TERMS AND CONDITIONS OF PERSONAL DATA PROCESSING
Effective from August 20, 2025
These personal data processing terms (hereinafter “Terms”) set out the principles for the processing of personal data by HEATONBALTIC OÜ, registration code 17324178, website Sevra.ee (hereinafter “we”), as the data controller for the personal data of the data subject (“you”).
When we act as an authorized processor, we operate in accordance with the data processing agreements concluded between us and the data controllers, as well as with applicable legal acts. In addition to ensuring the processing of personal data as a data controller in accordance with relevant legal acts, we keep confidential (taking into account possible applicable exceptions) and secure all other data that is disclosed to us and to which a confidentiality obligation applies.
Before using the website and entering into an agreement with us, please read the Terms carefully. If you do not agree to the Terms, please stop using the website or do not enter into a contractual relationship with us.
We reserve the right to update the Terms from time to time, by notifying you on our website and/or via email.
1. CATEGORIES OF PERSONAL DATA
To achieve the purposes set out in the Terms, we process some or all of the following personal data. The exact composition of personal data processed varies for each case, but we always adhere to the principle of processing as little personal data as necessary to achieve the purpose:
- First and last name;
- Personal identification code;
- Address for goods delivery and equipment installation;
- Email address;
- Phone number;
- Purchase history;
- Remotely readable data related to the client’s use of devices, to ensure the functioning of devices and services (e.g., consumption costs, error codes, user-selected settings);
- Data on direct marketing consents and prohibitions;
- Other personal data that becomes known to us in the ordinary course of providing services or in communication with individuals.
We also collect non-personal information, including data on website visit duration, number of clicks, and user behavior, but we do so solely for the purpose of analysis and making the website more user-friendly. We only use secure services, such as Google Analytics. We also compile relevant statistical summaries for business purposes, but in doing so, your personal data is converted into anonymized data, which is stored in a secure data repository.
2. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
We process personal data when it is necessary to enable the use of the website (including the e-shop) or to fulfill our contractual obligations to you. We process your: (i) name, personal identification code, contact details, and address for the preparation and management of contracts and orders, for providing services and goods, and for the installation and delivery of goods; (ii) payment instrument data to enable payment for services and goods and refund payments; (iii) payment history and information related to debts for managing client relationships and billing. We also process your personal data for sending notifications regarding contractual relationships, including responding to your comments, questions, and requests.
If you call us or send us emails, we process your personal data (including retaining emails and, upon relevant notification, recording calls) to respond to your inquiries and improve the quality of customer service. In such cases, your personal data is processed based on our legitimate interest to ensure smooth customer support.
Based on our legitimate interests, we process data related to creditworthiness assessment, such as credit reports concerning you (e.g., taust.ee and accountscoring.com) and bank statements shared by you with us. We process data concerning creditworthiness solely for the purpose of verifying the reliability and solvency of potential clients.
Based on our legitimate interest, we also process purchase history data (purchase date, item, quantity, client data) to compile overviews of goods and services and analyze client preferences.
We may also process your personal data to fulfill obligations set out in legal acts, for example, to ensure the protection of personal data, to retain personal data for any period necessary to fulfill legal obligations (e.g., for accounting purposes), and to fulfill other obligations arising from applicable legal acts.
We may process your personal data in the event of any disputes between us to protect our legitimate interests.
With your consent, we process your personal data to send you newsletters, blog updates, advertisements, marketing, and other information via email. You can unsubscribe from such mailing lists at any time by clicking the corresponding button in the email footer.
We always ask for your prior explicit consent for personal data processing if we use it for purposes not specified in the Terms. You can withdraw such consent at any time.
3. SECURITY MEASURES
We process personal data only when there is a legal basis and only for legitimate purposes. We use security measures and store personal data in a way that ensures its security and confidentiality. Personal data is accessible only to individuals for whom it is necessary in connection with their work duties or to whom the disclosure of personal data is in accordance with the Terms or legal acts.
We implement appropriate physical, organizational, and information technology security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized access and disclosure.
