Privacy policy

Effective from: 02.04.2026

1. Data Controller

The controller of personal data is:

NORDEKS GRUPP OÜ
Registry code: 17447751
VAT number: EE102959826
Address: Harju County, Tallinn, Kristiine district, Sõjakooli tn 12, 11316, Estonia
E-mail: info@nordeks.eu
Phone: +372 57408097

2. What Personal Data We Process

We may process the following personal data:

- first and last name
- phone number
- e-mail address
- delivery and billing address
- order and payment related data
- customer communication data
- technical data related to the use of the website
- cookie and analytics related data
- newsletter subscription data

The GDPR requires that individuals be provided with clear and understandable information about who collects the data, why it is processed, and to whom it may be disclosed.

3. Purposes and Legal Basis for Processing Personal Data

We process personal data for the following purposes:

- fulfilling orders and concluding and performing contracts, including payment processing, delivery of goods, and customer communication;
- compliance with legal obligations, such as accounting and statutory reporting obligations;
- sending newsletters where the individual has given consent;
- improving the reliability, security, and usability of the online store;
- analytics and marketing, where consent has been given or where processing is permitted under applicable law.

Where processing is based on consent, such as subscribing to the newsletter or the use of certain marketing cookies, consent may be withdrawn at any time. Valid consent must be freely given, specific, informed, and unambiguous.

4. Recipients of Personal Data

We may transfer personal data only to the extent necessary for providing services, to the following persons or categories of recipients:

- payment service providers, including Maksekeskus
- delivery partners, such as Omniva or other delivery providers
- technical platform and hosting service providers of the online store, including Shopify
- analytics and advertising service providers, such as Google and Meta
- accounting, IT, and customer support service providers
- public authorities in justified cases where disclosure of data is required by law

Data necessary for making payments may be transferred to an authorized payment service provider. Maksekeskus states in its data protection terms that it processes personal data for the provision of payment solutions.

5. Cookies

The online store may use cookies and similar technologies in order to:

- ensure the technical functioning of the website;
- improve user experience;
- compile usage statistics;
- measure campaign performance;
- display more relevant advertising.

If we use analytics or advertising cookies, we will ask for the user’s consent where necessary through a cookie banner or a corresponding preference tool.

6. Retention of Personal Data

We retain personal data only for as long as necessary to fulfill the purpose of processing or to comply with obligations arising from applicable law.

Data related to orders, invoices, and accounting is retained for the period required by law. Estonian accounting rules generally provide that accounting source documents and other business documents necessary for reconstructing transactions must be retained for seven years from the end of the financial year.

We retain e-mail addresses provided for newsletter subscriptions until consent is withdrawn or the person unsubscribes from the newsletter.

7. Rights of the Data Subject

A person has the right to:

- receive information about the processing of their personal data;
- request access to their data;
- request correction of inaccurate data;
- request deletion of data or restriction of processing in cases provided by law;
- object to processing;
- withdraw their consent;
- receive their data in a structured format, where applicable;
- lodge a complaint with a supervisory authority.

For questions related to personal data, please contact us at info@nordeks.eu.

8. Filing a Complaint

If a person believes that their personal data has been processed unlawfully, they have the right to contact the Estonian Data Protection Inspectorate.

9. Transfer of Data Outside the EEA

Some of our service providers may process personal data outside the European Economic Area. In such cases, we apply appropriate safeguards, such as the European Commission’s standard contractual clauses or other mechanisms permitted by law.

10. Amendments to the Privacy Policy

We reserve the right to amend this Privacy Policy where necessary due to changes in legislation, business processes, or the services used. The current version will always be published on the website.