VendRock OÜ

Effective Date: 17 February 2025

Last Updated: 17 February 2025

VendRock OÜ (“VendRock”, “we”, “us”, “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, transfer, store, and safeguard personal data across all of our digital services and operations, in compliance with global privacy and data protection laws, including but not limited to:

• The General Data Protection Regulation (EU) 2016/679 (“GDPR”)

• The Estonian Personal Data Protection Act

• The UK Data Protection Act 2018 and UK GDPR

• The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

• The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

• The Brazilian General Data Protection Law (LGPD)

• The South African Protection of Personal Information Act (POPIA)

• The Singapore Personal Data Protection Act (PDPA)

• The Australian Privacy Act 1988

• Any other applicable privacy and data protection laws worldwide

By using our services, websites, or applications, you acknowledge and agree to the terms outlined in this Privacy Policy.

1. DEFINITIONS

Personal Data / Personal Information: Any information relating to an identified or identifiable natural person (such as name, email address, IP address, etc.).

Processing: Any operation performed on personal data (collection, use, storage, transfer, deletion, etc.).

Controller: VendRock OÜ, which determines the purposes and means of processing personal data.

Processor: Any third party processing personal data on behalf of VendRock OÜ.

Data Subject: Any individual whose personal data is collected and processed.

2. DATA CONTROLLER

VendRock Private Limited (VendRock OÜ)

Registration Number: 17178618

Registered Office: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Republic of Estonia

Contact: privacy@vendrock.com

3. CATEGORIES OF DATA COLLECTED

We may collect and process the following categories of personal data:

Identity Data: Full name, username, customer ID, title, date of birth.

Contact Data: Address, email, phone number, billing/shipping details.

Financial Data: Payment details, billing information (processed via secure third-party payment providers).

Technical Data: IP address, login data, browser type, operating system, device identifiers, cookies.

Usage Data: Information about how users interact with our websites, services, and products.

Marketing Data: Preferences regarding receiving marketing and promotional communications.

Sensitive Data (only where legally permitted and with explicit consent): Biometric identifiers, government-issued IDs, or health-related information (if relevant).

4. PURPOSES OF DATA PROCESSING

We process personal data for the following purposes:

1. Contract Performance – To process orders, deliver products, provide services, and manage customer accounts.

2. Legal Compliance – To comply with applicable laws, tax regulations, anti-money laundering (AML) obligations, and financial recordkeeping requirements.

3. Legitimate Interests – To improve services, maintain security, prevent fraud, enforce our terms of service, and conduct analytics.

4. Consent-Based Processing – For marketing, newsletters, and promotions (only with explicit user consent).

5. Employment and Recruitment – Processing applicant and employee data in compliance with labor laws.

5. LEGAL BASIS FOR PROCESSING

Depending on jurisdiction, we rely on one or more of the following legal bases:

GDPR / EU / UK GDPR: Consent, contract necessity, legal obligation, legitimate interest.

CCPA/CPRA (California): Notice at collection, right to opt out of “sale” or “sharing” of personal information.

LGPD (Brazil): Consent, contract, legal obligation, legitimate interest, protection of credit.

PIPEDA (Canada): Knowledge and consent, limited collection, limited use and retention.

POPIA (South Africa): Lawful purpose, consent, contractual necessity.

PDPA (Singapore): Purpose limitation, notification, and consent.

Australian Privacy Act: Consent, contractual necessity, legal obligation.

6. DATA RETENTION

• Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law.

• Financial and transactional records may be retained for up to 7 years for compliance with tax and accounting obligations.

• Marketing data is deleted upon user withdrawal of consent.

7. DATA SHARING AND TRANSFERS

We may share data with:

Affiliates and subsidiaries (if applicable).

Service providers and processors (IT hosting, payment gateways, logistics providers, marketing platforms).

Regulatory authorities where legally required.

Business partners in joint ventures or in case of mergers, acquisitions, or restructuring.

International Transfers:

Data may be transferred outside the EU/EEA, UK, or other jurisdictions. We ensure adequate safeguards such as:

• EU Standard Contractual Clauses (SCCs).

• Binding Corporate Rules (BCRs).

• Adequacy decisions by the European Commission.

8. USER RIGHTS

Under GDPR / UK GDPR / Estonian Law:

• Right to access personal data.

• Right to rectification of inaccurate data.

• Right to erasure (“right to be forgotten”).

• Right to restriction of processing.

• Right to data portability.

• Right to object to processing.

• Right to withdraw consent at any time.

• Right to lodge a complaint with a supervisory authority (Estonian Data Protection Inspectorate or relevant national authority).

Under CCPA / CPRA (California):

• Right to know what personal information is collected, used, and shared.

• Right to request deletion of personal information.

• Right to opt out of sale or sharing of personal data.

• Right to non-discrimination for exercising privacy rights.

Under LGPD (Brazil):

• Right to confirm existence of processing.

• Right to access, correct, and delete personal data.

• Right to portability.

• Right to revoke consent.

Under PIPEDA (Canada):

• Right to access personal data.

• Right to challenge accuracy and have corrections made.

• Right to challenge compliance with PIPEDA principles.

Under POPIA (South Africa):

• Right to be notified of data collection.

• Right to access, correct, or delete personal data.

• Right to object to processing.

Under PDPA (Singapore):

• Right to access personal data.

• Right to correction.

• Right to withdraw consent.

Under Australian Privacy Act:

• Right to access and correction.

• Right to complain to the Office of the Australian Information Commissioner (OAIC).

9. SECURITY MEASURES

VendRock OÜ implements appropriate technical and organizational measures to protect personal data, including:

• Data encryption in transit and at rest.

• Secure Sockets Layer (SSL) technology.

• Role-based access control and authentication.

• Regular security audits and penetration testing.

• Incident response and breach notification procedures.

10. COOKIES & TRACKING TECHNOLOGIES

• We use cookies, pixels, and tracking tools for analytics, personalization, and advertising.

• Users can manage cookie preferences via browser settings or consent banners.

• For more details, see our Cookie Policy.

11. CHILDREN’S PRIVACY

Our services are not directed at children under the age of 16 (or lower age where permitted by local law). We do not knowingly collect data from children without parental consent.

12. DATA PROTECTION OFFICER (DPO)

We have appointed a Data Protection Officer responsible for overseeing compliance:

DPO Contact: info@vendrock.com

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Any changes will be posted with a revised “Last Updated” date.

14. CONTACT INFORMATION

If you have questions or wish to exercise your rights, contact us at:

VendRock OÜ

Ahtri tn 12, 15551, Tallinn, Estonia

Email: info@vendrock.com