Privacy Policy

Privacy Policy

This Privacy Policy explains how AS Plokk, operating the online store Plokk Garden Outlet (hereinafter the Online Store), processes personal data.

We are committed to processing personal data lawfully, fairly, and transparently in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Data Controller

The controller of personal data is:

AS Plokk
Address: Pargi 7, Kadrina, Estonia
E-mail: outlet@plokk.ee
Phone: +372 56 359 556
Registry code: 10268152

If you have any questions about the processing of your personal data, you can contact us using the details above.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

• first and last name
• delivery and billing address
• phone number
• e-mail address
• order and purchase history
• payment-related information
• communication with customer support
• technical data related to website use, such as IP address, browser type, device information, cookies, and usage data

We collect personal data directly from you when you place an order, contact us, subscribe to marketing messages if offered, or use our website.

3. Purposes and Legal Bases for Processing

We process personal data only where there is a valid legal basis under the GDPR. The legal basis must be identified and communicated clearly to data subjects.

We process personal data for the following purposes:

3.1 Performance of a contract

We process personal data in order to:

• process and fulfil orders
• arrange payment and delivery
• send order confirmations and service-related notifications
• handle returns, complaints, and warranty or non-conformity claims
• communicate with customers regarding their orders

For these purposes, the legal basis is performance of a contract or taking steps prior to entering into a contract.

3.2 Compliance with legal obligations

We may process personal data in order to comply with our legal obligations, including:

• accounting and bookkeeping obligations
• consumer protection obligations
• responding to lawful requests from public authorities
• handling statutory complaint and refund obligations

For these purposes, the legal basis is compliance with a legal obligation.

3.3 Legitimate interests

We may process personal data on the basis of our legitimate interests for purposes such as:

• improving the Online Store and user experience
• preventing fraud and misuse
• defending legal claims
• managing and documenting customer communication
• maintaining website security and technical functionality

Where we rely on legitimate interests, we assess that our interests are not overridden by your fundamental rights and freedoms.

3.4 Consent

Where required, we process personal data on the basis of your consent, for example for certain marketing communications or non-essential cookies.

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. Recipients of Personal Data

We may share personal data with the following categories of recipients where necessary:

• payment service providers
• delivery and logistics service providers
• IT and website hosting service providers
• accounting or legal service providers
• customer support software providers
• public authorities where required by law

We only share personal data to the extent necessary for the relevant purpose.

Where third parties process personal data on our behalf, they act as our processors and are required to process personal data in accordance with applicable data protection requirements.

5. International Transfers

As a rule, we process personal data within the European Economic Area (EEA).

If personal data is transferred outside the EEA, we will ensure that an appropriate safeguard applies, such as an adequacy decision by the European Commission or the use of standard contractual clauses, as required by applicable law.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as long as required by law.

Indicative retention periods may include:

• order and accounting data: for the period required by applicable accounting and tax laws
• customer communication related to orders and complaints: for as long as necessary to resolve the matter and defend legal claims
• marketing consent records: until consent is withdrawn or no longer needed for evidencing compliance
• technical logs and website security data: for a limited period necessary for security and troubleshooting

When personal data is no longer needed, it will be deleted or anonymised.

7. Cookies and Similar Technologies

The Online Store may use cookies and similar technologies to ensure the functioning of the website, improve usability, analyse traffic, and, where applicable, support marketing activities.

Cookies may include:

• strictly necessary cookies required for the operation of the website
• analytics cookies
• preference cookies
• marketing cookies, if used

Where required by law, non-essential cookies will only be used on the basis of your consent. Consent under the GDPR must be informed, specific, and freely given.

You can manage cookie preferences through the cookie banner or your browser settings.

A separate Cookie Policy may also be provided if needed.

8. Data Subject Rights

Under the GDPR, data subjects have the right to be informed and to exercise several rights regarding their personal data. Supervisory guidance also notes that organisations should answer data subject requests within one month in most cases.

Subject to the conditions set out in applicable law, you have the right to:

• request access to your personal data
• request rectification of inaccurate personal data
• request erasure of personal data
• request restriction of processing
• object to processing where we rely on legitimate interest
• withdraw consent at any time where processing is based on consent
• receive your personal data in a structured, commonly used, machine-readable format where the right to data portability applies
• lodge a complaint with a supervisory authority

To exercise your rights, please contact us at outlet@plokk.ee.

We may need to verify your identity before responding to your request.

9. Direct Marketing

If we send newsletters or other direct marketing communications, we will do so in accordance with applicable law.

Where required, we will only send direct marketing on the basis of your consent.

You may opt out of marketing communications at any time by using the unsubscribe link in the message or by contacting us directly.

10. Security of Personal Data

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures may include access controls, secure connections, software updates, internal procedures, and limiting access to personal data to persons who need it for their work.

11. Children’s Data

The Online Store is not directed at children, and we do not knowingly collect personal data from children without an appropriate legal basis.

12. Complaints and Supervisory Authority

If you have concerns about how we process your personal data, we encourage you to contact us first at outlet@plokk.ee.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate. The Estonian authority explains that individuals may request correction, deletion, restriction, and object to processing, and complaints can be submitted to the authority.

Estonian Data Protection Inspectorate
Tatari 39, 10134 Tallinn, Estonia
E-mail: info@aki.ee
Phone: +372 627 4135

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, our processing activities, or the operation of the Online Store.

The latest version of the Privacy Policy will always be available on the website.