General Provisions
1.1. This privacy policy governs the principles regarding the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller Eia Ross OÜ (hereinafter the data processor).
1.2. The data subject in the context of this privacy policy is a customer or any other individual whose personal data is processed by the data processor.
1.3. A customer, in the context of this privacy policy, is anyone who purchases goods or services from the data processor’s website.
1.4. The data processor follows the data processing principles set out in applicable legislation, ensuring that personal data is processed lawfully, fairly, and securely. The data processor can confirm that personal data is processed in accordance with legal requirements.
Collection, Processing, and Storage of Personal Data
2.1. The personal data collected, processed, and stored by the data processor is primarily collected electronically via the website and email.
2.2. By sharing their personal data, the data subject grants the data processor the right to collect, organize, use, and manage, for the purposes specified in this privacy policy, the personal data that the data subject provides directly or indirectly when purchasing goods or services from the website.
2.3. The data subject is responsible for ensuring that the data provided is accurate, correct, and complete. The submission of knowingly false information is considered a violation of the privacy policy. The data subject is obligated to notify the data processor immediately if their information changes.
2.4. The data processor is not liable for any damage caused to the data subject or third parties by incorrect information provided by the data subject.
Processing of Customer Personal Data
3.1. The data processor may process the following personal data of the data subject:
3.1.1. First and last name;
3.1.2. Date of birth;
3.1.3. Phone number;
3.1.4. Email address;
3.1.5. Delivery address;
3.1.6. Bank account number;
3.1.7. Credit card details.
3.2. In addition to the above, the data processor may collect data about the customer from public registers.
3.3. The legal basis for processing personal data is in accordance with Article 6, paragraph 1 of the General Data Protection Regulation (GDPR):
a) The data subject has given consent for the processing of their personal data for one or more specific purposes;
b) The processing of personal data is necessary for the performance of a contract with the data subject or for taking steps prior to entering into a contract, at the data subject’s request;
c) The processing of personal data is necessary for compliance with a legal obligation of the data processor;
f) The processing of personal data is necessary for the legitimate interests pursued by the data processor or a third party, except where such interests are overridden by the data subject’s rights and freedoms, particularly where the data subject is a child.
3.4. Personal data processing for specific purposes:
3.4.1. Processing purpose – Security and safety; maximum retention period for personal data – according to statutory time limits
3.4.2. Processing purpose – Order processing; maximum retention period for personal data – 365 days
3.4.3. Processing purpose – Ensuring the operation of the e-store services; maximum retention period for personal data – 365 days
3.4.4. Processing purpose – Customer management; maximum retention period for personal data – 365 days
3.4.5. Processing purpose – Financial activities, accounting; maximum retention period for personal data – according to statutory time limits
3.4.6. Processing purpose – Marketing; maximum retention period for personal data – 365 days
3.5. The data processor has the right to share customer personal data with third parties, such as authorized data processors, accountants, transport and courier companies, and payment service providers. The data processor is the data controller. The data processor may share personal data required for processing payments with the authorized processor Maksekeskus AS.
3.6. The data processor applies organizational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.
3.7. The data processor retains the data subject’s data for no longer than necessary for the purpose of processing, and no longer than 3 years.
Rights of the Data Subject
4.1. The data subject has the right to access their personal data and to review it.
4.2. The data subject has the right to obtain information about the processing of their personal data.
4.3. The data subject has the right to correct or amend inaccurate data.
4.4. If the data processor processes personal data based on the data subject’s consent, the data subject has the right to withdraw their consent at any time.
4.5. The data subject can exercise their rights by contacting customer support at info@eiaross.com.
4.6. The data subject has the right to submit a complaint to the Data Protection Inspectorate to protect their rights.
Final Provisions
5.1. These data protection terms have been created in accordance with the European Parliament and Council Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and the repeal of Directive 95/46/EC (General Data Protection Regulation), the Estonian Personal Data Protection Act, and the legal acts of the Republic of Estonia and the European Union.
5.2. The data processor has the right to modify these data protection terms partially or entirely, notifying the data subjects of any changes via the website www.EiaRoss.com.