Privacy Policy
1. General provisions
1.1. This privacy policy regulates the principles governing the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller Perfect Cosmetics OÜ, registration code 12414646, address Mõisatalli, Uugla village, Lääne-Nigula municipality, Läänemaa, 91013 (hereinafter referred to as the data processor).
1.2. Data subject within the meaning of the privacy policy is a customer or other natural person whose personal data is processed by the data processor. Customer within the meaning of the privacy policy is anyone who purchases goods or services from the data processor’s website.
1.3. By placing an order in the data processor’s online store, the data subject agrees to the terms and conditions of this privacy policy by checking the corresponding box in the order form.
1.4. The data processor complies with the principles of data processing set out in legislation, including processing personal data lawfully, fairly, and securely. The data processor is able to confirm that personal data has been processed in accordance with the provisions of legislation.
1.5. Personal data collected, processed, and stored by the data controller is collected electronically, mainly through the website when placing an order and via e-mail. When an order is placed, the personal data entered by the data subject is entered into the customer register and used to fulfill the sales contract and deliver products to the data subject.
1.6. By sharing their personal data, the data subject grants the data processor the right to collect, organize, use, and manage personal data for the purposes specified in the privacy policy, which the data subject shares with the data processor directly or indirectly when purchasing goods or services on the website.
1.7. The data subject is responsible for ensuring that the data they provide is accurate, correct, and complete. Knowingly providing false information is considered a violation of the privacy policy. The data subject is obliged to immediately notify the data processor of any changes to the data provided.
1.8. The data processor is not liable for any damage caused to the data subject or third parties by the submission of false data by the data subject.
2. Processing and storage of customers’ personal data
2.1. The data processor processes the following personal data of the data subject:
– first and last name;
– telephone number;
– e-mail address;
– delivery address;
– payment method;
– purchase history;
– bank account number;
– IP address.
2.1.1. The data processor does not see the data subject’s bank card details. To complete the transaction, the customer is redirected to the secure environment of Montonio Finance OÜ. At the time of payment, the customer enters their card details into the database located on the server of Montonio Finance OÜ, and the data is stored on the server of Montonio Finance OÜ. The data processor is not responsible for the use of data by Montonio Finance OÜ.
2.2. In addition to the above, the data processor has the right to collect data about the customer that is available in public registers.
2.3. The legal basis for the processing of personal data is Article 6(1)(a), (b), (c) and (f) of the General Data Protection Regulation:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) the processing of personal data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing of personal data is necessary for compliance with a legal obligation to which the controller is subject;
f) the processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The source of personal data and the basis for its processing is the establishment of a customer relationship in the online store when registering an order, in accordance with the terms of use. The processing of personal data is a condition of the contractual relationship.
2.4. Purpose and storage of personal data processing
2.4.1. Purpose
Personal data is processed for the following purposes:
– First and last name, telephone number, e-mail address, and delivery address are used to manage customer orders and deliver goods;
– Purchase history data (purchase date, goods, quantity, customer details) is used to compile an overview of purchased goods and services and to analyze customer preferences;
– Bank account numbers are used to refund payments to customers;
– Personal data such as e-mail, phone number, and customer name is processed in order to resolve issues related to the provision of goods and services (customer support);
– The IP address or other network identifiers of online store users are processed for the purpose of providing the online store as an information society service and compiling web usage statistics.
2.4.2. Storage
The data processor stores the data subjects’ data depending on the purpose of processing.
When a customer account is closed in the online store, personal data is deleted, unless such data needs to be stored for accounting purposes or for resolving consumer disputes.
If a purchase is made in the online store without a customer account, the purchase history is retained for three years.
In the event of disputes related to payments and consumer disputes, personal data is retained until the claim is fulfilled or the limitation period expires.
Personal data required for accounting purposes is retained for seven years.
2.5. The data processor has the right to share customers’ personal data with third parties, such as online store customer support, authorized data processors, accountants, transport and courier companies, goods manufacturers, and companies providing transfer services.
The data processor undertakes not to disclose customers’ personal data to unrelated third parties, except where the disclosure of personal data is required by law.
2.6. When processing and storing the personal data of data subjects, the data processor shall implement organizational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
The transfer of personal data to authorized processors of the online store (e.g., transport service providers and data hosting providers) is based on agreements concluded between the online store and the authorized processors. Authorized processors are required to ensure appropriate security measures when processing personal data.
2.7. The data processor is the controller of personal data. The data processor transfers the personal data necessary for making payments to the authorized processor Montonio Finance OÜ.
