Privacy Policy

Valid from 30.07.2021

This Privacy Policy describes the processing of personal data by KREEDIX OÜ (registry code 11043745) and companies belonging to the same group, namely REGISTER OÜ (registry code 11735006), STORYBOOK OÜ (registry code 14636888), managed oneu  websites and The controller of personal data processed through websites is KREEDIX OÜ (registry code 11043745; “KREEDIX“).

KREEDIX is guided by Regulation (EU) 2016/679 of the European Parliament and of the Council, the Personal Data Protection Act and other data protection legislation when processing personal data.

We have the right to make changesto this Privacy Policy from time to time. We make every effort to ensure that the Privacy Policy is up-to-date and accessible.
To stay up to date with the latest privatepolicy, we recommend that you visit our website from time to time. We may also notify us of changes to the Privacy Policy by e-mail or other contact details known to us.


1. Definitions

KREEDIX or “we”is KREEDIX OÜ (registry code 11043745) as the controller of personal data, i.e. the person who determines the purposes and means of processing personal data.

The information portal is a  website and and its subdomains.

A data subject is an identifiable or identified natural person whose personal data are processed,including:  (a) the user ofthe information portal;

A user is a data subject who uses the information portal  either personally or through a legal person (in which case the personal data of a natural person may be included in the data processed).

Personal data is any information about an identifiable or identified natural person (data subject).

Processing of personal data is any operation performed on personal data (e.g. collection, storage, alteration, transmission, erasure, organisation).

2. Processing of user's personal data

2.1. Composition of personal data

In order to achieve the objectives set out in this Privacy Policy, we process some or all of the following user’s personal data, the exact composition of the personal data processed is different in each case:

  • Personal identification :first and last name; personal identification code and  date of birth; username and password.
  • Contact details: e-mail address, telephone number;
  • Payment details: method of invoicing and invoicing; bank account number and other requisites/tender information; the history of payments; information related to arrears, etc.;
  • Data relating to theAgency : occupation, identity of the employer;
  • Data related to preferences: data on consents and prohibitions on direct marketing; information on the user’s interests and the use and preferences of services; language preference; other consents/prohibitions given by the user or choices of preferences  made;
  • Customer relationship data: composition and period of services ordered; event and user log; inquiries made on the information portal; information related to customer communication;
  • personal data otherwise become known in the course of using the Information Portal or performing contractual obligations.

The above personal data are collected from the data subject when creating an account on the Information Portal, using the services of the Information Portal, entering into payment agreements, applying for a demo account, joining a newsletter, responding to surveys/surveys, in the context of customer communication or otherwise, including on the data subject’s own initiative.

We receive confirmation of the user’s identity from a third party who provides the respective service. For example, the user can identify themselves via an ID-card, Mobile-ID, bank link. We  do not see or store pin1 or PIN 2 codes. When authenticating via ID-card and Mobile-ID and signing declarations of intent or confirmations, the User is obliged to comply with the security requirements and recommendations established by the respective developers and us. We recommend that you familiarize yourself with additional information on the  and websites.

We also process the user’s personal data using cookies used on the information portal. The cookie policy (including the composition of the data collected by cookies) is available on the respective information portal:  and

2.2. Legal basis and purpose of processing personal data

We process the user’s personal data upon the existence of a legal basis and for as long as it is necessary for thepurposes set out in the Privacy Policy. The processing of the user’s personal data in the Information Portal is carried out on the following legal bases and purposes.

2.2.1. Performance of the contract

We process personal identification data in order to identify the user, enter into an agreementwith the user for the use of the information portal (for the preparation of the contract and pre-contractual communication) and enable the User to use the information portal (incl. log in to the information portal). In addition, we process payment and contact details to enable the User to pay for the use of the information portal as part of the performance of the contract.  We also process contact details in order to provide the user with important notices about the service and performance of the contract and to manage the customer relationship.

2.2.2. Legitimate interest

We process the user’s personal data based on our legitimate interest in realising our business interests and, among other things, developing and expanding business activities, improving the services and its quality and ease of use, and creating different statistics. The aforementioned activities may not be necessary for the performance of the contract, which is why the processing of personal data for such purposes is based on our legitimate interest. The processing of personal data on the basis of a legitimate interest is in balance with the interests of the user, since in order to provide the best possible service, the processing of the user’s personal data is extremely necessary and obtaining a high quality service is also the user’s expectation of us.

We perform profiling against users for marketing purposes using text files or cookies installed in users’ browsers. Profiling is data processing that aims to provide news, advertisements and other offers of interest to the user that might interest the user. The purpose of profiling is to identify different types of customers and segment the customer base to enable us to make marketing decisions and choices, such as making offers that are likely to be of interest to a particular customer type and displaying customized advertising and content according to the customer type. Profiling for marketing purposes does not result in decisions having legal implications for the user. The user may object to profiling for marketing purposes at any time or prohibit the storage of cookies in their browser.

We may also process your personal data in the event of any contractual or other dispute between us in order to protect our legitimate interests.

