services. The controller processes personal data. The controller forwards the personal data necessary for the execution of payments to the authorised processor Montonio Finance UAB and to the transport company for the transport of the goods.

3.6. When processing and storing the personal data of the data subject, the controller implements organisational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure and any other unlawful forms of processing.

3.7. The controller keeps the data of the data subjects for a period of time depending on the purpose of the processing, but for no longer than ten years.

3.8. The controller may collect non-personal data that cannot be directly linked to a specific individual (gender, age, preferred language, location). The controller may also collect data about customer activities on the website. These data are aggregated and used to identify which parts of the website, goods and services are of most interest. Aggregate data are treated as non-personal data in this Privacy Policy.

4. Rights of data subjects

4.1. The data subject has the right to gain access to and examine their personal data.

4.2. The data subject has the right to obtain information on the processing of their personal data.

4.3. The data subject has the right to modify or rectify inaccurate data.

4.4. If the controller processes the data of the data subject on the basis of the data subject’s consent, the data subject has the right to withdraw the consent at any time.

4.5. To exercise their rights, the data subject can contact the customer support of the Online Shop by writing to info@loodu.ee.

4.6. To protect their rights, the data subject can file a complaint with the Data Protection Inspectorate.

5. Final provisions

5.1. These Data Protection Terms and Conditions have been drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia and the legislation of the Republic of Estonia and the European Union.

5.2. The controller has the right to change the data protection conditions in part or in full by informing the data subjects of these changes via the website loodu.ee.