Privacy Policy

1. General Provisions

1.1. This Privacy Policy governs the principles for the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller Hiiu Gourmet OÜ (hereinafter the Data Controller).
1.2. A data subject within the meaning of this Privacy Policy is a customer or any other natural person whose personal data is processed by the Data Controller.
1.3. A customer within the meaning of this Privacy Policy is any person who purchases goods or services through the Data Controller’s website or online store.
1.4. The Data Controller processes personal data in accordance with applicable legislation and ensures that personal data is processed lawfully, fairly, and securely. The Data Controller is able to confirm that personal data has been processed in compliance with legal requirements.

2. Collection, Processing and Storage of Personal Data

2.1. Personal data collected, processed, and stored by the Data Controller is collected electronically, primarily via the website, online store, and email communication.
2.2. By providing personal data, the data subject grants the Data Controller the right to collect, organize, use, and manage personal data for the purposes specified in this Privacy Policy.
2.3. The data subject is responsible for ensuring that the data provided is accurate, correct, and complete and must inform the Data Controller without delay of any changes to the data.
2.4. The Data Controller is not liable for any damage caused by the data subject providing incorrect information.

3. Processing of Personal Data

3.1. The Data Controller may process the following personal data of the data subject:

• first and last name
  
• email address
  
• telephone number
  
• delivery address
  
• order and payment-related information
  
• website usage data (e.g. cookies and statistics)

(The Data Controller does not store payment card details. Payments are processed via secure third-party payment service providers.)
3.2. In addition to the above, the Data Controller may collect data available from public registers where necessary for the performance of a contract or compliance with legal obligations.
3.3. The legal basis for processing personal data is set out in Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation (GDPR).
3.4. Purposes of processing and retention periods:

• Order processing and fulfillment – until fulfillment of the contract and thereafter up to 7 years
  
• Customer communication and customer management – up to 3 years from the last interaction
  
• Accounting and financial obligations – in accordance with statutory retention periods
  
• Website and online store functionality and analytics – up to 2 years
  
• Marketing communications – until withdrawal of consent

3.5. The Data Controller may disclose personal data to third parties such as:

• payment service providers (e.g. Maksekeskus AS)
  
• courier and transport service providers
  
• accounting service providers

Personal data is disclosed only to the extent necessary to provide the service.
3.6. The Data Controller applies appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or unauthorized access.
3.7. Personal data is retained for no longer than 7 years, unless a longer retention period is required by law.

4. Rights of the Data Subject

4.1. The data subject has the right to access their personal data and obtain information about its processing.
4.2. The data subject has the right to request correction or deletion of inaccurate personal data.
4.3. The data subject has the right to restrict the processing of personal data or to object to such processing.
4.4. Where personal data is processed on the basis of consent, the data subject has the right to withdraw consent at any time.
4.5. To exercise their rights, the data subject may contact the Data Controller via email at hiiugourmet@gmail.com
4.6. The data subject has the right to lodge a complaint with the Estonian Data Protection Inspectorate.

5. Final Provisions

5.1. This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and applicable Estonian and European Union legislation.

5.2. The Data Controller has the right to amend this Privacy Policy in whole or in part by publishing the updated version on the website https://hiiugourmet.ee