Privacy Policy
Sviby* (hereinafter also referred to as "Sviby OÜ") is committed to protecting the privacy of its Clients. Therefore, these privacy terms have been prepared, which address the collection, use, disclosure, transmission, and storage of Client data.
*All terms used in the Privacy Policy are defined in the www.sviby.com Terms of Use.
- General Provisions
- The Privacy Policy regulates the principles of processing personal data. The responsible data controller for personal data is the Organizer, as the collection of personal data in ticket sales is related to the Organizer's wishes and instructions, not those of Sviby OÜ. Sviby OÜ collects, processes, and stores personal data (first and last name, phone number, email address, bank account number, payment card details) as an authorized processor when providing the service requested by the Organizer, i.e., for the Event. Sviby OÜ itself collects, processes, and stores personal data (first and last name, phone number, email address, bank account number, payment card details) as the responsible controller only in cases related to creating a user account on www.sviby.com, developing and using the website, mobile application, and platform software, selling gift tickets on www.sviby.com, and in connection with prize draws (hereinafter referred to as the responsible and authorized processor "Data Processor" regarding the processing of data provided when purchasing tickets for the Event) i.e., in cases where data processing is not for the Event but for the operation of the mobile application and website, service development, communication with registered users. For unregistered users, Sviby processes only payment-related data and email addresses because otherwise it is not possible to purchase Event tickets through Sviby. Anonymous data regarding purchased tickets is provided to the Organizer, both for registered and unregistered buyers.
- In the context of the Privacy Policy, a data subject is a client or other natural person whose personal data the Data Processor processes.
- A data subject, in the context of the Privacy Policy, is anyone who purchases products or services from the Data Processor's website www.sviby.com or mobile application.
- The Data Processor follows the principles of data processing established in the legislation, including processing personal data lawfully, fairly, and securely. The Data Processor can confirm that personal data has been processed in accordance with the legislation.
- Collection, Processing, and Storage of Personal Data
- The personal data collected, processed, and stored by the Data Processor are collected from the website www.sviby.com and the mobile application.
- The Data Processor collects, organizes, uses, and manages the personal data of the Data Subject that the Data Subject provides directly or indirectly to the Data Processor when purchasing goods or services on the website or mobile application for the purposes of processing defined in the privacy terms (clause 3.3) and processing bases (clause 3.2).
- Processing of Client Personal Data
- The Data Processor processes the following Data Subject data when purchasing a Ticket: first and last name, phone number, email address, bank account number, payment card details. If the Data Subject does not provide this data, it is not possible to purchase Tickets from the Organizer via the www.sviby.com website or mobile application.
- The Data Processor processes personal data based on consent, for the performance and ensuring the
performance of the contract, for legal obligations, or legitimate interests.
- Based on consent, the Data Processor processes personal data only to the extent and for the purposes for which the Data Subject has given consent. Consent can be withdrawn at any time by sending a corresponding email to Sviby customer support at help@sviby.com.
- For the performance and ensuring the performance of the contract, the Data Processor processes personal data necessary for fulfilling the agreed rights and obligations between the Data Processor and the Data Subject (including the personal data mentioned in clause 3.1 for the provision of the main service of Sviby and for fulfilling the obligations arising from the terms of use).
- For legal obligations, the Data Processor processes personal data if the Data Processor has a legal obligation arising from the law or other legal acts (including name and payment data for fulfilling requirements arising from the Accounting Act).
- Based on legitimate interests, the Data Processor processes personal data necessary for business purposes, including improving service quality and promoting business activities, taking into account the basic rights and freedoms of the Data Subject (including informative notifications from Sviby about updates, maintenance work, gift ticket offers, ongoing draws). The analysis of legitimate interests can be reviewed by sending a corresponding request to help@sviby.com.
- The purpose of processing personal data is:
- ensuring the operation of Sviby services;
- customer management, including selling Event tickets to the client and providing information related to the Event before, during, and after the Event;
- payment-related activities, accounting;
- direct marketing according to ESS 103 1.
- Storage of Personal Data
- The Data Processor retains personal data for as long as necessary to fulfill the purpose for which the personal data was collected, unless other retention requirements arise from legislation applicable to the Data Processor. Specifically, retention is as follows: based on consent until the consent is withdrawn (to withdraw consent, send an email to help@sviby.com); for the performance and ensuring the performance of the contract until the expiry of the statutory limitation period for asserting claims arising from the contract, which is three years from the date of providing the data, unless intentional violation, in which case it is ten years from the commission of the violation; for legal obligations 7 years (pursuant to the Accounting Act); or in the case of legitimate interests until the expiry of the statutory limitation period for possible claims, which is ten years according to the law.
- The Data Processor deletes the Data Subject's personal data when the retention period has expired or when consent for processing personal data is withdrawn (applies if the legal basis for processing personal data is consent).
- The Data Processor has the right to share Data Subjects' personal data with the Event Organizer (the Organizer as the responsible data controller does not automatically have access to the Data Subject's data), and authorized Data Processors, such as the company providing accounting services to Sviby OÜ regarding customer payments (for more information, Sviby OÜ customer support at help@sviby.com); transport and courier companies for sending printed tickets or ordered goods related to the Event (only if the Data Subject orders such a service, the name of the service provider is visible when ordering); companies providing transfer services if the Organizer's Event takes place via transfer; and the payment processor Montonio Finance OÜ for payment processing.
- The Data Processor applies organizational and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or any other unlawful processing.
- Data Subject Rights
- The Data Subject has the right to access their personal data and familiarize themselves with it.
- The Data Subject has the right to receive information about the processing of their personal data.
- The Data Subject has the right to supplement or correct inaccurate data.
- If the Data Processor processes the Data Subject's personal data based on the Data Subject's consent, the Data Subject has the right to withdraw consent at any time by sending an email with the relevant content to Sviby customer support at help@sviby.com.
- The Data Subject has the right to delete data based on their written request in accordance with the GDPR unless the Data Processor has a legal obligation to retain the data. Providing personal data is a mandatory prerequisite for using www.sviby.com services, so if data processing is prohibited, the Data Subject cannot be provided with the service, unless the legal basis for processing personal data is solely consent. Sviby OÜ is not responsible for any resulting damages.
- The Data Subject can contact Sviby customer support at help@sviby.com to exercise their rights.
- To protect their rights, the Data Subject can also file a complaint with the Data Protection Inspectorate (www.aki.ee, info@aki.ee, Tatari 39, Tallinn, Estonia).
- Final Provisions
- These data protection terms have been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), the Personal Data Protection Act of the Republic of Estonia, and the legislation of the Republic of Estonia and the European Union.
- The Data Processor has the right to partially or completely amend the data protection terms, with the current privacy terms published in Sviby being valid at any given time.
- The privacy terms are effective from 26.10.2023.