Privacy Policy

1. General Provisions

1.1. This Privacy Policy governs the principles for the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller Studio 27 OÜ (hereinafter the Data Controller).

1.2. For the purposes of this Privacy Policy, a data subject is a customer or another natural person whose personal data is processed by the Data Controller.

1.3. For the purposes of this Privacy Policy, a customer is any person who purchases goods or services from the Data Controller’s website.

1.4. The Data Controller complies with the principles of personal data processing set out in applicable legislation and processes personal data lawfully, fairly, and securely. The Data Controller is able to confirm that personal data has been processed in accordance with legal requirements.

2. Collection, Processing, and Storage of Personal Data

2.1. Personal data collected, processed, and stored by the Data Controller is collected electronically, primarily via the website and email.

2.2. By sharing their personal data, the data subject grants the Data Controller the right to collect, organise, use, and manage, for the purposes defined in this Privacy Policy, the personal data that the data subject provides directly or indirectly when purchasing goods or services from the website.

2.3. The data subject is responsible for ensuring that the data provided is accurate, correct, and complete. Knowingly providing false information is considered a breach of this Privacy Policy. The data subject must inform the Data Controller without delay of any changes to the data provided.

2.4. The Data Controller is not liable for any damage caused to the data subject or third parties as a result of the data subject providing incorrect information.

3. Processing of Customers’ Personal Data

3.1. The Data Controller may process the following personal data of the data subject:

  • First and last name

  • Date of birth

  • Phone number

  • Email address

  • Delivery address

  • Bank account number

  • Payment card details

3.2. In addition to the above, the Data Controller has the right to collect data about the customer that is available in public registers.

3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):

  • (a) the data subject has given consent for one or more specific purposes;

  • (b) processing is necessary for the performance of a contract concluded with the data subject or for taking steps prior to entering into a contract at the data subject’s request;

  • (c) processing is necessary to comply with a legal obligation of the Data Controller;

  • (f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially where the data subject is a child.

3.4. Purposes of Personal Data Processing and Retention Periods

3.4.1. Purpose: Security and safety
Retention period: As required by law

3.4.2. Purpose: Order processing
Retention period: As required by law

3.4.3. Purpose: Ensuring the operation of the online shop
Retention period: Personal data is stored in the online shop system for the duration of the complaint submission period. After that, all orders and customer data are deleted.

3.4.4. Purpose: Customer management
Retention period: Up to one year

3.4.5. Purpose: Financial activities and accounting
Retention period: As required by law

3.4.6. Purpose: Marketing
Retention period: As required by law

3.5. The Data Controller has the right to share customers’ personal data with third parties such as authorised data processors, accountants, transport and courier companies, and payment service providers. The Data Controller is the controller of personal data and transfers personal data necessary for payment processing to the authorised processor Maksekeskus AS.

3.6. The Data Controller applies appropriate organisational and technical measures when processing and storing personal data to protect personal data against accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.

3.7. The Data Controller stores personal data for no longer than one year, depending on the purpose of processing.

4. Rights of the Data Subject

4.1. The data subject has the right to access their personal data and review it.

4.2. The data subject has the right to receive information about the processing of their personal data.

4.3. The data subject has the right to supplement or correct inaccurate personal data.

4.4. If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw consent at any time.

4.5. To exercise their rights, the data subject may contact customer support at info@studio27.ee.

4.6. The data subject has the right to lodge a complaint with the Estonian Data Protection Inspectorate.

5. Final Provisions

5.1. This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Estonian Personal Data Protection Act, and applicable Estonian and European Union legislation.

5.2. The Data Controller has the right to amend this Privacy Policy in part or in full by notifying data subjects of changes via the website studio27.ee.