Toolscab OÜ Privacy Policy

This privacy policy (hereinafter: privacy policy) sets out how Toolscab OÜ (hereinafter: Toolscab or we) collects and uses personal data. Toolscab protects the privacy of its customers and other data subjects (hereinafter collectively: you or data subject). Please read the privacy policy as it contains important information about the processing of personal data.

The privacy policy applies to all our services and online activities, including our website, web and mobile applications (i.e., app), and social media-related processing.

If you would like more information about the processing of personal data or the privacy policy, please feel free to contact us at info@toolscab.ee.

1. DEFINITIONS

The definitions are set out in this section of the privacy policy or in the text of the privacy policy.

1.1 The terms of personal data protection have the same meaning as defined in the General Data Protection Regulation (2016/679) (hereinafter: GDPR). For ease of reading, frequently used terms are listed in this chapter.

1.2 User - a person who has created a user account in our application to use Toolscab services (either a customer or a customer's representative).

1.3 Customer - a legal or natural person who uses our service.

1.4 Visitor - a person who visits our website.

1.5 Cookies - data files stored on visitors' devices according to the choices made when using the website. For more information about the use of cookies, please refer to the cookie solution on our website.

1.6 Agreement - any agreement concluded between us and the customer or other data subject, including terms of use.

1.7 Service(s) - the services we provide, such as the rental of tools and household items from smart lockers via web and mobile applications.

1.8 Website - our website, accessible at www.toolscab.ee, and all its subdomains and our social media pages (if applicable).

2. GENERAL INFORMATION AND CONTACT DETAILS

Here you will find information about when the privacy policy applies, who we are, and how to contact us.

2.1 About us. We are Toolscab OÜ, registration code 14215193, address Harju County, Tallinn, Kristiine district, Laki tn 16, 10621. Toolscab offers the possibility to rent tools and household items through a convenient application and smart lockers.

2.2 Contact details. If you have any questions about the processing of personal data, please write to us at info@toolscab.ee or Harju County, Tallinn, Kristiine district, Laki tn 16, 10621, addressed to "Toolscab OÜ".

2.3 About the privacy policy. The privacy policy applies to the processing of personal data by us. We have the right to unilaterally change the privacy policy. We will inform the data subject of any significant changes on the website or in another way.

2.4 Controller and processor status. Toolscab is the controller of personal data in the provision of its service. This means that we determine the purpose of the processing of personal data and decide what data, why, and how it is processed. We are the controllers of personal data when we process the personal data of our customer (if the customer is a natural person) or the personal data of our customer's employees and representatives in the provision of our service(s).

2.5 Other links and social media. Please note that links on our website may lead to websites governed by the privacy policies of specific service providers, not this privacy policy. We are not responsible for the content published on other websites. Personal data processing also takes place on various social media channels according to the privacy policies of those platforms (the respective service provider) and this privacy policy (Toolscab's processing).

3. PRINCIPLES OF PERSONAL DATA PROCESSING

Here you will find the principles we follow when processing personal data.

3.1 Compliance and purpose. Our goal is to process personal data responsibly so that we can demonstrate compliance with the set objectives and applicable regulations.

3.2 Principles. All our processes, guidelines, and activities related to the processing of personal data are based on the following principles: legality, fairness, transparency, purposefulness, data minimization, accuracy, storage limitation, integrity, confidentiality, and integrated data protection and data protection by default.

4. Information we process.

Here you will find the categories of data subjects and the personal data we process.

4.1 Categories of data subjects. In general, we may process the personal data of the following data subjects:

(a) our customer (if the customer is a natural person) and

(b) representatives and employees of our customer;

(c) User data (customer or customer's representative);

(d) representatives of our partners;

(e) our employees or contractors;

(f) website visitors.

We do not process children's data. Our services are not directed at children.

4.2 Collection of personal data. We collect the following types of personal data:

(a) personal data disclosed by the data subject (e.g., data provided for the conclusion of a contract - e.g., creating a user account or obtaining information about our service(s)). These are usually name, contact details, email address, data provided to us on social media by the data subject;

(b) personal data resulting from our regular communication with the data subject (e.g., correspondence, chat, etc., related to the service(s));

(c) personal data resulting from the consumption and use of the service(s) (Toolscab service usage data, including rental history and web and mobile application usage data);

(d) personal data resulting from visiting and using the website;

(e) personal data received from third parties (e.g., verifying the identity of the customer);

(f) personal data generated and combined by us (e.g., correspondence in the context of the customer relationship, user activity analysis).

