Valid from 30.07.2021

This privacy policy describes the processing of personal data by KREEDIX OÜ (registration code 11043745) and companies belonging to the same group, which are REGISTER OÜ (registration code 11735006), STORYBOOK OÜ ( registry code 14636888), managed by 1CONTACT OÜ on websites: inforegister.ee; ssb.ee; 1contact.net; kreedix.ee. KREEDIX OÜ (registry code 11043745; "KREEDIX") is the responsible processor of personal data processed through the websites.

When processing personal data, KREEDIX is based on Regulation (EU) 2016/679 of the European Parliament and of the Council, the Personal Data Protection Act and other legislation regulating data protection.

We reserve the right to make changes to this Privacy Policy from time to time. We do our best to keep the privacy policy up-to-date and accessible. We recommend that you visit our website from time to time to keep up to date with the latest privacy policy. We may also notify you of changes to the privacy policy via e-mail or other contact information known to us.

1. Definitions

KREEDIX or "us" is KREEDIX OÜ (registration code 11043745) as the controller of personal data, i.e. the person who determines the purposes and means of personal data processing. Infoportaal has the website inforegister.ee and scorestorybook.ee and its subdomains. Data subject is an identifiable or identified natural person whose personal data is processed, including: a) user of the information portal; and b) a natural person whose personal data is collected from public sources. User is a data subject who uses the information portal either personally or through a legal entity (in which case personal data of a natural person may also be included in the processed data). Personal data is any information about an identifiable or identified natural person (data subject). Processing of personal data is any operation performed with personal data (e.g. collection, storage, modification, transfer, deletion, arrangement).

2. Processing of the user's personal data

2.1. Composition of personal data

In order to achieve the goals set out in the privacy policy, we process some or all of the following user personal data, while the exact composition of processed personal data differs in each case:

  • Personal identification data: first and last name; personal identification number and date of birth; username and password;
  • Contact details: e-mail address, telephone number;
  • Payment data: billing and invoice delivery method; bank account number and other details/information regarding the means of payment; payment history; information related to debts etc.;
  • Data related to occupation: occupation, identity of employer;
  • Preference-related data: direct marketing approvals and prohibitions data; information about the user's interests and the use and preferences of the services; language preference selection; other consents/prohibitions given by the user or preference selections made;
  • Customer relationship data: composition and period of ordered services; event and user log; inquiries made in the information portal; information related to customer communication;
  • personal data that became known in other ways during the use of the information portal or the fulfillment of contractual obligations.

The above personal data is collected from the data subject when creating an account in the information portal, using the services of the information portal, concluding payment agreements, applying for a demo account, subscribing to the newsletter, responding to surveys/surveys, as part of customer communication or in other ways, including at the data subject's own initiative.

We receive confirmation of the user's identity from a third party that offers the corresponding service. For example, the user can identify himself through an ID card, Mobile ID, bank link. We do not see or store the user's PIN 1 or PIN 2 codes. When authenticating via ID card and Mobile ID and signing declarations of intent or confirmations, the user is obliged to follow the security requirements and recommendations established by the respective developers and us. We recommend that you familiarize yourself with additional information on the web pages https://www.id.ee/en/mobile-id/ and https://www.id.ee/en/. We also process the user's personal data with the help of cookies used in the information portal. The principles of using cookies (including the composition of the data collected with the help of cookies) are available in the corresponding information portal: https://www.inforegister.ee/en/cookies and https://ssb.ee/en/cookies.

2.2. Legal basis and purpose of personal data processing

We process the user's personal data if there is a legal basis and as long as it is necessary to fulfill the purposes set out in the privacy policy. The user's personal data is processed in the information portal on the following legal bases and purposes.

2.2.1. Execution of the contract

We process personal identification data in order to identify the user's identity, conclude a contract with the user for the use of the information portal (for contract preparation and pre-contractual communication) and enable the user to use the information portal (including logging into the information portal). In addition, we process payment and contact data in order to enable the user to pay for the use of the information portal as part of the performance of the contract. We also process contact data in order to provide the user with important notifications regarding the service and the performance of the contract, and to manage the customer relationship.

2.2.2. Legitimate interest

We process the user's personal data based on our legitimate interest in order to realize our own business interests and, among other things, develop and expand business, improve services and their quality and ease of use, and create various statistics. The aforementioned activities may not be necessary for the performance of the contract, which is why the processing of personal data for such purposes is based on our legitimate interest. The processing of personal data on the basis of legitimate interest is balanced with the user's interests, since the processing of the user's personal data is extremely necessary to provide the best possible service, and receiving a high-quality service is also the user's expectation from us.

We perform user profiling for marketing purposes using text files or cookies installed in users' web browsers. Profiling is data processing, the purpose of which is to provide the user with industry news of interest, advertisements and other offers that could be of interest to the user. The purpose of profiling is to identify different customer types and segment the customer base to enable us to make marketing decisions and choices, such as making offers that are likely to be of interest to a specific customer type and displaying advertising and content tailored to that customer type. As a result of profiling for marketing purposes, no decisions with legal significance are made regarding the user. The user can at any time object to profiling for marketing purposes or prohibit the storage of cookies in his web browser. We may also process your personal data in the event of any contractual or other dispute between us to protect our legitimate interests.

