PERSONAL DATA PROCESSING

The controller responsible for processing personal data in the Heveren online store is Insystem Baltic OÜ (registry code 11278572), located at Lai 2, 79806 Kohila parish, Rapla county, phone +372 53 020 891, e-mail info@insystem.ee. Personal data is used for managing customer orders and delivering goods.

Purchase history data (date of purchase, product, quantity, customer data) is used to prepare an overview of purchased goods and services, and to analyse customer preferences.

The bank account number is used to issue refunds to customers.

Personal data such as e-mail, phone number, and customer name is processed in order to solve issues related to the provision of goods and services (customer support).

The IP address or other online identifiers of the online store user are processed for the provision of the online store as an information society service and for web usage statistics.

Legal Basis

Personal data is processed for the purpose of fulfilling the contract concluded with the customer.

Personal data is processed to comply with legal obligations (e.g. accounting, consumer dispute resolution).

Recipients of Personal Data

Personal data is transmitted to online store customer support for management of purchases and purchase history and for solving customer-related issues.

The customer’s name, phone number and e-mail address are transmitted to the transport service provider selected by the customer. If the goods are delivered by courier, the customer’s address is also transmitted in addition to contact details.

Personal data (name and bank account number) is transmitted to the accounting service provider to carry out accounting operations.

Security and Access to Data

Personal data is stored on servers of Veebimajutus located in a member state of the European Union or in a country of the European Economic Area. Data may be transferred to countries whose data protection level has been deemed adequate by the European Commission and to companies in the United States that adhere to the Privacy Shield framework.

Access to personal data is granted only to employees of the online store who need the data to solve technical issues related to the online store or provide customer support.

The online store applies appropriate physical, organizational and IT security measures in order to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure.

Transfer of personal data to authorised processors (e.g. transport companies, hosting service providers) takes place based on agreements between the online store and the processors. The processors are required to ensure appropriate data protection measures.

Accessing and Correcting Personal Data

Personal data can be viewed and corrected in the customer’s account profile. If the purchase was made without creating a user account, personal data can be accessed through customer support.

Withdrawal of Consent

If personal data is processed based on customer consent, the customer has the right to withdraw consent by informing customer support by e-mail.

Retention

When a customer account of the online store is closed, personal data is deleted unless such data must be retained for accounting or consumer dispute resolution.

If a purchase is made without a customer account, the purchase history is retained for three years.

In the case of disputes related to payments or consumer complaints, data is retained until the claim is resolved or until the limitation period expires.

Personal data required for accounting is retained for seven years.

Deletion

To request deletion of personal data, contact customer support by e-mail. The deletion request will be answered no later than within one month, and the data deletion period will be specified.

Data Portability

Requests for data portability submitted by e-mail will be answered within one month. Customer support verifies identity and informs the customer which personal data is subject to transfer.

Direct Marketing Messages

E-mail address and phone number are used to send direct marketing messages if the customer has given consent. If the customer no longer wishes to receive direct marketing messages, they may unsubscribe using the link in the newsletter footer or by contacting customer support.

If personal data is processed for direct marketing purposes (including profiling), the customer has the right to object at any time to the processing of their personal data for such purpose by informing customer support at info@insystem.ee.

Dispute Resolution

Disputes related to personal data processing are resolved through customer support (info@insystem.ee).
The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).