Privacy Policy

1. General Provisions

This Privacy Policy governs the principles by which UX Labor Oü processes and stores personal data. UX Labor Oü is the data controller (“we,” “us,” “our”).

A “data subject” is any natural person whose personal data we collect and process. A “customer” is any data subject who purchases goods or services from our online store at indoorgarden.ee.

We process personal data lawfully, fairly and securely, in compliance with Regulation (EU) 2016/679 (GDPR) and applicable Estonian data protection laws.

2. Collection, Processing and Storage of Personal Data

We collect personal data electronically via our website, e-mail and payment systems. Paper-based data collection is not routinely used.
By providing personal data, you consent to its collection, organization, use and management for the purposes described in this Policy.
You are responsible for ensuring that the data you submit are accurate, complete and up to date. Please inform us promptly of any changes.
We are not liable for any loss or damage arising from your submission of inaccurate data.

3. Customer Personal Data Processing

We do not collect any additional sensitive personal data (e.g. health, religion).

3.2. Public Sources

Where permitted by law, we may supplement the above with data from publicly available registers.

3.3. Legal bases for processing

Consent (GDPR Art. 6(1)(a)) – for marketing communications.
Contract performance (Art. 6(1)(b)) – to fulfill your orders.
Legal obligation (Art. 6(1)(c)) – accounting and tax record-keeping.
Legitimate interests (Art. 6(1)(f)) – fraud prevention, site security and customer support, balanced against your rights.

3.4. Purpose-specific retention

Security and fraud prevention: 1 year of logs, thereafter auto-deleted
Order processing: 7 years (required for accounting and tax under Estonian law)
E-shop functionality (cookies, analytics): Up to 2 years, or until you clear your cookies
Customer support and CRM: 3 years after last contact
Financial and accounting records: 7 years (legal requirement)
Marketing communications: Until consent is withdrawn, but no longer than 3 years

3.5. Data sharing

Payment processor: Maksekeskus AS (for payment authorization).
Delivery partners: courier and postal services for order fulfilment.
Accountants and auditors for statutory reporting.
IT service providers under strict data-processing agreements.

3.6. Security measures

We implement organizational and technical safeguards (encryption, access controls, regular audits) to protect your data against unauthorized access, alteration or destruction.

3.7. Final deletion

Unless a longer retention is required by law, we delete or anonymize all personal data no later than 7 years from collection.

4. Data Subject Rights

Access: You have the right to request a copy of your personal data.
Information: You may obtain details on how and why we process your data.
Rectification: You can ask us to correct inaccurate or incomplete data.
Erasure: If processing is based on consent, you may withdraw consent at any time.
Restriction: You may request temporary suspension of processing in certain cases.
Data portability: You can request your data in a structured, machine-readable format.
Objection: You may object to processing based on legitimate interests or direct marketing.
Complaint: You have the right to lodge a complaint with the Estonian Data Protection Inspectorate.

To exercise any right, please contact us at klienditugi@indoorgarden.ee.

5. Final Provisions

This Policy was prepared in accordance with GDPR (EU) 2016/679, the Estonian Personal Data Protection Act, and related EU and national legislation.
We reserve the right to amend this Policy. Any changes will be published at indoorgarden.ee/privacy and will take effect 14 days after publication.