This Privacy Policy ("Policy") describes how ITTO OÜ, operating as Brecho.me, collects, uses, stores, and protects your personal data, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 - GDPR).
Controller: ITTO OÜ, operating as Brecho.me
DPO Email: [email protected]
2.1. Data Provided by You:
- Identification data: full name, date of birth, nationality;
- Contact data: email, phone, address;
- Financial data: bank account (IBAN), card data (processed by AS LHV Pank / Every Pay, PCI-DSS certified, within the EU);
- Profile data: photo, store name, description;
- Content: product photos, listing descriptions.
2.2. Data Collected Automatically:
- IP address, device type, operating system, browser;
- Navigation data: pages visited, time spent, clicks;
- Geolocation (when authorized);
- Cookies and tracking identifiers.
2.3. Identity, Beneficial-Owner & Screening Data:
- Identity-verification data and documents (legal name, date of birth, address, registry/tax ID);
- For legal-entity sellers, ultimate beneficial-owner details;
- Identity-verification and screening results (from AS LHV Pank, Stripe, and the Platform's verification providers);
- Sanctions, politically-exposed-person (PEP), adverse-media, and anti-money-laundering screening results;
- Fraud and counterfeit prevention bureau information (when applicable).
We use your data to:
a) Create and manage your seller account;
b) Process transactions and payments via our payment processors (AS LHV Pank / Every Pay for card payments, Stripe for other methods);
c) Communicate about sales, deliveries, and disputes;
d) Verify your identity and beneficial owners, and screen you against sanctions, PEP, and anti-money-laundering (AML/CTF) requirements, as required by our payment institution and applicable law;
e) Prevent fraud, counterfeit goods, and illegal activities;
f) Comply with legal and regulatory obligations;
g) Improve our services and user experience;
h) Send marketing communications (with your consent).
- Registration and transactions: Performance of a contract (Art. 6(1)(b))
- Identity verification: Performance of a contract (Art. 6(1)(b))
- Sanctions, PEP, and AML/CTF screening and beneficial-owner identification: Legal obligation (Art. 6(1)(c)), under the Estonian Money Laundering and Terrorist Financing Prevention Act (MLTFPA / RahaPTS) and our payment institution's requirements
- Fraud and counterfeit-goods prevention: Legitimate interest (Art. 6(1)(f))
- Transactional communications: Performance of a contract (Art. 6(1)(b))
- Tax compliance: Legal obligation (Art. 6(1)(c))
- Marketing: Consent (Art. 6(1)(a))
- Service improvement: Legitimate interest (Art. 6(1)(f))
We share your data with:
5.1. Payment Processors:
- AS LHV Pank (Estonia, EU), operating the Every Pay gateway: card payment data for processing card payments, and seller identity, beneficial-owner, and screening data for the identity, sanctions, and AML checks this institution requires of platforms. Card data is handled by this PCI-DSS-certified institution within the EU and is never stored by Brecho.me.
- Stripe, Inc. (USA): banking/payout data for other payment methods.
- Legal basis: Performance of a contract + Standard Contractual Clauses (SCCs) for any international transfer.
5.2. Buyers:
- Name and address for product delivery.
- Legal basis: Performance of a contract.
5.3. Carriers:
- Name, address, phone for delivery logistics.
- Legal basis: Performance of a contract.
5.4. Authorities:
- When required by law, court order, or regulatory directive.
- Legal basis: Legal obligation.
5.5. We do NOT sell your personal data to third parties.
Your data may be transferred to Stripe servers located in the United States. This transfer is protected by:
a) Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914);
b) Additional technical and organisational safeguards in accordance with GDPR Chapter V;
c) Stripe security certifications (PCI-DSS, SOC 2).
- Registration data: Duration of account
- Transaction records: 7 years (accounting and tax obligation under Estonian law)
- Identity, beneficial-owner, and AML/sanctions screening records: 5 years after the end of the business relationship (Estonian Money Laundering and Terrorist Financing Prevention Act)
- Access logs: 6 months
- Marketing data: Until consent withdrawal
- After account deletion: Data necessary for legal obligations retained in accordance with applicable law
You have the right to:
a) Access your personal data (Art. 15);
b) Rectify inaccurate or incomplete data (Art. 16);
c) Request erasure of your data ("right to be forgotten") (Art. 17);
d) Restrict the processing of your data (Art. 18);
e) Request data portability in a structured, commonly used, machine-readable format (Art. 20);
f) Object to processing based on legitimate interests (Art. 21);
g) Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Art. 7(3));
h) Not be subject to automated individual decision-making, including profiling (Art. 22).
To exercise your rights, send an email to: [email protected]
Response time: up to 30 calendar days (extendable by a further 60 days for complex requests, as permitted under GDPR Art. 12(3)).
We adopt the following security measures in accordance with GDPR Art. 32:
a) Data encryption in transit (TLS/SSL);
b) Encryption of sensitive data at rest;
c) Role-based access controls;
d) Suspicious activity monitoring;
e) Regular encrypted backups;
f) Incident response procedures, including notification to the Estonian Data Protection Inspectorate within 72 hours of a personal data breach (GDPR Art. 33);
g) Card payment data is never stored on Brecho.me systems; it is captured and processed directly by our PCI-DSS-certified payment institution (AS LHV Pank / Every Pay) using Strong Customer Authentication (3-D Secure 2).
10.1. Cookie Types:
- Essential: Required for platform operation;
- Analytics: Usage statistics (anonymized);
- Advertising: Disabled by default.
10.2. Management:
You can manage your cookie preferences at any time. In accordance with the ePrivacy Directive (2002/58/EC), non-essential cookies require your prior consent. Some features may become unavailable if cookies are disabled.
The Platform is not intended for minors under 18 years of age. We do not intentionally collect data from minors. In accordance with GDPR Art. 8, where consent is the legal basis for processing, children under 16 (or a lower age as specified by member state law, but not below 13) require parental consent. If we identify data from minors collected without proper consent, we will proceed with immediate deletion.
This Policy may be updated periodically. Material changes will be communicated by email or platform notification, with 30 days advance notice.
For questions, requests, or complaints:
- Email: [email protected]
- Response time: 30 calendar days
You may also file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
- Website: www.aki.ee
If you are resident in another EU/EEA member state, you have the right to lodge a complaint with the supervisory authority in your country of residence.