Privacy policy

Effective date: September 23, 2025

We respect your privacy and handle personal data fairly, lawfully, and transparently. This Policy explains what data we collect, the legal basis for processing, who we share it with, how long we keep it, how we use cookies, and what rights you have.

1) Who we are (data controller) and contacts

Controller: Värvikas Grupp OÜ
Trading name: Varvikas
Registration code: 14760743
VAT: EE102176285
Address: Liivalao tn 11, Nõmme linnaosa, 11216 Tallinn, Harju maakond, Estonia
E-mail: info@varvikas.com
Phone/WhatsApp: +372 610 4269

Data protection contact: info@varvikas.com (please use subject line “Personal data/Privacy”).

Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia; tel. +372 627 4135; e-mail: info@aki.ee.

If you interact with our local websites or storefronts in other EU countries, the lead supervisory authority remains the Estonian authority.

2) Scope of this Policy

This Policy applies to our Shopify-based websites (the “Site”) and to our official support and marketing channels (such as e-mail newsletters, messengers, and live chat if enabled). If you purchase our products through third-party marketplaces (e.g. Amazon or Allegro), data collection and processing on those platforms is also subject to their own privacy policies.

3) Data we collect

The type and scope of data depends on how you use our Site and services:

3.1 Customer and account data

Name, surname, e-mail, phone number, billing and delivery addresses, country/city, order history, returns, warranty requests, language settings, and preferences.

3.2 Payment data

We do not store full payment card details. Payments are processed by your chosen payment provider. We receive the transaction status/identifier and details needed for accounting and refunds.

3.3 Communications

Messages you send us (via e-mail, messengers, contact forms, or site chat), along with related metadata (date, channel, status). Calls may be recorded only if you are notified in advance.

3.4 Site usage and cookies

Technical details of your device and browser, IP address (processed within analytics providers’ settings), page visits, on-site actions, cookies, and similar technologies (see Section 8).

3.5 B2B contacts (dealers/partners)

Staff contact details, correspondence, contractual and billing information.

3.6 Sources

We obtain data: (1) directly from you; (2) automatically when you use the Site; (3) from service providers (delivery, payments, IT, analytics); (4) from public sources and social media (within your privacy settings).

3.7 Children

The Site is not intended for independent use by children under 13. If services of the “information society” are offered, parental/guardian consent is required for children under 13 (see Section 12).

4) Purposes and legal bases

We only process personal data where permitted by law. Main purposes and legal bases (GDPR Art. 6):

A. Contract performance (Art. 6(1)(b)) — account registration and management; order processing and delivery; returns and warranty support; order status notifications.

B. Legal obligations (Art. 6(1)(c)) — bookkeeping and tax records; responses to lawful authority requests; compliance with trade regulations and document retention rules.

C. Legitimate interests (Art. 6(1)(f)) — site functionality and IT security; fraud prevention; personalization of the storefront (within cookie consent); e-mail to existing customers about similar products (soft opt-in) with the right to object; protecting legal rights in disputes.

D. Consent (Art. 6(1)(a)) — newsletter subscriptions, non-essential cookies/pixels (analytics and marketing), publishing reviews with your image/name, participation in promotions. You may withdraw consent at any time without affecting lawful processing already carried out.

E. Vital interests (Art. 6(1)(d)) — in rare emergency situations only.

We do not make decisions based solely on automated processing that produce legal effects or significantly affect you. Personalized recommendations and advertising are based on segments/identifiers and can always be disabled (see Sections 8 and 11).

Mandatory data: Providing contact/address details and payment/order information is required to place and deliver an order. Without it, we cannot process your purchase. Providing data for marketing subscriptions and non-essential cookies is voluntary and refusal does not affect your ability to shop or use the Site.

5) Who we share data with (categories of recipients)

We engage data processors under contracts and instructions:

  • E-commerce platform: Shopify (hosting, store platform, tech support). For certain operations, Shopify may act as an independent controller (see Section 10).
  • Payment providers: depending on the chosen method (receive and process payment details).
  • Carriers: Omniva, DPD, DHL (for shipping and tracking numbers).
  • IT providers: hosting, CRM, e-mail newsletters, live chat, anti-fraud tools.
  • Analytics & marketing (with consent): Google Analytics 4, Google Ads, Meta (Facebook/Instagram).
  • Advisors: accountants, auditors, lawyers (where needed).
  • Marketplaces: if you order on a third-party platform, its privacy policy applies.

We do not share your data with third parties for their own marketing purposes without your consent.

6) International transfers

We operate globally and apply legally required safeguards:

  • Canada (Shopify Inc.) — transfers permitted under the EU adequacy decision for commercial organizations.
  • USA (e.g. Google, Meta, some Shopify services): transfers rely on valid mechanisms (EU–US Data Privacy Framework and/or EU Standard Contractual Clauses), plus your cookie/consent choices for non-essential tools.

Copies of contractual safeguards and applied measures are available on request.

