PRIVACY POLICY (GDPR)
Effective date: 2 October 2025
Languages: This Policy is available in Estonian, English and Russian. For users in Estonia, the Estonian version prevails in case of inconsistencies.
1. Controller and contacts
Controller: Vertera OÜ (private limited company, Estonian Commercial Register / Äriregister)
Reg. No.: 14137122
VAT No.: EE101948883
Registered address: Parda 3, 10151 Tallinn, Estonia
E-mail (privacy): vertera.estonia@gmail.com
Data Protection Officer: Not appointed. For privacy matters contact the e-mail above.
2. Scope
This Policy explains how we collect, use, share and protect personal data when you browse or shop on https://vertera.eu (the “Website”), create an account, contact customer service, receive marketing (where permitted) or otherwise interact with us. If any term conflicts with mandatory law, the latter prevails.
3. Categories of personal data
- Identity & contact: name, e-mail, phone, delivery/billing address, country/region.
- Account & auth: login identifier, password, security tokens, preferences, consent settings.
- Orders & payments: ordered items, prices, delivery choices, payment status and method (we receive only tokenised/limited payment data from providers; we do not store full card details).
- Communications: messages to support, feedback, claims.
- Device/usage: IP, device/browser type, logs, pages viewed, referral sources; cookies & similar tech (see Cookie Policy/consent tool).
- Verification/anti-fraud (if needed): e.g., age confirmation, signals to prevent abuse.
We do not intentionally collect special categories (health, biometric, beliefs). Please do not send such data via the Website.
4. Purposes and legal bases (Art. 6 GDPR)
- Contract (Art. 6(1)(b)): run the Website, process orders, deliver goods, customer service, account management.
- Legal obligations (Art. 6(1)(c)): payments, invoicing, accounting/tax, responding to lawful requests.
- Legitimate interests (Art. 6(1)(f)): Website security, fraud prevention, quality monitoring and improvement, handling/defending legal claims. We balance these interests against your rights.
- Consent (Art. 6(1)(a)): direct e-marketing (e-mail/SMS/push) and non-essential cookies/analytics/ads. Consent can be withdrawn at any time (Section 11/12).
- Soft opt-in (Art. 6(1)(f), where permitted by law): marketing of our own similar products to existing customers, with an easy opt-out in every message.
- Vital interests/public task: only in exceptional cases, if applicable.
5. Children
The Website is not intended for children below the age of digital consent in their country (typically 13–16 in the EEA; 13 in Estonia). We do not knowingly process such data without appropriate consent. If you believe a child shared data with us, contact us for deletion.
6. Sources
Data come from you (forms/checkout/support), automatically from your device (cookies/logs), and from service providers for payment, delivery, analytics and communications. We do not buy data from brokers.
7. Recipients and roles
We share data, as necessary, with:
- Processors (Art. 28): hosting/cloud/security, payment processors/financial institutions, delivery/logistics, CRM/support/communications, analytics (only with consent where required), professional advisers (legal/tax/audit). Each acts under contract and on our instructions.
- Affiliates: help provide the Website and fulfil orders. They act as processors unless otherwise stated.
- Joint controllers (Art. 26): where purposes and means are jointly determined with a partner, we act as joint controllers; the essence of the arrangement is available on request.
- Public authorities: where required by law.
8. International transfers
If data are transferred outside the EEA/UK, we rely on an adequacy decision or the EU Standard Contractual Clauses with supplementary measures where appropriate. You may request a copy or description of the safeguards.
9. Mandatory data and consequences (Art. 13(2)(e))
Providing some data is contractually necessary: name, delivery address, contact details, payment details. Without them we cannot conclude or perform the sales contract. Providing optional data (e.g., marketing preferences, extra profile fields) is not required for a purchase.
10. Retention
We keep data only as long as needed for the purposes above and to meet legal duties:
- Account: life of the account + up to 3 years after closure (claims/queries).
- Orders/invoices/accounting: up to 7 years (accounting/tax).
- Marketing: until you withdraw consent or object, or after a defined period of inactivity.
When retention ends, data are deleted or irreversibly anonymised.
11. Your rights (Arts. 12–22)
You may request access, rectification, erasure, restriction, portability (for data you provided, when processed by automated means based on consent or contract), and object to processing based on legitimate interests. You may object at any time to direct marketing (including related profiling). Where processing relies on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before it.
To exercise rights: vertera.estonia@gmail.com. We reply within one month (extendable up to two months for complex requests). We may verify your identity.
12. Cookies and consent
We use cookies and similar tech to operate the Website, remember preferences, analyse traffic and—only with your consent—to personalise content/ads. Details (categories, purposes, retention, third parties) are shown in the Cookie Policy and the consent tool, where you can change/withdraw choices at any time via the banner or a “Cookie settings” link in the footer. Non-essential cookies are not set before consent.
13. Direct marketing & service messages
Marketing is sent only with consent or under soft opt-in (where permitted) for our own similar products to existing customers. Every message contains an unsubscribe link. Service communications (e.g., order updates) are not marketing.
14. Security
We implement appropriate technical and organisational measures: access control; encryption in transit and, where appropriate, at rest; network/app security; backups; staff training; internal policies; vendor due diligence. No system is perfectly secure; residual risks remain.
15. Automated decisions
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Limited profiling for analytics/marketing may occur with consent or where permitted by law; you can opt out as described above.
16. Data breaches
We assess personal data breaches and will notify the supervisory authority and, where there is a high risk to you, inform you without undue delay, in accordance with GDPR.
17. Complaints
You can contact us first at vertera.estonia@gmail.com. You also have the right to complain to your local authority.
In Estonia: Andmekaitse Inspektsioon (AKI) — see www.aki.ee.
18. Changes
We may update this Policy. The updated version will carry a new effective date; where changes are material, we will provide additional notice where reasonable.