Privacy Policy

1. General Provisions

1.1. This privacy policy regulates the principles of collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the controller of the personal data ATR OÜ, registry code 12072200, address: Kiisa 9-3, Tallinn, Estonia, 11313 (hereinafter referred to as Data Controller.).

1.2. For the purposes of this privacy policy, a Data Subject means the customer or another natural person whose personal data is processed by the Data Controller. For the purposes of this privacy policy, a customer is anyone who purchases goods or services on the controller’s website.

1.3. When ordering from the online store of the Data Controller, the Data Subject agrees to the terms of this privacy policy by ticking the relevant checkbox while submitting the order.

1.4. The Data Controller follows the principles of data processing provided by legislation, among other things, the Data Controller processes personal data legally, fairly, and securely. The Data Controller is able to confirm that personal data have been processed in accordance with the legislation

1.5 The personal data collected, processed, and stored by Data Collector have been collected electronically, mainly via e-mail and submitting an order via the website. The personal data of the Data Subject, entered by the Data Subject while submitting an order, shall be included in the customer register and used for the performance of the sales contract and the offering of products to the Data Subject.

1.6. By sharing their personal data, the Data Subject grants the Data Controller the right to collect, organize, use and administer, for the purpose defined in the privacy policy, the personal data that the Data Subject shares with the Data Controller either directly or indirectly when purchasing goods or services on the website.

1.7. The Data Subject is liable for the accuracy, correctness, and integrity of the data submitted by them. The submission of knowingly false data is regarded as a breach of the privacy policy. The Data Subject is required to immediately notify the Data Controller of any changes in the data submitted.

1.8. The Data Controller is not liable for any damage or loss caused to the Data Subject or a third party as a result of the submission of false data by the Data Subject.

2. Processing and storage of personal data of customers

2.1. The Data Controller may process the following personal data of the Data Subject: name and surname, phone number, e-mail address, delivery address, method of payment, purchase history, bank account number, IP address.

The Data Controller does not see the bank card information of the Data Subject. To complete the transaction, the customer is directed to a secure environment of Montonio Finance OÜ. At the moment of payment, the customer’s card data is entered and saved by the customer into a database on a server of Montonio Finance OÜ, and the data shall be stored on a Montonio Finance OÜ server. Data Controller shall not be liable for the data processing by Montonio Finance OÜ.

2.2. In addition to the above, the Data Controller has the right to collect data about the customer that is available in public registers.

2.3. The legal basis for the processing of personal data is General Data Protection Regulation paragraph 6 section 1 subsections a), b), c) and f):

a) the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes.

b) processing of personal data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.

c) the processing of personal data may be required in order to comply with a legal obligation

f) processing of personal data is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The source of personal data and the basis for the processing of this data is the creation of a customer relationship under the terms of use when submitting an order on the online store. The processing of personal data is a condition of the contractual relationship.

2.4. Purpose and storage of personal data

2.4.1 Purpose

Personal data is processed in order to:

– Name and surname, phone number, e-mail address, and shipping address are used to manage the customer’s orders and deliver the products.
– Purchase history details (date of purchase, product, quantity, customer’s data) are used for preparing summaries of goods and services purchased and for analysing customer preferences.
– The bank account number is used to make refunds to the customer.
– Personal data such as e-mail, phone number, and the customer’s name are processed to handle any issues relating to providing goods and services (customer support).
– The online store user’s IP address or other network identifiers are processed to provide an online store as an information society service and for website usage statistics.

2.4.2. Storage

The Data Controller stores the data of the Data Subjects depending on the purpose of processing.

When the customer account of the online store is terminated, the personal data will be deleted, except when such data is needed to be preserved for accounting or solving consumer disputes.

If a purchase has been made on the online store without a customer account, the purchase history will be retained for three years.

In the case of consumer disputes and disputes related to payments, personal data will be stored until the fulfilment of a claim or until the end of the expiry period.

The personal data required for accounting are preserved for seven years.

2.5. The Data Controller has the right to share the personal data of customers with third parties such as customer support of the online store, authorized data processors, accountants, transport and courier companies, manufacturers of goods, and transfer services providers.

The Data Controller undertakes not to transfer the personal data of customers to unauthorized third parties unless the obligation to transfer personal data arises from the law.

2.6. When processing and storing the personal data of the Data Subject, the Data Controller implements organizational and technical measures that ensure the protection of personal data against accidental or illegal destruction, modification, disclosure and any other illegal processing.

Transfer of personal data to authorized processors of the online store (e.g. transport service provider and data hosting) is carried out on the basis of contracts concluded with the online store and authorized processors. Authorized processors are obliged to ensure appropriate protection measures when processing personal data.

2.7. The Data Controller is the processor of personal data. The Data Controller shall transmit the personal data necessary for making payments to the authorized processor Montonio Finance OÜ.

2.8. The employees of the online store have access to personal data to resolve technical issues related to the use of the online store and provide customer support service.

3. Rights of the Data Subject

3.1. The Data Subject has the right to access and examine their personal data. Registered users can access personal data on the user profile of the online store, and unregistered customers can access personal data via customer support.

3.2. The Data Subject has the right to receive information about the processing of their personal data.

3.3. The Data Subject has the right to modify or supplement inaccurate data.

3.4. If the Data Controller processes personal data according to an agreement with Data Subject, the Data Subject has the right to withdraw the consent at any time.

3.5.The Data Subject gives the Data Controller consent to send advertising materials and sale offers to the e-mail address entered by the Data Subject when placing an order if the Data Subject has expressed a wish to receive such notifications when placing the order (with a checkmark in the corresponding check box).

3.6. The Data Subject can contact the online store customer support at rubis@rubis.ee to exercise their rights.

3.7. The Data Subject has the right to have their personal data deleted. To delete personal data, customer support must be contacted by sending a request via e-mail rubis@rubis.ee . The deletion request will be answered no later than within a month, and the data deletion period will be specified. The personal data that is not deleted will be listed in a response to the data deletion request of the Data Subject along with legal basis and reasoning.

3.8. To protect their rights, the Data Subject can file a complaint with The Data Protection Inspectorate (info@aki.ee).

4. Final Provisions


4.1.These data protection conditions have been formulated in accordance with the regulation of the European Parliament and of the Council, 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Personal Data Protection Act of the Republic of Estonia and European Union legislations.

4.2. The Data Processor has the right to partially or completely change the data protection conditions by notifying the data subjects of the changes via the website rubis.ee