Valli tee 17, Vaela küla, Kiili vald 75413 Harjumaa Estonia
Valli tee 17, Vaela küla, Kiili vald 75413 Harjumaa Estonia
1.1. This privacy policy governs the principles of collecting, processing, and storing personal data. Personal data is collected, processed, and stored by the data controller, Arras OÜ (hereinafter referred to as the “data controller”).
1.2. A data subject, within the meaning of this privacy policy, is a customer or any other natural person whose personal data is processed by the data controller.
1.3. A customer, within the meaning of this privacy policy, is anyone who purchases goods or services from the data controller’s website.
1.4. The data controller complies with the principles of data processing established by law, ensuring that personal data is processed lawfully, fairly, and securely. The data controller can confirm that personal data is processed in accordance with legal requirements.
2.1. Personal data collected, processed, and stored by the data controller is primarily obtained electronically, mainly through the website and email.
2.2. By sharing their personal data, the data subject grants the data controller the right to collect, organize, use, and manage personal data for the purposes defined in this privacy policy. This includes data provided directly or indirectly when purchasing goods or services on the website.
2.3. The data subject is responsible for ensuring that the provided information is accurate, correct, and complete. Knowingly providing false information is considered a violation of this privacy policy. The data subject must notify the data controller immediately of any changes to the provided information.
2.4. The data controller is not responsible for any damage caused to the data subject or third parties due to incorrect information provided by the data subject.
3.1. The data controller may process the following personal data of the data subject:
3.1.1. First and last name;
3.1.2. Phone number;
3.1.3. Email address;
3.1.4. Delivery address;
3.1.5. Bank account number.
3.2. In addition to the above, the data controller has the right to collect data about the customer from publicly available registers.
3.3. The legal basis for processing personal data is Article 6(1) of the General Data Protection Regulation (GDPR):
(a) The data subject has given consent for processing their personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract with the data subject or to take steps at the request of the data subject before entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the data controller is subject;
(f) Processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject, especially if the data subject is a child.
(g) Processing for direct marketing purposes.
3.4. Processing of personal data based on purpose:
3.4.1. Purpose: Security and safety – Retention period: As required by law.
3.4.2. Purpose: Order processing – Retention period: As required by law.
3.4.3. Purpose: Ensuring the functionality of e-commerce services – Retention period: As required by law.
3.4.4. Purpose: Customer management – Retention period: As required by law.
3.4.5. Purpose: Financial activities and accounting – Retention period: As required by law.
3.4.6. Purpose: Marketing – Retention period: As required by law.
3.5. The data controller has the right to share customer personal data with third parties, including authorized processors, accountants, transportation and courier companies, and payment service providers. The data controller is responsible for personal data, while payments are processed through the authorized processor Montonio AS.
3.6. The data controller applies organizational and technical measures to ensure the protection of personal data from accidental or unlawful destruction, alteration, disclosure, or any other form of unlawful processing.
3.7. The data controller retains personal data for up to 15 years, depending on the processing purpose.
4.1. The data subject has the right to access their personal data and review it.
4.2. The data subject has the right to receive information regarding the processing of their personal data.
4.3. The data subject has the right to supplement or correct inaccurate data.
4.4. If the data controller processes personal data based on the data subject’s consent, the data subject has the right to withdraw their consent at any time.
4.5. To exercise their rights, the data subject may contact customer support at info@arras.eu.
4.6. The data subject has the right to file a complaint with the Data Protection Inspectorate for the protection of their rights.
5.1. This privacy policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679, the Personal Data Protection Act of the Republic of Estonia, and other applicable Estonian and European Union laws.
5.2. The data controller reserves the right to amend this privacy policy in whole or in part, notifying data subjects via the website www.arrascf.eu.