This Privacy Policy ("Policy") describes how ITTO OÜ, operating as Brecho.me, collects, uses, stores, and protects your personal data, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 - GDPR).
Controller: ITTO OÜ, operating as Brecho.me
DPO Email: [email protected]
2.1. Data Provided by You:
- Identification data: full name, date of birth, nationality;
- Contact data: email, phone, address;
- Financial data: bank account (IBAN), card data (processed by Stripe);
- Profile data: photo, store name, description;
- Content: product photos, listing descriptions.
2.2. Data Collected Automatically:
- IP address, device type, operating system, browser;
- Navigation data: pages visited, time spent, clicks;
- Geolocation (when authorized);
- Cookies and tracking identifiers.
2.3. Data from Third Parties:
- Identity verification results (Stripe);
- Fraud prevention bureau information (when applicable).
We use your data to:
a) Create and manage your seller account;
b) Process transactions and payments via Stripe;
c) Communicate about sales, deliveries, and disputes;
d) Prevent fraud and illegal activities;
e) Comply with legal and regulatory obligations;
f) Improve our services and user experience;
g) Send marketing communications (with your consent).
- Registration and transactions: Performance of a contract (Art. 6(1)(b))
- Identity verification: Performance of a contract (Art. 6(1)(b))
- Fraud prevention: Legitimate interest (Art. 6(1)(f))
- Transactional communications: Performance of a contract (Art. 6(1)(b))
- Tax compliance: Legal obligation (Art. 6(1)(c))
- Marketing: Consent (Art. 6(1)(a))
- Service improvement: Legitimate interest (Art. 6(1)(f))
We share your data with:
5.1. Payment Processors:
- Stripe, Inc. (USA): Banking data for payment processing.
- Legal basis: Performance of a contract + Standard Contractual Clauses (SCCs) for international transfer.
5.2. Buyers:
- Name and address for product delivery.
- Legal basis: Performance of a contract.
5.3. Carriers:
- Name, address, phone for delivery logistics.
- Legal basis: Performance of a contract.
5.4. Authorities:
- When required by law, court order, or regulatory directive.
- Legal basis: Legal obligation.
5.5. We do NOT sell your personal data to third parties.
Your data may be transferred to Stripe servers located in the United States. This transfer is protected by:
a) Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914);
b) Additional technical and organisational safeguards in accordance with GDPR Chapter V;
c) Stripe security certifications (PCI-DSS, SOC 2).
- Registration data: Duration of account
- Transaction records: 7 years (accounting and tax obligation under Estonian law)
- Access logs: 6 months
- Marketing data: Until consent withdrawal
- After account deletion: Data necessary for legal obligations retained in accordance with applicable law
You have the right to:
a) Access your personal data (Art. 15);
b) Rectify inaccurate or incomplete data (Art. 16);
c) Request erasure of your data ("right to be forgotten") (Art. 17);
d) Restrict the processing of your data (Art. 18);
e) Request data portability in a structured, commonly used, machine-readable format (Art. 20);
f) Object to processing based on legitimate interests (Art. 21);
g) Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Art. 7(3));
h) Not be subject to automated individual decision-making, including profiling (Art. 22).
To exercise your rights, send an email to: [email protected]
Response time: up to 30 calendar days (extendable by a further 60 days for complex requests, as permitted under GDPR Art. 12(3)).
We adopt the following security measures in accordance with GDPR Art. 32:
a) Data encryption in transit (TLS/SSL);
b) Encryption of sensitive data at rest;
c) Role-based access controls;
d) Suspicious activity monitoring;
e) Regular encrypted backups;
f) Incident response procedures, including notification to the Estonian Data Protection Inspectorate within 72 hours of a personal data breach (GDPR Art. 33).
10.1. Cookie Types:
- Essential: Required for platform operation;
- Analytics: Usage statistics (anonymized);
- Advertising: Disabled by default.
10.2. Management:
You can manage your cookie preferences at any time. In accordance with the ePrivacy Directive (2002/58/EC), non-essential cookies require your prior consent. Some features may become unavailable if cookies are disabled.
The Platform is not intended for minors under 18 years of age. We do not intentionally collect data from minors. In accordance with GDPR Art. 8, where consent is the legal basis for processing, children under 16 (or a lower age as specified by member state law, but not below 13) require parental consent. If we identify data from minors collected without proper consent, we will proceed with immediate deletion.
This Policy may be updated periodically. Material changes will be communicated by email or platform notification, with 30 days' advance notice.
For questions, requests, or complaints:
- Email: [email protected]
- Response time: 30 calendar days
You may also file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
- Website: www.aki.ee
If you are resident in another EU/EEA member state, you have the right to lodge a complaint with the supervisory authority in your country of residence.