Privacy policy

Last updated: September 17, 2025

The data controller of the Candela Stuudio webstore is Candela Stuudio OÜ (reg. code 17167537), located at Mustamäe tee 112-35, Tallinn, Estonia, tel. +37256923737, e-mail candelastuudio@gmail.com.

Personal Data Processed

  • Name, phone number, and email address
  • Delivery address and billing address
  • Payment data, bank account number
  • Cost of goods and services
  • IP address

Purpose of Personal Data Processing
Personal data is used to manage customer orders and deliver goods.

Purchase history data (purchase date, product, quantity, customer data) is used to provide an overview of purchased goods and services, analyze customer preferences, and for purposes such as resolving consumer disputes.

Bank account numbers are used to process refunds to the customer.

Personal data such as email, phone number, and customer name is processed to resolve issues related to the provision of goods and services (customer support). Emails are used for sending invoices and for marketing purposes if the customer has given consent, and phone numbers are used to notify customers when goods have arrived at parcel lockers.

Website user IP addresses or other network identifiers are processed to provide the website as an information society service and to generate web usage statistics.

Legal Basis
Personal data processing is based on:

  • Performance of a contract with the customer (order management, delivery, refunds)
  • Compliance with legal obligations (e.g., accounting)
  • Legitimate interest of the data controller, such as collecting purchase history to resolve potential consumer disputes

Recipients of Personal Data

  • Name, phone number, and email address are shared with the transport service provider selected by the customer. For courier deliveries, the customer’s address is also shared.
  • If website accounting is handled by a service provider, personal data is shared for accounting purposes.
  • Personal data may be shared with IT service providers if required for website functionality or data hosting.

Security and Access to Data
The online store uses Shopify as a platform. This means customer personal data is processed in Shopify’s system in accordance with Shopify’s privacy policy, which can be accessed here.

Access to personal data is granted to store employees to resolve technical issues related to website use and to provide customer support.

The data controller implements organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.

Sharing personal data with authorized processors (e.g., transport service providers, data hosting) is based on contracts with the store and processors. Processors are required to implement appropriate safeguards in line with GDPR Article 28.

Accessing and Correcting Personal Data
Personal data can be accessed and corrected via the user profile or through customer support. If the purchase was made without a user account, personal data can be accessed via customer support. Requests submitted electronically will be answered using generally available electronic means.

Withdrawal of Consent
If personal data processing is based on customer consent, the customer has the right to withdraw consent via their account settings or by notifying customer support via email.

Retention
Upon closure of a customer account, personal data is deleted, except for purchase history data, which must be retained for accounting purposes or to resolve consumer disputes.

Data related to payments and consumer disputes is retained until the claim is fulfilled or the statute of limitations expires.

Personal data in accounting documents is retained for seven years.

Restriction
Customers have the right to request restriction of their personal data processing if the data is inaccurate, incomplete, or unlawfully processed.

Objections
Customers have the right to object to the processing of their personal data if they have reason to believe that there is no legal basis for processing. 

Deletion
To delete personal data, contact customer support via email. Requests are answered within one month, and the response specifies the period for deletion. The response will also clarify which personal data cannot be deleted and the legal basis and reason for retaining it.

Data Portability
Requests for personal data transfer submitted by email will be answered within one month. Customer support will verify the customer's identity and provide the data that is subject to transfer.

Direct Marketing
Email addresses are used for direct marketing communications only if the customer has given consent. If the customer does not wish to receive marketing messages, they can use the unsubscribe link in the email footer or contact customer support.

Dispute Resolution
Disputes regarding personal data processing are resolved through customer support (candelastuudio@gmail.com). The supervisory authority is the Estonian Data Protection Inspectorate (info@aki.ee).