1.1. The terms of this Privacy Policy are drawn up in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and the legislation of the Republic of Estonia and the European Union, as well as the instructions of the Data Protection Inspectorate.
1.2. This Privacy Policy governs the principles of the collection, processing, and storage of personal data. Personal data are collected, processed, and stored by the controller of personal data TSSTBOX OÜ, registry code 16689914, address Peterburi tee 53 kab.103, Tallinn 11415 (hereinafter the data processor). TSSTBOX OÜ is a company engaged in the sale of accessories for off-road vehicles.
1.3. TSSTBOX OÜ reserves the right to change the terms of the Privacy Policy if necessary by publishing it on the website tsstbox.ee.
1.4. For the purposes of this Privacy Policy, the data subject is a customer or another natural person whose personal data are processed by the data processor (hereinafter the data subject). A customer within the meaning of this Privacy Policy is anyone who purchases goods or services in the data processor’s online store.
1.5. By placing an order in the data processor’s online store, the data subject agrees to the terms of this Privacy Policy.
1.6. By providing their personal data, the data subject grants the data processor the right to collect, use, and manage personal data for the purposes set out in this Privacy Policy, which the data subject shares with the data processor directly or indirectly when purchasing goods or services on the website tsstbox.ee.
1.7. The data processor complies with the principles of processing personal data established by law, including processing personal data lawfully, fairly, and securely.
1.8. When processing and storing the data subject’s personal data, the data processor implements organizational and technical measures that ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing.
1.9. The personal data that the data processor collects, processes, and stores are collected electronically, mainly when placing an order via the website and by email, as well as at the premises of the data processor. When an order is submitted, the data subject’s personal data entered by the data subject are entered into the data processor’s database and are used to perform the obligations arising from the sales contract.
1.10. The data subject is responsible for the accuracy, correctness, and completeness of the data provided by them. Knowingly providing false information is considered a violation of this Privacy Policy. The data subject must immediately notify the data processor of any changes to the data provided.
1.11. The data processor is not liable for any damage caused to the data subject or third parties as a result of the data subject providing false information.
2.1. The data processor processes the data subject’s personal data on the basis of Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation as follows:
2.1.1. Point (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
2.1.2. Point (b) the processing of personal data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
2.1.3. Point (c) the processing of personal data is necessary for compliance with a legal obligation to which the data processor (responsible processor) is subject;
2.1.4. Point (f) the processing of personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
2.2. The source of personal data and the basis for their processing is the establishment of a customer relationship when placing an order in the online store. The processing of personal data is a condition of the contractual relationship. Purchasing goods and services in the online store and concluding a contract without providing personal data to the data processor is not possible.
3.1. The data processor processes the following personal data of the data subject:
3.1.1. first and last name;
3.1.2. phone number;
3.1.3. email address;
3.1.4. delivery address and billing address;
3.1.5. payment method;
3.1.6. purchase history;
3.1.7. bank account number;
3.1.8. call recording (when calling customer support);
3.2. The data processor does not see and does not process the data subject’s bank card data. To complete a purchase transaction in the online store, the customer is redirected to the secure environment of the following service provider(s):
3.2.1. PayPal;
3.2.2. Everypay;
3.2.3. Montonio;
3.2.4. LHV Finance;
3.3. At the time of payment, the customer’s card data are entered into the database of the relevant service provider and stored by the relevant service provider.
3.4. The data processor is not responsible for the processing of the data subject’s data by the said service provider.
3.5. Payments
To process secure payment transactions, we use Stripe Inc. (located in the United States). Stripe is certified to PCI DSS Level 1, which is the highest level of certification in the payment industry.
Data we collect:
Legal basis: Necessary for the performance of a contract or to take steps prior to entering into a contract at the request of the data subject.
Third-party payment processor: Stripe Inc. processes payment data on our behalf. Transfers of data to the United States are protected by Standard Contractual Clauses. For more information, please refer to the Stripe Privacy Policy.
3.6. Compilation and analysis of statistical data to improve the website
Data we collect:
Legal basis: Consent (Article 6(1)(a) GDPR and the ePrivacy Directive).
We collect these data using cookies and similar technologies only after obtaining your explicit consent through our cookie banner.
