Privaatsuspoliitika

Effective date: November 15, 2025
Applies to: kristoolli.com, kristoolli.systeme.io, and related digital products operated by Kristo Olli (Olliptimus OÜ)

Data Controller: Olliptimus OÜ (Reg. no. 14589924, Address: Sõõru 30, Tallinn, Estonia)
Email: hey@kristoolli.com
Websites: kristoolli.com & kristoolli.systeme.io

1. General Provisions

1.1. This Privacy Policy governs the principles of collecting, processing, and storing personal data on the website kristoolli.com and all related online services and stores (“the Website”).

1.2. The data controller is Olliptimus OÜ, Tallinn, Estonia (email: hey@kristoolli.com).

1.3. The data subject (also “you”) is any customer or individual whose personal data is processed by the data controller.

1.4. By using this Website or providing personal information, the data subject grants the controller the right to collect, organize, store, use, and manage personal data in accordance with this Privacy Policy and applicable law.

1.5. The controller ensures that all personal data is processed lawfully, fairly, and securely and is capable of demonstrating compliance with the General Data Protection Regulation (EU 2016/679) and the Estonian Personal Data Protection Act.

2. What Data We Collect

2.1. Personal data is collected electronically through the Website, forms, email communication, and online payment systems.

2.2. The types of personal data processed may include:

• First and last name

• Email address

• Billing address (if applicable)

• Payment method and transaction details (processed securely by third parties)

• Company name (if applicable)

• Device and browser data (collected automatically via Websites' analytics tools)

2.3. We may also process data available from public sources or registries where relevant to legitimate business purposes (e.g., invoicing).

2.4. You are responsible for ensuring the accuracy and completeness of the information provided. Knowingly providing false or misleading data is considered a violation of this Privacy Policy.

3. Purposes and Legal Bases for Processing

3.1 We process personal data for the following purposes, based on the corresponding legal grounds under Article 6(1) of the GDPR:

We process your personal data for the following purposes:

– To process your orders and deliver digital products (legal basis: contract performance; retention: 7 years).
– To operate and improve the website (legal basis: legitimate interest; retention: as necessary).
– To provide customer support (legal basis: legitimate interest; retention: 3 years).
– To meet financial and legal obligations (legal basis: legal requirement; retention: 7 years).
– To send newsletters and marketing emails, if you’ve opted in (legal basis: consent; retention: until withdrawal).
– To ensure site security and prevent fraud (legal basis: legitimate interest; retention: as required by law).

3.2. We do not process or store unnecessary data beyond what is required for the above purposes.

3.3. Data may be processed automatically (e.g., for analytics) but never for profiling or automated decision-making that affects your rights.

4. Data Sharing and Processors

4.1. To operate our Websites and deliver our digital products effectively, we may share your personal data with carefully selected third-party service providers (“data processors”) who help us perform specific business functions. These providers process your data only under our instructions, in compliance with GDPR, and solely for the purposes stated in this Privacy Policy.

We may share limited personal data with:

• Framer – for hosting and analytics of our website (anonymous usage data only, no personal data collected).

• Systeme.io – to manage online courses, email communication, and product access.

• Stripe – to securely process online payments. We do not have access to your full card details.

• Google Workspace – for business email communication and document management.

• Accounting and tax partners – to comply with legal and financial reporting obligations.

4.2. These third parties process data only on our behalf, under legally binding data processing agreements, and are compliant with GDPR.

4.3. We do not sell, lease, or disclose your personal data to unauthorized third parties.

5. Data Retention and Deletion

Personal data is retained only as long as necessary for the stated purposes or as required by law.

• Purchase and billing data: 7 years (as required by Estonian Accounting Act)

• Email and marketing data: until consent is withdrawn

• Analytics and cookies: as defined in cookie policies

Once the retention period expires, data is securely deleted or anonymized.

6. Security Measures

We apply organizational, physical, and technical security measures to protect personal data from accidental or unlawful destruction, alteration, unauthorized access, or disclosure.

This includes:

• HTTPS encryption

• Password-protected systems and limited access

• Secure storage on GDPR-compliant servers within the EU

• Partner contracts ensuring equivalent protection

7. Data Subject Rights

As a data subject, you have the following rights under the GDPR:

• Right of access: request information about your personal data.

• Right to rectification: correct inaccurate data.

• Right to erasure: request deletion of your data (“right to be forgotten”).

• Right to restriction: limit how your data is processed.

• Right to data portability: receive your data in a machine-readable format.

• Right to object: object to direct marketing or processing based on legitimate interests.

• Right to withdraw consent: withdraw any consent-based processing at any time.

To exercise your rights, contact hey@kristoolli.com.
Requests are processed within 30 days as required by GDPR.

If you believe your rights have been violated, you may file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
Website: https://www.aki.ee/en

8. Cookies and Analytics

We use only essential cookies necessary for the Websites to function properly and Framer’s built-in analytics to understand general performance (e.g. page visits, device types).

• These analytics are anonymous and aggregated.

• They do not identify you personally or track your browsing across other websites.

• No third-party tracking pixels, ads, or remarketing cookies are used.

If we ever introduce marketing or tracking cookies in the future, we’ll update this policy and request your consent through a cookie banner.

9. Marketing Communication

If you voluntarily subscribe to email updates, we may use your name and email address to send newsletters, resources, and product updates.

You can unsubscribe at any time by clicking “Unsubscribe” in any email or contacting hey@kristoolli.com.

10. International Data Transfers

If data is transferred outside the European Economic Area (EEA) (e.g., when using tools like Stripe or Google), it is protected through Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.

11. Amendments

We reserve the right to modify this Privacy Policy at any time to reflect updates in the law, business practices, or technical changes.

Updated versions will be posted on this page with a new “Effective Date.”

12. Governing Law

This Privacy Policy is governed by the laws of the Republic of Estonia and applicable European Union legislation.

13. Contact

If you have any questions, concerns, or requests related to personal data, please contact:
📧 hey@kristoolli.com
📍 Tallinn, Estonia