Privacy Policy
Last updated: 21 April 2026
1. Data Controller
RZ.Torski OÜ (trading as VINParts)
Kirsi tn 8-18, 10616 Tallinn, Republic of Estonia
Registry code: 16910388
Email: info@vinparts.ee
Phone: +372 787 8822
Website: www.vinparts.ee

This Privacy Policy explains what personal data RZ.Torski OÜ collects, for what purposes and on what legal bases it is processed, to whom it is disclosed, and what rights you have as a data subject. This Policy complies with Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (IKS).
2. Categories of Personal Data Collected
• Identification data: first and last name, email address, phone number (legal basis: GDPR Art. 6(1)(b) — contract performance).
• Delivery data: delivery address, city, postcode, country (legal basis: GDPR Art. 6(1)(b)).
• Financial data: payment transaction reference and status — card details are not stored by us, processed by Maksekeskus AS (legal basis: GDPR Art. 6(1)(b) and 6(1)(c)).
• Technical data: IP address, browser type and version, device data, page visit log (legal basis: GDPR Art. 6(1)(f) — legitimate interest — security and fraud prevention).
• Behavioural data: cart contents, viewed products, search queries, clicks (legal basis: GDPR Art. 6(1)(b) and 6(1)(a) — consent for analytics cookies).
• Vehicle data: VIN code, make, model, year, registration plate (Estonian plates) — used solely to find compatible parts for your vehicle (legal basis: GDPR Art. 6(1)(b)).
• AI chat data: content of conversations with Otto the AI consultant, including parts queries — processed to provide the service, retained for 90 days (legal basis: GDPR Art. 6(1)(b)).
3. Purposes of Processing and Legal Bases
• Order fulfilment (GDPR Art. 6(1)(b)): receiving and confirming orders, arranging delivery, issuing invoices.
• Customer support (GDPR Art. 6(1)(b)): responding to queries, handling complaints and returns.
• Referral programme (GDPR Art. 6(1)(b)): tracking referral links, calculating and paying bonuses.
• Accounting (GDPR Art. 6(1)(c)): sales invoices and accounting records for 7 years as required by the Accounting Act.
• Analytics (GDPR Art. 6(1)(a) — consent): website usage analysis via Google Analytics GA4 in anonymised form.
• Marketing (GDPR Art. 6(1)(a) — consent): newsletters and promotional emails — only with separately given consent.
• Security (GDPR Art. 6(1)(f) — legitimate interest): fraud detection, system protection.
• VINParts Club / loyalty programme (GDPR Art. 6(1)(b)): managing VP Points, tracking loyalty status, calculating and crediting bonuses.
4. Legal Bases Summary (GDPR Art. 6)
• Art. 6(1)(a) — consent: marketing emails, analytics cookies, marketing targeting. Consent can be withdrawn at any time.
• Art. 6(1)(b) — contract performance: all operations related to the purchase process — order, delivery, returns, customer support.
• Art. 6(1)(c) — legal obligation: retaining accounting records for 7 years (Accounting Act § 12), tax obligations.
• Art. 6(1)(f) — legitimate interest: fraud protection, system security, anonymised usage statistics.
5. Retention Periods
• Accounting documents (invoices, payments): 7 years from the date of the document — Accounting Act § 12.
• Customer profile data: 3 years after the last order or account closure, whichever is earlier.
• Order history: 3 years — to support warranty and complaint rights.
• AI chat logs (Otto): 90 days — to improve service quality.
• Referral programme data (unconfirmed partners): 90 days.
• Cookies: see the cookie table in section 11.
• GDPR requests (access, erasure requests): 3 years — to demonstrate compliance.

After the retention period, data is deleted or anonymised.
6. Disclosure to Third Parties
Data is shared only as necessary and for contractual obligations.

