This privacy policy has been prepared by Living Minerals OÜ (hereinafter also: data processor) and it concerns the collection, use, publication, transmission, and storage of personal data of the data controller’s customer in the operation of the website www.mineralgarden.org (hereinafter: website). Living Minerals OÜ processes the personal data of the users of the portal in accordance with the legislation of the European Union and the laws of the Republic of Estonia.
Living Minerals OÜ collects, and processes personal data provided voluntarily by the users of the portal. The transfer of personal data to Living Minerals OÜ is not mandatory but may be indispensable for the use of the portal services.
1.1. This Privacy Policy governs the principles governing the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the chief processor of personal data, Living Minerals OÜ.
1.2. For the purposes of the Privacy Policy, a data subject is a customer or other natural person whose personal data is processed by a data processor.
1.3. For the purposes of the Privacy Policy, a customer is anyone who purchases goods or services from the data controller’s website.
1.4. The data processor follows the principles of data processing provided by legislation; among other things, the data processor processes personal data lawfully, fairly, and securely. The data processor confirms that personal data have been processed in accordance with the provisions of legislation.
2.1. The personal data collected, processed, and stored by the data controller are collected electronically, mainly via the website and e-mail.
2.2. By sharing their personal data, the data subject grants the data controller the right to collect, organize, use, and manage personal data for the purposes defined in the privacy policy, which the data subject shares directly or indirectly with the data controller when purchasing goods or services on the website.
2.3. The data subject is fully responsible for their provided data’s accuracy, correctness, and consistency. Providing false data knowingly is a breach of privacy policy. The data subject is obliged to immediately notify the data processor of any changes in the submitted data if it is necessary for fulfilling the contractual relations correctly.
2.4. The data processor shall not be liable for any damage caused to the data subject or third parties caused by the submission of false data by the data subject.
3.1. The processor of data may process the following personal data for the following purposes:
| Type of data | Legal basis of processing | Purpose of processing |
| First and last name | Article 6 (1) (a) and (b) and (c) of the GDPR (General Data Protection Regulation) | Execution of the contract concluded with the client, fulfilment of the accounting obligation of the responsible data processor* |
| Phone number | Article 6 (1) (a) and (b) of the GDPR | Execution of the contract concluded with the client |
| Email address | Article 6 (1) (a) and (b) of the GDPR | Execution of the contract concluded with the client |
| Delivery address | Article 6 (1) (a) and (b) of the GDPR | Execution of the contract concluded with the client |
| Bank account number: | Article 6 (1) (a), (b) and (c) of the GDPR | Execution of the contract concluded with the client, fulfilment of the accounting obligation of the responsible data processor* |
| Payment card details | Article 6 (1) (a) and (b) of the GDPR | Execution of the contract concluded with the client |
| IP address | Article 6(1) (f) of GDPR | Providing the service of the online store |
* Pursuant to section 7 (3) of the Accounting Act, an invoice submitted for the transfer of goods or provision of services must contain, among other things, information enabling the identification of the counterparties if the accounting party of the accounting entity is an accounting entity, a state accounting entity, or a foreign juridical person. Pursuant to section 2 (2) of the Accounting Act, accounting entities are the Republic of Estonia as one legal person in public law (hereinafter state), a local government unit, any juridical person in private or public law registered in Estonia, a sole proprietor and a branch of a foreign company registered in Estonia).
Therefore, if you purchase goods from the online store as an accounting entity (for example, as a company or self-employed person), we are also obliged to keep the identifiable data of the parties, which may include the first and last name of the company’s board member or self-employed person.
3.2. In addition to the above, the data processor has the right to collect data about the customer that is available in public registers.
3.3. Article 6 (1) (a), (b), (c) and (f) of the General Regulation on the protection of personal data, which is the legal basis for the processing of personal data:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing of personal data is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
(c) the processing of personal data is necessary for the performance of a legal obligation of the controller;
(f) the processing of personal data is necessary in the legitimate interest of the controller or of a third party, unless such interest outweighs the interests of the data subject or the fundamental rights and freedoms for which personal data must be protected, in particular where the data subject is a child.
Point (f) contains two alternatives: the legitimate interest of the controller and the legitimate interest of a third party. The data controller as the responsible processor, processes the data based on its own legitimate interests. It is in the legitimate interest of the controller to provide customers with an efficient online store service, which cannot be done without processing the IP address of the website visitors. If the customer does not disclose their personal data to the data processor, the data processor will not be able to associate the customer’s IP address with their person.
3.4. Purposes of processing personal data and storage of personal data in accordance with the purpose of processing:
3.4.1. Purpose of processing – performance of the contract concluded with the customer
Maximum period of storing personal data – if it is necessary for the performance of the obligations entered into under the contract, but not more than 3 years.
3.4.2. Purpose of processing – fulfilment of the accounting obligation of the responsible person
Maximum period of retaining personal data – in accordance with the time limits specified in the applicable legislation.
Purpose of processing – provision of online store service
Maximum period of storing personal data – 1 year.
3.5. To fulfil the contractual obligations between the parties and to provide the service more efficiently, the data controller has the right to share the personal data of customers with third parties, such as authorized data processors, accountants, transport and courier companies or transmission service companies. The data processor is the controller of personal data.
3.6. When processing and storing personal data of the data subject, the processor shall implement organizational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
4.1. The data subject has the right to access and inspect their personal data.
4.2. The data subject has the right to receive information about the processing of their personal data.
4.3. The data subject has the right to demand the addition or correction of inaccurate data.
The data subject has the right to object to the processing of their personal data.
The data subject has the right to demand the transfer of their data.
4.6. If the data processor processes the personal data of the data subject on the basis of the data subject’s consent, the data subject has the right to withdraw the consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing of data carried out on the basis of the consent prior to the withdrawal.
4.7. The data subject can contact the company by e-mail at living.minerals@gmail.com to exercise their rights.
4.8. To protect their rights, a data subject can submit a complaint to the Data Protection Inspectorate.
5.1. These data protection conditions have been drawn up in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC law and legislation of the Republic of Estonia and the European Union.
5.2. The data processor has the right to change the data protection conditions in part or in full by notifying the data subjects via the website.