- General information and contact details
- Principles of personal data processing
- General purposes, grounds for, and activities of processing
- Other data subjects
- Composition and collection of personal data
- Transfer and authorised processing of personal data
- Rights of the data subject and exercise of rights
- Storage and security of processing personal data
1.1 Data Subject/you means a natural person regarding whom we have information or information that can be used to identify a natural person.
1.2 User means a person who has created an account in our online store.
1.3 Customer means any natural or legal person who has purchased or expressed their desire to purchase our products and/or services.
1.4 Visitor means a person who visits the Website.
1.5 Cookies mean data files stored in the Visitor’s device on the Website according to the selection made.
1.6 Contract means a contract of sale for products or another contract entered into between us and the Customer, incl. standard terms and conditions and other applicable procedures and policies.
1.8 Products mean the services and products offered by Thermory.
1.9 Website foremost means Thermory’s website https://thermory.com/ as well as our online store and social media pages.
2. General information and contact details
2.1 About us. Thermory AS (registry code 10278819, address Lõõtsa 1a, 11415 Tallinn) is a company engaged in the production and sale of thermally modified wood. Thermory processes your personal data as a controller.
2.2 Contacts. You can contact us in matters related to personal data by e-mail at [email protected].
Please note that everything behind the links on our Website or social media is governed by the privacy terms of the respective service providers. Processing of your personal data on social media channels is also done according to the privacy terms of these platforms.
Here you will find the key principles that we are always guided by when processing your personal data.
3.1 Our aim is responsible personal data processing where we are able to demonstrate the compliance of personal data processing with the purposes set and the applicable regulations.
3.2 All our processes, guidelines, actions, and activities related to personal data processing are based on the following principles: lawfulness, fairness, transparency, purposefulness, minimisation, accuracy, storage limitation, integrity, confidentiality, and data protection by default and by design.
4. General purposes, ground for, and activities of processing
Here you will find information about the purposes and grounds for processing your personal data.
4.1 Our aim is to offer our Customers high-quality thermally modified products and pleasant customer service.
We use the following grounds as grounds for personal data processing:
4.2 Consent. Based on consent, we process personal data precisely within the limits, to the extent and for the purposes for which the Data Subject has given us their consent. The Data Subject’s consent to us shall be freely given, specific, informed, and unambiguous, for example, by ticking the box in the online store or on the Website.For example, we send marketing messages based on consent. Consent may also be expressed by a clear act, for example, the Data Subject can, at their own discretion, send inquiries through the inquiry forms on our Website or book a consultation, in which case we process their data to respond to them and offer them Products.
4.3 Entry into and performance of a Contract. Upon entering into and performing a Contract, we may process personal data for the following purposes:
- taking steps prior to entering into a Contract, which are necessary for entering into a Contract or which the Data Subject requests;
- identifying the Customer to the extent necessary for entering into and performing a Contract;
- performing the obligations assumed to the Customer with regard to the provision of our Products and service, incl. product information, delivery information if necessary, etc.;
- communicating with the Customer, incl. sending information and reminders about the performance of the Contract or about Products.
4.4 Legal obligation. We process personal data to comply with a legal obligation in accordance with and to the extent provided by law.
4.5 Legitimate interest. Legitimate interest means our interest in managing or directing our company and enabling us to offer the best possible Products and services on the market. In case we are using legitimate interest, we have previously assessed your interests. We may process your personal data on the basis of legitimate interest for the following purposes:
- managing and analysing a customer database and for marketing activities in order to improve the availability, selection and quality of Products, incl. using a CRM solution to enable the foregoing, and making the best and most personal offers to the Data Subject upon their consent;
- ensuring a better user experience, higher quality services, and operation of various channels; we may analyse identifiers and personal data collected when our Website, our social media pages, online store and other sales channels and Products are used, and we may collect statistics about Visitors, Users, and Customers;
- organising campaigns, incl. organising personalised and targeted campaigns. The terms and conditions of campaigns are set out separately;
- sending marketing offers to the Customer or potential customer if the respective person has previously purchased a similar product. In this case, the person is always guaranteed to have a simple opportunity to resign from the communication, and we have considered our and the Customer’s interests;
- conducting satisfaction, incl. customer satisfaction, surveys and measuring the effectiveness of marketing activities performed;
- making recordings; we may record messages and orders given both in our premises and using means of communication (e-mail, phone, etc.) as well as information and other activities we have performed, inter alia, calls to landline numbers. If necessary, we use these recordings to prove orders or other activities;
- network, information and cyber security reasons, for example measures for combating piracy and ensuring the security of the Website as well as for making and storing back-up copies;
- processing for organisational purposes, foremost for financial management and transfer of personal data within the group for internal management purposes (but also audits and other potential supervision), including for processing the personal data of Customers or employees;
- establishing, exercising or defending legal claims, incl. assigning claims to, for example, collection service providers, or obtaining information from institutions assessing creditworthiness;
- protecting our health and property and the health and property of our employees and Customers, for example, we may use cameras that may also record sound to ensure safety and security on our territory.
