
Privacy Policy


ROSES.EE Privacy Policy

Personal Data Processing

The controller of personal data for the ROSES.EE online store is:

ONE MANAGEMENT OÜ
Registry code: 14770859
Address: Tartu mnt 24, Tallinn, Harju maakond, Estonia
Phone: +372 54 50 12 19
Email: [email protected]

1. General provisions

ONE MANAGEMENT OÜ processes personal data of ROSES.EE online store customers only to the extent necessary for receiving and fulfilling orders, processing payments and refunds, arranging delivery, providing customer support, fulfilling accounting and tax obligations, ensuring security and maintaining the technical operation of the online store.

ONE MANAGEMENT OÜ may transfer personal data to authorized service providers only to the extent necessary to perform a specific function.

Such service providers may include payment and financial institutions, transport and courier partners, IT and POS service providers, technical infrastructure providers and accounting service providers.

2. Payment and financial service providers

For processing payments and refunds, ROSES.EE may use payment and financial service providers, including Montonio Finance UAB, Revolut Payments UAB, PayPal and other payment service providers.

Such providers receive only the data necessary to process the payment transaction, identify the payment, issue a refund and comply with applicable financial regulatory requirements. Such data may include the payer’s name, payment amount, transaction details, payment reference, payment details and other data necessary for processing a payment or refund.

Payment and financial service providers do not receive access to full operational information about the order and delivery, including the recipient’s address, recipient’s phone number, order contents, order comments, route information or internal delivery data, unless such transfer is required for a specific payment transaction.

3. POS and IT service providers

For the technical operation of sales, accounting and the online store, ROSES.EE may use POS and IT systems, including Poster POS and other technical services.

When using such services, data necessary for the technical functioning of the system, sales accounting, order processing, transaction processing and internal control may be processed.

POS and IT service providers do not receive access to customers’ personal data beyond the extent necessary for the functioning of the relevant service.

4. Data transfers outside the European Union and the European Economic Area

If certain service providers process personal data outside the European Union or the European Economic Area, such transfer is carried out only where there is a legal basis and appropriate safeguards as required by the GDPR.

Such safeguards may include a data processing agreement, European Commission standard contractual clauses, an adequacy decision or other applicable personal data protection mechanisms.

5. Personal data processed

ROSES.EE may process the following personal data:

  • customer’s first and last name;
  • recipient’s name and contact details, if provided when placing the order;
  • phone number;
  • email address;
  • delivery address;
  • data necessary for fulfilling the order;
  • cost of goods and purchase history;
  • customer support data;
  • bank account number or other payment data necessary for issuing a refund;
  • IP address;
  • cookies;
  • device and browser data;
  • data necessary to ensure security and prevent misuse.

6. Purposes of personal data processing

Personal data is processed for the following purposes:

  • receiving, processing and fulfilling orders;
  • arranging delivery;
  • communicating with the customer and/or order recipient;
  • processing payments and refunds;
  • customer support;
  • fulfilling accounting and tax obligations;
  • resolving disputes and claims;
  • ensuring the safety of customers, employees, goods and property;
  • ensuring the technical operation of the online store;
  • website analysis and visitor statistics;
  • improving service quality and product assortment;
  • sending marketing communications with the customer’s consent.

7. Legal bases for processing

Personal data is processed on the following legal bases:

  • performance of a contract with the customer — Article 6(1)(b) GDPR;
  • compliance with legal obligations — Article 6(1)(c) GDPR;
  • legitimate interest of the company — Article 6(1)(f) GDPR;
  • customer consent for marketing or the use of optional cookies — Article 6(1)(a) GDPR.

8. Recipients of personal data

Personal data may be transferred to the following categories of recipients:

  • ROSES.EE customer support — to the extent necessary for processing the order and communicating with the customer;
  • transport and courier partners — to the extent necessary for delivering the order, including name, phone number, email and delivery address;
  • payment and financial institutions, including Montonio Finance UAB, Revolut Payments UAB, PayPal and other payment service providers — to the extent necessary for processing payments and refunds;
  • POS and IT service providers, including Poster POS and other technical services — to the extent necessary for the technical operation of sales, accounting, the online store and related systems;
  • accounting service providers — only to the extent necessary for fulfilling accounting and tax obligations.

Accounting service providers do not receive access to operational delivery data, such as the recipient’s address, recipient’s phone number, order contents, order comments or route information, unless such access is required for fulfilling a specific accounting or legal obligation.

9. Data security

ROSES.EE applies technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, loss or destruction.

Access to personal data is granted only to authorized persons and only to the extent necessary for performing their duties or providing the relevant service.

Service providers who process personal data on behalf of ROSES.EE are required to comply with GDPR requirements and ensure an appropriate level of data protection.

10. Data retention periods

Personal data is retained only for as long as necessary to achieve the purposes of processing or for the period required by law.

Retention periods:

  • customer account data — until the account is deleted;
  • order data without an account — up to 3 years, unless longer retention is necessary for resolving a dispute or protecting the company’s rights;
  • accounting and tax data — 7 years;
  • data related to claims and disputes — until the dispute is resolved or the applicable limitation period expires;
  • marketing data — until consent is withdrawn;
  • technical data and cookies — according to cookie settings and the retention periods of the relevant tools.

