PRIVACY POLICY

Effective from: 01.02.2026

Avatud OÜ (registry code 12443197, address Harju county, Tallinn, Kesklinna district, Viru väljak 2, 10111)

1. CONTROLLER

1.1. The controller of personal data is Avatud OÜ, registry code 12443197, address Harju county, Tallinn, Kesklinna district, Viru väljak 2, 10111.

1.2. Data protection inquiries: hello@avatud.ee

1.3. Right to file a complaint with the Data Protection Inspectorate: www.aki.ee

2. WHAT DATA WE PROCESS AND FROM WHERE

2.1. Users (Buyers)

  • Identity data: first and last name, personal ID code, date of birth
  • Contact data: email address, phone number
  • Transaction data: purchased codes, usage status, payment information
  • Technical data: IP address, device information, cookies

2.2. Service providers (Partners)

  • Name and contact details
  • Bank account details (IBAN)
  • Tax residency, personal ID / registry code (DAC7 reporting)
  • VAT ID (for VAT-registered persons)

2.3. Data sources (eID)

We collect your personal data (Name, Personal ID, Date of birth) automatically from state registries (SK ID Solutions AS, Population Register) when you authenticate with Smart-ID, Mobile-ID or ID-card. This ensures data accuracy and is necessary for fraud prevention (Privacy by Design principle).

2.4. Data subject's responsibility

The data subject is responsible for the accuracy of the submitted data. The controller is not liable for any damage resulting from the submission of false data.

3. PROCESSING PURPOSES AND LEGAL BASIS

3.1. Performance of contract – GDPR art 6(1)(b)

For providing the platform service, generating Activation Codes, processing payments, and customer service.

3.2. Legal obligation – GDPR art 6(1)(c)

  • DAC7: DAC7 (Tax information exchange): The platform transmits service providers' income and personal data (TIN, date of birth) to the Estonian Tax and Customs Board (EMTA).
  • Accounting Act: Accounting Act: Transaction data is retained for 7 years.
  • RahaPTS: Money Laundering Prevention Act (RahaPTS): Identity verification above the legally defined thresholds.

3.3. Legitimate interest – GDPR art 6(1)(f)

Fraud detection, IT system security, and analytics for service improvement.

4. SHARING DATA WITH THIRD PARTIES

  • Service providers: Your name and Activation Code information are forwarded to the specific Service provider for service delivery.
  • Payment service provider: For payment processing.
  • Estonian Tax and Customs Board (EMTA): Under the DAC7 directive – annual automated data transfer.
  • Police and Border Guard Board: For criminal investigations as required by law.

5. DATA RETENTION

Data typeRetention period
Accounting documents7 years (legal obligation)
Active account dataFor the duration of the contract
Closed account data3 years after closure
Analytics cookiesUp to 13 months

6. YOUR RIGHTS

  • Access your data and obtain a copy
  • Request correction of inaccurate data
  • Request erasure of data when no legal basis exists
  • Object to processing based on legitimate interest
  • Data portability

To exercise your rights, send a digitally signed request to hello@avatud.ee. We will respond within 30 days.

7. SECURITY MEASURES

The controller implements appropriate organizational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure and other unlawful processing (GDPR art 32).

8. FINAL PROVISIONS

8.1. This privacy policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Personal Data Protection Act of the Republic of Estonia, and other applicable laws of the Republic of Estonia and the European Union.

8.2. The controller has the right to amend the privacy policy unilaterally, notifying data subjects via the website avatud.ee.

Avatud OÜ | registry code 12443197 | hello@avatud.ee | avatud.ee