Privacy Policy

Last updated: Sept 25, 2023

1. General Provisions

1.1. This privacy policy outlines the principles governing the collection, processing, and storage of personal data. Personal data is processed and stored by Flow Lab EU OÜ, a private limited company registered under registry code 14687934 on 22.03.2019. Flow Lab EU OÜ is responsible for the processing of personal data and will be referred to as "the controller" in this policy.

1.2. In this privacy policy, "data subject" refers to the customer or any other natural person whose personal data is processed by the controller.

1.3. A "customer" in this context is anyone who purchases goods or services through the controller's website.

1.4. The controller is committed to adhering to all relevant legislation and ensuring that personal data is processed lawfully, fairly, and securely.

2. Collection, Processing, and Storage of Personal Data

2.1. Personal data collected, processed, and stored by the controller is primarily obtained electronically, mainly via the website and email.

2.2. By providing their personal data, data subjects grant the controller the right to collect, use, and manage their personal data for the purposes defined in this privacy policy, whether shared directly or indirectly during the purchase of goods or services on the website.

2.3. Data subjects are responsible for the accuracy, correctness, and integrity of the information they submit. Knowingly providing false information constitutes a violation of this privacy policy, and data subjects are required to promptly notify the controller of any changes in their submitted data.

2.4. The controller is not liable for any damage or loss resulting from the submission of false data by the data subject.

3. Processing of Personal Data of Customers

3.1. The controller may process the following personal data of data subjects:

- Given name and surname
- Date of birth
- Telephone number
- Email address
- Delivery address
- Bank account number
- Payment card details: Name and Card Number

3.2. Additionally, the controller has the right to collect publicly available data about the customer.

3.3. The legal basis for processing personal data includes Article 6(1) of the General Data Protection Regulation:

- (a) Consent from the data subject.
- (b) Processing necessary for the performance of a contract.
- (c) Processing required for compliance with legal obligations.
- (f) Processing necessary for legitimate interests, except where overridden by the rights and freedoms of the data subject.

3.4. Personal data is processed for specific purposes:

- Security and safety: Retained as required by law.
- Order processing: 30 days
- Ensuring the functioning of online store services: 30 days
- Customer management: 30 days
- Financial activities, accounting: Retained as required by law.
- Marketing: 30 days

3.5. The controller may share customer data with third parties such as processors, accountants, transport and courier companies, and payment processors. The controller remains responsible for data processing and transmits necessary payment information to the processor, Maksekeskus AS.

3.6. The controller implements organizational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or other unlawful processing.

3.7. The retention period for data depends on the purpose of processing but will not exceed 1 year.

4. Rights of the Data Subject

4.1. Data subjects have the following rights:

- Access and examination of their personal data.
- Information on the processing of their personal data.
- Modification

or rectification of inaccurate data.
- Withdrawal of consent if personal data processing is based on consent.

4.2. To exercise these rights, data subjects can contact the customer support of the online store at info@carspa.ee

4.3. Data subjects also have the option to file a complaint with the Data Protection Inspectorate to protect their rights.

5. Final Provisions

5.1. These data protection terms and conditions have been prepared in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and relevant legislation of the European Union and the Republic of Estonia.

5.2. The controller reserves the right to amend these data protection terms and conditions, notifying data subjects of any changes via https://carspa.ee