Oathfeed Accessory Cabinet Web Store, the data controller, is OÜ Oathfeed (registration code 16710258), located at Käärdi 4, Võiste, Häädemeeste Vald, Estonia. Tel: +372 5694 8481, email: silvi@oathfeed.com.

Types of Personal Data Processed:

- Name, phone number, and email address
- Delivery address for the purchased goods
- Bank account number
- Cost of goods and services and related payment information (purchase history)
- Customer support data
- IP address

Purpose of Personal Data Processing:

Personal data is used for managing customer orders and delivering goods. Purchase history data (purchase date, items, quantity, customer information) is used to compile overviews of purchased goods and services, analyze customer preferences, and resolve consumer disputes. Bank account numbers are used for processing customer refunds. Personal data such as email, phone number, and customer name are processed to address questions related to the provision of goods and services (customer support). Additionally, email addresses are used for sending invoices, and phone numbers are used to inform customers about package delivery to parcel lockers. The Web Store uses IP addresses and other network identifiers to provide the online store service and generate web usage statistics.

Legal Basis for Processing

Processing of personal data is based on the fulfillment of the contract with the customer (management of customer orders, delivery, and refund of goods and payments). Processing of personal data is carried out to comply with legal obligations (e.g., accounting). Processing of personal data is necessary for the legitimate interest of the data controller, which includes collecting purchase history data to resolve potential consumer disputes.

Recipients to Whom Personal Data Is Disclosed

Name, phone number, and email address are disclosed to the transportation service provider chosen by the customer. For items delivered by courier, the customer's address is also provided. If the Web Store's accounting is outsourced to a service provider, personal data is disclosed to the service provider for accounting purposes. Personal data may be disclosed to IT service providers if necessary to ensure the functionality or data hosting of the online store.

Security and Access to Data

Personal data is stored on Zone virtual servers located in the territory of a European Union member state or a country within the European Union Economic Area. Data may be transferred to countries whose data protection level has been assessed as adequate by the European Commission or to a third country enterprise subject to the protection measures mentioned in Articles 46, 47, or 49(1) of the General Data Protection Regulation. Access to personal data is restricted to Web Store employees who need to access the data for resolving technical issues related to the online store and providing customer support. The Web Store implements appropriate physical, organizational, and IT security measures to protect personal data from accidental or unlawful destruction, loss, alteration, or unauthorized access and disclosure. Measures include encrypted communication for data exchange with the online store (TLS), encrypted storage of customer passwords (hashing), standard encryption for sending emails, and firewall protection for the web store's servers. Transmission of personal data to authorized processors (e.g., transportation service providers and data hosting) is based on contracts concluded between the Web Store and the authorized processors. Authorized processors are required to implement appropriate protection measures in accordance with Article 28 of the General Data Protection Regulation.

Accessing and Correcting Personal Data

Customers can access and correct their personal data through their user profile on the online store or through customer support. If a purchase is made without a user account, the customer can access personal data through customer support. If a request for accessing personal data is submitted electronically, the information will be provided through publicly available electronic means.

Withdrawal of Consent

If personal data processing is based on customer consent, the customer has the right to withdraw consent by changing the settings in their customer account or by notifying customer support via email.

Retention

Upon closing the customer account on the Web Store, personal data is deleted, except for personal data (purchase history) necessary for accounting or resolving consumer disputes. Personal data related to payments and consumer disputes is retained until the claim is fulfilled or the limitation period expires. Personal data included in primary accounting documents is retained for seven years.

Restriction

Customers have the right to request the restriction of processing their personal data if the data is inaccurate, incomplete, or processed unlawfully.

Objections

Customers have the right to object to the processing of their personal data if they have reason to believe that there is no legal basis for processing the data.

Deletion

To delete personal data, customers must contact customer support via email. The request will be answered within one month, specifying the period for data deletion. The response will also identify personal data that will not be deleted and the legal basis and reason for retention.

Transfer

A request for transferring personal data submitted via email will be answered within one month. Customer support will verify the identity of the individual and provide information on the personal data subject to transfer.

Direct Marketing Notices

Email addresses and phone numbers are used for sending direct marketing notices if the customer has given consent for such use. Customers who do not wish to receive direct marketing notices can either click the appropriate link in the email footer or contact customer support. In case of personal data processing for direct marketing purposes (profiling), customers have the right to object to the processing of their personal data, including profiling analysis related to direct marketing, at any time by notifying customer support via email (clear and separate information should be provided in each case). If profiling is conducted, information about the logic used and the importance and expected consequences of such personal data processing for the individual is provided (see Article 13(2)(f) and Article 14(2)(g) of the General Data Protection Regulation and Recital 60 of the General Data Protection Regulation).

Dispute Resolution

Disputes related to the processing of personal data are resolved through customer support (see CONTACT page). The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).