Personal data is stored on servers located in a Member State of the European Union or in countries that have joined the European Economic Area. Data may be transferred to countries whose data protection level has been deemed adequate by the European Commission.
We are not responsible for any misuse of your personal data caused by malware on your device.
4. RECIPIENTS
We have the right to disclose and transfer personal data without your prior consent to authorized processors acting on our behalf and under appropriate data processing agreements, including device installers, suppliers and vendors, product and service developers, credit registries, accountants, IT solution/development and data hosting and analytics service providers, transport and installment payment service providers. We also transfer data to fulfill obligations arising from legal acts. To protect our rights, we have the right to disclose personal data to third parties, including debt collection agencies (e.g., payment default register and similar third parties for debt recovery), legal advisors, auditors, etc.
We may provide marketing service providers (digital marketing, direct marketing, campaigns, special offers) (e.g., Facebook) with access to personal data collected and stored within the framework of our marketing campaigns. In such cases, the marketing service providers become authorized personal data processors on our behalf.
A precise list of personal data processors authorized by us and the content of processing operations is provided below:
5. DELETION AND RETENTION
We retain personal data only for as long as it is necessary to achieve the purposes described in the Terms, to protect our rights, or to fulfill obligations arising from legal acts. We limit the processing of your personal data and process personal data only when necessary.
Personal data is retained for up to 5 years from the end of the client relationship, except for personal data related to the fulfillment of a contract concluded with the client (including debts), which is retained for up to 10 years from the end of the client relationship. Upon the expiry of the aforementioned periods, the respective personal data is deleted, unless the processing of personal data is necessary due to circumstances for the protection of our legitimate interests, e.g., in the event of contractual or other disputes between us (including due to ongoing disputes). We also have the right, after the aforementioned periods, to anonymize personal data, i.e., to process personal data in such a way that the data can no longer be considered personal data.
To fulfill accounting requirements, we retain original accounting documents for 7 years from the end of the financial year in which the original document was recorded in accounting.
Regardless of the termination of the client relationship, with the client’s prior consent, we may process the user’s personal data for direct marketing until the user has withdrawn their consent. If a person prohibits direct marketing (withdraws consent) and there is no other legal basis for processing, information about the prohibition will be retained to the necessary extent to ensure compliance with the direct marketing prohibition.
We have the right to process anonymized data (including personal data that has been irreversibly reprocessed in such a way that it cannot be linked to any identifiable natural person) both during and after the validity of our agreement, and to allow processing by cooperation partners for the purpose of developing our services and solutions and for statistical analysis.
6. YOUR RIGHTS
You can request information about the processing of your personal data from us at any time. According to applicable legal acts, you have or may have the right to:
- request the erasure of your personal data;
- request the rectification of your personal data;
- request the restriction of the processing of your personal data, but in such a case, you may not be able to fully use our website or services;
- object to the use of your personal data;
- receive your personal data in a structured, commonly used, and machine-readable format and transmit that data to another data controller.
If we process personal data based on consent, you can withdraw your consent at any time, in which case the processing of personal data will be terminated. This does not affect processing operations carried out previously.
We respond to inquiries as quickly as possible, taking into account deadlines arising from legal acts.
7. COOKIES
We use cookies on our website. Cookies are small text files that are stored on the visitor’s device by the web browser when visiting the website. Cookies remember you and your preferences so that we can provide you with relevant information, recommendations, and improve the user experience.
Among the cookies used are essential cookies, which are necessary to ensure the functioning of the website. In addition, we use cookies to analyze website traffic, but for the use of such cookies, we ask for your consent. You can disable the use of cookies in your web browser settings. The cookies we use do not allow for personal identification. Furthermore, we may share website usage data with our social media and advertising partners and analysts, who may combine the data with other data available to them.
8. INQUIRIES AND COMPLAINTS
For questions or complaints related to personal data processing, please contact us via email at kontakt[at]sevra.ee or the Estonian Data Protection Inspectorate (info@aki.ee; +372 627 4135).
