PROCESSING OF PERSONAL DATA

The responsible processor of personal data for the online store Chilli.ee is Chilli Deals OÜ (registry code 11998579) located at Ehitajate tee 114, Tallinn, phone +372 6664666, and email info@chilli.ee.

Types of personal data processed

• name, phone number (if the customer opts for SMS confirmation), and email address;
• delivery address or location of the parcel machine;
• bank account number;
• data regarding the cost of goods and services and payment information (purchase history);
• customer support data;

Purpose of processing personal data

Personal data is used for managing customer orders and delivering goods.

Purchase history data (purchase date, service or product, quantity, customer details) is used for compiling an overview of purchased goods and services and for analyzing customer preferences.

The bank account number is used to refund payments to the customer.

Personal data such as email, phone number, and customer name is processed to resolve issues related to the provision of goods and services (customer support).

The IP address or other network identifiers of the online store user are processed to provide the online store as an information society service and to compile website usage statistics.

Legal basis

Personal data is processed for the purpose of fulfilling a contract concluded with the customer.

Personal data is also processed to comply with legal obligations (e.g. accounting and resolution of consumer disputes).

Recipients to whom personal data is disclosed

Personal data is shared with the online store’s customer support for managing purchases and purchase history and for resolving customer issues.

The customer’s name and phone number are forwarded to the transport service provider selected by the customer. If goods are delivered by courier, the customer’s address or designated location is also provided in addition to contact details.

If the online store’s accounting is handled by a service provider, personal data is shared with that provider for accounting purposes.

Personal data may also be disclosed to information technology service providers when necessary to ensure the functionality of the online store or for data hosting.

Security and access to data

Personal data is stored on servers located within a European Union member state or a country within the European Economic Area. Data may be transferred to countries whose data protection levels have been deemed adequate by the European Commission, and to U.S. companies that are part of the Privacy Shield framework.

Access to personal data is granted to online store employees who require such access to resolve technical issues related to the use of the online store and to provide customer support.

The online store implements appropriate physical, organizational, and IT security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.

The processing of personal data by the online store’s authorized processors (e.g. transport service provider and data hosting) is based on contracts concluded with those processors. Authorized processors are required to implement adequate safeguards when processing personal data.

Accessing and correcting personal data

Personal data can be accessed and corrected in the user profile of the online store. If a purchase has been made without a user account, personal data can be accessed through customer support.

Withdrawal of consent

If personal data is processed based on the customer’s consent, the customer has the right to withdraw that consent by notifying customer support via email.

Retention

Upon closing the customer account in the online store, personal data is deleted unless it is needed for fulfilling an order, for accounting purposes, or for resolving consumer disputes.

If a purchase was made in the online store without creating a user account, the purchase history is retained for three years.

In the event of disputes related to payments or consumer issues, personal data is retained until the claim is satisfied or the limitation period expires (three years).

Personal data necessary for accounting is retained for seven years.

Deletion

To request deletion of personal data, please contact customer support via email. The deletion request will be responded to no later than within one month, and the period for data deletion will be specified.

Data portability

Requests for data portability submitted via email will be responded to within one month at the latest. Customer support will verify identity and provide information on the personal data subject to portability.

Direct marketing messages

The email address and phone number are used for sending direct marketing messages if the customer has provided consent. If the customer does not wish to receive direct marketing messages, they may use the unsubscribe link in the email header or contact customer support.

If personal data is processed for direct marketing purposes (profiling), the customer has the right to object at any time to the initial or further processing of their personal data, including profiling related to direct marketing, by notifying customer support via email.

Dispute resolution

Disputes related to the processing of personal data are resolved through customer support at info@chilli.ee. The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).