Online shop for charity products


Principles for processing customer data

This document defines the processing of customer data at the disposal of Step One, its purposes, composition and confidentiality.

Who is the customer?

A person who has entered into a contractual relationship with Step One.

What is customer data?

Customer data is any information known to Step One about the customer (e.g. customer name, ID, contact details, transaction details).

What is customer data processing?

Processing of customer data is any operation on customer data (including collection, storage, organisation, retention, modification, disclosure, access, consultation, retrieval, use, transmission, cross-use, interconnection, blocking, erasure and destruction of customer data).

Who is the data controller?

The data controller is MTÜ Step One (reg. code 80607182, e-mail:

The data processors are:

Postal service providers, in order to deliver the ordered goods to the customer;

Advertising service providers, including social media service providers, to whom we only transfer the data necessary to inform the customer about new products and promotions and to analyse customer behaviour in the e-shop;

Companies providing IT support to ensure the functioning and development of the e-shop and other IT solutions used by Step One NGO.

Composition of customer data to be processed:

MTÜ Step One may collect the following data:

first name and surname/company name;

personal/registration number;

place of residence/residence;

current account;

contact details;

Transaction details (details of purchases made by the customer);

data on habits, preferences and satisfaction (e.g. activity, services used, customer satisfaction and complaints);

all customer data not previously mentioned, which the customer has transmitted to Step One by means of communication (e.g. telephone and computer network) on his/her own initiative, including the right of Step One to record all orders given by the customer by means of communication.

On the basis of the law, the NGO Step One is entitled to process customer data not mentioned in this document.

What is the purpose and legal basis for processing customer data?

Step One processes customer data in order to:

Fulfil the contract with the customer, based on:

- the performance of a contract or the implementation of pre-contractual measures at the request of the customer;

- the performance of a legal obligation;

- the legitimate interest of the NGO Step One.

Provide additional services, carry out customer satisfaction surveys, market analyses and make statistics based on:

- the customer's consent;

- Step One's legitimate interest in improving Step One's services and products;

- improve the customer experience and develop new products and services.

Defend your infringed or contested rights (e.g. by submitting data to a court), based on:

- the customer's consent;

- the performance of a contract or the implementation of pre-contractual measures at the request of the customer;

- the performance of a legal obligation;

- MTÜ Step One's legitimate interest in preventing, restricting and investigating misuse or unlawful use of MTÜ Step One's services and products.

Comply with legal obligations (e.g. transferring data to the investigating authority) based on:

- the performance of a contract or the implementation of pre-contractual measures at the request of the customer;

- the performance of a legal obligation;

- Step One's legitimate interest in sound risk management and corporate governance.

In which cases does MTÜ Step One disclose customer data?

Customer data is confidential and will not be disclosed or accessed by third parties without the prior consent of the customer, except as required by law.

Step One has signed agreements with mailing companies and telephone survey service providers on the confidential use of the information provided.

Who is a third party?

A third party is a natural or legal person who is neither a customer nor a processor of customer data.

Where is customer data processed?

In general, customer data is processed within the European Union and the European Economic Area (EU/EEA), but in some cases it is transferred to and processed in countries outside the EU/EEA.

The transfer and processing of customer data outside the EU/EEA may take place provided that there is a legal basis, such as the fulfilment of a legal obligation or the customer's consent, and appropriate safeguards are in place.

The appropriate safeguard is:

a valid contract containing the standard terms and conditions of a contract developed by the EU;

there is an adequate level of data protection in the country outside the EU/EEA where the recipient is located, in accordance with the European Commission Decision;

the recipient is certified under the Privacy Shield data protection framework (applicable to recipients located in the United States).

Upon request, the customer will receive further information on the transfer of customer data to countries outside the EU/EEA.

How does Step One use customer data to provide services?

MTÜ Step One sends customers its own offers. Offers made by partners carefully selected by MTÜ Step One are also forwarded to customers. A partner will not receive customer data for its own use unless the customer has expressed a specific interest in the goods or services of the partner.

How does the NGO Step One use profiling to make personalised offers?

Profiling is the automatic processing of customer data used to assess certain personal characteristics of a customer. For example, to analyse or predict a person's economic situation, personal preferences, interests, place of residence. Profile analysis is used for marketing purposes based on the legitimate interest of the NGO Step One, the performance of a contract or the customer's consent.

Step One NGO may process customer data to improve the user experience of digital services, such as adapting the views of services to the device used and creating personalised offers for the customer (unless the customer has opted out of direct marketing). Such marketing may be based on what services the customer uses, how the customer uses them, and how the customer navigates the Step One NGO applications.

Based on the legitimate interest of the NGO Step One, the NGO Step One ensures the use of a convenient e-commerce environment for private customers by making and marketing personalised offers based on profile analysis.

What are the customer's rights?

The customer has the following rights in relation to the processing of customer data:

- request the correction of their customer data if it is insufficient, incomplete or incorrect;

- object to the processing of their customer data where the use of the customer data is based on a legitimate interest, including profiling for direct marketing purposes (e.g. receiving marketing offers or participating in surveys);

- request the deletion of their personal data, for example, if it is processed with their consent and they have withdrawn that consent. Such a right does not apply if the customer data that is requested to be deleted is also processed for other legal reasons, such as the performance of a contract;

- restrict the processing of their customer data on the basis of applicable law, for example, at a time when Step One is assessing whether the customer has the right to have his or her data deleted;

- be informed whether Step One processes their customer data and, if so, have access to the aforementioned data;

- receive customer data provided by the customer and processed on the basis of the customer's consent or for the performance of a contract, in written form or in a commonly used electronic format, and, where technically feasible, transfer this data to another service provider (data portability);

- withdraw their consent to the processing of customer data;

- file complaints about the use of customer data with the Estonian Data Protection Inspectorate (website: if the customer considers that the processing of his/her customer data infringes his/her rights and interests under the applicable law.

How can I change my customer data and request to stop processing it?

The customer has the right to access his/her customer data via e-mail If the customer data has changed or is incorrect for any other reason, the customer must notify us by e-mail to

The customer has the right to request the cessation of the processing of his/her data and/or the deletion of the data collected, if the right to do so arises from the Personal Data Protection Act or other legislation.

How long will customer data be kept?

Customer data will not be processed for longer than necessary. The retention period may be based on contracts with the customer, the legitimate interest of Step One NGO or applicable law (e.g., laws relating to accounting or statute of limitations, other private law).

Where can I get more information about the processing of customer data?

If you would like a more detailed explanation of how we process your customer data, please email 

Last modified 19/07/2022
