Privacy Policy

Last updated: 25.05.2026

This Privacy Policy explains how Esrap OÜ processes personal data on the website https://esrap.ee, its subpages, online store, contact forms, customer communications, support channels and other communication channels related to Esrap services.

1. Data Controller

The data controller is Esrap OÜ, registry code 17482196, address Harju maakond, Viimsi vald, Haabneeme alevik, Laanelinnu tee 3-12, email info@esrap.ee, phone +372 555 23298.

Please send questions and requests related to personal data processing to info@esrap.ee.

2. What Data We Process

We may process the following personal data:

  • identification and contact data, such as name, email, phone number, company and job title;
  • online store and order data, such as order contents, delivery address, purchase history, customer account data and payment-related information;
  • withdrawal request and return data, such as the order or purchase reference, description of products or services to be withdrawn from, request status, submission time, customer comment and technical data related to the request;
  • communication data, such as contact form enquiries, chatbot or AI agent conversations, customer support correspondence and other customer communications;
  • technical data, such as IP address, browser type, device information, logs, cookie preferences and technical data related to website use;
  • marketing data, such as direct marketing preferences, newsletter subscription, consent or opt-out records and campaign responses;
  • analytics data, such as aggregated website usage statistics;
  • B2B customer relationship data, such as the customer's representative's contact details, role, company details, communication history and information related to service provision.

We do not wish to collect special categories of personal data, such as health data, biometric data or other sensitive data. Please do not enter such data into contact forms, chat or AI agent conversations unless it is strictly necessary for handling the specific enquiry.

3. Where the Data Comes From

We receive personal data mainly directly from you when you complete a contact form, use a chatbot or AI agent, place an order, submit a withdrawal request or return-related enquiry, create an account, communicate with us by email or phone, or use our services.

We may also receive data from your employer or from the company you represent when we communicate in the context of a B2B customer relationship. Technical data is generated automatically when using the website and services.

In certain cases, we may use public sources, such as business register data, where this is necessary for identifying a business customer or contact person, managing a customer relationship, performing background checks or providing a service.

4. Purposes and Legal Bases of Processing

We process personal data for the following purposes and on the following legal bases:

Purpose | Examples of data | Legal basis
Responding to enquiries and pre-contractual communication | name, email, phone number, company, enquiry content | steps prior to entering into a contract or legitimate interest
Managing online store orders and customer accounts | order data, contact details, delivery address, purchase history | performance of a contract
Processing withdrawal requests, returns and refunds | name, email, phone number, order or purchase reference, products or services to be withdrawn from, customer comment, submission time, IP address, user agent information and request status | performance of a contract, legal obligation or legitimate interest
Managing invoices, payments and accounting | invoice data, payment information, company details | legal obligation
Managing customer relationships and B2B contacts | contact person's name, role, email, phone number, communication history | legitimate interest
Customer support and resolving technical issues | communication data, support requests, technical logs, issue description | performance of a contract or legitimate interest
Ensuring website and service security | IP address, logs, device and browser information | legitimate interest
Cookies necessary for website functionality | session cookies, security and preference cookies | legitimate interest or processing necessary for providing the service
Direct marketing to existing customers | email, company, existing customer relationship, marketing preferences | legitimate interest where permitted by law and where a simple opt-out is available
Newsletter and consent-based marketing | email, consent records, marketing preferences | consent
Marketing cookies and consent-based tracking | cookie ID, consent choices, website usage data | consent
Establishing, exercising or defending legal claims | contract, communication, invoice and log data | legitimate interest or legal obligation

Where we process personal data on the basis of legitimate interest, Esrap's legitimate interest consists primarily of managing customer relationships, communicating with B2B contacts, ensuring the security of services, resolving technical issues, preventing misuse and defending legal claims. We rely on legitimate interest only where we have assessed that our interest does not override the rights and freedoms of the data subject.

5. Cookies and Analytics

We use the following on the website:

  • essential cookies that are necessary for the website, online store, login, security and language preferences to function;
  • preference or functionality cookies where they are necessary to maintain the user experience;
  • marketing or tracking cookies only if you have given your consent.

Cookie choices can be changed through the cookie manager on the website. More information is available in the Cookie Policy: https://esrap.ee/cookie-policy.

For analytics, we use self-hosted Plausible analytics. Plausible is cookieless by default and does not use traditional tracking cookies. If we introduce additional tracking technologies, we will use them according to your consent choices and update this Privacy Policy where necessary.

6. Contact Forms, Chat and AI Agent

If you use a contact form, chat or AI-based conversation agent on our website, we process the data submitted in the conversation or enquiry to respond to the enquiry, prepare a sales or consultation process, manage customer communications and improve service quality.

Please do not enter special categories of personal data or confidential information into the conversation unless it is necessary for handling the enquiry. The conversation result or summary may be transferred to Esrap's CRM or support system where this is necessary for handling the enquiry or managing the customer relationship.

If a third-party technical service is used to process the conversation, this is done on Esrap's instructions and only to the extent necessary for providing the service. The service providers used and any international data transfers are described in the recipients and data transfer sections of this Privacy Policy.

