Privacy policy
This privacy policy explains how Mailisepood (registry code 12578508) ("we") processes personal data in accordance with the General Data Protection Regulation (GDPR) and Estonian law.
Data controller
Mailisepood (registry code 12578508)
Address: Kivinuka tee 5, Vääna-Jõesuu küla, Harku vald, Harjumaa
Email: mailis.kess@gmail.com
No separate data protection officer has been appointed; for data-protection matters, write to mailis.kess@gmail.com.
What data we collect
- Order data: name, email, phone, delivery and billing address, ordered products and order history.
- Payment data: payment takes place in the payment service provider's environment — we neither see nor store your full card details.
- Account data: if you create an account, we store the data needed to sign in.
- Usage data: aggregate, cookieless web analytics (individual visitors are not identified).
Providing the data required to fulfil an order (name, contact, delivery address) is a precondition for concluding the contract — without it we cannot fulfil the order.
Purpose and legal basis of processing
- Fulfilling orders and customer support — performance of a contract.
- Accounting and statutory obligations — legal obligation.
- Store security and operation — legitimate interest.
- Newsletters and marketing — your consent (which you can withdraw at any time).
Authorised processors (sub-processors)
We use the following trusted sub-processors to provide the service:
| Processor | Purpose | Location / safeguard |
|---|---|---|
| Hetzner Online GmbH | Web hosting, database and server-side cookieless web-analytics collection (self-hosted FluentCart + FluentCRM) | Helsinki, Finland (EU) |
| Cloudflare, Inc. | DNS, CDN, WAF, DDoS protection, SSL | EU/EEA servers; company in the USA (DPA + SCC / EU–US Data Privacy Framework) |
| MXroute, LLC | Mailbox hosting (incoming mail) | USA (Dallas, Texas); provider offers no formal DPA or SCC — see liability note |
| Amazon Web Services, Inc. (Amazon SES) | Sending transactional emails | eu-central-1 (Frankfurt, EU); company in the USA (AWS DPA + SCC) |
| Supabase, Inc. | Storage of server-side web-analytics data (cookieless) | London, United Kingdom (AWS eu-west-2; EU adequacy decision); company in the USA (DPA + SCC) |
Note: FluentCart (the store) and FluentCRM (customer management) are self-hosted on our servers (Hetzner) and process data on our instructions — they are not separate external service providers. Payment service providers (bank links, card payment, instalments) and delivery providers (parcel machines, couriers) act as independent controllers and are not sub-processors of the processors listed above.
Liability note (MXroute): hosting of incoming email takes place in the USA without a formal DPA or standard contractual clauses (SCC); we use it solely to receive email and avoid transmitting sensitive personal data through this channel.
Data retention
We retain accounting source documents for 7 years (Accounting Act). We retain order data for the performance of the contract and the limitation period for legal claims (generally up to 3 years from the end of the contract). We retain account and marketing data while the account is active or the consent is valid.
Children
The online store is not directed at children (under 13) and does not knowingly collect the personal data of minors.
Transfers to third countries
Some service providers are located outside the EU/EEA. Transfers are protected by a European Commission adequacy decision, standard contractual clauses (SCC) and/or the EU–US Data Privacy Framework, as indicated in the table above.
Your rights
You have the right to access your data, rectify or erase it, restrict processing, object, and receive your data in a portable format. Where processing is based on consent (e.g. the newsletter), you have the right to withdraw consent at any time without affecting the lawfulness of prior processing. Send requests to mailis.kess@gmail.com. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee).
Automated decisions
We do not make automated decisions or carry out profiling based on your data that would have legal effects on you.
Cookies and web analytics
We use only cookies necessary for the store to function. Our web analytics is cookieless and based on legitimate interest — we collect aggregate statistics only, without cookies or visitor profiles.
Changes
We may update this privacy policy from time to time. The current version is always on this page.