4.1. Personal data are processed for the following purposes:
4.1.1. First and last name, phone number, email address, and delivery address are used to manage and fulfill customers’ orders and to deliver goods;
4.1.2. Purchase history data, including the customer’s personal data (order number, purchase date, product, quantity, customer email address, phone number, name), are used to obtain an overview of purchased goods and services, to resolve complaints and fulfill warranty obligations, and to resolve any other issues related to the provision of goods and services (customer support);
4.1.3. Payment method data, including the bank account number, are used to refund payments to the customer;
4.1.4. Customer support call recordings are used to confirm the data subjects’ intent for the purpose of resolving disputes, as well as to ensure and develop higher-quality customer service.
5.1. Personal data are stored in the data processor’s database located on the servers of Hetzner Online GmbH and Zone Media OÜ, which, in turn, are located in the territory of a Member State of the European Union or in countries that have joined the European Economic Area.
5.2. The data processor stores data subjects’ data primarily depending on the purpose of processing and in accordance with the retention period established for the data processor by law.
5.3. When making a purchase in the online store, both without a customer account and with a customer account, the purchase history, including personal data, is stored for seven years.
5.4. An inactive customer account is stored for three years, after which the customer account is closed.
5.5. When a customer account in the online store is closed, personal data are deleted, except where such data must be retained for accounting purposes or for the resolution of consumer disputes.
5.6. In the event of disputes related to payments and consumer disputes, personal data will be stored until the claim is satisfied or the limitation period expires.
5.7. Personal data required for accounting purposes are stored for seven years.
6.1. The data processor has the right to transfer customers’ personal data to third parties such as the online store’s customer support service, authorized data processors, accountants, transport and courier companies, manufacturers of goods, and companies providing transfer services.
6.2. The data processor undertakes not to transfer customers’ personal data to unrelated third parties unless the obligation to transfer personal data arises from law.
6.3. The transfer of personal data to authorized processors of the online store (e.g., the transport service provider and data hosting) takes place on the basis of agreements concluded between the online store and the authorized processors. Authorized processors are obliged to ensure appropriate safeguards when processing personal data.
6.4. Employees of the online store have access to personal data and may view personal data in order to resolve technical issues related to the use of the online store and to provide customer support services.
6.5. Processors
We transfer your personal data to the following processors:
| Processor | Country | Purpose | Transfer safeguard |
|---|---|---|---|
| Google LLC | USA | Analytics and advertising | Standard Contractual Clauses |
| Stripe Inc. | USA | Payment processing | Standard Contractual Clauses |
All data processors located in the United States are situated outside the European Economic Area. We ensure appropriate safeguards for data transfers by means of Standard Contractual Clauses approved by the European Commission in accordance with Chapter V of the GDPR.
6.6. Legal obligations
We disclose personal information where required by law or court order, in response to requests from law enforcement authorities, to the extent permitted by other legal provisions, in order to provide information or to conduct investigations related to public safety matters. This includes compliance with requirements imposed by tax authorities, regulators, and law enforcement authorities in Finland and in other jurisdictions where we operate.
6.7. Data processing agreements
In accordance with Article 28 GDPR, we have entered into Data Processing Agreements (DPAs) with all of our data processors:
These agreements ensure that our processors process personal data only in accordance with our documented instructions and implement appropriate technical and organizational measures to protect your data.
6.8. No sale of personal data
We do not sell, rent, or trade your personal information to third parties for marketing purposes. Any sharing of data with third parties is limited to the purposes described in this Privacy Policy and is carried out subject to appropriate safeguards.
7.1. The data processor generally does not transfer personal data to third countries.
7.2. If such a need arises, the data processor transfers personal data to a third party and/or a third country only for the purposes and to the extent determined by law, a contract, consent, or legitimate interest, while complying with all legislation governing data protection. If the data processor needs to transfer personal data outside the European Union or equivalent territories, then, pursuant to Article 45 of the data protection regulation, the level of protection of personal data guaranteed outside the EU must be at least the same as within the EU. If, to the best of our knowledge, the level of personal data protection in the destination country is not equivalent to the level in the EU, we will notify you thereof in writing by email, and you will be able to give appropriate confirmation for the transfer or prohibit the transfer of your data.
8.1. The data processor’s website tsstbox.ee uses cookies. A cookie is a small text block of data in the data subject’s web browser that a web page sends to the cookie file on the data subject’s device.
8.2. The data processor uses the following cookies:
8.2.1. Necessary cookies, including functional cookies – cookies are necessary so that the website user can browse the website and use its features.
8.2.2. Analytical and statistical cookies – necessary, in particular, to ensure a better user experience when visiting the website, to ensure the website functions better and is developed, and to track visit statistics of various pages of the website.