2.2.3. User consent

We process the user's personal data on the basis of the user's consent, whereby the user is provided with information about the purposes of processing such personal data prior to giving consent. Based on the user's consent, we process personal data in order to send direct marketing messages (newsletters, etc.) to the user. The user can also voluntarily (i.e. with consent) participate in various surveys and studies. In addition, we use cookies in the information portal, of which certain cookies are used only with the user's consent.

The user has the right to withdraw consent to the processing of such personal data at any time by notifying us at the contacts provided in the privacy policy or using other technical solutions, if available, including the user having the right to opt out of direct marketing sent to the e-mail address by pressing the corresponding button in the footer of the notification. Withdrawal of consent does not affect previously performed processing operations and their legality. If the person withdraws the consent to send direct marketing, the data about the user's corresponding declaration of intent will be stored.

2.2.4. Fulfillment of legal obligations

We may process your personal data to fulfill the obligations set out in legislation, for example to ensure the protection of personal data (including responding to requests from data subjects and inquiries from competent state authorities), to store personal data for any period of time necessary to fulfill obligations arising from law (e.g. for accounting purposes) and to fulfill other obligations arising from applicable legislation.

2.3. Storage of personal data

We retain personal data only as long as it is necessary to achieve the purposes described in the privacy policy, to protect our rights or to fulfill our obligations under legislation. We limit the processing of personal data and process personal data only when necessary.

The user's personal data is stored for up to five years from the end of the customer relationship, with the exception of basic accounting documents, which are stored for seven years from the end of the financial year related to the relevant personal data, and personal data related to the contract concluded with the user (including debts), which is stored for up to 10 years from the end of the customer relationship. At the end of the aforementioned periods, the corresponding personal data will be deleted, unless the processing of personal data is necessary due to the circumstances to protect our legitimate interests, e.g. in the event of contractual or other disputes between us (including due to an ongoing dispute). We also have the right to make personal data anonymous after the aforementioned periods, i.e. to process personal data in such a way that the data can no longer be treated as personal data.

Regardless of the end of the customer relationship, with the prior consent of the user, we may process the user's personal data for direct marketing until the user has withdrawn the consent. If the person prohibits direct marketing (withdraw consent) and there is no other legal basis for processing, information about the ban is stored to the extent necessary to ensure compliance with the ban on sending direct marketing messages.

3. Processing of personal data collected from public sources

3.1. Composition of personal data

In addition to personal data received from users, we process personal data related to natural persons (data subjects) related to legal entities available from public sources. The source of such personal data is primarily the business register. The composition of the personal data of data subjects related to legal entities from public sources that we process is as follows:

  • first and last name;
  • personal identification number and date of birth;
  • role in a legal entity (e.g. board member, partner/shareholder, council member, beneficial owner, procurator, liquidator, bankruptcy trustee) and its beginning and end;
  • business and entrepreneurship bans;
  • contact details.

In turn, we combine the above personal data with data concerning legal entities related to the data subject, which are not personal data. This creates different relationships between the data subject and the companies. The information portal processes personal data of valid and invalid representatives of legal entities and related persons in accordance with the privacy policy. This means that valid and invalid connections between data subjects and legal entities are published in the information portal.

We do not collect personal data related to property belonging to the data subject. In relation to companies, we primarily collect court decisions from the register of court decisions, announcements from Official Gazettes, media articles from mainstream media publications, various data from company-related websites (home page, Facebook, etc.), procurement-related documents from the public procurement register and job offers from the Unemployment Fund page, but we do not carry out inquiries based on the data subject or with the aim of publishing the personal data of the data subject. , which is not related to business. We cannot rule out that the data available from the cited sources contain personal data. At the same time, these personal data are not associated with the non-business activities of the data subject, and the connections are primarily manifested through a company related to the data subject.

We compile different scores for companies (reputation and credit score), which are derived by combining business data using different technologies. We do not compile any scores for the data subject, but only for companies related to the data subject. We can also publish the score with the data subject, but we make sure that the score is accompanied by a corresponding note that the score applies to related companies. We thereby ensure that the public does not attribute company scores to data subjects.

Users of the information portal can access personal data of data subjects collected from public sources. The composition of the personal data disclosed to users depends on the level of access (unregistered user, registered user, registered contractual customer user), while the user can make personal data collected about him from public sources available to all users of the information portal to a certain extent in the information portal.

3.2. Legal basis and purpose of using personal data

The processing of personal data available from public sources is necessary for the provision of the information portal service based on the protection of our and third parties' legitimate interests. Regarding the legitimate interest of us and third parties, we have prepared a comprehensive analysis, which the data subject must contact us using the contact details provided in the privacy policy.