7. Recipients and Processors

We use service providers who may process personal data on behalf of Esrap and under Esrap's instructions. These may include:

Type of service | Examples
Web hosting and server infrastructure | Hetzner Cloud
Email and office software | Microsoft email and office software services
ERP, CRM, online store, chat and accounting | Odoo
Delivery and logistics | Shipit24 and other agreed delivery partners
Web analytics | self-hosted Plausible
Geolocation or language/location-based routing | DB-IP or another technical service if used on the website
Payment and banking services | Maksekeskus AS, banks, card payment providers and other payment service providers where required for an order or payment
Customer support and technical administration | support channels and technical tools used by Esrap
AI or automated conversation technical service | the service provider used for the relevant AI or chat workflow

We may also disclose data to competent authorities, advisers or other persons where this is necessary to comply with a legal obligation, perform a contract, or establish, exercise or defend legal claims.

If a customer pays for an order via Maksekeskus, Esrap discloses to Maksekeskus AS the personal data necessary to carry out and confirm the payment, such as the purchaser's name, contact details, order number, payment amount and payment-related technical data. Maksekeskus AS processes this data for the purpose of mediating and confirming the payment. When mediating payments, Maksekeskus AS acts as Esrap's processor to the extent that it processes data on Esrap's behalf, and may in certain cases process data as an independent controller for the fulfilment of its own legal obligations.

If you submit a withdrawal request through Esrap's website, customer portal, order link or by email, we process your name, email address, phone number, order or purchase reference, description of the products or services to be withdrawn from, comment, order data, submission time, request status and technical data such as IP address and user agent information. The purpose of processing is to enable the consumer to exercise the right of withdrawal, identify the relevant order, confirm receipt of the request, process the return or refund and protect the rights of Esrap and the customer in the event of a possible dispute.

8. Transfers Outside the European Economic Area

We prefer service providers who process data within the European Economic Area.

If transferring personal data outside the European Economic Area becomes necessary due to a specific service provider, sub-processor or technical service, the transfer will take place only on a basis permitted under the GDPR, such as a European Commission adequacy decision, standard contractual clauses or another appropriate safeguard.

You can request more information about safeguards used by a specific service provider by contacting info@esrap.ee.

9. Retention Periods

We retain personal data only for as long as necessary to fulfil the purpose of processing, comply with a legal obligation, or establish, exercise or defend legal claims.

Data | Retention period
Contact form, chat and AI agent enquiries | up to 24 months after the enquiry has ended, unless longer retention is necessary due to a customer relationship or legal claim
Customer communication correspondence | up to 36 months after active communication ends, unless longer retention is necessary due to a contract, warranty, dispute or legal claim
Operational online store order data | up to 3 years after the last purchase, except for data required for accounting or legal claims
Withdrawal request and return data | generally up to 3 years after the request has been finally processed or the order has ended, unless longer retention is necessary for accounting, a legal claim or a dispute
Invoices and accounting documents | 7 years as required by law
Server and security logs | generally up to 90 days, unless logs are needed to investigate a security incident or defend a legal claim
Direct marketing data | until an objection is submitted or the customer relationship ends, unless another legal basis applies
Consent records | until the consent expires and, where necessary, for a reasonable period afterwards for evidentiary purposes
Data related to legal claims | until the limitation period for the claim expires or the dispute ends

If the same data set is needed for several purposes, we retain it for the longest applicable period. After the retention period expires, we delete the data or anonymise it where technically and legally possible.

10. Data Subject Rights

You have the right to:

  • receive information about the processing of your personal data;
  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request erasure of data;
  • restrict data processing;
  • object to processing, especially direct marketing and processing based on legitimate interest;
  • receive data in a portable format where applicable;
  • withdraw consent where processing is based on consent.

You can opt out of direct marketing through the unsubscribe link included in each marketing message or by contacting us at info@esrap.ee.

To exercise your rights, please write to info@esrap.ee. We generally respond to requests within one month. If the request is complex or extensive, we may extend the response period to the extent permitted under the GDPR and will inform you of this. Before disclosing or changing data, we may ask for additional information needed to verify your identity.

11. Automated Decisions and Profiling

We do not make automated decisions or carry out profiling that would have legal or similarly significant effects on you.

If we use an AI-based conversation agent, its purpose is to structure enquiries, collect information and support customer communication. The AI agent does not make a legal or similarly significant automated decision about you.

12. Children's Data

Our services are not directed at minors and we do not knowingly collect children's data. If we become aware that we have accidentally collected a child's personal data without an appropriate basis, we will delete it within a reasonable time.

13. Obligation to Provide Data

To enter into a contract, fulfil an order, respond to an enquiry or provide support, we need certain data, such as contact details, order data or a description of the issue. If such data is not provided, we may not be able to fulfil the order, provide the service or respond substantively to the enquiry.

For marketing consent, optional cookies and other voluntary processing, you may refuse consent or withdraw it later.

14. Security Measures

We apply appropriate technical and organisational measures to protect personal data, including restricting access rights, need-to-know access, secure connections, backup and logging arrangements, confidentiality obligations and considering data protection requirements when selecting service providers.

The exact measures depend on the nature, scope and risk of the processing.

15. Filing a Complaint

If you believe that your personal data has been processed unlawfully, please first contact Esrap OÜ at info@esrap.ee so that we can address the matter.

You also have the right to file a complaint with the Estonian Data Protection Inspectorate:

16. Changes to the Privacy Policy

We may update this Privacy Policy from time to time if our services, data processing or legal requirements change. The new version will be published on the same page together with the update date.

If a change materially affects how your personal data is processed, we will, where possible, notify you additionally through an appropriate channel.