Privacy policy

1. General Provisions

1.1. This Privacy Policy governs the collection, processing, and storage of personal data and defines the principles under which personal data is processed. Personal data is collected, processed, and stored by Be Aware Cup OÜ (registration code 16534198, Aasa tee 5b, Püünsi village, Viimsi parish, Harju County, Estonia;  hereinafter referred to as the "Data Controller".

The Data Controller may process personal data through authorised data processors for the provision of the following services:

  • Payment processing - Montonio Finance UAB (Lithuania)
  • Product delivery -SmartPosti OÜ (Finland)
  • Online store management - Shopify Inc. (Canada)

The Data Controller uses the Shopify platform for managing the online store, which is operated by Shopify Inc. In connection with the processing of personal data, Shopify may transfer data outside the European Union, including to Canada and the United States. Such transfers are carried out solely on the basis of the European Commission's Standard Contractual Clauses and other appropriate safeguards ensuring an adequate level of protection in accordance with Regulation (EU) 2016/679  (GDPR).

1.2. For the purposes of this Privacy Policy, a data subject is any customer or other natural person whose personal data is processed by the Data Controller.

1.3. For the purposes of this Privacy Policy, a customer is any person who purchases goods or services from the Data Controller's online store.

1.4. The Data Controller complies with all principles of personal data processing established by applicable legislation, including processing personal data lawfully, fairly, transparently and securely. The Data Controller is able to demonstrate that personal data is processed in accordance with applicable legal requirements.

2. Collection, Processing and Storage of Personal Data

2.1. Personal data collected, processed, and stored by the Data Controller is primarily collected electronically, primarily through the website and email communication.

2.2. By sharing personal data, the data subject grants the Data Controller the right to collect, store, process, and use personal data solely for the purposes defined in this Privacy Policy. Personal data may be processed both directly and indirectly, including through purchases made in the online store.

2.3. The data subject is responsible for ensuring that the submitted data is accurate, correct, and complete. Knowingly submitting false information is considered a violation of this Privacy Policy. The data subject is obliged to notify the Data Controller immediately of any changes to the submitted data.

2.4. The Data Controller is not liable for any damage caused to the data subject or third parties as a result of false or inaccurate information submitted by the data subject. 

2.5. Personal data is processed securely by implementing appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

3. Cookies

3.1. This website uses cookies to ensure the proper functioning of the website. Cookies are small text files stored on the user's device when visiting the website. Cookies are used, among other things, to recognise previous visits and improve the user experience.

3.2. Types and purposes of Cookies

The website uses the following categories of cookies:

  • Necessary Cookies - these cookies are essential for the functioning of the website and enable the use of its core features, such as remembering shopping cart contents and ensuring secure navigation. Without these cookies, the website cannot function properly.

 

  • Statistical (Analytical) Cookies - these cookies are used to collect usage statistics in order to analyse the use of the website and improve its performance and user experience. Through cookies, information may be collected regarding, for example, visited pages, duration of visits, and users` general behaviour. 

 

  • Marketing Cookies - these cookies are used to measure the effectiveness of advertising campaigns and optimise marketing activities. Marketing cookies track user activity on the website, including viewed pages, click behaviour, and browsing activity, in order to provide more relevant and personalised advertisements. Marketing cookies may also be used for advertising targeting and remarketing purposes, including measuring social media advertising conversions and analysing advertising effectiveness. These cookies collect infomation about pages visited by users to support personalised marketing content across different channels.

Marketing cookies originate from third-party services used by the website, such as advertising service providers and social media platforms.

3.3. Data collected through cookies

Cookies may collect the following information regarding website usage:

  • Technical information about the device and browser;
  • Visited pages and navigation paths;
  • Number and duration of visits;
  • Click frequency and user behaviour;
  • Interest-based preferences (in the case of marketing cookies)

This information is used to ensure website functionality, improve user experience, compile statistics, and where applicable, provide personalised content and advertisements.

3.4. Third-Party Services

The website uses third-party services that utilise cookies and process information regarding website usage. Such services may include: 

  • E-commerce platform services (Shopify);
  • Advertising and marketing services (Meta Pixel).

These services process data in accordance with their own privacy policies and may, in certain cases, transfer data outside of the European Economic Area while ensuring appropriate safeguards.

3.5. Legal basis for Cookie Processing

The legal basis for cookie processing is as follows:

  • Necessary cookies - processing is necessary for the provision of the online store service;
  • Statistical and marketing cookies - processing is based on the user`s prior consent.

3.6. Cookie Retention Periods

Cookies may be either:

  • Session cookies, which are automatically deleted after closing the browser; or
  • Persistent cookies, which remain stored on the user's device for a specified period of time (for example, from 7 days to 1 year or longer, depending on the type of the cookie).

