Privacy Policy

1. General Provisions

1.1. This Privacy Policy governs the principles of collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller (OÜ Serene Sleep) (hereinafter: Data Controller).

1.2. In this Privacy Policy, the data subject is a client or other natural person whose personal data is processed by the Data Controller.

1.3. In this Privacy Policy, a client is any person who purchases goods or services from the Data Controller’s website.

1.4. The Data Controller processes personal data in accordance with European Union and Estonian legislation and ensures lawful, fair, and secure processing of personal data.

2. Collection, Processing, and Storage of Personal Data

2.1. Personal data collected, processed, and stored by the Data Controller is collected electronically, primarily via the website and email.

2.2. By sharing their personal data, the data subject grants the Data Controller the right to collect, organize, use, and manage personal data for the purposes defined in this Privacy Policy, which the data subject provides directly or indirectly when purchasing goods or services on the website.

2.3. The data subject is responsible for the accuracy, correctness, and completeness of the data provided. Deliberate provision of false data is considered a breach of this Privacy Policy. The data subject is required to immediately notify the Data Controller of any changes to the provided data.

2.4. The Data Controller is not responsible for any damage caused to the data subject or third parties due to false data provided by the data subject.

3. Processing of Clients’ Personal Data

3.1. The Data Controller may process the following personal data of the data subject:
3.1.1. First and last name;
3.1.2. Phone number;
3.1.3. Email address;
3.1.4. Delivery address;
3.1.5. Bank account number;
3.1.6. Payment and billing data. The Data Controller does not process or store the client’s credit card details – these are processed and stored by Maksekeskus AS in accordance with applicable regulations.

3.2. The Data Controller has the right to collect data about the client from public registers to the extent necessary for fulfilling the contract with the client or for compliance with legal obligations.

3.3. Legal basis for processing personal data:
3.3.1. GDPR Art. 6(1)(a): the data subject has given consent to process personal data for one or more specific purposes;
3.3.2. GDPR Art. 6(1)(b): processing is necessary for the performance of a contract with the data subject or for taking steps prior to entering into a contract at the request of the data subject;
3.3.3. GDPR Art. 6(1)(c): processing is necessary for compliance with a legal obligation of the Data Controller;
3.3.4. GDPR Art. 6(1)(f): processing is necessary for the legitimate interests of the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly if the data subject is a child.

3.4. Purposes of personal data processing and retention periods:
3.4.1. Security and safety – retained according to the deadlines set by applicable regulations;
3.4.2. Order processing – personal data is retained up to 3 years after the end of the contract or until potential claims expire;
3.4.3. Ensuring the operation of the e-shop (including technical logs) – logs are retained for up to 1 year unless required by law for a longer period;
3.4.4. Client management – data is retained up to 3 years after client communication ends;
3.4.5. Financial activities and accounting – retention period according to applicable regulations;
3.4.6. Marketing – data is retained up to 2 years after the last client interaction or until consent is withdrawn.

3.5. The Data Controller may share clients’ personal data with the following persons and service providers:
3.5.1. Authorized data processors (e.g., IT service providers);
3.5.2. Accounting and financial service providers;
3.5.3. Transport and courier companies for order delivery;
3.5.4. Maksekeskus AS for payment processing (authorized and responsible processor for payment data).

3.6. The Data Controller applies organizational and technical security measures to protect personal data against unauthorized processing, destruction, or disclosure.

3.7. Personal data is retained only as long as necessary to fulfill the purposes of processing or comply with legal obligations, in accordance with section 3.4 of this Privacy Policy.

4. Data Subject Rights

4.1. In accordance with the General Data Protection Regulation, the data subject has the following rights:
4.1.1. The right to access and review their personal data;
4.1.2. The right to obtain information about the processing of their personal data;
4.1.3. The right to correct or supplement inaccurate data;
4.1.4. The right to request deletion of data if there is no lawful basis for processing;
4.1.5. The right to restrict processing;
4.1.6. The right to object to processing, including for marketing purposes.

4.2. If personal data is processed based on the data subject’s consent, the data subject may withdraw consent at any time.

4.3. To exercise rights, the data subject can contact customer support via email at info@serenesleep.ee.

4.4. The data subject may also lodge a complaint with the Estonian Data Protection Inspectorate to protect their rights.

5. Transfer of Personal Data Outside the EU

5.1. The Data Controller does not transfer personal data outside the European Union or the European Economic Area, except where the service provider is located outside the EU and such transfer is conducted in compliance with the GDPR.

6. Cookies and Other Web Technologies

6.1. www.serenesleep.ee (hereinafter: the Webshop) uses cookies to provide the best possible service to clients.

6.2. Cookies are used for the following purposes:
6.2.1. Displaying targeted advertising through third-party services (Facebook Custom Audiences, Facebook/Meta Ads, Google Ads, Google Display Network);
6.2.2. Tracking website visitor traffic (Google Analytics).

6.3. More information about how Facebook, Meta, and Google collect and use your data, your rights, and how to protect your privacy can be found in the Facebook, Meta, and Google privacy policies.

6.4. Marketing and analytics cookies are used only with the data subject’s consent. Users can always refuse marketing and analytics cookies and change their preferences in the cookie settings.

7. Final Provisions

7.1. This Privacy Policy is drafted in accordance with the GDPR, Estonian Personal Data Protection Act, and other applicable legislation.

7.2. The Data Controller reserves the right to partially or fully amend the Privacy Policy. All changes will be published on www.serenesleep.ee.