3.3. Storage of personal data

We delete personal data collected from public sources after 5 years from the end of the data subject's last valid connection with the legal entity. This retention period ensures the integrity of the information published in the information portal and the usefulness of the service for users. When preparing the retention principles, we have taken into account that the deadline for submitting claims against a member of the management body is at least 5 years, but in certain cases (in case of intentional violation) 10 years. Thus, the 5-year erasure deadline balances the maximum expiration date of the claim (10 years) resulting from the law and jurisprudence and the interests of the data subject. When storing personal data, we also base it on the fact that as long as the person is active in business and filing claims against him is only possible in the event of a willful violation (i.e. after 5 years of business-related activity), third parties have a legitimate interest in accessing the data subject's data.

In addition, at the request of the data subject, personal data that have proven to be incorrect or that, in the opinion of the data controller, are not related to business or are unduly damaging to the data subject will be deleted. We will immediately delete any data that has turned out to be incorrect or not related to the business, if this becomes known to us.

3.4. Notification

We do not inform the data subject if we process personal data about the data subject available from public sources, as we do not search for personal (non-business) contact data of the data subject from public sources, and finding out the data subjects' contact data would require us to make impossible or disproportionate efforts. In addition, we want to limit the processing of personal data as much as possible, and processing the data subject's personal contact data only for the purpose of informing the data subject is not justified.

4. Data receivers

We have the right to publish and transmit the personal data of data subjects (users and data subjects whose personal data have been collected from public sources), in particular:

  • to companies belonging to the KREEDIX group, based on our legitimate interest in offering high-quality and comprehensive service and various benefits;
  • to legal advisors, auditors, etc. to third parties to protect their rights;
  • to the non-payment register, etc. to third parties to collect debts, i.e. to protect one's interests;
  • to third parties to whom the data subject has given consent for the transfer of personal data (e.g. as part of the transfer of personal data);
  • in cases provided by law, to the competent state body;
  • to our cooperation partners, including developers and server and cloud service providers, payment solution providers, digital marketing service providers (social media and advertising partners and analysts).

The receivers of personal data are located in Estonia, the European Union or the Economic Area of ​​the European Union. In the event that we should transfer personal data to recipients who are not located in the aforementioned regions, we will take all necessary measures to ensure the security of personal data processing and compliance with legislation, including by concluding appropriate agreements with the recipient.

5. Rights of data subjects

According to the current legislation, the data subject (user and data subject whose personal data has been collected from public sources) has the right to:

  • request information about the personal data collected about him;
  • request deletion of your personal data;
  • request correction of your personal data;
  • request the restriction of the processing of your personal data;
  • object to the processing of your personal data;
  • to the transfer of personal data, i.e. to receive one's personal data in a structured, commonly used format and in a machine-readable form and transfer this data to another data controller.

If we process personal data on the basis of consent, the data subject may withdraw consent at any time, in which case the processing of personal data will cease. This does not affect any processing operations previously performed. When submitting requests, the user must take into account that when deleting or restricting the processing of such personal data, which are necessary to fulfill the contract, the services may not be partially or fully available to the user. An additional function has been created for users to supplement, change and delete certain personal data in the information portal. Such an option ensures increased protection of the interests of data subjects (especially those whose personal data have been collected from public sources).

6. Safeguards

We process personal data only if there is a legal basis and for legitimate purposes. To ensure the security of personal data, we use measures and store personal data in such a way that the security and confidentiality of personal data is guaranteed. Internal information security and data protection is achieved, for example, by implementing preventive risk assessment practices in the development of products and services, as well as by training employees in issues related to information security and data protection. We adopt the necessary organizational, physical and IT security measures to ensure the security of personal data.

According to the employment contracts concluded with them and the current legislation, our employees are obliged to keep confidential the personal data entrusted to them in the course of their work tasks, while the obligation of confidentiality for employees and former employees is indefinite.

If we transfer personal data to authorized processors acting on our behalf, we make sure of the reliability of these persons and enter into appropriate agreements and data processing contracts with them.

If a violation related to personal data occurs and it represents a likely threat to the rights and freedoms of the data subject, we will notify the Data Protection Inspectorate of such a violation. Additionally, we will take measures to stop the breach as soon as possible.

7. Inquiries and complaints

In case of inquiries, questions and complaints related to the processing of personal data, the data subject has the right to contact KREEDIX as the controller at the following contacts:

KREEDIX OÜ Tähe tn 129b, 50113 Tartu (+372)7446644 info@kreedix.ee

The KREEDIX data protection specialist can be contacted by e-mail at andmekaitse@ir.ee.

We respond to inquiries as quickly as possible, taking into account the legal deadlines. We respond to the data subject's request within 30 days and inform the user whether and what measures have been taken to resolve the request. If the request is complex or voluminous, the response deadline can be extended by 60 days. If we do not take measures in accordance with the data subject's request, we inform the data subject of the reasons for not taking measures and explain the possibility of filing a complaint with the Data Protection Inspectorate or going to court to protect your rights.

The data subject has the right to file a complaint with the national data protection supervisor if you find that the processing of your personal data does not comply with the legislation. In Estonia, the national supervisor is the Data Protection Inspectorate (info@aki.ee; tel. 627 4135).