4.6 New purpose. Where personal data is processed for a new purpose other than that for which the personal data are originally collected or it is not based on the Data Subject’s consent, we carefully assess the permissibility of such new processing. We will, in order to ascertain whether processing for a new purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data are collected and the purposes of the intended further processing;
- the context in which the personal data are collected, in particular regarding the relationship between the Data Subject and us;
- the nature of the personal data, in particular whether special categories of personal data are processed or whether personal data related to criminal convictions and offences are processed;
- the possible consequences of the intended further processing for Data Subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
5. Other data subjects
Here you will find more detailed information regarding the processing of the data of cooperation partners, representatives of Customers who are legal persons, and job applicants.
5.2 The purposes and grounds for processing and information about personal data collected extend to the aforementioned persons to the extent appropriate according to the specific relationship.
5.3 Read more about the processing of the personal data of a job applicant here: [LINK or description where to find]
6. Composition and collection of personal data
Here you will find information about whose personal data and which personal data we collect and how we collect personal data.
6.1 We collect the following types of personal data:
- Personal data disclosed to us by the Data Subject (e.g. data submitted for the purpose of ordering Products – name, contact details, e-mail address, product information);
- Personal data resulting from standard communication between us and the Data Subject (e.g. correspondence regarding the Products);
- Personal data resulting from the consumption of Products and services (e.g. when using Thermory’s online store);
- Personal data resulting from visiting and using the Website;
- Data transmitted to us by the User and the User’s data regarding the use of the Website, incl. data related to the account and data related to purchases;
- Personal data obtained from third parties;
- Personal data generated and combined by us (e.g. correspondence within the context of customer relationship or list of order history).
6.2 Thermory generally processes the data of the following Data Subjects: Customers (natural persons), representatives of Customers and cooperation partners who are natural persons, our employees, (potential) customers, Website Visitors, and Users.
6.3 Specifically, we collect/may collect, inter alia, the following personal data in connection with the Products and the Website: name, contact details (e-mail address, phone number, date of birth, address/seat, place of business, area of activity of the Customer/Data Subject, representative(s), contact persons, bank account number, payment/invoice information, information about using our systems (Website, online store), data concerning interest in Products and use thereof, data concerning the performance of the Contract, and other data concerning the offer/consumption of Products and our activities.
6.4 Thermory does not knowingly collect the data of children.
7. Transfer and authorised processing of personal data
Here you will find information about the transfer and authorised processing of personal data.
7.1 We cooperate with persons to whom we may transmit data, including personal data, concerning the Data Subjects within the context and for the purpose of cooperation. When transferring personal data to third parties (generally our cooperation partners), we comply with the applicable data protection requirements.
7.2 Such third parties may include, inter alia, persons in the same group as us, distributors of our Products, logistics companies, supply partners, factoring providers, advertising and marketing partners, payment service providers, customer satisfaction survey companies, debt collection service providers, advisers, credit registers, ICT partners, i.e. service providers for various technical services, provided that:
- the respective purpose and processing are lawful;
- personal data is processed pursuant to the instructions of the controller and on the basis of a valid contract.
7.3 In other cases, we transmit your personal data to third parties provided that we have your consent, a legal obligation, or there is an exception in the event that the transfer is necessary to protect your vital interests.
7.4 As a general rule, we do not transmit personal data outside the European Economic Area. Where we transfer personal data outside the European Economic Area, we do so in compliance with the requirements of data protection regulations, e.g. where the European Commission has decided that there is an adequate level of protection in the respective country or, in the absence of such a decision, we have adopted appropriate safeguards (e.g. binding intragroup rules or standard data protection clauses).
8. Rights of data subject and exercise of rights
Your personal data belongs to you, and here you will find information about your rights and protecting of your personal data.
You may refuse or block cookies by changing the parameter settings of your internet browser. Disabling cookies may mean that will not be able to use certain functions of the Websites.
8.1 Rights concerning consent:
- The Data Subject has the right to notify us at any time of their intention to withdraw their consent to the processing of their personal data. Withdrawal of the consent does not affect the lawfulness of prior processing.
- You can exercise your rights concerning consent, for example by unsubscribing from messages in the footer of the respective e-mail or by contacting us at the address [email protected].
8.2 In the event of processing personal data, the Data Subject has the following rights, provided that the prerequisites set out in the GDPR are met:
- Right to receive information, i.e. the Data Subject has the right to receive information with regard to the personal data collected about them.
- Right to access data, which includes, inter alia, the right of the Data Subject to a copy of the personal data processed.
- Right to rectification of inaccurate personal data. The Data Subject can rectify incorrect data by contacting us using the contact details provided above. The User may have been given the ability to rectify certain data through their account (if enabled).
- Right to erasure, i.e. in certain cases, the Data Subject has the right to obtain the erasure of personal data, for example where data is processed solely on the basis of consent.
- Right to restriction of processing personal data. This right arises, inter alia, where the processing of personal data is not permitted by law or temporarily when the Data Subject contests the accuracy of personal data.