4.3 Processed personal data. We mainly process the following personal data:

(a) Visitor data - data collected during the use of the website, including through cookies (if allowed);

(b) identification data of our customer's representatives or the customer (if the customer is a natural person) - name, strong authentication data (if used for identification), position, and authorizations;

(c) contact details of the customer and representatives - email address, phone number;

(d) service usage and preference data of the customer and representatives - username, language preferences, usage data, contract data, billing data (bank account and invoice data), service consumption history;

(e) usage and technical information - data about our service, including web and mobile application and website usage, including technical data of the device used, information about the browser, IP address, pages viewed, time and date of visit, time spent on these pages, unique identifiers of the device, and other diagnostic data and logs;

(f) communication data - communication with us (text messages, emails, chats, calls);

(g) video recordings of the customer and representatives, for example, from cameras attached to our smart lockers or when they visit our premises (they remain on security camera recordings);

(h) payment behavior data - payment and claim data collected during accounting;

(i) contract information - contract information, contract performance information, service information, payment information;

(j) other data of the customer and representatives - for example, feedback, ratings on the service, and data provided as feedback in satisfaction surveys.

See also the summary of personal data processing in Appendix 1, which links the processing purpose, categories of personal data, and processing bases. Contact us if you need more detailed information about the processing of your personal data.

5. GENERAL PURPOSES, BASES, AND OPERATIONS OF PROCESSING

Here you will find information about the purposes and bases of personal data processing.

5.1 Consent. Based on consent, we process personal data precisely within the limits, to the extent, and for the purposes for which the data subject has given their consent. The data subject's consent must be freely given, specific, informed, and unambiguous. The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent before its withdrawal.

5.2 Conclusion and performance of the contract. When concluding and performing a contract, we may process personal data for the following purposes:

(a) taking measures before concluding the contract, which are necessary for entering into the contract (generally, the data used are from point 4.3 subpoints b and c);

(b) identification to the extent necessary for concluding and performing the contract or enabling the use of our service (generally, the data used are from point 4.3 subpoints b, c, and i);

(c) fulfilling obligations (e.g., billing) (generally, the data used are from point 4.3 subpoints b, c, d, f, and i);

(d) communicating with the customer and user, including sending information and reminders about the performance of the contract or the use of the service (generally, the data used are from point 4.3 subpoints b, c, d, f, h, and i);

(e) protecting rights and claims (depending on the data, all collected data may be used);

(f) identifying, preventing, and resolving technical problems (depending on the problem, all collected data may be processed);

(g) providing customer support (mainly the data used are from point 4.3 subpoints b, c, d, e, f, h, and i);

(h) providing and maintaining our service, including monitoring the use of our service and website (mainly usage data is used, but all data may be processed);

(i) notifying you of changes to our service or sending you other notices related to the contract/service (mainly the data used are from point 4.3 subpoints b, c, and i).

Please note that the exact purpose and bases may also be defined in the terms and/or contract.

5.3 Legal obligation. We process personal data to fulfill legal obligations in accordance with the law and to the extent provided by law. For example, the obligation to retain accounting documents under the Accounting Act.

5.4 Legitimate interest. Our legitimate interest means our interest in managing or directing our activities and enabling us to provide the best possible service. When we rely on legitimate interest, we have previously assessed our and your interests. You have the right to see the assessment related to the processing of your personal data. To do so, write to us at info@toolscab.ee. We may process your personal data (excluding special categories of personal data) based on legitimate interest for the following purposes:

(a) managing and analyzing the customer database and service (if not covered by the contract), to improve the availability, features, and quality of the service(s), e.g., using customer management systems or analytics solutions (mainly identification data, contact data, and service usage data are used);

(b) developing our service, including web and mobile applications and website (mainly anonymously; however, depending on the development, all data may be used);

(c) ensuring a better customer/user experience, to provide a higher quality service/services; we may monitor the use of our service and website, analyze identifiers and personal data collected during the use of our website, service, social media pages, and other sales channels, and collect statistics about customers, users, and visitors; usage data and feedback and ratings provided may also be processed;

