Privacy Policy

Last updated: April 10, 2026

1. Introduction

Virelund OÜ (registry code: 17384217, VAT: EE102935031, "we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopiisi service.

This policy applies to all information collected through our service, website, and any related services, sales, marketing, or events (collectively, the "Service").

2. Data Controller

The data controller responsible for your personal data is:

Virelund OÜ
Registry code: 17384217
VAT: EE102935031
Address: Kuuse põik 27, Laagri alevik, 76401 Saue vald, Harju maakond, Estonia
Email: info@shopiisi.com
Board member: Sander Sülla

3. Information We Collect

3.1 Personal Information You Provide

We collect information you provide directly to us, such as:

  • Account registration information (name, email address, hashed password)
  • Profile information (business name, store information, business address)
  • Payment information (processed securely through third-party payment providers; we do not store full card numbers)
  • Communications with us (support tickets, feedback, surveys)
  • Multi-factor authentication data (TOTP secrets, passkey public keys)

3.2 Information Collected Automatically

When you use our Service, we automatically collect certain information:

  • Usage data (pages visited, features used, time spent)
  • Device information (IP address, browser type, device type, operating system)
  • Log data (access times, referring URLs, error logs)
  • Session cookies required for authentication and preferences

3.3 Information from Third Parties

We may receive information from third-party services when you choose to use them:

  • Social authentication providers (Google OAuth) — profile name and email
  • Payment processors — transaction status and identifiers (no full card details)

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, operate, and maintain our Service
  • Process transactions and manage your account
  • Send you technical notices, updates, security alerts, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyze usage and trends to improve our Service
  • Detect, investigate, and prevent fraudulent transactions and other illegal activities
  • Comply with legal obligations and enforce our Terms of Service
  • Send promotional communications (only with your explicit consent; you may opt out at any time)

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to perform our service contract with you (e.g., account management, order processing, subscription billing)
  • Legitimate Interests (Art. 6(1)(f)): For improving our service, security, fraud prevention, and analytics — balanced against your rights and freedoms
  • Legal Compliance (Art. 6(1)(c)): To comply with applicable laws such as Estonian accounting law, tax regulations, and anti-money-laundering requirements
  • Consent (Art. 6(1)(a)): For marketing communications and optional features (withdrawable at any time without affecting the lawfulness of prior processing)

6. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party sub-processors listed in Section 7 who assist in operating our Service, bound by data processing agreements
  • Legal Requirements: When required by law, court order, or to respond to lawful legal process from Estonian or EU authorities
  • Business Transfers: In connection with mergers, acquisitions, or asset sales, with prior notification to affected users
  • Protection of Rights: To protect our rights, property, or safety, or that of our users or the public, when we believe in good faith that disclosure is necessary
  • With Your Consent: When you explicitly consent to a specific sharing

7. Sub-Processors

We use the following third-party service providers (sub-processors) to help deliver our Service. Each is bound by a data processing agreement:

  • Amazon Web Services (AWS): Cloud infrastructure, hosting, database, transactional email delivery (SES), content delivery (CloudFront), and storage (S3) — Region: US-East-1 (N. Virginia). AWS maintains SOC 2 and ISO 27001 certifications and is covered by EU Standard Contractual Clauses.
  • Stripe: Payment processing, subscription billing, and card verification — EU data region. PCI DSS Level 1 certified.
  • MakeCommerce (Maksekeskus AS): Local payment methods and bank-link integrations for Baltic countries — Estonia. Regulated by the Estonian Financial Supervision Authority.
  • Montonio: Payment processing and bank-link integrations for Baltic countries — Estonia/Latvia/Lithuania. GDPR compliant.
  • Liisi, Esto, Inbank: Buy-now-pay-later (BNPL) financing providers for Baltic customers — Estonia. Each provider processes payment and credit data under their own data controller obligations and DPAs.
  • Cloudflare (Turnstile): Bot protection and CAPTCHA verification — EU/US. Cloudflare processes minimal data (interaction signals, no personal identifiers stored). Covered by EU Standard Contractual Clauses.
  • Google (Analytics 4): Anonymised website usage analytics — EU data region when available. Data is aggregated and used only for service improvement. Users can opt out via cookie preferences. Google LLC complies with EU-US Data Privacy Framework.
  • GitHub (Microsoft): Source code hosting and CI/CD deployment — USA. Covered by EU Standard Contractual Clauses.

We will notify you of any material changes to our sub-processor list by updating this policy and, where practical, through in-app notification. All sub-processors comply with GDPR requirements.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

  • Encryption in transit (TLS 1.2+) for all connections
  • Encryption at rest for all stored data
  • Passwords are securely hashed; we never store plaintext passwords
  • Cross-site request forgery (CSRF) protection on all state-changing operations
  • Role-based access controls and least-privilege principle for internal access
  • Web application firewall for DDoS and injection protection
  • Regular security assessments and dependency updates
  • Automated database backups with point-in-time recovery

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach, we will notify affected users and the Estonian Data Protection Inspectorate within 72 hours as required by GDPR Art. 33.

9. Data Retention

We retain your personal information for specific periods based on the type of data and legal requirements:

  • Account data: For the duration of your account plus 1 year after account cancellation (to allow reactivation)
  • Financial and transaction records: 7 years (required by Estonian Accounting Act § 12)
  • Support communications: 3 years after resolution
  • Usage logs and analytics: 2 years, then anonymized
  • Marketing consent records: 5 years after consent withdrawal (for compliance audit trail)
  • Security and fraud prevention data: 5 years

After account cancellation, your data is retained for 1 year. You will receive an email notification 7 days and 1 day before permanent deletion. After this retention period, all personal data is permanently deleted or anonymized, except where retention is required by law (e.g., financial records for 7 years per Estonian law).

You may request early deletion of your data at any time by contacting info@shopiisi.com. We will process such requests within 30 days, subject to legal retention obligations.

10. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements
  • Right to Restrict Processing (Art. 18): Request limitation of processing under certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON export available in account settings)
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint: File a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority

To exercise these rights, contact us at info@shopiisi.com. We will respond within 30 days. We may request identity verification before processing your request.

11. International Data Transfers

Our primary infrastructure is hosted on AWS US-East-1 (N. Virginia, USA). Your data may therefore be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures including encryption and access controls

You may request a copy of the Standard Contractual Clauses by contacting us at info@shopiisi.com.

12. Cookies and Tracking Technologies

We use the following types of cookies:

  • Strictly Necessary: Session cookies for authentication, CSRF protection, and language preferences. These cannot be disabled without breaking core functionality.
  • Functional: Theme preference (light/dark mode) and UI state.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies that identify individual users. We do not engage in cross-site tracking.

You can control cookies through your browser settings, but disabling session cookies will prevent you from logging in.

13. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us immediately and we will delete such data within 72 hours.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website with a revised "Last updated" date
  • Sending you an email notification at least 14 days before material changes take effect
  • Providing in-app notifications

Your continued use of our Service after the effective date of changes indicates your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may close your account.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Virelund OÜ
Registry code: 17384217
VAT: EE102935031
Address: Kuuse põik 27, Laagri alevik, 76401 Saue vald, Harju maakond, Estonia
Email: info@shopiisi.com
Board member: Sander Sülla

Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia. Website: aki.ee. You have the right to lodge a complaint if you believe we have not addressed your concerns adequately.

We value your privacy

We use cookies to provide essential functionality, personalize content, and analyze traffic. You can manage your preferences below.