PRIVACY – VendRock

PRIVACY POLICY – VENDROCK OÜ

Effective Date: 17 February 2025

Last Updated: 17 February 2025

VendRock OÜ (“VendRock,” “Company,” “we,” “us,” or “our”) is committed to ensuring the highest standards of privacy protection and data security in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Estonian Personal Data Protection Act, and other applicable data protection laws.

This Privacy Policy provides detailed information about how we collect, process, store, share, and protect personal data obtained through our website and services. By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy.

1. DATA CONTROLLER INFORMATION

Company Name: VendRock OÜ

Business Registration Number: 17178618

Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia

E-Mail Contact: info@vendrock.com

Phone Contact: +49 (0) 1522 5398725

VendRock OÜ is the data controller responsible for processing personal data as outlined in this policy.

2. CATEGORIES OF PERSONAL DATA PROCESSED

We collect and process the following categories of personal data:

A. Data Provided by Users

• Identity Data: Name, surname, date of birth, and contact details (e.g., email address, phone number).

• Account Data: Username, password, and other credentials required to access our services.

• Payment Data: Bank account details, billing information, and transaction history when making purchases or receiving payments.

• Communication Data: Messages, inquiries, or feedback submitted via email, contact forms, or other communication channels.

B. Data Collected Automatically

• Technical Data: IP address, browser type and version, operating system, and other technical identifiers.

• Usage Data: Time and date of access, pages visited, interaction patterns, and other analytics data.

• Cookies and Tracking Technologies: See Section 9 (Cookies & Tracking Technologies) for details.

C. Data Received from Third Parties

• Publicly available data from regulatory authorities, social media platforms, and financial institutions.

• Fraud prevention and verification data from payment providers or identity verification services.

We do not collect or process special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, biometric data, or health information) unless explicitly required by law.

3. LEGAL BASES FOR DATA PROCESSING

We process personal data based on the following legal bases under Article 6(1) of the GDPR:

• Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to fulfill contractual obligations with users, customers, and business partners.

• Legal Obligations (Art. 6(1)(c) GDPR): Processing is required for compliance with regulatory obligations, including tax, anti-money laundering (AML), and financial reporting requirements.

• Legitimate Interests (Art. 6(1)(f) GDPR): Processing is based on our legitimate business interests, including website optimization, fraud prevention, and customer support.

• Consent (Art. 6(1)(a) GDPR): Processing based on explicit user consent, such as for marketing communications and cookie tracking.

Users have the right to withdraw consent at any time (see Section 8 (User Rights Under GDPR)).

4. PURPOSES OF DATA PROCESSING

We process personal data for the following specific purposes:

Purpose	Legal Basis
Account creation, user authentication, and service access	Performance of a contract (Art. 6(1)(b))
Processing payments and financial transactions	Performance of a contract (Art. 6(1)(b))
Responding to customer inquiries and providing support	Legitimate interests (Art. 6(1)(f))
Compliance with tax, regulatory, and legal obligations	Legal obligation (Art. 6(1)(c))
Marketing, newsletters, and promotional campaigns	Consent (Art. 6(1)(a))
Website analytics and performance monitoring	Legitimate interests (Art. 6(1)(f))

5. DATA RETENTION POLICY

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Data Category	Retention Period
Account & transaction data	6 years (statutory retention period)
Communications & customer support inquiries	2 years from last contact
Website analytics & logs	12 months
Marketing consent records	Until consent is withdrawn

Once the retention period expires, personal data is permanently deleted or anonymized.

6. DATA SHARING & DISCLOSURE

We do not sell, rent, or trade personal data. However, we may share personal data with the following third parties under strict confidentiality and security measures:

A. Service Providers & Processors

We engage third-party service providers (e.g., payment processors, hosting providers, analytics platforms) who process data on our behalf. These providers are contractually bound by Data Processing Agreements (DPAs) in compliance with GDPR (Art. 28).

B. Legal & Regulatory Authorities

We may disclose personal data to public authorities, regulators, or courts if required by law, court order, or regulatory request.

C. Business Transfers

In case of a merger, acquisition, or corporate restructuring, personal data may be transferred to the successor entity.

7. INTERNATIONAL DATA TRANSFERS

VendRock OÜ primarily stores and processes data within the European Economic Area (EEA). If personal data is transferred outside the EEA, we ensure adequate protection via:

• EU Standard Contractual Clauses (SCCs)

• Adequacy decisions by the European Commission

• Binding Corporate Rules (BCRs) for intra-group transfers

8. USER RIGHTS UNDER GDPR

Users have the following rights under GDPR:

• Right to Access (Art. 15 GDPR): Obtain a copy of your personal data.

• Right to Rectification (Art. 16 GDPR): Request correction of inaccurate data.

• Right to Erasure (Art. 17 GDPR): Request deletion of personal data (“Right to be Forgotten”).

• Right to Restriction (Art. 18 GDPR): Request limitation of data processing.

• Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.

• Right to Object (Art. 21 GDPR): Object to data processing based on legitimate interests.

• Right to Withdraw Consent: Revoke consent at any time.

To exercise your rights, please contact: info@vendrock.com

Users also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (AKI).

9. COOKIES & TRACKING TECHNOLOGIES

Our website uses cookies and tracking technologies for analytics, user authentication, and marketing. Users may manage cookie preferences via browser settings.

10. SECURITY MEASURES

VendRock OÜ implements advanced technical and organizational security measures (e.g., encryption, firewalls, multi-factor authentication) to protect personal data from unauthorized access, alteration, disclosure, or destruction.

For any privacy-related inquiries, please contact:

E-Mail: info@vendrock.com

📍 Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia

VendRock OÜ – Last Updated: 17 February 2025