(d) organizing campaigns, including personalized and targeted campaigns (generally identification data, contacts). The terms of the campaigns are set separately;

(e) sending offers/information to the customer or potential customer, if the relevant person has previously purchased a similar product or shown interest in it and if such processing is permitted in the specific jurisdiction. In such a case, the person is always provided with an easy way to opt out of the communication, and we have taken into account both our own and the (potential) customer's interests;

(f) conducting satisfaction surveys and measuring the effectiveness of marketing activities (contact data and general service usage data are used);

(g) making and logging recordings; we may record messages and orders transmitted both in our premises and via means of communication (email, phone, etc.), as well as information and other activities provided by us. If necessary, we use these recordings to prove orders or other activities;

(h) using camera recordings at our smart lockers - we record activities at our rental lockers to ensure the safety of individuals and property and, if necessary, to check the use of the service and contract performance; also, to use recordings to prove, defend, and present claims if necessary;

(i) technical and cybersecurity reasons, e.g., measures to combat piracy and ensure the security of the website, as well as making and storing backups and preventing/eliminating technical problems (depending on the problem, all data may be processed);

(j) processing for organizational purposes, especially for managing and processing personal data for internal management purposes (but also for audits and other possible supervision), including processing personal data of customers or representatives (mainly general service usage and customer data);

(k) preparing, presenting, or defending legal claims, including assigning claims to, for example, debt collection service providers or using legal advisors (depending on the claim/problem, all data may be processed);

(l) we may share personal data if we conduct a business transaction or negotiate a business transaction involving the sale or transfer of all or part of Toolscab's business or assets. These transactions may include any merger, financing, acquisition, or bankruptcy transaction or proceeding;

(m) if you have informed us that you do not wish to receive certain types of information - retaining information about such a prohibition.

5.5 New purpose. If personal data is processed for a purpose other than that for which it was originally collected, or if it is not based on the data subject's consent, we carefully assess the permissibility of such new processing. To determine whether processing for a new purpose is compatible with the original purpose of collecting personal data, we take into account, among other things:

(a) any link between the purposes for which the personal data was collected and the intended further processing purposes;

(b) the context in which the personal data was collected, in particular regarding the relationship between the data subject and us;

(c) the nature of the personal data, in particular whether special categories of personal data or personal data related to criminal convictions and offenses are processed;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymization.

6. TRANSFER AND AUTHORIZED PROCESSING OF PERSONAL DATA

Here is information about the transfer and authorized processing of personal data.

6.1 Use of cooperation partners. We cooperate with persons to whom we may transfer data concerning data subjects (including personal data) within the framework and purpose of cooperation. When transferring personal data to third parties (generally our cooperation partners), we comply with applicable data protection requirements.

6.2 Requirements for the use of cooperation partners. Such third parties may include, among others:

(a) advertising and marketing partners (generally anonymous information; but depending on the service, contact data, technical information);

(b) payment service providers (separate controllers);

(c) customer satisfaction survey companies (generally anonymous information; but depending on the service, contact data);

(d) advisors (depending on the service, all personal data may be processed);

(e) IT partners, i.e., providers of various technical services (depending on the service, all personal data may be processed),

provided that the relevant purpose and processing are lawful and, if it is an authorized processor, that personal data is processed under the instructions of the controller and a valid contract.

6.3 Other transfer/disclosure. In other cases, we may transfer your personal data to third parties, provided that we have a basis for such processing, e.g., your consent or a legal obligation. We may also disclose personal data in the following cases:

6.3.1 For legal protection purposes. In certain cases, we may be required to disclose your personal data when required by law or when public authorities submit a valid request. Before disclosing personal data, we always assess the legality of the information requests.

6.3.2 For business transactions. If we or our subsidiaries are involved in a merger, acquisition, or sale of assets, your personal data may be transferred.

