Draft — pending review by qualified Estonian legal counsel. Not for production use.
Privacy Policy
In case of any discrepancy, the Estonian version prevails.
1. Controller
The controller of your personal data is Ehted Inimestele OÜ (registry code 17048100), Rataskaevu tn 20, Kesklinna linnaosa, 10123 Tallinn, Harju maakond. For data-protection matters, contact: info@ehtekunst.ee. As a small operator we have no separate data protection officer; the operator handles data-protection matters.
2. Data we collect
- On registration: name, e-mail, password hash (not the password itself).
- In profiles: biography, links, materials, portrait photos (artists/organizations).
- From artists for sales: VAT status and number, IBAN, studio/shipping address.
- On purchase: buyer name, delivery address, phone number (collected for parcel-locker SMS pickup codes — shared with the work's maker and the carrier for fulfilment only), payment reference (never card data).
- From inquiries: name, e-mail, message.
- In logs: a hash of the IP address (not plaintext), browser info (user agent), timestamps.
- Cookies: session and CSRF cookies (see Cookie Policy).
3. Artist register (alumni data)
Ehtekunst.ee contains a cultural-historical register of Estonian jewellery art: graduates of the jewellery and blacksmithing department of the Estonian Academy of Arts (EKA) and of the national metalwork department of the University of Tartu Viljandi Culture Academy, from 1950 to 2025. The data comes from public graduation lists.
- Published data: a register entry publishes only the name, year of graduation, school and department. No other personal data is published without the person's involvement.
- Purpose and legal basis: documenting and making accessible the history of Estonian jewellery art (a cultural archive). The legal basis is legitimate interest (GDPR art. 6(1)(f)).
- Your rights in the register: every person in the register has the right to claim and manage their profile, request rectification, object, and request removal of the entry. Requests: info@ehtekunst.ee. We respond within 30 days at the latest; we generally honour a removal request without asking for further justification. For entries of deceased artists, relatives may also submit requests.
4. Purposes and legal basis
- Managing accounts, purchases and delivery — performance of a contract (GDPR art. 6(1)(b)).
- Accounting source documents — legal obligation (art. 6(1)(c)).
- Security and fraud prevention — legitimate interest (art. 6(1)(f)).
- Newsletter and non-essential cookies — consent (art. 6(1)(a)).
5. Retention periods
- Accounts: until deletion. Accounting source documents (invoices, payments): 7 years (Accounting Act §12).
- Inquiries: 2 years.
- Consent log (ConsentEvent): 5 years.
- Server logs: 90 days.
6. Recipients
We do not sell your data. Data is shared only to provide the service:
- Stripe — payment processing (card data goes directly to Stripe, not to us).
- The work's maker (consignor) and the carrier (Omniva / Itella Smartpost) — receive name, delivery address and phone number for fulfilment only.
- Transactional-email provider — to send transaction and notification e-mails.
- Fastmail — mailbox hosting.
- Hetzner — server hosting (data centre in Finland, EU).
- Zone.ee — domain registrar.
- Accountant and auditors — as required by law.
7. Transfers outside the EU
Our data resides in the European Union (Finland). Stripe may transfer data to the United States when processing payments, under the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
8. Automated decision-making
We do not carry out automated individual decision-making or profiling that produces legal effects concerning you.
9. Your rights
You have the right to: access your data; request rectification; request erasure; restrict processing; receive your data in a portable format; object; and withdraw consent. Exercise these at /dashboard/privacy (self-service export and deletion request) or by writing to info@ehtekunst.ee.
A deletion request is fulfilled within 30 days (GDPR art. 17). Deletion anonymises personal data but preserves Artist/archive records whose retention is required for accounting or archival integrity (e.g. issued invoices for 7 years).
You have the right to lodge a complaint with the Data Protection Inspectorate (aki.ee, Tatari 39, 10134 Tallinn).
10. Children
The service is not directed at anyone under 16 and we do not knowingly collect data from anyone under 16.
11. Cookies
See Cookie Policy.
12. Contact
For data-protection matters write to info@ehtekunst.ee.
Legal basis: General Data Protection Regulation (GDPR); Personal Data Protection Act; Accounting Act §12.
Version 1 · Effective from 3 July 2026