2.8. Personal data is stored on Zone Media OÜ servers located in the territory of a European Union member state or a country that has joined the European Union’s economic area. Data may be transferred to countries whose level of data protection has been assessed as adequate by the European Commission and to US companies that have joined the Privacy Shield framework.
2.9. Access to personal data is granted to online store employees who may view personal data in order to resolve technical issues related to the use of the online store and to provide customer support.
3. Newsletter subscription and data processing
3.1. Newsletter subscription
– Subscribing to the newsletter is free and voluntary.
– You can subscribe to the newsletter:
- when registering an account;
- on the designated page: https://www.luminordic.com/uudiskirjaga-liitumine/.
– When signing up, the customer enters their email address and, if necessary, their name.
– By signing up, the customer agrees to receive marketing materials, special offers, and news.
– Newsletters are sent via the Metrilo (https://www.metrilo.com/) platform.
3.2. Data processing and storage
– The data provided for subscribing to the newsletter will be processed until the customer wishes to unsubscribe from the newsletter.
– The customer cannot temporarily suspend receiving newsletters, but can only unsubscribe completely.
– The data subject has the right to unsubscribe from the newsletter at any time in the following ways:
- by clicking on the unsubscribe link at the bottom of each email;
- by writing to hei@luminordic.com;
- by indicating your wish to unsubscribe via the online store chat window.
– The data subject can change their data:
- in the e-store under “My Account” → “My Data”;
- by writing to hei@luminordic.com or via the e-store chat window.
– The data processor will not disclose any data related to the newsletter to third parties without the customer’s consent.
4. Terms and conditions of prize draws and data processing
4.1. Participation in prize draws
– Prize draws are held as part of separate campaigns, the terms and conditions of which are always set out in the campaign post (e.g., on social media or in a marketing email).
– The following personal data may be processed for participation in the prize draw:
- e-mail address (for conducting the prize draw and notifying and announcing the winner);
- name or social media username (for conducting the prize draw and notifying and announcing the winner).
4.2. Selecting and notifying winners
– Winners will be selected at random in accordance with the terms and conditions of the specific campaign.
– The terms and conditions of the draw will determine who participates in the draw, for example:
- “Leave feedback and participate in the draw” – everyone who has left feedback during the campaign period will participate in the draw.
- “Leave a comment and enter the prize draw” – everyone who has left a comment on the relevant post will be entered into the prize draw.
– Winners will be drawn on the working day specified in the campaign terms and conditions.
– Winners will be contacted by email or via the relevant social media channel.
– If the winner does not respond within 7 days, a new winner will be drawn.
– The winner’s name or social media username will also be published on LUMI’s social media channels (Instagram, Facebook).
– If the customer does not want their name or username to be made public, they can notify us by writing to hei@luminordic.com, and the data will be removed.
4.3. Processing of data for the purpose of the prize draw
– The list of participants in the prize draw will not be retained after the prize draw has ended.
– Once the winner has confirmed the draw and the prize has been awarded, the data subject may request the deletion of their data by writing to hei@luminordic.com.
5. Rights of the data subject
5.1. The data subject has the right to access and review their personal data. Registered users can view their personal data in their online store user profile, while unregistered customers can view their personal data through customer support.
5.2. The data subject has the right to obtain information about the processing of their personal data.
5.3. The data subject has the right to supplement or correct inaccurate data.
5.4. If the data processor processes the data subject’s personal data on the basis of the data subject’s consent, the data subject has the right to withdraw their consent at any time.
5.5. The data subject gives the data processor consent to send advertising materials and sales offers to the e-mail address entered by the data subject when placing an order, if the data subject has expressed a wish to receive such notifications when placing the order (by ticking the corresponding box).
5.6. The data subject may contact the e-store’s customer support at hei@luminordic.com to exercise their rights.
5.7. The data subject has the right to have their personal data deleted. To have personal data deleted, please contact customer support by email (hei@luminordic.com). The deletion request will be responded to within one month at the latest, specifying the period for which the data will be deleted. The response to the request will also specify which personal data will not be deleted and on what legal basis and for what reason.
5.8. The data subject may also lodge a complaint with the Data Protection Inspectorate (info@aki.ee) to protect their rights.
6. Final provisions
6.1. These data protection conditions have been drawn up in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and the legislation of the Republic of Estonia and the European Union.
6.2. The data controller has the right to change the data protection conditions in part or in full by notifying the data subjects of the changes via the website (www.luminordic.com).