6.4 Transfer outside the European Economic Area (EEA). Generally, we process personal data within the EEA. Our server room is located in the EEA. If we transfer personal data outside the EEA, we ensure that the requirements set out in Chapter V of the GDPR are met, e.g., if the European Commission has decided that there is an adequate level of protection in that country (see Article 45 of the General Data Protection Regulation) or, in the absence of such a decision, we have taken appropriate safeguards, e.g., binding corporate rules or standard data protection clauses (see Article 46 of the General Data Protection Regulation) or if the company is listed in the new EU-US Data-Privacy Framework. We take all reasonably necessary measures to ensure that personal data is processed securely and in accordance with this privacy policy. If personal data is transferred based on standard clauses, the data subject has the right to review the relevant standard clauses to the extent appropriate by writing to us at the email provided in section 2.2. General information about the mentioned transfer measures can be found:

6.4.1 Adequacy decisions adopted are available here.

6.4.2 The text of the EU standard clauses is available here. The data subject may request the specific standard clauses text related to their personal data transfer.

6.4.3 The Data-Privacy Framework list can be found here.

7. RETENTION AND SECURITY OF PERSONAL DATA

Here is a description of how we protect personal data and how long we retain personal data.

7.1 Retention. When retaining personal data, we follow the purpose of processing, the limitation periods for possible claims, and the retention periods provided by law. We retain personal data for as long as necessary depending on the purpose of processing. Customer data is generally retained during the validity period of the contract and for another 3 years to protect possible claims. Certain personal data is retained according to the requirements of applicable law, e.g., accounting data for 7 years and employment contract data for 10 years. Personal data whose retention period has expired is destroyed or anonymized. We retain camera recordings from our smart lockers for one month (recordings related to claims may be retained longer).

7.2 Security measures. We have established guidelines and procedures to ensure the security of personal data through both organizational and technical measures. Among other things, we do the following to ensure security and confidentiality:

(a) We use an access level management system;

(b) We ensure the confidentiality of personal data according to the nature of the personal data;

(c) We use software solutions that help ensure a security level corresponding to the market standard.

7.3 Incident. In the event of a personal data incident, we do our best to mitigate the consequences and reduce such risks in the future. We comply with the notification requirements of the General Data Protection Regulation.

8. Data protection rights under the General Data Protection Regulation

Here is information about the data subject's rights related to personal data.

8.1 We want to ensure that you are fully aware of all your rights related to personal data. Every data subject has the following rights (subject to certain conditions):

(a) Right to be informed - the data subject's right to be informed about the personal data collected about them.

(b) Right of access and to obtain a copy - the data subject has the right to access their personal data and request copies of it.

(c) Right to rectification - the data subject has the right to request that we correct any inaccurate information.

(d) Right to erasure - the data subject has the right to request, under certain conditions (e.g., if we process your personal data based on your consent), that we delete your personal data.

(e) Right to restrict processing - the data subject has the right to request, under certain conditions (e.g., if we process your personal data based on your consent), that we restrict the processing of your personal data.

(f) Right to object to processing - the data subject has the right to object, under certain conditions (e.g., if we process your personal data based on legitimate interest), to the processing of their personal data.

(g) Right to access the legitimate interest assessment related to the processing of their personal data, by writing to our contacts (see section 2.2).

(h) Rights related to consent - the data subject has the right to withdraw their consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out based on consent before its withdrawal. If you wish to withdraw your consent, write to us at the contacts provided in section 2.2. If you have subscribed to our newsletter (if any), you can unsubscribe via the unsubscribe link in the email.

(i) Right to data portability - the data subject has the right to request, under certain conditions, that we transfer the data collected about the data subject in a machine-readable format to another organization or directly to you.

(j) Rights related to automated processing and profiling mean that the data subject has the right, based on their specific situation, to object at any time to the processing of personal data concerning them based on automated decisions/profiling and to request human intervention. The data subject may also request an explanation of the logic behind the automated decision-making. For clarity, we do not use automated processing or profiling that significantly affects the data subject or their rights.

(k) Right to compensation - the data subject has the right to claim compensation if the processing of personal data has caused damage to the data subject.

(l) Right to file a complaint - you have the right to file a complaint with us, the supervisory authority, or the court if you believe that your rights related to the processing of personal data have been violated. To find a solution, we ask that you first contact us. If necessary, the contact details of our data protection supervisory authority (Data Protection Inspectorate) can be found here: https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid. The data subject has the right to contact the data protection supervisory authority of their country of residence or the supervisory authority of the country where the alleged violation occurred. The contact details of the data protection supervisory authorities of EU member states can be found here. The data subject may also turn to the court if they believe that the processing of personal data violates their rights and interests.

