Ursus OÜ respects the privacy of its customers and partners, whose data we come into contact with, and we work daily to ensure data protection and secure processing.

In the principles of this privacy policy, we describe how Ursus OÜ (hereinafter the data processor) processes your personal data in the event of inquiries, execution of contracts, use of the website or visits to representative offices.

Ursus OÜ may make changes to the privacy policy from time to time, and the up-to-date privacy policy is published on the website www.ursus.ee.

In case of questions or additional information, please contact us via contact details provided in the “Contact” menu.

1. General Provisions

1.1. This privacy policy regulates the principles of collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the controller of the personal data Perfect Cosmetics OÜ, registry code 12414646, address: Lääne County, Lääne-Nigula Parish, Uugla village, Mõisatalli, 91013 (hereinafter referred to as Data Controller.).

1.2. For the purposes of this privacy policy, a Data Subject means the customer or another natural person whose personal data is processed by the Data Controller. For the purposes of this privacy policy, a customer is anyone who purchases goods or services from the controller.

1.3. When ordering from the Data Controller the Data Subject agrees to the terms of this privacy policy. The processing of personal data is a condition of the contractual relationship.

1.4. Processing is any operation performed on personal data, such as collection, storage, modification, use, viewing, deletion and destruction. The Data Controller follows the principles of data processing provided by legislation, among other things, the Data Controller processes personal data legally, fairly, and securely. The Data Controller is able to confirm that personal data have been processed in accordance with the legislation.

1.5. The personal data collected, processed, and stored by Data Collector have been collected electronically, mainly via e-mail and submitting an order. The personal data of the Data Subject, entered by the Data Subject while submitting an order, shall be included in the customer register and used for the performance of the sales contract and the offering of products to the Data Subject.

1.6By sharing their personal data, the Data Subject grants the Data Controller the right to collect, organize, use and administer, for the purpose defined in the privacy policy, the personal data that the Data Subject shares with the Data Controller either directly or indirectly when purchasing goods or services.

1.7. The Data Subject is liable for the accuracy, correctness, and integrity of the data submitted by them. The submission of knowingly false data is regarded as a breach of the privacy policy. The Data Subject is required to immediately notify the Data Controller of any changes in the data submitted.

1.8. The Data Controller is not liable for any damage or loss caused to the Data Subject or a third party as a result of the submission of false data by the Data Subject.

2. Processing and storage of personal data of customers

2.1. The Data Controller may process the following personal data of the Data Subject:

2.1.1. name and surname

2.1.2. business data of the company

2.1.3. phone number

2.1.4. e-mail address

2.1.5. delivery address

2.1.6. method of payment

2.1.7. purchase history

2.1.8. bank account number

2.1.9. IP address

2.1.10. Other information in the contract

2.2. In addition to the above, the Data Controller has the right to collect data about the customer that is available in public registers.

2.3. The legal basis for the processing of personal data is General Data Protection Regulation paragraph 6 section 1 subsections a), b), c) and f):

a) the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes.

b) processing of personal data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.

c) the processing of personal data may be required in order to comply with a legal obligation

f) processing of personal data is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.4. Purpose and storage of personal data

2.4.1. Personal data is processed in order to:

2.4.1.1. Name and surname, business data, phone number, e-mail address, and shipping address are used to manage the customer’s orders and deliver the products, to respond customer requests and to send invoices to the customer;

2.4.1.2. Purchase history details (date of purchase, product, quantity, customer’s data) are used for preparing summaries of goods and services purchased and for analysing customer preferences.

2.4.1.3. The bank account number is used to make refunds to the customer.

2.4.1.4. Personal data such as e-mail, phone number, and the customer’s name are processed to handle any issues relating to providing goods and services (customer support).

2.4.1.5. User’s IP address or other network identifiers are processed to provide website usage statistics. The website of Ursus OÜ uses cookies, which are used for identification and analytics purposes. Cookies store the following data: hardware and software data, IP address, visit time;

2.4.1.6. Other information reflected in the contract is processed for the purpose of fulfilling the contract and ensuring agreements;

2.4.1.7. Complying with a legal obligation, such as accounting obligation.

2.4.2. The Data Controller stores the data of the Data Subjects depending on the purpose of processing.

2.4.2.1. When the customer account is terminated, the personal data will be deleted, except when such data is needed to be preserved for accounting or solving consumer disputes.

2.4.2.2. In the case of consumer disputes and disputes related to payments, personal data will be stored until the fulfilment of a claim or until the end of the expiry period.

2.4.2.3. The personal data required for accounting are preserved for seven years.

2.5. The Data Controller has the right to share the personal data of customers with third parties such as customer support, authorized data processors, accountants, transport and courier companies, manufacturers of goods, and transfer services providers. The Data Controller undertakes not to transfer the personal data of customers to unauthorized third parties unless the obligation to transfer personal data arises from the law.

2.6. When processing and storing the personal data of the Data Subject, the Data Controller implements organizational and technical measures that ensure the protection of personal data against accidental or illegal destruction, modification, disclosure and any other illegal processing. Transfer of personal data to authorized processors (e.g. transport service provider and data hosting) is carried out on the basis of contracts with authorized processors. Authorized processors are obliged to ensure appropriate protection measures when processing personal data.

2.7. Personal data are stored on the servers of Ursus OÜ, which are located on the territory of a Estonia.

2.8. The employees have access to personal data to resolve technical issues and provide customer support service.

3. Use of security cameras

3.1. We use security cameras in representative stores of Ursus OÜ, office and warehouse to ensure the protection of our customers and company’s assets. When you visit representative stores, offices or warehouses, your image may remain on our security camera footage. Security cameras only record the image, no sound is recorded. The camera image is not monitored in real time. Territories within the field of view of security cameras are marked with appropriate stickers.

3.2. The legal basis for the use of security cameras and their recordings is legitimate interest of Ursus OÜ in ensuring the protection and security of customers and property.

3.3. Camera recordings are stored for three months and access to such recordings is limited to employees who need access to the recordings in connection with the performance of their duties.

3.4. You have the right to access and receive a copy of the recording on which you are depicted. To obtain a copy of the recording, please contact us using the details in the „Contact“ menu, and describe as accurately as possible the time and place when your image was recorded. Ursus OÜ has the right to reject the application if the satisfaction of your application would unreasonably harm the rights and freedoms of other persons.

4. Rights of the Data Subject

4.1. The Data Subject has the right to access and examine their personal data via customer support. The data subject can contact the customer support at (info@ursus.ee) to exercise their rights.

4.2. The Data Subject has the right to receive information about the processing of their personal data.

4.3. If the Data Controller processes personal data according to an agreement with Data Subject, the Data Subject has the right to withdraw the consent at any time.

4.4. The Data Subject has the right to modify or supplement inaccurate data.

4.5. The Data Subject has the right to have their personal data deleted. To delete personal data, customer support must be contacted by sending a request via e-mail (info@ursus.ee). The deletion request will be answered no later than within a month, and the data deletion period will be specified. The personal data that is not deleted will be listed in a response to the data deletion request of the Data Subject along with legal basis and reasoning.

4.6. To protect their rights, the Data Subject can file a complaint with The Data Protection Inspectorate (info@aki.ee).

5. Final Provisions

5.1. These data protection conditions have been formulated in accordance with the regulation of the European Parliament and of the Council, 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Personal Data Protection Act of the Republic of Estonia and European Union legislations.

5.2. The Data Processor has the right to partially or completely change the data protection conditions by notifying the data subjects of the changes via the website (www.ursus.ee).