Privacy Notice
Valid from August 1, 2025
-
GENERAL
-
This Privacy Notice (hereinafter "Notice") provides an overview of how
Osaühing Galador Grupp, with registry code 11073019, address Värvi tn 4, Tallinn, Estonia (hereinafter "we", "us", or "our")
processes, as a data controller, the personal data of the following categories of data subjects:
- visitors and customers of our e-shop, located at www.galador.ee (hereinafter "e-shop");
- other persons whose personal data we process in the ordinary course of our business, including when contacting us (e.g., by phone, email, or other channels).
- We process your personal data in the manner described in this Notice and in accordance with applicable legislation, including the General Data Protection Regulation (2016/679) of the European Union and other data protection laws.
- If you have any questions about the processing of your personal data, please contact us by e-mail at galador@galador.ee.
-
CATEGORIES AND SOURCES OF PERSONAL DATA
-
Personal data is any information that allows us to directly or indirectly identify you as a natural person. We process (including collect, use, store, and transfer) the following personal data:
-
Basic Data: your first and last name.
Sources of data: we receive personal data from you when you create a customer account in our e-shop, make a purchase, or contact us.
-
Contact Data: your e-mail address and telephone number.
Sources of data: we receive personal data from you when you create a customer account in our e-shop, make a purchase, or contact us.
-
Authentication Data: your e-shop username and password.
Sources of data: we receive personal data from you when you create a customer account in our e-shop.
-
Order Data: order number, content of the order, any additional instructions provided to us.
Sources of data: we receive personal data from you when you place an order through our e-shop.
-
Delivery Data: delivery method, delivery address, recipient's name, and phone number.
Sources of data: we receive your personal data during the process of an order placed through our e-shop, either from you or from the person who placed the order.
-
Payment Data: Basic Data, payment method, bank account details from which the payment was made, and the amount due.
Sources of data: we receive personal data from you when you place an order through our e-shop.
-
Inquiry Data: Your Basic Data, Contact Data, the content of the inquiry, and the date.
Sources of data: we receive your personal data when you contact us.
-
E-shop Visit Data: data generated during visits to and use of the e-shop through web cookies and similar technologies (depending on the specific cookie, this data includes, among other things, various cookie identifiers, IP address, device identifiers). More detailed information about the cookies used in the e-shop is provided in section 7 of the Notice.
Sources of data: we receive personal data from you when you visit our e-shop.
-
PURPOSES AND LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
-
We process your personal data for the following purposes and on the following legal bases:
-
Consent
For the processing of personal data for the purposes stated herein, we require your consent. You have the right to withdraw your consent at any time by sending us a corresponding e-mail to the contact details provided in section 1.3 of the Notice. With regard to web cookies, you always have the right to withdraw your consent by changing your preferences in our e-shop.
The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Purpose of processing: Development and improvement of the e-shop services, including collecting information about your recent visits to the e-shop for analytical purposes, so that we can improve the functionality of the e-shop and make it even more user-friendly.
Categories of personal data: E-shop Visit Data
Purpose of processing: For marketing purposes, we collect and process e-shop visit data using cookies to provide you with personalized offers based on your browsing history.
Categories of personal data: E-shop Visit Data
Purpose of processing: Sending newsletters for direct marketing purposes.
Categories of personal data: Contact Data (e-mail address)
-
Performance of a contract
The processing of personal data is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.
Purpose of processing: Creating a customer account, authenticating users, and managing customer accounts.
Categories of personal data: Basic Data, Contact Data, Authentication Data
Purpose of processing: Conclusion and performance of a sales contract, including recording your acceptance of the terms and conditions of purchase, processing the order, arranging for the delivery of goods, processing payments, processing withdrawals from orders and returns, communicating with you, and fulfilling the rights and obligations arising from the warranty of the purchased products.
Categories of personal data: Basic Data, Contact Data, Order Data, Delivery Data, Payment Data
-
Compliance with a legal obligation
We process your personal data to comply with a legal obligation, where such an obligation arises from law or other legal act.
Purpose of processing: Organization of accounting, including the retention of accounting source documents.
Categories of personal data: Basic Data, Contact Data, Order Data, Payment Data
Purpose of processing: Compliance with requirements and obligations arising from legal acts and fulfilling requests from public sector authorities and other law enforcement agencies.
Categories of personal data: All data categories
-
Legitimate interest
For the purposes mentioned herein, we process your personal data based on legitimate interests. You have the right to request explanations regarding the processing based on legitimate interest by sending a corresponding request to the address mentioned in section 1.3 of the Notice. You also have the right to object if you find that the processing of your data for the purposes listed below infringes on your rights.
Purpose of processing: Receiving and responding to inquiries, including feedback, general business communication.
Categories of personal data: Inquiry Data
Purpose of processing: Processing of payment-related personal data to identify and associate payments with the correct orders, make refunds if necessary, and ensure proper accounting.
Categories of personal data: Basic Data, Contact Data, Order Data, Payment Data
Purpose of processing: Processing of personal data using functional (strictly necessary) cookies for the operation and security of the e-shop, for example, for session management or to save privacy settings.
Categories of personal data: E-shop Visit Data
Purpose of processing: Backing up documents and data, including storing information containing personal data in backup systems.
Categories of personal data: All data categories
Purpose of processing: Disclosure of data to professional advisors. Disclosure of data to legal successors and/or potential acquirers. Disclosure of data to public sector, law enforcement, and supervisory authorities. Establishment, exercise and/or defence of legal claims. Organizing the sale of parts of the company or the merger of the company, as well as the sale of the business and transferring information for the purpose of conducting a legal or other audit and for related data exchange; disclosure of data to our legal successors and/or potential acquirers.