7) Retention periods

We keep data only as long as necessary or as required by law:

  • Orders and accounting records — 7 years after the financial year end in which the transaction was recorded.
  • Account data — as long as you have an account, plus up to 24 months after deletion (for backups/logs per IT security rules).
  • Support correspondence — up to 24 months after case closure (longer if needed to defend legal rights).
  • Marketing subscriptions — until you unsubscribe/opt out or withdraw consent.
  • Analytics/ads data — according to provider retention periods, and only if you consent.
  • Cookies — per the specific file’s lifespan (see Section 8 and Cookie Settings in the site footer).

After retention periods, data is deleted or securely anonymized.

8) Cookies and similar technologies

We use cookies, web pixels, and local storage for site operation, analytics, and marketing.

Categories:

  • Strictly necessary — cart, checkout, authentication, security, load balancing. Always active, no consent required.
  • Functional — remember language/region and convenience settings. Enabled by your choice.
  • Analytics — aggregated site usage stats (enabled with consent).
  • Marketing — personalization and campaign measurement (enabled with consent).

Consent management: On your first visit, a cookie banner/panel lets you accept or reject categories (except strictly necessary). You can adjust preferences later via the footer link. We do not load analytics or marketing tags without your consent. If declined, we apply technical modes (e.g. Consent Mode) to limit identifiers.

External providers and help resources:
Google (Analytics/Ads): How Google uses data; Google ad settings.
Meta (Facebook/Instagram): Privacy Policy; Business Tools Terms; Ad preferences.

Examples:
Shopify (strictly necessary): cart, checkout, secure_customer_sig, _shopify_y, _shopify_s etc.
Analytics (consent): GA4/_ga, _ga_*, _gid.
Ads (consent): _gcl_au (Google Ads), _fbp (Meta).
The current list and retention times are available in the Cookie Settings panel.

9) Security

We use organizational and technical measures: HTTPS/TLS, access controls, contractor permissions, backups, staff training, and incident response procedures. Absolute internet security cannot be guaranteed; if a breach occurs, we follow notification procedures required by law.

10) Relationship with Shopify

Our Site runs on the Shopify platform. To provide and improve its services, Shopify receives certain data about store activity and, in some cases, acts as an independent controller (e.g. for fraud prevention, platform analytics, service improvements). For requests about data Shopify processes as a controller, please use the Shopify Privacy Portal or review Shopify’s consumer Privacy Policy. For data we control, contact us directly (see Section 1).

11) Marketing communications

E-mail/SMS to existing customers: we may send offers for products similar to previous purchases (soft opt-in). You can opt out anytime via the unsubscribe link in the message.

Consent-based subscriptions: if you are not an existing customer or wish to receive personalized offers, we will ask for your consent separately. You may withdraw consent at any time.

Advertising audiences (Customer Match/Custom Audiences): when using customer lists for ads (Google/Meta), we upload only necessary contact identifiers in hashed form, based on your consent or our legitimate interests (where permitted). You can opt out by contacting us (Section 1) and/or adjusting Google/Meta ad settings (see Section 8).

12) Children and age of consent

We do not target the Site for independent use by children. For online services, consent for children under 13 must be given or confirmed by a parent/guardian. Parents/guardians may request deletion of their child’s data (see Section 14).

13) Your rights

You have the right to access, rectification, erasure, restriction, portability, and objection (including to direct marketing), the right to withdraw consent, and the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects.

We respond without undue delay and within 1 month; this may be extended by up to 2 more months depending on complexity/volume. For clearly unfounded/excessive requests, we may charge a reasonable fee or refuse, with reasons. To protect your data, we may require identity verification.

How to exercise rights: E-mail us at info@varvikas.com (ideally from the address linked to your order/account) or write to us by post (see Section 1). You also have the right to complain to the Estonian Data Protection Inspectorate or your local EU authority.

14) Third-party sites and links

The Site may contain links to external resources. We are not responsible for their data practices; please review their policies before use. Inclusion of a link does not imply endorsement unless stated otherwise.

15) Changes to this Policy

We may update this Policy from time to time. The latest version is always available on the Site; material changes will be highlighted separately (via banner or e-mail notice where required).

16) Delivery and company details (for transparency)

Carriers: Omniva, DPD, DHL; terms and timelines depend on destination and are shown at checkout.
Free shipping threshold: the current amount is displayed in your cart/checkout.

Appendix A. Key recipients and technologies

  • Shopify (platform) — hosting, checkout, fraud prevention, store operation.
  • Payment providers — depending on payment method (e.g. cards, local methods).
  • Delivery — Omniva, DPD, DHL.
  • Analytics/ads (consent-based) — Google Analytics 4, Google Ads, Meta Pixel.
    Current cookie list and lifespans are shown in the Cookie Settings panel.

Provider policies:
Google: Privacy Policy; Partner sites data use.
Meta: Privacy Policy; Business Tools Terms.

For details on specific providers or safeguards for transfers outside the EEA, please contact us (see Section 1).

Free Shipping Over €59 Orders over €59
14-Day Money Back Full Refund Guaranteed
Secure Checkout SSL Encrypted & Safe