Privacy policy
The data controller for the LP Hospitality online store is True Goods OÜ (registry code 14966284), located at Peetri 12, Tallinn 10415, Estonia. Phone: +372 53805290.
Types of personal data processed:
- name, phone number, and email address
- delivery address
- bank account number
- purchase history, including the cost of goods/services and payment details
- customer support information
- IP address
Purpose of personal data processing
Personal data is used to manage customer orders and deliver goods. Purchase history data (date of purchase, items, quantity, customer information) is used to compile an overview of purchases, analyze customer preferences, and resolve consumer disputes.
Bank account numbers are used to issue refunds. Personal data such as email address, phone number, and customer name is processed in order to handle issues related to the provision of goods and services (customer support). Email addresses are also used to send invoices, and phone numbers are used to notify customers of parcel arrival. The user’s IP address and other network identifiers are processed for the provision of the online store as an information society service and for generating web usage statistics.
Legal basis
Personal data is processed to fulfill a contract concluded with the customer (order management, delivery, returns, refunds). Processing is also based on legal obligations (e.g. accounting). Some processing is based on the legitimate interest of the data controller, such as collecting purchase history data to resolve potential consumer disputes. A legitimate interest assessment is available upon request.
Recipients of personal data
The customer’s name, phone number, and email address are shared with the transport service provider chosen by the customer. In the case of courier delivery, the customer’s address is also shared.
If accounting is outsourced, personal data is transferred to the accounting service provider for performing accounting functions. Data may also be shared with IT service providers if necessary to ensure the functionality or hosting of the online store.
Data security and access
Personal data is stored on servers hosted by Veebimajutus.ee, located within the territory of a European Union member state or a country that is part of the European Economic Area. Data may be transferred to countries whose data protection levels have been deemed adequate by the European Commission or to third-party entities with appropriate safeguards as outlined in Articles 46, 47, or 49(1) of the General Data Protection Regulation (GDPR).
Access to personal data is granted only to employees of the online store who need the information to resolve technical issues or provide customer support. The online store applies appropriate physical, organizational, and IT security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure. These measures include:
- Data exchange between the website and the user takes place over encrypted SSL/TLS connections, ensuring secure communication.
- User account passwords are stored in hashed form using WordPress’s default hashing algorithms, which helps prevent misuse in the event of a breach.
- Email communication (e.g. order confirmations, notifications) is transmitted using secure protocols (SMTP with STARTTLS or similar).
- Access to the admin panel is limited to authorized personnel and protected with strong passwords and multi-factor authentication (2FA, where applicable).
- Servers are protected by firewalls and up-to-date antivirus software.
- Regular backups of all data (files and databases) are made and stored securely on separate physical servers.
- WordPress, WooCommerce, and all plugins are regularly updated to prevent security vulnerabilities and malware attacks.
- Login attempts are monitored and rate-limited to reduce the risk of brute-force attacks.
- Access logs are regularly audited to detect anomalies or unauthorized activity.
Data transfers to authorized processors (e.g. logistics, hosting) are governed by contracts that ensure GDPR-compliant safeguards under Article 28.
Access and correction of personal data
Users can access and update their personal data via their user profile or by contacting customer support. If a purchase was made without a user account, access is granted via customer support. If the request is submitted electronically, the response will also be provided through commonly used electronic means.
Withdrawal of consent
If data is processed based on the customer’s consent, they may withdraw consent at any time through their user account settings or by notifying customer support via email.
Data retention
Upon closing a customer account, personal data is deleted, except for data (such as purchase history) that is required for accounting or legal dispute resolution. Data related to payments or disputes is retained until the claim is resolved or the limitation period expires. Accounting records are retained for seven years.
Restriction
The customer has the right to request restriction of processing if their data is inaccurate, incomplete, or if it is being processed unlawfully. The customer also has the right to object to data processing if they have reason to believe there is no legal basis for it.
Deletion
To request deletion of personal data, the customer must contact customer support via email. The request will be answered within one month, including details on which data will be deleted and the legal basis for any data that will be retained.
Data portability
Requests to transfer personal data submitted via email will be answered within one month. Customer support will verify the identity of the requester and provide the data eligible for transfer.
Direct marketing messages
Email addresses are used for sending direct marketing messages only if the customer has given explicit consent. If the customer no longer wishes to receive such messages, they can unsubscribe using the link at the bottom of the email or by contacting customer support. The online store does not use personal data for profiling or for making automated decisions.
Dispute resolution
Disputes regarding personal data processing are resolved via customer support at . The supervisory authority is the Estonian Data Protection Inspectorate ().