Privacy Policy

PRIVACY POLICY OF BEAUTY BOUTIQUE

Last updated: 01.06.2025

1. Controller of Personal Data

The controller of personal data in the beautyboutique online store is PurelyYou OÜ, registry code 17095370, Staapli 8, Harjumaa, Estonia, email: info@beautyboutique.ee (hereinafter "Merchant").

2. Categories of Processed Personal Data

  • Name
  • Contact details: email address and phone number
  • Billing and delivery address
  • Bank account number
  • Purchase history: product/service, price, quantity, date
  • Customer support communication
  • Additional information related to customer surveys and/or promotional offers
  • IP address and other identifiers used to access the online store

More details about cookies can be found in our Cookie Policy.

3. Purpose and Legal Basis of Data Processing

Personal data is processed for the performance of a contract concluded with the customer (e.g., processing and delivering orders). Personal data is also processed to comply with legal obligations (e.g., accounting and resolving consumer disputes). Purchase history is used to provide order summaries and analyze customer preferences. Bank account information is used for issuing refunds. Customer service inquiries are handled using contact information. IP addresses and technical identifiers are processed for providing the e-commerce service and compiling website usage statistics.

4. Transmission of Personal Data to Authorized Processors

The Merchant may disclose personal data only to authorized processors necessary for providing services to the customer and only to the extent required for their service.

Authorized data processors include:

  • IT Service Providers: UX Genius OÜ, Veebimajutus, Oracle, Amazon Web Services (AWS)
  • Accounting Software Providers: SmartAccounts
  • Delivery Partners: Omniva, Itella, DPD
  • Payment Service Providers: Swedbank, SEB, LHV, Luminor, Coop Pank, Montonio Finance UAB, PayPal
  • Web Analytics and Marketing Tools: Google Analytics, Facebook

5. Security and Data Access

Personal data is stored on secure Microsoft Azure servers located in the EU/EEA or countries with adequate data protection levels. Appropriate physical, technical, and organizational measures are applied to protect data against accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.

6. Access, Correction, and Deletion of Data

Registered users can view and edit their data through the account management section of the website. Guest users may submit requests via the Data Request Form.

7. Consent Withdrawal

If data processing is based on consent, the customer may withdraw it at any time in the account settings or by contacting customer support.

8. Retention Period

Upon account closure, data is deleted unless retention is required for accounting or legal claims. Guest order data is retained for 3 years. Data related to payment and legal disputes is kept until claims are resolved or limitation periods expire (3 years). Accounting records are retained for 7 years.

9. Deletion of Data

Account data can be deleted via account settings. Other deletion requests can be submitted via the Data Request Form. Responses will be provided within 1 month.

10. Data Portability

Users can download an export of their data in account settings. Other portability requests are handled via the Data Request Form. Identity verification may be required.

11. Direct Marketing and Profiling

Email addresses and phone numbers may be used to send promotional offers. Users can opt out by using the unsubscribe link or contacting customer support. Users may object at any time to the use of their data for direct marketing or profiling.

12. Dispute Resolution

Data-related disputes can be addressed via customer support. The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee). Consumer complaints may be submitted to the Consumer Protection Commission or the EU ODR platform: https://ec.europa.eu/consumers/odr