8.2 Exercise of rights. If you submit a request related to the processing of personal data, we have one month to respond to you. If the response is complex, the response time may be extended by another two months. If you wish to exercise any of the above data protection rights or need more information about your rights, please contact us. Please note that before we can exercise your rights related to personal data, we may need to verify your identity.

9. Changes

9.1 Recent changes and the entry into force of the privacy policy:

| Publication | Effective Date | Main changes |
|---|---|---|
| 21.05.2023 | 21.05.2023 | Privacy Policy version 1 |


Appendix 1 - Overview of the purposes and bases for processing personal data

The table shows the usual purposes and activities for processing personal data. Depending on the specific situation, there may be differences in data processing from what is shown in the table. If desired, the data subject can obtain more detailed information about the processing of their personal data by writing to us via email.

Personal Data Processing Table

Data category columns: Identification Data; Contact Data; Contract and Contract Performance Information; Service Usage and Preference Data; Usage and Technical Information; Communication Data; Payment Behavior Information; Recordings; Other; Visitor Information

| PURPOSE | ACTIVITY | BASIS FOR PROCESSING | Data categories marked |
|---|---|---|---|
| Entering into a Contract and Providing Service | Collecting data for entering into a contract, including enabling account creation | Contract/necessary for entering into a contract GDPR art 6 (1) b | X X x x x |
| | Contract performance | Contract/necessary for entering into a contract GDPR art 6 (1) b | X x X x x x X |
| | Contract performance monitoring (e.g., notification if the rental payment does not work) | Contract/necessary for entering into a contract GDPR art 6 (1) b; (claims verification legitimate interest) | X X x x x X |
| | Providing the service, including web and mobile applications | Contract/necessary for entering into a contract GDPR art 6 (1) b | X X x X x x x X |
| | Communication and assistance in using the service (customer support) | Contract/necessary for entering into a contract GDPR art 6 (1) b | X X x x x x |
| | Billing | Contract/necessary for entering into a contract GDPR art 6 (1) b | X x x |
| | Development and maintenance necessary for providing the service | Contract (to the extent necessary for contract performance) | Depending on the situation, all data may be processed |
| Fulfillment of Legal Obligations | Accounting Activities | Legal Obligation GDPR art 6 (1) c | x x x x |
| Proof, Defense, and Presentation of Claims/Rights | Proof, Defense, and Presentation of Claims/Rights | Legitimate Interest GDPR art 6(1) f | Depending on the situation, all data may be processed |
| | Checking user activities if necessary (logs, communication, recordings) | Legitimate Interest GDPR art 6(1) f | x x x X x x x X x |
| | Use of recordings | | x x x x |
| Promotion of Business Interests | Service development and improvement | Legitimate interest GDPR art 6(1) f | Depending on the situation, all data may be processed |
| | Analytical activities | Legitimate interest GDPR art 6(1) f | Depending on the situation, all data may be processed |
| | Marketing and sales activities | Legitimate interest GDPR art 6(1) f; consent (newsletters) | x x x x x x |
| Ensuring Security | Use of Cameras | Legitimate Interest GDPR art 6(1) f | x X |
| | Use of cybersecurity solutions | Legitimate interest GDPR art 6(1) f | Depending on the situation, all data may be processed |

Categories of Personal Data

| Data Category | Personal Data |
|---|---|
| Identification Data | Name, strong authentication data (if used for identification), contact details, position, and authorizations |
| Contract and Contract Performance Data | Full name, contract terms, selected service(s), contract performance and payment information |
| Contact Data | Email, phone, address |
| Visitor Information | Data collected during the use of the website, including through cookies (if allowed) |
| Usage and Service Data | Service usage history, selected service(s), data about our service, including web and mobile application and website usage, including technical data of the device used, information about the browser, IP address, pages viewed, time and date of visit, time spent on these pages, unique identifiers of the device, and other diagnostic data and logs |
| Service Usage and Preference Data | Username, language preferences, usage data, contract data, billing data (bank account and invoice data), service consumption history |
| Communication | Personal data in various communications (if any), email, chat, calls |
| Payment Behavior | Payments, bank account/card information, contract information, invoices |
| Recordings | Image on security camera recordings (if applicable) |
| Other | Feedback, ratings |