- Right to data portability, i.e. in certain circumstances, the Data Subject acquires the right to receive their data in a machine-readable format or to require the transmission of the data to another controller in a machine-readable format.
- Rights related to automated processing and profiling mean that the Data Subject, on grounds relating to their particular situation, has the right to object at any time to the processing of personal data concerning them based on automated decisions/profiling and to require human intervention. The Data Subject may also require an explanation regarding the logic of making an automated decision. Automated processing/profiling may also be partially based on data collected from public sources. We do not use automated processing or profiling that has a significant effect on the Data Subject or their rights.
- Right to an assessment by a supervisory authority as to whether the processing of the personal data of the Data Subject is lawful.
- Right to compensation for damages where the processing of personal data has caused damages to the Data Subject.
8.3 Exercise of rights. In the event of a question, request, or complaint regarding the processing of personal data, the Data Subject has the right to contact us using the contact details provided in clause 2.
8.4 Filing complaints:
- The Data Subject has the right to file their complaint with us, the Data Protection Inspectorate, or the court.
- Contact details of the Data Protection Inspectorate (DPI) can be found on the DPI’s website at https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.
9. Storage and security of processing personal data
Here you will find a description of how we protect your personal data and for how long we store personal data.
9.1 Storage. We store personal data only for the period necessary for the purpose of processing. As a rule, for the duration of the period of validity of the Contract + three years to protect against any potential claims. Personal data whose storage period has expired are destroyed or made anonymous. When storing personal data, we comply with the purpose of processing, limitation periods for potential claims in the event of filing claims, and storage periods provided for in the law.
9.2 Security measures. We have established guidelines and rules of procedure on how to ensure the security of personal data through the use of both organisational and technical measures. Among others, we do the following to ensure security and confidentiality:
- we provide our employees with access to personal data only where this is necessary for the performance of their duties and where the respective permission has been requested and rights have been granted;
- a processor may process the personal data transferred to them only for the purpose and to the extent necessary for providing the services set out in the contract;
- we use software solutions that help ensure a level of security that meets the market standard.
9.3 In the event of any incident involving personal data, we do our best to mitigate the consequences and alleviate the relevant risks in the future.
10. Cookies and other web technologies
Here you will find information about which Cookies or other technologies we use and where more detailed information about the respective processing can be found.
10.1 We may collect data about the Visitors and Users of the Website and other information society services (e.g. online store) as well as the Customers by using Cookies (i.e. small fragments of information stored in the hard drive of the Visitor’s computer or another device by the Visitor’s browser) or other similar technologies and process such data (e.g. IP address, device information, location information).
10.2 We use the collected data to enable the consumption of Products and services in accordance with the habits of the Data Subject, to ensure the best quality of Products and services, to inform the Visitor, User and Customer of the content and give recommendations, to make the advertisements more relevant and our marketing efforts more effective, to simplify logging in and protecting data. Collected data is also used to count Data Subjects and record their usage habits.
10.3 We use session and persistent Cookies. Session Cookies are deleted automatically after each visit, while persistent Cookies are retained when the Website is used repeatedly.
10.4 Our Website may contain third party Cookies regarding which our cooperation partners are the controllers.
10.5 We use the following types of Cookies:
10.5.1 Necessary Cookies are required to use the Website – to navigate the page and use its functions –, and necessary Cookies enable logging into the Website, shopping basket functions, distinguishing bots from people, and ensuring other security functions. Without these Cookies, the Website cannot function properly and the provision of service may be hindered. Because necessary Cookies are essential for the operation of the Website and for the provision of Thermory’s Products, these Cookies are always enabled.
10.5.2 Preference Cookies – these Cookies store the Data Subject’s selections (such as font size, other personalised website display features) and attributes (such as user name, language, or country of location of the User) in order to offer a more personalised and convenient use of the Website. Preference Cookies, although separate from necessary Cookies, are necessary for the Users to ensure that an appropriate personalised solution is displayed. The data stored depends on a specific Cookie. In general, we collect technical data about the device and store the selections made by the Data Subject (e.g. font size, other editable properties of the Website) and their attributes (e.g. user name, language, country of location).
10.5.3 Functional/statistics/analytics Cookies are Cookies that collect information about how Data Subjects use the Website, for example which subpages are visited most frequently and which error messages occurred. These Cookies generally do not collect information that can identify the person. These are used to improve the operation of the Website and Product offers.
10.5.4 Marketing and personalised analytics Cookies are Cookies used for optimising marketing activities and/or for displaying personalised advertising. These Cookies may be third party Cookies.
10.6 With regard to Cookies, Visitors consent to their use on the Website or in the web browser. The processing is generally based on consent. The majority of web browsers allow Cookies. Without Cookies, not all functions of the Website may be available to the Visitor. Enabling or disabling Cookies and other similar technologies is up to the Visitor through the settings of their own web browser and the Cookie solution on our Website. The Data Subject can enable and disable Cookies by type (excl. necessary Cookies that are enabled automatically).
10.7 More information about Cookies and the use of other similar technologies can be found on our Website through the respective Cookie solution.
|Publication||Entry into force||Key changes|