8.3. The data subject may always decide whether to allow the use of cookies in the web browser or not. If the data subject does not wish to use cookies, the data subject can set their web browser to automatically disable cookies or to notify them each time a website requests permission to add cookies. To carry out the necessary configuration, you need to review the help function of your device’s web browser.
8.4. If the data subject does not wish cookies to be stored on their device, they can be blocked in the settings of the web browser.
8.5. Please note that the data processor’s website can also be visited with cookies disabled, but certain services or certain parts of the website may then not work properly. Refusing cookies may limit the ability to use the website.
8.6. It should also be noted that the website contains links to other websites, and the data processor is not responsible for data exchange on other websites or for the privacy policies of other websites.
9.1. When visiting the data processor at its address, please note that 24/7 video surveillance equipment (CCTV cameras) is used on the data processor’s territory and in its buildings.
9.2. CCTV cameras are used for the purpose of protecting the data processor’s property and, if necessary, for handling customer complaints, including claims or disputes related to customer transactions.
9.3. CCTV recordings are stored for 2 months on average and for no more than 6 months.
9.4. Recordings may be stored longer if, before their deletion, proceedings were initiated or there is an evident need to initiate proceedings to investigate an offense or other incident, in connection with which it is necessary to keep the recording for a longer period. In this case, the relevant data will be stored until the end of the proceedings.
9.5. The use of CCTV on the territory and in the premises of the data processor will be indicated by appropriate signage.
9.6. The data processor has the right to transfer the collected data to law enforcement authorities, state authorities, and local government authorities.
9.7. The data processor transfers CCTV system recordings only at the request of a criminal prosecution authority in accordance with the law and where recordings exist.
10.1. The data processor records incoming calls to the customer support phone number. Calls are recorded on the basis of the data subject’s consent, i.e., the data subject is informed about the recording before the conversation begins, and the data subject may terminate the call at any time and contact the data processor by email at alex@tsstbox.ee.
10.2. The data processor processes call recordings to prove the data subjects’ intent for the purpose of resolving disputes and, consequently, to ensure and develop higher-quality customer support.
10.3. Customer support inquiry recordings of the data processor are stored for 30 calendar days.
11.1. The data subject has the right to obtain information about the processing of their personal data. The data subject has the right to access their personal data that the data processor holds and processes. Customers with a customer account can view their personal data in the online store user profile; unregistered customers may submit a request related to their personal data via customer support by sending the relevant request by email to alex@tsstbox.ee.
11.2. When you request your personal data, the data processor has the right to verify your identity in advance.
11.3. The data subject has the right to supplement or correct inaccurate data.
11.4. If the data processor processes the data subject’s personal data on the basis of the data subject’s consent, the data subject has the right to withdraw consent at any time.
11.5. The data subject has the right to delete personal data. To delete personal data, it is necessary to contact customer support by email (alex@tsstbox.ee). A response to the deletion request will be provided no later than within one month and will specify the period for deleting the data. If necessary, the response will also list the personal data that cannot be deleted due to a legal obligation to retain them.
11.6. If the data subject finds that a violation of personal data processing has occurred with respect to their data, or that the data processor has violated their rights when processing personal data, they have the right to seek protection of their rights from the Data Protection Inspectorate or in court at any time.
11.7. If the data subject’s permanent place of residence is in another EU Member State, the contact information of the relevant authority can be found on the website of the European Data Protection Board (EDPB) (https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-ee.).
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
To exercise these rights, please contact us using the information provided in the “Contact details” section.
If you are a resident of Canada, you have additional rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
To exercise these rights, please contact us using the information provided in the “Contact details” section.
Your personal data may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from those of your country.
14.1. Transfers to the United States
Where personal data are transferred from the European Economic Area (EEA) or the United Kingdom to the United States (for processors such as Google LLC and Stripe Inc.), we use the Standard Contractual Clauses (SCCs) approved by the European Commission as safeguards for the protection of your data in accordance with Chapter V GDPR.
Standard Contractual Clauses are contractual commitments between us and our data processors that ensure appropriate protection of personal data transferred outside the EEA, as recognized by the European Commission following the Schrems II decision (2020).
14.2. Transfers from Canada
Where personal data are transferred from Canada to other countries, we take appropriate measures to ensure the protection of your personal data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). These measures include contractual obligations and technical security measures implemented by our processors.