The responsible data controller for the online store lillepidu.ee is OÜ Baltum Grupp (10812555), located at Taara 1, Tallinn 11620, phone +372 5243357, and email marianne@lillepidu.ee.
What personal data is processed
Name, phone number, and email address;
Delivery address;
Bank account number;
Cost of goods and services and payment-related data (purchase history);
Customer support data.
For what purpose is personal data processed
Personal data is used for managing customer orders and delivering goods.
Purchase history data (purchase date, goods, quantity, customer data) is used to compile an overview of purchased goods and services and to analyze customer preferences.
The bank account number is used to refund payments to customers.
Personal data such as email, phone number, and customer name is processed to resolve issues related to the provision of goods and services (customer support).
The IP address of the online store user or other network identifiers are processed for the provision of the online store as an information society service and for website usage statistics.
Legal basis
The processing of personal data is carried out for the purpose of fulfilling the contract concluded with the customer.
The processing of personal data is carried out to fulfill legal obligations (e.g., accounting and resolving consumer disputes).
Recipients to whom personal data is transmitted
Personal data is transmitted to the online store customer support for managing purchases and purchase history and resolving customer issues.
Name, address, phone number, and email address are transmitted to the transport service provider chosen by the customer.
If the goods are delivered by courier, the customer’s address and phone number are also transmitted along with the contact information.
The accounting of the online store is performed by the service provider, so personal data is transmitted to the service provider for accounting operations.
Personal data may be transmitted to information technology service providers if necessary to ensure the functionality of the online store or data hosting.
Security and access to data
Personal data is stored on Zone.ee servers, located within the territory of a member state of the European Union or countries that have joined the European Economic Area.
Data may be transmitted to countries whose level of data protection has been assessed as adequate by the European Commission and to U.S. companies that have joined the Privacy Shield framework.
Access to personal data is granted to employees of the online store who need to access personal data to resolve technical issues related to the use of the online store and to provide customer support services.
The online store implements appropriate physical, organizational, and IT security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized access, and disclosure.
The transmission of personal data to authorized processors (e.g., transport service providers and data hosting) is based on contracts concluded between the online store and authorized processors. Authorized processors are obligated to ensure appropriate protective measures in the processing of personal data.
Access and correction of personal data
Personal data can be accessed and corrected in the online store user profile.
If a purchase was made without a user account, personal data can be accessed through customer support.
Withdrawal of consent
If the processing of personal data is based on the customer’s consent, the customer has the right to withdraw consent by notifying customer support via email.
Retention
When the online store customer account is closed, personal data will be deleted, except in cases where such data must be retained for accounting purposes or resolving consumer disputes.
If a purchase is made in the online store without a customer account, the purchase history will be retained for three years.
In cases of disputes related to payments and consumer disputes, personal data will be retained until the claim is fulfilled or the statute of limitations expires.
Personal data necessary for accounting purposes will be retained for seven years.
Deletion
To delete personal data, you must contact customer support via email.
Responses to deletion requests will be provided within one month, specifying the data deletion period.
Transfer
Requests for the transfer of personal data submitted via email will be responded to within one month.
Customer support will verify the identity and inform about the personal data to be transferred.
Direct marketing communications
The email address and phone number are used to send direct marketing communications if the customer has given the corresponding consent.
If the customer does not wish to receive direct marketing communications, they must select the relevant link in the email footer or contact customer support.
Dispute resolution
Dispute resolution related to the processing of personal data occurs through customer support (CONTACT DETAILS). The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).