-
RECIPIENTS AND TRANSFER OF PERSONAL DATA
-
In certain cases, to fulfil obligations arising from legal acts or a contract, or to ensure our legitimate interests, we may need to transfer your personal data to the following categories of data recipients, who process your personal data as separate data controllers:
Recipient category: Public sector authorities and law enforcement agencies
Purpose of disclosure: If necessary, we will disclose your personal data to public sector authorities and law enforcement agencies to comply with a legal obligation, a court-ordered requirement, or in other cases to prevent and avert unlawful acts.
Recipient category: Payment service providers
Purpose of disclosure: We transfer personal data to payment service providers who process this data to facilitate and confirm payment transactions.
Recipient category: Courier and transport service providers
Purpose of disclosure: We transfer personal data to courier and transport companies who process this data for the delivery of goods and for carrying out delivery-related operations (including contacting you and communicating the parcel status).
Recipient category: Professional advisors
Purpose of disclosure: If necessary, we will disclose your personal data to professional advisors to ensure the proper conduct of our business. For example, auditors, lawyers.
Recipient category: Legal successors and/or potential acquirers of the company
Purpose of disclosure: If it is necessary for the transfer of our company or for the purpose of a merger and acquisition, your personal data may be disclosed to said acquirers or legal successors and their representatives and/or financial and legal advisors.
-
We may engage and use data processors in the processing of personal data, who will only have access to your personal data for the purpose of fulfilling a contract concluded with us and will implement the necessary level of protective measures in the processing of personal data. The engaged data processors fall into the following categories:
Recipient category: IT service providers
Purpose of disclosure: For the functioning of daily business operations, our IT service providers (for example, data backup service providers) who manage and enable us to use the technical infrastructure may have access to your personal data.
Recipient category: Software service providers
Purpose of disclosure: To facilitate the performance of daily work, our software service providers who facilitate our work may have access to your personal data.
Recipient category: Accounting service providers
Purpose of disclosure: For the functioning of daily business operations, our accounting service providers may have access to your personal data.
Recipient category: Web analytics and marketing service providers
Purpose of disclosure: Service providers who help to analyze the use of the e-shop and organize targeted marketing, including the measurement and optimization of advertising.
- Some of the recipients we involve in data processing, including data processors, may be located outside the European Economic Area, so when disclosing personal data to them, we may transfer your personal data outside of the said territory. In such a case, we will ensure the implementation of adequate safeguards to protect your personal data (e.g., standard contractual clauses adopted by the European Commission or an adequacy decision). You have the right to receive additional information regarding the protective measures taken by contacting us at the contact details provided in section 1.3 of the Notice.
-
RETENTION OF PERSONAL DATA
- We will retain your personal data for as long as is reasonably necessary to achieve the purposes set out in section 3 of the Notice or until a legal obligation to do so provides otherwise. In determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes of the processing and whether we can achieve those purposes by other means, and the obligations arising from applicable legal acts.
- For example, we retain accounting source documents for seven years from the end of the financial year in which the economic transaction was recorded in the accounting register based on the source document.
- For additional retention periods for personal data or if you would like more information about the retention of a specific category of personal data, please contact us at the contact details provided in section 1.3 of the Notice.
- After the retention period for personal data has expired or if we no longer need the respective personal data to fulfil the purposes, we will delete the personal data or make it anonymous, unless a longer retention of the personal data is necessary to comply with a legal obligation or requirements, or to resolve a legal dispute.
-
RIGHTS OF THE DATA SUBJECT
-
You have the right to contact us at the contact details provided in section 1 of the Notice to exercise the following rights in relation to our processing of your personal data:
- Right of access to personal data, including to obtain a copy thereof and to receive information about the processing of your personal data;
- Right to rectification of personal data, if we hold inaccurate personal data about you;
- Right to erasure of personal data, e.g., if they are no longer necessary for the purpose for which we collected them, you withdraw the consent given for processing and we have no other legal ground for processing the personal data, or the personal data has been processed unlawfully;
- Right to request the restriction of processing of personal data, e.g., if you contest the accuracy of the personal data, the processing of the personal data is unlawful, or we no longer need the personal data for the purposes of the processing, but you need the personal data for the establishment, exercise or defence of legal claims;
- Right to data portability to you or to another controller, where this is technically feasible, and the processing is carried out by automated means and the legal basis for the processing is your consent or the performance of a contract;
- Right to object, e.g., if the processing is based on our legitimate interest or for marketing purposes;
- Right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing of personal data that took place before the withdrawal of consent;
- Right to lodge a complaint with a supervisory authority, e.g., the Data Protection Inspectorate (www.aki.ee, info@aki.ee).
-
USE OF WEB COOKIES AND SIMILAR TECHNOLOGIES
- We use all cookies, except for "functional" cookies, with your prior consent. You always have the right to withdraw your consent by changing your preferences through our e-shop.
- We use both first-party cookies (i.e., cookies installed by us) and third-party cookies (i.e., cookies from service providers, such as Google).
- The cookies we use are divided into session cookies and persistent cookies. Session cookies are only valid for the duration of your browsing session in the e-shop and are automatically deleted when you close your web browser. Persistent cookies, however, are stored on your device for a specified period, which may be set by us or a third party, and expire either on a specific date or after a certain period of time.
-
For convenience, we have classified the cookies used in our e-shop according to their purpose as follows:
-
AMENDMENT OF THE NOTICE
- We may amend or supplement the Notice from time to time to accurately reflect our processing of your personal data. In such a case, the latest version of the Notice will be published in our e-shop.