Privacy Policy
1. General Provisions
1.1. This Privacy Policy governs the principles regarding the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller Torenurm OÜ (hereinafter referred to as the "Data Processor").
1.2. In the context of this Privacy Policy, the data subject refers to a customer or any other natural person whose personal data is processed by the Data Processor.
1.3. A customer, as defined in this Privacy Policy, refers to anyone who purchases goods or services from the Data Processor's website.
1.4. The Data Processor follows the principles of data processing set forth in applicable legislation, including ensuring that personal data is processed lawfully, fairly, and securely. The Data Processor confirms that personal data is processed in accordance with the legal requirements.
2. Collection, Processing, and Storage of Personal Data
2.1. Personal data collected, processed, and stored by the Data Processor is gathered electronically, primarily through the website and email.
2.2. By sharing their personal data, the data subject grants the Data Processor permission to collect, organize, use, and manage personal data for the purposes defined in this Privacy Policy, which the data subject shares directly or indirectly through purchasing goods or services on the website.
2.3. The data subject is responsible for ensuring that the data they provide is accurate, correct, and complete. The deliberate submission of false information is considered a violation of this Privacy Policy. The data subject is obligated to inform the Data Processor promptly of any changes to the provided data.
2.4. The Data Processor is not liable for any damages caused to the data subject or third parties due to the submission of incorrect data by the data subject.
3. Processing of Customer Personal Data
3.1. The Data Processor may process the following personal data of the data subject:
3.1.1. First and last name;
3.1.2. Date of birth or personal identification code;
3.1.3. Phone number;
3.1.4. Email address;
3.1.5. Delivery address;
3.1.6. Bank account number;
3.1.7. Goods cost and payment-related data (purchase history);
3.1.8. Customer support data.
3.2. In addition to the above, the Data Processor has the right to collect data about the customer that is available in public registries.
3.3. The legal basis for processing personal data is set forth in Article 6(1) of the General Data Protection Regulation (GDPR): a) the data subject has given consent for the processing of their personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the data controller is subject; f) processing is necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms, especially where the data subject is a child.
3.4. The purpose of personal data processing:
3.4.1. Purpose – security and safety Maximum data retention period – as specified by the law
3.4.2. Purpose – order processing Maximum data retention period – 48 hours
3.4.3. Purpose – ensuring the operation of the online store services Maximum data retention period – 7 years
3.4.4. Purpose – customer management Maximum data retention period – 5 years
3.4.5. Purpose – financial activities, accounting Maximum data retention period – as specified by the law
3.4.6. Purpose – marketing Maximum data retention period – 10 years
3.5. The Data Processor has the right to share customer personal data with third parties, such as authorized processors, accountants, transport and courier companies, and payment service providers. The Data Processor is the controller of personal data. The Data Processor will share necessary personal data with the authorized processor Maksekeskus AS for payment processing.
3.6. The Data Processor implements organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
3.7. The Data Processor retains the data of the data subject depending on the purpose of processing, but not for longer than 10 years.
4. Rights of the Data Subject
4.1. The data subject has the right to access their personal data and review it.
4.2. The data subject has the right to obtain information about the processing of their personal data.
4.3. The data subject has the right to rectify inaccurate data.
4.4. If the Data Processor processes the personal data of the data subject based on their consent, the data subject has the right to withdraw consent at any time.
4.5. The data subject may contact customer support at info@c12wood.ee to exercise their rights.
4.6. The data subject also has the right to lodge a complaint with the Data Protection Inspectorate to protect their rights.
5. Final Provisions
5.1. These data protection terms are created in accordance with EU Regulation (EU) 2016/679 on the protection of individuals regarding the processing of personal data and the free movement of such data, as well as the repeal of Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and relevant Estonian and EU legislation.
5.2. The Data Processor reserves the right to modify these data protection terms, either partially or fully, by notifying the data subjects of the changes through the website www.c12wood.ee.