1.           General provisions

1.1.       This Privacy Policy regulates the principles of collection, processing and storage of personal data. Personal data are processed and stored by Nerostein OÜ, who is the controller of the personal data (hereinafter the Controller).

1.2.       For the purposes of this Privacy Policy, a data subject means the client or another natural person whose personal data are processed by the Controller.

1.3.       For the purposes of this Privacy Policy, a client means anyone who purchases goods or services on the Controller’s website.

1.4.       The Controller observes the principles relating to data processing provided by legislation and, among other things, processes personal data in a lawful, fair and secure manner. The Controller is able to declare that personal data have been processed in accordance with the provisions of legislation.



  1.           Collection, processing and storage of personal data

2.1.       The personal data collected, processed and stored by the Controller have been collected electronically, mainly via the website and e-mail.

2.2.       By sharing their personal data, the data subject grants the Controller the right to collect, arrange, use and administer, for the purpose defined in the Privacy Policy, the personal data that the data subject shares with the Controller either directly or indirectly when purchasing goods or services on the website.

2.3.       The data subject is liable for the accuracy, correctness and integrity of the data submitted by them. Submission of knowingly false data is regarded as a breach of the Privacy Policy. The data subject is required to immediately notify the Controller of any changes in the data submitted.

2.4.       The Controller is not liable for any damage or loss caused to the data subject or a third party as a result of the submission of false data by the data subject.



  1.           Processing of client data, purposes of processing and legal grounds for processing

3.1.       The Controller collects client data mainly from the client themselves (e.g. from petitions, applications, in the course of the client relationship) and in the course of the client’s use of the services (e.g. making of transfers, performance of contracts).

3.2.       The Controller also obtains client data from third parties:

3.2.1.    From persons related to the client (e.g. the person who submits a loss notice or another person related to the contract) upon submission of petitions and applications;

3.2.2.    From cooperation partners and persons related to the provision of services to clients (e.g. resellers). We can obtain such data, above all, if the client has granted their prior consent to the cooperation partner or if the Controller has legitimate interest in obtaining the data. We can obtain data, above all, in the course of providing a service, upon placing and confirming an order;

3.2.3.    From public and private registers (e.g. population register, register of taxable persons, Tax and Customs Board). The Controller uses the data mainly for checking and specifying client data;

3.3.       The Controller processes client data in order to perform its legal obligations arising from legislation (national laws, supervision guidelines, regulations and European Union legislation) as well as to perform the contract entered into with the client. For example in order to process the petition submitted by the client and prepare the entry into the contract, on the basis of the consent of the client as well as to protect the legitimate interests of the Controller.

3.4.       The legitimate interests of the Controller manifest themselves in the first place in promoting the Controller’s business activities upon providing clients with better services and products, in developing the Controller’s products, in ensuring data and information security, in debt management as well as in protecting themselves in the case of legal disputes.

3.5.       Client data are processed for performing the contract entered into with the participation of the data subject.

3.6.       The Controller has the right to share the personal data of clients with third parties such as processors, accountants (Directo OÜ), transport and courier companies (Ball Transport OÜ, Bestway Grupp OÜ, HRX AS), companies providing transfer services (TransferWise Ltd, AS LHV Pank).

3.7.       The Controller processes and stores personal data of the data subject, implementing the organisational and technical measures to ensure that the personal data are protected against any accidental or unlawful destruction, alteration, disclosure and any other unlawful processing.

3.8.       The client grants their consent for the processing of client data by placing an order (order application) that provides the client with an opportunity to grant their consent voluntarily.

3.9.       In their activities, the Controller processes the following types of client data:

3.9.1.    Personal data (name);

3.9.2.    Contact details (e-mail, telephone, installation address);

3.9.3.    Data on the residence for tax purposes (residence for tax purposes);

3.10.     Purposes for which the Controller processes client data:

3.10.1.  Client relationship management and verification of the data provided by the client and, where necessary, rectification or modification of the data. The processing takes place for performing the contract or for taking measures prior to entry into the contract as well as on the basis of a legitimate interest for managing the client base, improving the services provided to the client, incl. for eliminating errors;

3.10.2.  Exercise of the rights of the Controller in connection with legal requirements as well as the certification and protection thereof in or outside court. The processing takes place on the basis of the legitimate interest of the Controller for the purpose of protecting themselves in legal disputes;

3.10.3.  Conduct of consumer surveys, examination of consumer habits. The processing takes place on the basis of the legitimate interest of the Controller in order to obtain client feedback and opinion about their satisfaction with the services and products provided by the Controller and therethrough develop the existing and new products and services.

3.10.4.  To perform the burden of proof in the case of possible disputes, the Controller may also collect information on the receipt of letters of mandatory content that are sent out (e.g. the recipient of the letter, the date of sending, information about arrival). The processing takes place on the basis of the legitimate interest of the Controller for the purpose of protecting themselves in legal disputes.



  1.           Storage of personal data

4.1.       The Controller processes client data proceeding, among other things, from data minimisation and storage limitation principles.

4.2.       The Controller stores client data until the purposes of the processing have been achieved or the obligations arising from legislation have been performed.

4.3.       The Controller stores the client data constituting personal data as a maximum for ten years of the termination of the client relationship. The reason and legal ground for storage of client data constituting personal data after the termination of the client relationship arise either from the statutory obligation to store data or from the Controller’s legitimate interest in ensuring necessary information and possible supporting documents for resolving disputes or managing other risks arising from contracts entered into with clients.

4.4.       The Controller stores the client data constituting personal data taking also into consideration the rights of other clients on the principle that the data to be erased may not adversely affect the interests and rights of other clients.



  1.           Rights of data subject

5.1.       The data subject has the right to gain access to and examine their personal data.

5.2.       The data subject has the right to obtain information on the processing of their personal data.

5.3.       The data subject has the right to modify or rectify inaccurate data.

5.4.       If the Controller processes the personal data of the data subject based on the consent granted by the latter, the data subject has the right to withdraw their consent at any time.

5.5.       To exercise their rights, the data subject can address the client support at



  1.           Cookies

6.1.       A cookie is a small text file that a website transfers to the hard drive of your computer in the form of a browser cookie file in order for the website to remember information about you. Cookies themselves cannot be used for establishing your identity.

6.2.       Our website uses the Google Analytics software that saves only anonymous and impersonalised information about the use of the website.

6.3.       A cookie file usually contains the name of the domain from which the cookie file came, the ‘lifespan’ of the cookie and its value, usually a randomly generated number.

6.4.       More detailed information about the cookies used is set out below:

Names of cookies            Purpose              When do these cookies expire?

_ga        To distinguish between the different website visitors.Two years.

_gid       To distinguish between the different website visitors.One day.


_gat_organizer                One minute.


Cookies can be permitted or denied in the pop-up window that opens upon the first use of the website. Later, preferences can be changed in the window that opens through the ‘cookie’ icon located in the bottom left-hand corner of the homepage of the website.


You can disallow cookies used through the following link


You can also block the use of cookies at any time by activating the settings of your web browser that allow you to refuse to configure some or all of the cookies.



  1.           Final provisions

7.1.       These data protection terms and conditions have been prepared in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia and legislation of the Republic of Estonia and the European Union.