Privacy Policy and Personal Data Processing

1. General Provisions
1. This Privacy Policy and Personal Data Processing Policy (hereinafter — the Policy) is developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), as well as applicable legislation of the Republic of Estonia.
2. The Policy defines the procedure for processing personal data and measures to ensure their security undertaken by ARHI.AI OÜ (hereinafter — the Operator).
3. The primary objective of the Operator is to ensure the observance of the rights and freedoms of personal data subjects, including the right to privacy and protection of personal data.
4. This Policy applies to all information that the Operator may obtain about users of the ARHI.AI website and services.

2. Information About the Operator
1. Company name: ARHI.AI OÜ
2. Registry code: 17306157
3. Legal address: Paekaare tn 40-96, Tallinn, Harjumaa, 13613, Estonia
4. The Operator independently determines the purposes and means of personal data processing.

3. Definitions
1. Personal data — any information relating to an identified or identifiable natural person.
2. Data subject — a natural person whose personal data are processed.
3. Processing of personal data — any operation or set of operations performed on personal data, including collection, storage, use, transfer, restriction, erasure, or destruction.
4. Automated processing — processing of personal data using information technologies.
5. Data Controller (Operator) — a legal entity that determines the purposes and means of personal data processing.
6. Data Processor — a person who processes personal data on behalf of the Operator.
7. Restriction of processing — temporary suspension of personal data processing.

4. Principles of Personal Data Processing
Personal data processing is carried out based on the following principles:
1. Lawfulness, fairness, and transparency.
2. Purpose limitation to specific and legitimate purposes.
3. Data minimization — processing only data that are necessary.
4. Accuracy and relevance of personal data.
5. Storage limitation.
6. Integrity and confidentiality.
7. Accountability of the Operator.

5. Purposes of Personal Data Processing
The Operator processes personal data for the following purposes:
1. Providing access to website functionality and services.
2. User registration and account management.
3. Fulfillment of contractual obligations.
4. Communication with users, including sending notifications and informational messages.
5. Improving service quality and user experience.
6. Compliance with EU and Estonian legal requirements.

6. Categories of Personal Data Processed
For the purposes specified, the following personal data may be processed:
1. First and last name.
2. Email address.
3. Phone number.
4. User account data.
5. Technical data (IP address, browser data, cookies).
6. Other data voluntarily provided by the user.
The Operator does not process special categories of personal data without a separate lawful basis.

7. Legal Grounds for Processing
Personal data processing is carried out on the basis of:
1. Consent of the data subject.
2. Necessity for the performance of a contract.
3. Compliance with legal obligations of the Operator.
4. Legitimate interests of the Operator, provided they do not override the rights of the data subject.

8. Retention Periods of Personal Data
1. Personal data are stored no longer than necessary to achieve the processing purposes.
2. Upon achievement of the processing purposes, data are erased or anonymized unless otherwise required by law.
3. The user has the right to request erasure of their data in cases provided by GDPR.

9. Transfer of Personal Data to Third Parties
1. Personal data may be transferred to third parties only to the extent necessary to achieve processing purposes.
2. Transfers are carried out to data processors under data processing agreements.
3. Cross-border transfers outside the EU are permitted only with appropriate safeguards provided by GDPR.

10. Rights of Personal Data Subjects
The data subject has the right to:
1. Obtain information about the processing of their personal data.
2. Access their personal data.
3. Request correction of inaccurate data.
4. Request erasure of personal data.
5. Restrict processing of personal data.
6. Object to personal data processing.
7. Data portability.
8. Withdraw consent at any time.
9. Lodge a complaint with a data protection supervisory authority.

11. Personal Data Protection Measures
The Operator applies necessary technical and organizational measures to protect personal data from:
1. Unauthorized access.
2. Loss, alteration, or destruction.
3. Unlawful disclosure.

12. Final Provisions
1. This Policy is valid indefinitely until replaced by a new version.
2. The Operator has the right to amend this Policy in case of changes in legislation or business processes.
3. The current version of the Policy is subject to publication on the Operator’s website.