Cart
Your cart is empty
Continue shopping
General Provisions
1.1. This privacy policy governs the principles of collecting, processing, and storing personal data. Personal data is collected, processed, and stored by the data controller Gabrie OÜ (hereinafter the data controller).
1.2. The data subject, within the meaning of this privacy policy, is the client or other natural person whose personal data is processed by the data controller.
1.3. The client, within the meaning of this privacy policy, is anyone who purchases goods or services from the data controller's website.
1.4. The data controller complies with the principles of data processing set out in legislation, including processing personal data lawfully, fairly, and securely. The data controller is able to confirm that personal data has been processed in accordance with legal requirements.
Collection, Processing, and Storage of Personal Data
2.1. Personal data collected, processed, and stored by the data controller is mainly collected electronically via the website and email.
2.2. By sharing their personal data, the data subject grants the data controller the right to collect, organize, use, and manage personal data for the purposes defined in this privacy policy, which the data subject shares directly or indirectly when purchasing goods or services on the website.
2.3. The data subject is responsible for ensuring the accuracy, correctness, and completeness of the data provided. Deliberate submission of false data is considered a violation of this privacy policy. The data subject is obliged to promptly notify the data controller of any changes to the data provided.
2.4. The data controller is not responsible for damages caused to the data subject or third parties due to false data submitted by the data subject.
Processing of Clients' Personal Data
3.1. The data controller may process the following personal data of the data subject:
3.1.1. First and last name;
3.1.2. Phone number;
3.1.3. Email address;
3.1.4. Delivery address;
3.1.5. Bank account number;
3.1.6. Payment card details;
3.2. In addition to the above, the data controller may collect data about the client available in public registers.
3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation:
a) the data subject has given consent to process their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or to take steps prior to entering into a contract at the data subject's request;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
f) processing is necessary for the legitimate interests pursued by the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject;
3.4. Personal data processing according to purpose:
3.4.1. Purpose – security and safety
Maximum retention period – according to legal deadlines;
3.4.2. Purpose – order processing
Maximum retention period – up to 2 years;
3.4.3. Purpose – ensuring operation of e-shop services
Maximum retention period – up to 2 years;
3.4.4. Purpose – customer management
Maximum retention period – up to 5 years;
3.4.5. Purpose – financial activities, accounting
Maximum retention period – according to legal deadlines;
3.4.6. Purpose – marketing
Maximum retention period – until withdrawal of consent or up to 3 years.
3.5. The data controller has the right to share clients' personal data with third parties, such as authorized data processors, accountants, transport and courier companies, and payment service providers. The data controller is the responsible controller. The data controller transmits necessary personal data for payment processing to the authorized processor Maksekeskus AS.
3.6. The data controller applies organizational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.
3.7. The data controller retains data subjects' data depending on the purpose of processing, but no longer than 5 years.
Rights of the Data Subject
4.1. The data subject has the right to access and review their personal data.
4.2. The data subject has the right to receive information about the processing of their personal data.
4.3. The data subject has the right to supplement or correct inaccurate data.
4.4. If personal data is processed based on the data subject's consent, the data subject has the right to withdraw consent at any time.
4.5. The data subject can exercise their rights by contacting the e-shop customer support at info@gabrie.ee.
4.6. The data subject may submit a complaint to the Data Protection Inspectorate for protection of their rights.
Final Provisions
5.1. These data protection terms are drafted in accordance with the EU Regulation (EU) 2016/679 (General Data Protection Regulation), the Estonian Personal Data Protection Act, and other relevant Estonian and EU laws.
5.2. The data controller has the right to amend these data protection terms partially or fully, notifying data subjects of changes via the website info@gabrie.ee