1. Processing of Personal Data
The data controller for the cbdshop.ee online store is Green shop SIA (registration code 40203249140), email: cbdshop.estland@gmail.com.
What personal data is processed
- name, phone number and email address;
- delivery address;
- bank account number;
- cost of goods and services and payment-related data (purchase history);
- customer support data.
For what purposes personal data is processed
- Personal data is used to manage customer orders and deliver goods.
- Purchase history data (purchase date, goods, quantity, customer data) is used to create an overview of purchased goods and services and to analyze customer preferences.
- Bank account numbers are used to issue refunds to customers.
- Personal data such as email, phone number, and customer name are processed to resolve issues related to goods and services (customer support).
- The IP address or other network identifiers of the online store user are processed for providing the online store service and for website usage statistics.
2. Legal basis
Personal data is processed for the performance of a contract concluded with the customer.
Personal data is processed to comply with legal obligations (e.g. accounting and consumer dispute resolution).
Recipients of personal data
Personal data is shared with the online store’s customer support for managing orders, purchase history, and resolving customer issues.
Name and phone number are shared with the selected delivery service provider and/or supplier when the supplier ships the goods. If delivery is made by courier or to a post office, the customer’s address is also shared.
If accounting is handled by a service provider, personal data is shared for accounting purposes.
Personal data may be shared with IT service providers if necessary for website functionality or hosting.
3. Security and access to data
Personal data is stored on Veebimajutus.ee servers located in the EU or EEA. Data may be transferred to countries deemed adequate by the European Commission or to companies participating in the Privacy Shield framework.
Access to personal data is granted to online store employees who need it to resolve technical issues or provide customer support.
The online store applies appropriate physical, organizational, and IT security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.
The online store is the data controller and transfers the data necessary for payments to the authorized processor Maksekeskus AS.
Transfers to processors (e.g. logistics providers and hosting services) are based on agreements ensuring adequate protection of personal data.
4. Access and correction of personal data
Personal data can be viewed and corrected in the user profile. If the purchase was made without an account, data can be accessed via customer support.
5. Withdrawal of consent
If data processing is based on consent, the customer has the right to withdraw consent by notifying customer support via email.
6. Retention
When a customer account is closed, personal data is deleted unless it must be retained for accounting or dispute resolution purposes.
If purchases are made without an account, purchase history is stored for 3 years.
In case of payment disputes, data is stored until the claim is fulfilled or the limitation period expires.
Accounting-related data is stored for 7 years.
7. Deletion
Requests for data deletion must be sent to customer support via email. Requests are answered within one month, specifying the deletion timeframe.
8. Data portability
Requests for data portability sent via email are answered within one month. Customer support verifies identity and provides information on transferable data.
9. Direct marketing communications
Email addresses and phone numbers are used for direct marketing messages if the customer has given consent. Customers can unsubscribe via the email footer or by contacting customer support.
If personal data is processed for direct marketing (profiling), the customer has the right to object at any time by contacting customer support via email. This must be clearly stated separately from other information.
10. Dispute resolution
Disputes related to personal data processing are resolved via customer support (email: cbdshop.estland@gmail.com). The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).