Estonian companies (EU data protection applies directly):
• Maksekeskus AS (reg. 10066997, maksekeskus.ee) — payment processing
• AS Eesti Post / Omniva (reg. 10607629) — parcel delivery
• DPD Estonia AS — parcel delivery
• SmartPOST Estonia AS — parcel delivery
• Inter Cars Eesti OÜ — parts supply
• TecAlliance GmbH (Weissach, Germany, EU) — spare parts catalogue data (TecDoc)
• Vivanet B.V. / BudgetSMS (Netherlands, EU) — SMS verification codes

US companies (data transfer based on SCC pursuant to GDPR Art. 46(2)(c)):
• Anthropic PBC (San Francisco, CA) — AI consultant Otto (Claude API)
• OpenAI OpCo LLC (San Francisco, CA) — Otto voice (TTS) and photo analysis
• Resend Inc (USA) — transactional emails (order confirmations etc.)
• Google LLC (Mountain View, CA) — Google Analytics GA4, Google OAuth, Gemini Vision and Gemini STT (photo and voice recognition)

Data is never sold to third parties for commercial purposes.
7. International Data Transfers (GDPR Art. 44–46)
Some of our partners are located outside the European Economic Area (EEA), primarily in the United States. Such transfers are permitted only where adequate protection is ensured.

Mechanism used: Standard Contractual Clauses (SCC) approved by the European Commission pursuant to GDPR Art. 46(2)(c) and Commission Implementing Decision (EU) 2021/914.
• Anthropic PBC (USA) — your conversations with Otto AI are sent to Anthropic's servers in the USA. Anthropic has signed SCCs.
• OpenAI OpCo LLC (USA) — voice (TTS) and photo analysis.
• Resend Inc (USA) — transactional emails.
• Google LLC (USA) — Google Analytics (anonymised) and OAuth. Google has signed SCCs.

You have the right to obtain a copy of the SCC documents by emailing info@vinparts.ee.
8. Data Subject Rights (GDPR Art. 15–22)
• Right of access (Art. 15): the right to know what data is processed about you, for what purposes and to whom it is disclosed.
• Right to rectification (Art. 16): the right to request correction of inaccurate data.
• Right to erasure / Right to be forgotten (Art. 17): the right to request deletion of data when there is no longer a legal basis for processing.
• Right to restriction of processing (Art. 18): the right to request suspension of data use in certain cases.
• Right to data portability (Art. 20): the right to receive your data in a machine-readable format and transfer it to another service provider.
• Right to object (Art. 21): the right to object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): consent-based processing can be cancelled at any time — this does not affect the lawfulness of processing before withdrawal.
• Right not to be subject to automated decision-making (Art. 22): we do not make decisions based solely on automated processing that would significantly affect you.
9. Exercising Your Rights
To exercise your rights, send an email to info@vinparts.ee stating:
• Type of request (access / rectification / erasure / etc.)
• Your name and email address
• Brief description of the request

We will respond within 30 days of receiving the request (GDPR Art. 12(3)). In complex cases we may extend this by 2 months, notifying you accordingly. We may ask for additional proof to verify your identity. We will not disclose data without verification.

In your profile settings you can download your data (GDPR portability) and delete your account.
10. Complaint to the Data Protection Inspectorate (AKI)
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority:

Estonian Data Protection Inspectorate (AKI)
Tatari 39, 10134 Tallinn
Email: info@aki.ee
Phone: +372 627 4135
Website: www.aki.ee

You may also submit a complaint via the AKI website. We recommend contacting us first to try to resolve the matter directly.
11. Cookie Policy
Cookie table:

Essential cookies (always active, GDPR Art. 6(1)(b)):
• session — user session management — until browser close
• cart — cart contents — 7 days
• locale — language preference — 1 year
• auth_token — authentication token — 30 days

Analytical cookies (consent only, GDPR Art. 6(1)(a)):
• _ga — Google Analytics GA4 user identifier — 2 years
• _ga_* — Google Analytics GA4 session counter — 2 years

Marketing cookies (consent only, GDPR Art. 6(1)(a)):
• _fbp — Facebook Pixel — 90 days

You can change cookie settings at any time in the cookie banner. Refusing essential cookies affects website functionality.
12. Changes to This Policy
We reserve the right to update this Privacy Policy. For significant changes, registered users will be notified by email at least 14 days in advance. The current version is always available at www.vinparts.ee/privacy. The date of changes is shown at the top of the page.