poksikinnas

Privacy policy


The controller of the personal data of the online shop is WARUKU.COM (registry code 39009290238), located at

Tuisu tn 18-14, Kristiine linnaosa, 13415 Tallinn, Harju maakond, and e-mail info@waruku.com. The controller has designated a data protection officer who

can be contacted by e-mail info@waruku.com (applicable to those who have a designated

data protection officer).

Which personal data are processed?

name, phone number and e-mail address;

delivery address;

bank account number;

cost of goods and services and data related to payments (purchase history);

customer support data;

IP address.

This list is a non-exhaustive example. The list should include only the categories of

personal data that are actually processed/collected. It is definitely recommended to

consult with the creator/developer of the online shop on the technical information, i.e.

to ask them which online identifiers and other data the web server logs.

For which purposes are personal data processed?

Personal data is used to manage the customer’s orders and to deliver goods.

Purchase history data (date of purchase, goods, quantity, customer data) are used to put together

an overview of the goods and services purchased, to analyse customer preferences and, among

other things, for the purposes of resolving consumer disputes.

The bank account number is used to reimburse payments to the customer.

Personal data such as the e-mail address, telephone number and name of the customer are

processed to handle any issues relating to the provision of goods and services (customer support).

E-mail is also used in order to forward invoices and the telephone number is used to notify the

customer about their goods arriving in the parcel locker.

The IP address or other online identifiers of users of the online shop are processed for the provision

of the online shop as an information society service and for web use statistics.

This is an example list, which should correspond to the list in the previous section, and the

purpose of processing for each category of personal data should correspond to the actual

purpose of the processing.

Legal basis

The purpose of processing personal data is to fulfil the agreement entered into with the customer

(managing the customer’s orders, delivery, returning goods and reimbursing payments).

Personal data are processed in order to fulfil legal obligations (e.g. for accounting).

The processing of personal data, i.e. the collection of purchase history data for the purposes of

resolving potential consumer disputes, is necessary due to the controller’s legitimate interest.

An analysis of legitimate interest should be carried out before exercising legitimate interest

(instructions:

https://www.aki.ee/sites/default/files/dokumendid/oigustatud_huvi_juhend_aki_26.05.2020.pdf

). The analysis should either be included in the privacy policy or it should be explicitly indicated

how the analysis can be accessed (e.g. in order to access the legitimate interest analysis, send an

e-mail to andmekaitse@ettevõte). See clause 13 (1) d) of the GDPR.

The data are processed with the consent of the customer for the following purposes: _____

(applicable to those who process personal data outside the terms of use, e.g. for profiling and

direct marketing. The customer should be informed of the processing in advance and the

consent should be individually confirmed).

Recipients of personal data

Personal data are forwarded to the customer support of the online shop in order to manage purchase

history and resolve customer issues (applicable only when customer support is provided by a third

party, i.e. someone outside the online shop).

Name, telephone number and e-mail address are forwarded to the transport service provider

selected by the customer. If the goods are delivered by a courier, the customer’s contact details, as

well as their address, are forwarded to the courier.

If an outside service provider handles the accounting for the online shop, the personal data is

forwarded to that service provider to perform the accounting operations.

Personal data may be forwarded to IT service providers if this is needed to ensure the functionality

of the online shop or to host data.

Security and access to data

Personal data are stored in the servers of ____, which are located on the territory of a member state

of the European Union or states of the European Economic Area. Data may be forwarded to states

whose level of data protection is sufficient according to the European Commission or to a company

of a third state to which a safeguard specified in articles 46 or 47 or in subsection 49 (1) of the

GDPR has been applied.

The specific safeguard should be pointed out and it should be indicated how it can be accessed

(e.g. if the online shop relies on the European Commission’s standard data protection clauses

with the third state provider). See clause 13 (1) f) of the GDPR.

Personal data can be accessed by the staff of the online shop in order to resolve technical issues

related to the use of the online shop and to provide customer support.

The online shop applies the relevant physical, organisational and IT security measures in order to

protect personal data from accidental or unlawful destruction, loss, amendment or unauthorised

access and disclosure. These measures are: (list of security measures the online shop applies. For

example, data exchange with the online shop is carried out via an encrypted connection (TLS),

the customer’s passwords are encrypted (password hashes), standard encryption is used when

sending e-mails, there is a firewall and a relevant virus protection to protect the online shop’s

servers, there are regular backups that are kept separately from the online shop’s servers.)

Personal data are forwarded to processors (e.g. the transport service provider and data hosts) on

the basis of contracts between the online shop and processors. Upon processing data, the processors

are obliged to ensure the relevant safeguards in accordance with article 28 of the GDPR.

Access to and rectification of personal data

Personal data can be accessed and rectified via the online shop’s user profile or customer support.

If a purchase is made without a user account, personal data can be accessed via customer support.

If the request to access personal data has been submitted electronically, the information will also

be provided via commonly used electronic means.

Withdrawal of consent

If personal data are processed with the customer’s consent, the customer has the right to withdraw

their consent by making relevant changes in the user account’s settings or by notifying customer

support via e-mail.

Storage

Personal data are erased upon deleting the online shop’s customer account, except for the personal

data (purchase history) which are necessary for accounting or to resolve consumer disputes.

In the event of disputes regarding payments and consumer disputes, personal data are stored until

the claim is settled or the limitation period expires.

The personal data in original accounting documents is stored for seven years.

Restriction

If the data are incorrect, incomplete or processed unlawfully, the customer has the right to request

the restriction of the processing of their personal data.

Objections

The customer has the right to submit objections regarding the processing of their personal data if

they have a reason to believe that there is no legal basis to process their personal data.

Erasure

For the erasure of personal data, customer support should be contacted by e-mail. Requests for

erasure are responded to within one month and the period of erasure is specified. The response to

the request will also indicate which personal data will not be erased, on which legal basis and why.

Transfer

Requests to transfer personal data submitted via e-mail are responded to within one month.

Customer support identifies the person and indicates which personal data is to be transferred.

Direct marketing messages

The e-mail address and telephone number are used to send direct marketing messages if the

customer has consented to receiving such messages. If the customer does not wish to receive direct

marketing messages, they should select the relevant link at the footer of the e-mail or contact

customer support.

Where personal data are processed for direct marketing purposes (profiling), the customer has the

right to object at any time both to the initial and further processing of their personal data, including

profiling related to direct marketing, by notifying customer support thereof via e-mail (the

respective information should be submitted clearly and separately from any other information).

In the event of profiling, information about the logic involved, as well as the significance and

the estimated consequences of such processing for a natural person should be submitted (see

clause 13 (2) f), clause 14 (2) g) and recital 60 of the GDPR).

Resolution of disputes

Disputes concerning the processing of personal data are settled through customer support

(CONTACT DETAILS). The supervisory authority is the Estonian Data Protection Inspectorate

(info@aki.ee).