Privacy policy

What we collect, why, how long we keep it and what rights you have.

1. Controller and scope

This privacy policy describes how Kreative Digital OÜ (Estonian business register code 14201185, registered at Rüütli 38, 3rd floor, Pärnu, 80011, Estonia), hereafter Pigmenta, collects, processes and stores personal data of visitors and customers of pigmenta.ee.

The data controller is Kreative Digital OÜ. For data-protection questions, contact info@pigmenta.ee.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act and the principle of data minimisation — we only collect what we genuinely need.

2. What we collect

When you join the waitlist we only collect your email and, optionally, your first name. You can leave the waitlist at any time via the link in any of our emails.

  • Identification data: first and last name (where needed)
  • Contact data: email address, phone number
  • Delivery data: the parcel locker you choose (Omniva, Smartpost, DPD)
  • Order content: uploaded photo files, chosen sizes, quantities, finish and border style
  • Payment metadata: order total, payment status, payment method. Card details and bank-transfer details are not stored by Pigmenta — they are handled by Maksekeskus AS
  • Business customer data: company name, business register code, VAT number where applicable (for B2B invoices)
  • Technical data: IP address, browser type, device type, time zone, referrer — needed for security and service operation
  • Order-tracking data: status updates returned from Maksekeskus and the courier (payment received, parcel in transit, ready for pickup, etc.)

3. Legal bases for processing

We process personal data on the various bases set out in GDPR Article 6 (1):

  • Performance of a contract (Art. 6 (1) (b)): placing the order, delivery, customer service, accounting
  • Legal obligation (Art. 6 (1) (c)): retention of orders under accounting law, VAT reporting
  • Legitimate interest (Art. 6 (1) (f)): service security, fraud prevention, anonymous analytics, analysing usage patterns to improve the service
  • Consent (Art. 6 (1) (a)): setting analytics and marketing cookies, direct-marketing emails, waitlist sign-up

4. Uploaded photo files

Your uploaded photo files are at the heart of the service — we use them only to fulfil your order (printing and packing). Files are stored on Hetzner Object Storage, an S3-compatible server based in Helsinki (Finland, EU); uploads happen over an encrypted HTTPS connection.

Pigmenta does not use your uploads for any other purpose — we do not publish them, share them for advertising, use them to train AI models, show them to other customers or use them in marketing.

Retention: uploaded files are deleted no later than 14 days after the order has been dispatched. Order metadata (quantities, sizes, totals) is kept for 7 years under accounting law.

If we have reason to suspect copyright infringement or illegal content (e.g. violence, child sexual abuse material), we may retain the files for longer and notify the competent authorities under applicable law.

5. Sharing with third parties (processors)

We do not sell, rent or otherwise broker personal data to third parties for marketing or any other purpose. We do not share data with any data brokers or ad networks.

  • Hetzner Online GmbH (Germany / Finland) — server hosting, photo-file storage (Hetzner Object Storage, hel1)
  • Maksekeskus AS (Estonia) — card payments, bank links; acts as an independent controller under its own privacy policy
  • Omniva, Itella (Smartpost), DPD Estonia — parcel-locker delivery; receive the data needed for the order (recipient name, phone, locker)
  • Twilio Inc. (US, with EU subsidiary in Ireland) — SendGrid email service for order confirmations and transactional notifications; SendGrid Marketing Contacts for managing waitlist sign-ups
  • Twilio Inc. — phone IVR and customer service (if you call our number)
  • Google Ireland Limited — Google Tag Manager and Google Analytics 4 anonymous analytics (consent-based only; see cookies policy)
  • Google Ireland Limited (planned) — Google Ads conversion measurement (consent-based only)
  • Meta Platforms Ireland Limited (planned) — Meta Pixel measurement of user activity for advertising (consent-based only)

6. Retention periods

  • Uploaded photo files: up to 14 days after dispatch
  • Order data (invoices, accounting): 7 years (Estonian Accounting Act § 12)
  • Customer-service conversations (email, call recordings): 2 years
  • Waitlist email addresses: until launch + 6 months, or until you unsubscribe
  • Direct-marketing consent: until withdrawn
  • Web and server logs (IP, requests): 90 days (for security and fraud prevention)
  • Cookies: depends on the cookie type; see the cookies policy

7. Your rights as a data subject

On the order-tracking page (/track) you can download your order data in JSON format and start a deletion request. For other questions, contact info@pigmenta.ee — we respond within 30 days.

If you feel we have processed your data incorrectly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or another competent supervisory authority.

  • Right of access — you can ask for a copy of the data we hold about you
  • Right to rectification — if data is inaccurate or out of date, you can demand correction
  • Right to erasure ("right to be forgotten") — you can request deletion, except where the law requires retention (e.g. the 7-year accounting period)
  • Right to restriction of processing — you can demand a temporary pause
  • Right to data portability — you can receive your data in a structured, machine-readable format (e.g. JSON) for transfer to another service
  • Right to object — you can refuse processing based on legitimate interest (e.g. profiling)
  • Right to withdraw consent — where processing is based on consent, you can withdraw at any time

8. Data security

We apply organisational and technical security measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These include:

  • all traffic between pigmenta.ee and the underlying services is TLS 1.2+ encrypted
  • photo files move directly from your browser to Hetzner Object Storage over an encrypted channel (S3 signed PUT)
  • the database lives on a protected Hetzner server and is only reachable on the internal network
  • Pigmenta employees have access strictly on a need-to-know basis
  • all third parties (Hetzner, Maksekeskus, Twilio, Google) hold their own security and compliance certifications (ISO 27001, SOC 2, GDPR compliance)
  • order data is backed up daily; backups are retained for at most 30 days

9. Changes to this privacy policy

Pigmenta may amend this privacy policy from time to time — for instance when a new processor is added, when the law changes or when the service evolves. We notify customers of significant changes by email at least 14 days before they take effect.

The date of the most recent update is shown at the bottom of this page.