2.2.3. User consent

We process the user’s personal data on the basis of the user’s consent, with prior information about the purposes for which such personal data are processed. Based on the user’s consent, we process the person’sdata in order to send direct marketing notices (newsletters, etc.) to the user. It is alsopossible for the userto participate voluntarily (i.e. with consent) in various surveys and surveys. In addition, we use cookies on the information portal, of which certain cookies are used only with the user’s consent.

The User has the right to withdraw his/her consent to the processing of such personal data at any time by notifying us of the contacts provided in the Privacy Policy or using other technical solutions, if available, including by cancelling direct marketing to the e-mail address by clicking on the corresponding button in the footer of the notice. Withdrawal of consent shall not affect processing operations previously carried out and their legality. If a person withdraws his/her consent to the direct marketing, the user’s respective declaration of intent shall be retained.

2.2.4. Compliance with legal obligations

We may process your personal data in order to comply with legal  obligations, such as ensuring the protection of personal data (including responding to requests from data subjects and requestsfrom competent national authorities),storing personal data for any periodoftimenecessary for the performance of legal obligations (e.g. for accounting purposes) and for the performance of other applicable legalobligations.

2.3. Retention of personal data

We will only retain personal data for as long as it is necessary to achieve the purposes described in this Privacy Policy, to protect our rights or to comply with legal obligations. We restrict the processing of personal data and process personal data only if necessary.

The user’s personal data shall be stored for up to five years  from the end of the customer relationship,except for  the basic accounting documents, which shall be stored for seven years from the end of the financial year related to the respective personal data and personal data related to the contract (including arrears) concluded with the User, which shall be stored for up to 10 years from the end of the customer relationship. Upon expiry of the above periods, the respective personal data will be deleted, unless the processing of personal data is  necessary under the circumstances  to protect our legitimate interests, e.g.  in the event of contractual or other disputes between us (including due to a continuous dispute). We also have the right to anonymize personal data following the aforementioned periods, i.e. to process personal data in such a way that the data are no longer treated as personal data.

Despite the termination of the customer relationship, we may process the User’s personal data for direct marketing with the user’s prior consent until the user has withdrawn the consent. Where a person prohibits direct marketing (I withdraw consent)  and there is no other legal basis for processing, information on the prohibition shall be retained to the extent necessary to ensure compliance with the prohibition on directmarketing notifications.

3. Processing of personal data collected from public sources

3.1. Composition of personal data

In addition to personal data received from users, we process personal data available from public sourcesrelated to natural persons (data subjects) related  tolegal persons. The source of such personal data shall be,  in particular, the Business Register. The composition of the personal data of data subjects related to legal persons from public sources that we process is as follows:

  • first name and surname;
  • personal identification code and date of birth;
  • the role of the legal person (e.g. member of the management board, shareholder, member of the supervisory board, beneficial owner, procurator, liquidator, insolvency practitioner)  and its beginning and end;
  • prohibitions on business and business;
  • Contact details.

In turn, we combine the above personal data with data concerning legal persons related to the data subject, which are not personal data. This creates different links between the data subject and the companies. Personal data of valid and invalid representatives of legal persons and other related persons are processed in the Information Portal in accordance with the Privacy Policy. This means that valid and invalid relationships between data subjects and legal entities are published on the information portal.

We do not collect personal data in relation to property belonging to the data subject. We collect, in particular, court decisions from the register of court decisions, notices of official notices, media articles from mainstream media publications, various data from company-related websites (website, Facebook, etc.), documents related to procurement from the public procurement register and job offers from the Unemployment Insurance Fund, but we do not make enquiries on the basis of the data subject or for the purpose of disclosing personal data of the data subject that are not related to business. We cannot exclude that the data available from these sources contain personal data. However, those personal data are not linked to the non-business activities of the data subject and the links are manifested, in particular, through a company linked to the data subject.

We compile different scores (reputation and credit scores) for companies, which are derived by combining business data using different technologies. We do not compile any scores for the data subject, but only for companies related to the data subject. We may also publish the score with the data subject, but we will make sure that the score is marked accordingly, that the score applies to related companies. In doing so, we will ensure that the public does not attribute corporate scores to data subjects.

The personal data of data subjects collected from public sources can be accessed by the users of the information portal. The composition of the personal data disclosed to users depends on the level of access (unregistered user, registered user, registered contractual client user), while the user can make available to a certain extent the personal data collected about him/her from public sources on the information portal to all users of the information portal.

3.2. Legal basis and purpose of the use of personal data

The processing of personal data available from public sources is necessary to provide the information portal service based on the protection of our legitimate interestsand thoseof third parties.  In connection with our legitimate interest and those of third parties, we have prepared an in-depth analysis, which the data subject must contact  us with at the contact detailsset out in this Privacy Policy.