3.7. Consent and Cookie Management

The use of non-essential cookies requires the users prior consent. Users have the right to accept or refuse the use of non-essential cookies.

Users have the right to:

  • Give or withhold consent for cookies use;
  • Modify or withdraw consent at any time;
  • Block or delete cookies through browser settings.

Most browsers allow users to manage cookies, including fully or partially blocking them (including third-party cookies). Depending on the browser used, cookies may be restricted or disabled entirely. 

Blocking all cookies, including necessary cookies, may affect website functionality and limit website usability. Without necessary cookies, not all website features may be available.

Users may manage their cookie preferences through the cookie declaration or browser settings. Instructions for deleting cookies are available in the settings of the browser being used (such as Chrome, Safari, or Firefox).

4. Processing of Customer's Personal Data

4.1. The Data Controller may process the following personal data of the data subject:

  • First and last name;
  • Telephone number;
  • Email address;
  • Delivery address;
  • Location data (solely for service provision purposes, such as displaying nearby parcel machines during checkout);
  • Bank account number;
  • Other data available in public registers where necessary for fulfilling orders or complying with legal obligations.

All payment data is processed securely solely through authorised payment service providers. The Online Store does not have access to credit card information or other payment data and does not store or process such data within its own systems.

4.2. The legal basis for processing personal data is Article 6 (1) (a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.3. Retention periods by purpose:

4.3.1. Security and Safety: personal data is retained in accordance with statutory retention periods.

4.3.2. Order Processing: personal data is retained for up to 3 years.

4.3.3. Ensuring the functionality of the online store: personal data is retained for up to 3 years for website administration, customer management, and user experience monitoring.

4.3.4. Customer management: personal data is retained for up to 3 years for contact management, communication, and complaint resolution.

4.3.5. Financial activities and accounting: personal data is retained in accordance with statutory retention periods.

4.3.6. Marketing (Direct marketing and newsletters): personal data is retained for up to 3 years or until consent is withdrawn.

4.3.7. Location data for parcel machine display: location data is retained only for the duration necessary to fulfil the order and is deleted after order completion.

4.4. Sharing personal data 

The Data Controller may share personal data only with authorised data processors, such as accounting service providers, transport and courier companies, payment service providers, and online store platform providers.

The Data Controller uses only those authorised processors that ensure an adequate level of data protection and compliance with Regulation 2016/679 (GDPR).

 

  • Payment processing: Montonio Finance UAB (Lithuania)
  • Product delivery: SmartPosti OÜ (Finland)
  • Online store management: Shopify Inc. (Canada)

Shopify Inc. may process data outside the European Union. Such transfers are carried out solely on the basis of Standard Contractual Clauses and other appropriate safeguards ensuring an adequate level of data protection.

4.5. Security measures 

The Data Controller implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.

4.6. Accuracy of data

 The data subject is responsible for ensuring that submitted data is accurate, correct and complete. Knowingly submitting false information constitutes a violation of this Privacy Policy.

4.7. Retention periods

The Data Controller retains personal data according to the purpose of processing. Where statutory retention periods exceed the periods specified in this Privacy Policy, the statutory retention periods shall apply.

5. Rights of the Data Subject

5.1. The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and where applicable, access to such personal data.

5.2. The data subject has the right to receive information regarding the purpose of processing, categories of processed data, recipients of the data, and applicable retention periods.

5.3. The data subject has the right to request correction or completion of inaccurate or incomplete personal data.

5.4. In certain circumstances, the data subject has the right to request the deletion of personal data ("right to be forgotten"), restriction of processing, or to object to the processing of personal data.

5.5. Where processing is based on consent, the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5.6. The data subject has the right to receive personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller (right to data portability).

5.7. To exercise their rights, the data subject may contact the Data Controller at info@beawarecup.ee.

5.8. If the data subject believes that the processing of personal data violates the GDPR, they have the right to file a complaint with Estonian Data Protection Inspectorate.

5.9. Providing personal data is prerequisite for entering into contract and fulfilling an order. If the data subject does not provide the necessary personal data, the Data Controller cannot fulfill the order or conclude the contract.

5.10. The Data Controller does not use automated decision-making or profiling that produces legal effects concerning the data subject or similarily significantly affects them.

6. Final Provisions

6.1. This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation - GDPR), the Personal Data Protection Act of the Republic of Estonia, and other applicable legislation of the European Union and the Republic of Estonia.

6.2. The Data Controller reserves the right to amend this Privacy Policy partially or fully. The updated version will be published on beawarecup.ee and shall enter into force upon publication on the website.