11. Automated decision-making and profiling

ROSES.EE does not use automated decision-making that has legal or other significant effects on the customer.

Purchase behavior analytics may be used in aggregated form for statistics, improving the product assortment, service quality and the operation of the online store.

12. Marketing

Marketing communications are sent only with the customer’s consent or on another legal basis permitted by applicable law.

The customer may unsubscribe from marketing communications at any time by using the unsubscribe link in the email or by sending a request to [email protected].

The customer has the right to object at any time to the processing of their personal data for direct marketing purposes.

13. Cookies

ROSES.EE may use cookies and similar technologies to ensure the operation of the website, analyze traffic, improve user experience and carry out marketing.

Cookies may be:

  • strictly necessary cookies;
  • analytical cookies;
  • functional cookies;
  • marketing cookies.

Optional cookies are used only with the user’s consent, where such consent is required by applicable law.

The user may change cookie settings in their browser or through the consent settings on the website, if such functionality is available.

14. Customer rights

The customer has the right to:

  • access their personal data;
  • request correction of inaccurate data;
  • request deletion of data;
  • request restriction of processing;
  • object to data processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a supervisory authority.

Requests concerning the processing of personal data may be sent to: [email protected].

A response to the request will be provided within one month of receiving the request, unless applicable law provides for a different period.

15. Complaints

Complaints and requests concerning the processing of personal data may be sent to ROSES.EE:

ONE MANAGEMENT OÜ
Email: [email protected]
Phone: +372 54 50 12 19

The customer also has the right to contact the supervisory authority:

Andmekaitse Inspektsioon
Website: https://www.aki.ee

Audio and video recording

16. Video surveillance

Video surveillance is used in the ROSES.EE sales area at Tartu mnt 24, Tallinn.

Video surveillance is used to ensure the safety of customers, employees, goods and property, prevent theft and other violations, and resolve possible disputes related to customer service, handover of orders or other incidents.

The legal basis for processing is the company’s legitimate interest — Article 6(1)(f) GDPR.

Access to video recordings is limited to authorized persons only. Data is retained for a limited period and automatically deleted after the retention period expires, unless longer retention is required for investigating an incident, resolving a dispute or complying with a legal obligation.

17. Audio recording

In certain cases and only where necessary, ROSES.EE may record audio in customer service areas or during telephone communication with customer service.

Audio recording may be used to ensure security, prevent violations, control service quality and resolve disputes.

If a telephone call is recorded, the customer is informed of such recording before the call begins.

Audio recording is not carried out in rest areas, toilets, changing rooms or other places where a person has a heightened expectation of privacy.

Legitimate interest assessment for video surveillance at ONE MANAGEMENT OÜ

18. Definition of legitimate interest

The purposes of video surveillance are:

  • ensuring the safety of property, goods, customers and employees;
  • preventing and investigating incidents, including theft, property damage and conflict situations;
  • resolving disputes with customers relating to orders, service, handover of goods or delivery.

Legal basis: Article 6(1)(f) GDPR — the company’s legitimate interest.

Justification:

  • retail and online commerce involve risks of losses, theft, errors and conflict situations;
  • in the event of disputes or incidents, the company may need an objective record of events;
  • video surveillance helps protect the rights of the company, employees, customers and third parties.

19. Necessity of processing

Video surveillance may be used in the following areas:

  • sales area — recording the actions of customers and employees, preventing theft and disputes;
  • corridors, storage areas and cold rooms — protecting stock and preventing access by unauthorized persons;
  • assembly area — quality control of order fulfilment and resolution of possible disputes;
  • exit and handover area — recording the handover of goods to customers and couriers.

Alternative measures, such as physical security or logbooks, do not always allow the objective reconstruction of the circumstances of an incident.

20. Data minimization principle

ROSES.EE uses video surveillance only in areas where it is necessary for the stated purposes.

Cameras do not cover rest areas, toilets, changing rooms or other areas where a person has a heightened expectation of privacy.

Access to recordings is restricted. Where necessary, recordings are viewed only by authorized persons.

21. Impact on the data subject

ROSES.EE takes into account the right of customers, employees and other persons to respect for private life.

Potential interference with privacy is limited by the following measures:

  • placing notices about video surveillance;
  • video surveillance only in work, sales and storage areas;
  • limited retention period for recordings;
  • restricted access to recordings;
  • use of recordings only for the stated purposes.

22. Balancing of interests

Company interests:

  • protection of property and goods;
  • prevention of losses;
  • safety of staff and customers;
  • resolution of conflicts and claims;
  • protection of the company’s rights in disputes.

Interests of data subjects:

  • right to respect for private life;
  • right to protection of personal data;
  • right to transparent information about data processing.

Conclusion: considering the limited monitored areas, limited retention period, notices about video surveillance and access control, the processing of data through video surveillance is proportionate to the stated purposes. The company’s legitimate interest in ensuring security and protecting its rights outweighs the limited interference with the rights of data subjects.

23. Final statement

Video surveillance at ONE MANAGEMENT OÜ:

  • is used for specific and lawful purposes;
  • is limited to necessary areas;
  • is carried out in accordance with the principles of necessity, proportionality and data minimization;
  • is carried out within the framework of the GDPR and with respect for the rights of data subjects.