3.3. Retention of personal data

We delete personal data collected from public sources after 5 years from the end of the data subject’s last valid relationship with the legal person. This retention period ensures the integrity andusefulness of the information published on the information portalto users. When drawing up the retention policy, we have taken into accountthat the time limit for making claims against a member of the management body is at least 5 years, but in certain cases (in case of intentional violation) 10 years. Thus, the 5-year erasure period balances the maximum limitation period (10 years) and the interests of the data subject arising from law and case law. When storing personal data, we also proceed from the fact that as long as the person is active in business and claims against him or her are possible only in the event of an intentional breach (i.e. after 5 years of business activities), third parties have a legitimate interest in accessing the data subject’s data.

In addition, at the request of the data subject, personal data which have proved to be incorrect or which, in the opinion of the controller, are not related to business or are excessively harmful to the data subject shall be erased. We will delete the data that has been found to be incorrect or not related to business immediately, even if it becomes known to us.

3.4. Information

We do not inform the data subject when processing personal data available from public sources about the data subject, as we do not seek  personal  (non-business)  contact dataof the data subject from public sources,  and the identification of the contact details of the data subjects would require impossible or disproportionate efforts from us.  In addition, we wish to restrict the processing of personal data as far as possible, and the processing of the personal contact details of the data subject only for the purpose of informing the data subject is not justified.

4. Data receivers

We have the right to disclose and transfer personal data of data subjects (users and data subjects whose personal data are collected from public sources)  in particular:

  • a company belonging to the KREEDIX Group, based on our legitimate interest in providing high-quality and comprehensive service and various benefits;
  • legal advisers, auditors, etc. to protect their rights;
  • to the register of payment defaults and the like to collect debts to third parties, i.e. to protect their interests;
  • to third parties to whom the data subject has given his or her consent to the transfer (e.g. in the context of the transfer of personal data);
  • in cases provided for by law, to the competent state body;
  • our partners, including developers and serviceproviders, payment solution providers, digital marketing service providers  (socialmedia and advertising partnersand analysts).

The recipients of personal data are located in Estonia, the European Union or the Economic Area of the European Union. In the event that we should transfer personal data to recipients who are not located in the aforementioned areas, we will take all necessary measures to ensure the security of the processing of personal data and compliance with the law, including by concluding appropriate agreements with the recipient.

5. Rights of data subjects

In accordance with applicable law, the data subject (the user and the data subjectwhose personal data have been collected from publicsources) has the right to:

  • request information about the personal data collected about him or her;
  • request the erasure of your personal data;
  • request the rectification of your personal data;
  • request restriction of the processing of your personal data;
  • challenge the processing of your personal data;
  • transfer personal data, i.e. receive your personal data in a structured, commonly used and machine-readable format and transfer that data to another controller.

If we process personal data on the basis of consent, the data subject may withdraw the consent at any time, in which case the processing of personal data will be terminated. This shall not affect processing operations carried out in the past.

When submitting requests, the User must take into account that the services may not be partially or fully available to the User when deleting personal data or restricting the processing necessary for the performance of the contract.

An additional feature has been created for users to supplement, modify and delete certain personal data on the Information Portal. Such a possibility ensures a heightened level of protection of the interests of data subjects, in particular those whose personal data have been collected from public sources.

6. Protective measures

We process personal data only if there is a legal basis and for legitimate purposes. In order to ensure the security of personal data, we use measures and store personal data in such a way as to ensure the security and confidentiality of personal data. Internal information security and data protection will be achieved, for example, by implementing preventive risk assessment practices in the development of products and services, as well as by training staff on information security and data protection issues.  We take  the necessary organisational, physical andIT securitymeasuresto ensure the security ofour data.

Our employees are obliged to keep confidential the personal data entrusted to them in the course of their duties in accordance with the employment contracts concluded with them and the legislation in force, while the confidentiality of employees and former employees is indefinite.

When we transfer personal data to processors acting on our behalf, we verify the reliability of these persons and enter into appropriate agreements and data processing agreements withthem.

If a personal data breach occurs and this poses a likely threat to the rights and freedoms of the data subject, we will notify the Data Protection Inspectorate of such a breach. In addition, we will take measures to put an end to the infringement as soon as possible.

7. Inquiries and complaints

In the case of inquiries, questions and complaints related to the processing of personal data, the data subject has the right to contact CREEDIX as the controller in the following contacts:

Tähe tn 129b, 50113 Tartu

You can contact the CREEDIX data protection specialist by e-mail at

We will respond to inquiries as soon as possible, taking into account legal deadlines. We will respond to thedata subject’s   requestwithin 30 days and inform thefounder whether and what measureshave been  taken to resolve the request. If the application is complex or voluminous, the deadline for reply may be extended by 60  days. If  we do not take action at the request of  the data subject, we will inform the data subject of the reasons for not taking action and explain the possibility of submitting a complaint to the Data Protection Inspectorate or going to court to protect our rights.

The data subject has the right to lodge a complaint with the national data protection supervisory authority if you consider that the processing of personal data relating to you does not comply with the legislation. In Estonia, the state supervisory authority is the Data Protection Inspectorate (; tel. 627 4135).