1. General Provisions
1.1. This privacy policy governs the principles of collection, processing, and storage of personal data. Personal data is collected, processed, and stored by Gruff Technology OÜ (registry code 16620414), located at Telliskivi 60, 10412 Tallinn, Estonia (hereinafter the Data Controller).
1.2. For the purposes of this privacy policy, a data subject is a customer or other natural person whose personal data is processed by the Data Controller.
1.3. For the purposes of this privacy policy, a customer is anyone who purchases goods or services from the Data Controller’s website or uses the software application.
1.4. The Data Controller follows the principles of data processing provided by legislation; among other things, the Data Controller processes personal data legally, fairly, and securely. The Data Controller is able to confirm that personal data has been processed in accordance with the legislation.
2. Collection, Processing, and Storage of Personal Data
2.1. The personal data collected, processed, and stored by the Data Controller is collected electronically, mainly via the website, software application, and e-mail.
2.2. By sharing their personal data, the data subject gives the Data Controller the right to collect, organize, use, and manage personal data for the purposes defined in this privacy policy, which the data subject shares directly or indirectly when purchasing goods or services on the website or using the software application.
2.3. The data subject is responsible for ensuring that the data provided is accurate, correct, and complete. Submitting false information intentionally is considered a violation of the privacy policy. The data subject is obliged to immediately inform the Data Controller of any changes in the submitted data.
2.4. The Data Controller shall not be liable for any damage caused to the data subject or third parties by the submission of false data.
3. Processing of Customers’ Personal Data
3.1. The Data Controller may process the following personal data of the data subject: first name and surname, date of birth, personal identification code, phone number, e-mail address, delivery address, bank account details, payment card details, and usage data of the software application.
3.2. In addition, the Data Controller has the right to collect data about the customer that is available in public registers.
3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):
- the data subject has consented to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of an agreement or for taking pre-contractual measures;
- the processing is necessary to fulfil the Data Controller’s legal obligations;
- the processing is necessary for the legitimate interests of the Data Controller or a third party, unless such interests are overridden by the data subject’s fundamental rights and freedoms.
3.4. Personal data processing purposes and retention periods:
- Safety and security — according to terms prescribed by law
- Order processing — 360 days
- Ensuring the functioning of online store services — 360 days
- Customer management — 360 days
- Financial activities, accounting — according to terms prescribed by law
- Marketing — 360 days
3.5. The Data Controller has the right to share personal data with third parties, such as authorized data processors, accountants, transport and courier companies, and payment service providers, if needed. In regular use of the Gruff smart socket and Gruff app, no personal data is processed.
3.6. When processing and storing personal data, the Data Controller implements organizational and technical measures to ensure protection against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
3.7. The Data Controller retains data depending on the processing purpose, but no longer than 7 years.
4. Rights of the Data Subject
4.1. The data subject has the right to access and inspect their personal data.
4.2. The data subject has the right to receive information about the processing of their personal data.
4.3. The data subject has the right to supplement or correct inaccurate data.
4.4. If the Data Controller processes personal data on the basis of the data subject’s consent, the data subject has the right to withdraw their consent at any time.
4.5. The data subject can contact the Online Store customer support at info@grufftechnology.eu to exercise their rights.
4.6. To protect their rights, the data subject may submit a complaint to the Estonian Data Protection Inspectorate.
5. Final Provisions
5.1. This privacy policy has been drawn up in accordance with Regulation (EU) 2016/679 (GDPR), the Personal Data Protection Act of the Republic of Estonia, and other applicable legislation of the Republic of Estonia and the European Union.
5.2. The Data Controller has the right to partially or completely change the data protection conditions by notifying data subjects of the changes via the website grufftechnology.eu.