Privacy Policy
This Privacy Policy describes how Brandweb OÜ ("we", "us", "Klarq") collects and uses personal data when you shop at klarq.ee, create an account, or otherwise interact with us.
Data controller
Brandweb OÜ
Registry code: 14274296
VAT: EE101981905
Address: Sütemetsa tee 8-10, 76916 Tiskre, Harjumaa, Estonia
Contact: hello@klarq.ee
We do not sell your personal data. We do not share it with advertisers or use it for purposes beyond what is described in this policy.
When you place an order
To fulfil your order we collect your name, email address, delivery address, and phone number. We also receive confirmation that payment was made, but not your card number or bank credentials; those are processed exclusively by Maksekeskus AS. This processing is necessary to perform our contract with you.
When you create an account
We store your email address, a hashed password (we never see your actual password), and the details you add to your profile such as a saved delivery address. We also store your order history so you can track and manage past purchases. This is necessary to perform the service you have requested.
When you browse the shop
We use Plausible Analytics, a privacy-first tool that tracks page views and traffic patterns without cookies, without cross-site tracking, and without any data that can identify you individually. This is based on our legitimate interest in understanding how the shop is used so we can improve it.
When you subscribe to our newsletter
With your explicit consent, we add your email address to our Brevo mailing list to send you curated product news and offers. You can withdraw consent at any time using the unsubscribe link in any email, or by contacting us at hello@klarq.ee.
Under GDPR, we must have a lawful basis for each type of processing. We rely on the following:
- Contract performance: Processing your order, arranging delivery, handling returns, and managing your account.
- Legal obligation: Retaining order and transaction data for 7 years as required by the Estonian Accounting Act.
- Legitimate interest: Understanding aggregate site usage via Plausible Analytics to improve the shop. No personal data is involved.
- Consent: Sending newsletters and promotional offers only when you have opted in. Consent is freely given and can be withdrawn at any time.
We share data with carefully selected third-party service providers only to the extent needed to operate the shop. Each processor is contractually bound to handle your data in accordance with GDPR.
- Supabase: Stores your account information, order history, and session tokens. Data processing agreement in place. EU data stored on AWS eu-north-1 (Stockholm).
- Maksekeskus AS: Processes payment transactions as an authorised data processor. We transmit the personal data necessary for making payments (name, email, order amount). We do not receive or store card numbers or bank credentials. Subject to Maksekeskus's data protection terms at makecommerce.net/terms-and-conditions-of-data-protection.
- Brevo: Sends order confirmation emails and, only with your explicit consent, marketing emails. We share only your email address and first name for this purpose.
- ImageKit: Serves optimised product images. Does not receive personal data; processes only image requests.
- Plausible Analytics: Tracks anonymised page views and aggregate traffic patterns. No cookies, no cross-site tracking, no personal data. All data is aggregated and cannot be used to identify you.
- Hetzner: Hosts the klarq.ee web application and a relay server (relay.klarq.ee) used for supplier integrations. Server located in Helsinki, Finland. Processes web request logs; does not store customer personal data beyond standard server logs.
Maksekeskus AS processes payment data as our authorised processor and is subject to its own data protection terms at makecommerce.net/terms-and-conditions-of-data-protection. We recommend reviewing them before completing a purchase.
We keep your data only as long as necessary for the purpose for which it was collected, or as required by law.
| Data | Retention period | Reason |
|---|---|---|
| Order and transaction records | 7 years | Estonian Accounting Act (statutory obligation) |
| Account information | Until account deletion | Contract performance |
| Session tokens | 30 days from last activity | Security and authentication |
| Newsletter consent log | 5 years after withdrawal | Demonstrating consent compliance under GDPR |
| Anonymised analytics | Aggregated: no personal data retained | Legitimate interest: no identifiable data |
When you delete your account, your personal data is anonymised rather than hard-deleted. Order records are retained in anonymised form for 7 years to meet our legal obligations under the Estonian Accounting Act. This means your name, email, and contact details are removed, but the order totals and dates are kept for tax purposes.
As a data subject under GDPR, you have the following rights. We will respond to any request within 30 days, free of charge.
Right of access
Art. 15 GDPR
Request a copy of the personal data we hold about you, including information about how we use it, who we share it with, and how long we keep it.
Right to rectification
Art. 16 GDPR
Ask us to correct inaccurate or incomplete personal data. You can update most details directly in your account settings.
Right to erasure ('right to be forgotten')
Art. 17 GDPR
Request deletion of your personal data where there is no longer a legal basis to hold it. Note that data we are legally required to retain (e.g., accounting records) cannot be erased before the statutory period expires.
Right to data portability
Art. 20 GDPR
Receive a structured, machine-readable copy of the data you have provided to us, so you can transfer it to another service. Request this via your account at klarq.ee/account/privacy.
Right to restrict processing
Art. 18 GDPR
Ask us to pause processing of your data while a dispute is resolved, for example while you contest the accuracy of data we hold.
Right to object
Art. 21 GDPR
Object to processing based on legitimate interest. You can also object to direct marketing at any time, including by using the unsubscribe link in any marketing email.
Right to withdraw consent
Art. 7(3) GDPR
Where processing is based on your consent (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at hello@klarq.ee, or use the self-service tools at klarq.ee/account/privacy. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).
We use a small number of cookies and browser local storage entries to keep the shop working. We do not use advertising cookies or cross-site tracking by default.
A full breakdown of every cookie and local storage entry we use, along with how to manage your preferences, is set out in our Cookie Policy.
Functional cookies are strictly necessary for the shop to work and are always active. Analytics and marketing cookies require your explicit consent via the cookie banner.
We send marketing emails only to customers who have explicitly opted in. Every marketing email includes a one-click unsubscribe link. Clicking it removes you from our list immediately.
We use Brevo to send emails. Your email address and first name are shared with Brevo for this purpose only. We never share your email with third-party marketers or sell it to any party.
Most of your data is processed within the EU/EEA. Where data is transferred outside the EEA (for example, to Supabase or ImageKit infrastructure in the USA), we ensure appropriate safeguards are in place: either Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision.
Supabase stores EU customer data in Stockholm, Sweden (AWS eu-north-1). The frontend is hosted on Hetzner servers in Helsinki, Finland. No customer data is routinely processed outside the EU without appropriate transfer mechanisms in place.
We take the security of your data seriously. Measures we have in place include:
- All data in transit is encrypted with TLS;
- Database access is protected by Row Level Security (RLS); no customer can access another customer's data;
- Admin-level database access uses a service role key that is never exposed to the browser;
- Passwords are hashed by Supabase and are never stored in plain text;
- We do not store payment card details. Payment data is handled exclusively by Maksekeskus AS.
No system is completely secure. If you suspect a security issue or data breach, contact us immediately at hello@klarq.ee.
We may update this Privacy Policy from time to time to reflect changes in law, our operations, or the services we use. Material changes will be communicated to registered customers by email where possible. The "last updated" date at the top of this page always shows when it was most recently revised. Continued use of the shop after a change constitutes acceptance of the updated policy.
This Privacy Policy is based on and complies with the following legislation: