Privacy Policy

1. General Provisions

1.1 This Privacy Policy describes how personal data is collected, processed, and stored by Mikiwal OÜ (registry code 14100490), located at Võsu mnt 33, Haljala, Lääne-Virumaa, 45301, Estonia (hereinafter the “Data Controller”).

1.2 A data subject within the meaning of this Privacy Policy is any identified or identifiable natural person whose personal data is processed by the Data Controller, including website visitors and customers.

1.3 A client is a data subject who purchases goods or services from the Data Controller via the website www.bondingpupers.com.

1.4 The Data Controller processes personal data in accordance with applicable EU and Estonian legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), ensuring lawful, fair, transparent, and secure processing.

2. Collection, Processing, and Storage of Personal Data

2.1 Personal data is collected primarily through electronic means, including the website, email communication, and payment processing systems.

2.2 By placing an order, contacting the Data Controller, or otherwise using the website, the data subject provides personal data knowingly and consents to its processing in accordance with this Privacy Policy, where consent is the applicable legal basis.

2.3 The data subject is responsible for ensuring that the personal data provided is accurate, complete, and up to date. The data subject must inform the Data Controller promptly of any changes.

2.4 The Data Controller is not responsible for damages resulting from incorrect or incomplete data provided by the data subject.

3. Categories of Personal Data Processed

3.1 The Data Controller may process the following personal data:

  • First and last name

  • Phone number

  • Email address

  • Delivery address

  • Payment-related identifiers (excluding full card or bank details)

  • Order and shopping cart contents

  • Communication history

3.2 The Data Controller may also process personal data obtained from public registers where permitted by law.

4. Legal Basis for Processing Personal Data

4.1 Personal data is processed based on the following legal grounds under Article 6(1) GDPR:

a) Consent – where the data subject has given clear consent
b) Contract performance – to fulfill orders and deliver goods
c) Legal obligation – accounting and statutory requirements
d) Legitimate interest – customer service, fraud prevention, and business development, provided such interests do not override the rights of the data subject

5. Purpose and Retention Periods

5.1 Personal data is processed for the following purposes and retained no longer than necessary:

  • Order processing and accounting – up to 7 years

  • E-shop functionality and technical support – up to 3 years

  • Customer relationship management – up to 3 years after the end of the customer relationship

5.2 After the retention period expires, personal data is securely deleted or anonymized.

6. Data Sharing and Third Parties

6.1 The Data Controller may share personal data with trusted third parties acting as authorized data processors, including:

  • Maksekeskus AS – payment processing

  • Stripe Payments Europe Ltd – card and alternative payment processing

  • Accounting service providers

  • Logistics and delivery partners

6.2 Personal data is shared only to the extent necessary to provide the service.

6.3 Payment processing takes place in secure environments operated by the payment service providers. The Data Controller does not have access to customers’ full bank or card details.

7. International Data Transfers

7.1 Where personal data is processed or stored outside the European Economic Area (EEA), the Data Controller ensures that appropriate safeguards are in place, such as EU Commission adequacy decisions or standard contractual clauses, in accordance with GDPR requirements.

8. Data Subject Rights

8.1 The data subject has the right to:

  • Access their personal data

  • Receive information about how their data is processed

  • Request correction of inaccurate or incomplete data

  • Request erasure of personal data (“right to be forgotten”), where applicable

  • Restrict or object to the processing of personal data

  • Request data portability

  • Withdraw consent at any time where processing is based on consent

8.2 To exercise these rights, the data subject may contact the Data Controller at reimo@sapo.ee.

8.3 The data subject has the right to lodge a complaint with the Estonian Data Protection Inspectorate or another competent supervisory authority within the EU.

9. Security Measures

9.1 The Data Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

10. Amendments to the Privacy Policy

10.1 The Data Controller reserves the right to amend this Privacy Policy at any time in accordance with applicable law.

10.2 The updated Privacy Policy will be published on the website www.bondingpupers.com, and the effective date will be updated accordingly.