Privacy policy
Privacy Policy
1. General Provisions
1.1. This Privacy Policy sets out the principles for the collection, processing, and storage of personal data. The data controller responsible for collecting, processing, and storing personal data is Unakounted OÜ(hereinafter the “Data Controller”).
1.2. The data subject, for the purposes of this Privacy Policy, is any customer or other natural person whose personal data is processed by the Data Controller.
1.3. A customer, for the purposes of this Privacy Policy, is anyone who purchases goods or services from the Data Controller’s online store.
1.4. The Data Controller processes personal data lawfully, fairly, and securely in accordance with applicable legislation. The Data Controller can confirm that all personal data is handled in compliance with legal requirements.
2. Collection, Processing, and Retention of Personal Data
2.1. Personal data is primarily collected electronically through the website and email.
2.2. By sharing their personal data, the data subject authorizes the Data Controller to collect, organize, use, and manage the personal data for the purposes outlined in this Privacy Policy, either directly or indirectly through the use of the website and associated services.
2.3. The data subject is responsible for ensuring that the information provided is accurate, complete, and up to date. Knowingly providing false data is considered a violation of this Privacy Policy. The data subject must notify the Data Controller immediately of any changes to the provided information.
2.4. The Data Controller is not liable for damages resulting from incorrect information provided by the data subject to either themselves or third parties.
3. Processing of Customer Personal Data
3.1. The Data Controller may process the following types of personal data:
-
First and last name
-
Date of birth
-
Phone number
-
Email address
-
Shipping address
-
Bank account number
-
Payment card details
3.2. In addition to the above, the Data Controller may collect information about the customer from public records.
3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):
a) The data subject has given consent to the processing of their personal data for one or more specific purposes;
b) Processing is necessary for the performance of a contract with the data subject or to take steps prior to entering into a contract;
c) Processing is necessary to comply with a legal obligation;
f) Processing is necessary for the legitimate interests of the Data Controller or a third party, except where such interests are overridden by the data subject’s rights and freedoms, particularly if the data subject is a child.
3.4. Personal Data Processing by Purpose and Retention Periods
| Purpose of Processing | Maximum Retention Period |
|---|---|
| 3.4.1. Security and safety | According to legally defined periods |
| 3.4.2. Order fulfillment | Up to 3 years after the date of purchase |
| 3.4.3. Ensuring operation of e-commerce services | Up to 3 years, or as specified in Shopify’s policies |
| 3.4.4. Customer relationship management | Until the end of the customer relationship + 2 years |
| 3.4.5. Financial activities and accounting | As defined by law (e.g., 7 years under the Accounting Act) |
| 3.4.6. Marketing | Until consent is withdrawn or 2 years after last contact |
3.5. The Data Controller may share personal data with authorized third parties such as accountants, courier services, and payment service providers. For the purpose of payment processing, necessary personal data is transferred to Maksekeskus AS, the authorized processor.
3.6. The Data Controller applies appropriate organizational and technical security measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
3.7. The Data Controller retains personal data for no longer than necessary to achieve the purposes of processing and, unless stated otherwise above, for no longer than 3 years.
4. Data Subject Rights
4.1. The data subject has the right to access and review their personal data.
4.2. The data subject has the right to receive information about how their personal data is processed.
4.3. The data subject has the right to correct or update inaccurate personal data.
4.4. If processing is based on consent, the data subject has the right to withdraw consent at any time.
4.5. To exercise these rights, the data subject may contact customer support at info@mai-attire.com.
4.6. The data subject also has the right to file a complaint with the Estonian Data Protection Inspectorate or their local data protection authority.
5. Final Provisions
5.1. This Privacy Policy is prepared in accordance with the General Data Protection Regulation (EU) 2016/679, the Estonian Personal Data Protection Act, and other applicable EU and Estonian laws.
5.2. The Data Controller has the right to amend this Privacy Policy partially or entirely. Updates will be announced on the website mai-attire.com.