Valid from 30.07.2021
KREEDIX is guided by Regulation (EU) 2016/679 of the European Parliament and of the Council, the Personal Data Protection Act and other data protection legislation when processing personal data.
KREEDIX or “we”is KREEDIX OÜ (registry code 11043745) as the controller of personal data, i.e. the person who determines the purposes and means of processing personal data.
The information portal is a website inforegister.ee and scorestorybook.ee and its subdomains.
A data subject is an identifiable or identified natural person whose personal data are processed,including: (a) the user ofthe information portal;
A user is a data subject who uses the information portal either personally or through a legal person (in which case the personal data of a natural person may be included in the data processed).
Personal data is any information about an identifiable or identified natural person (data subject).
Processing of personal data is any operation performed on personal data (e.g. collection, storage, alteration, transmission, erasure, organisation).
The above personal data are collected from the data subject when creating an account on the Information Portal, using the services of the Information Portal, entering into payment agreements, applying for a demo account, joining a newsletter, responding to surveys/surveys, in the context of customer communication or otherwise, including on the data subject’s own initiative.
We receive confirmation of the user’s identity from a third party who provides the respective service. For example, the user can identify themselves via an ID-card, Mobile-ID, bank link. We do not see or store pin1 or PIN 2 codes. When authenticating via ID-card and Mobile-ID and signing declarations of intent or confirmations, the User is obliged to comply with the security requirements and recommendations established by the respective developers and us. We recommend that you familiarize yourself with additional information on the https://www.id.ee/en/mobile-id/ and https://www.id.ee/en/ websites.
We process personal identification data in order to identify the user, enter into an agreementwith the user for the use of the information portal (for the preparation of the contract and pre-contractual communication) and enable the User to use the information portal (incl. log in to the information portal). In addition, we process payment and contact details to enable the User to pay for the use of the information portal as part of the performance of the contract. We also process contact details in order to provide the user with important notices about the service and performance of the contract and to manage the customer relationship.
We process the user’s personal data based on our legitimate interest in realising our business interests and, among other things, developing and expanding business activities, improving the services and its quality and ease of use, and creating different statistics. The aforementioned activities may not be necessary for the performance of the contract, which is why the processing of personal data for such purposes is based on our legitimate interest. The processing of personal data on the basis of a legitimate interest is in balance with the interests of the user, since in order to provide the best possible service, the processing of the user’s personal data is extremely necessary and obtaining a high quality service is also the user’s expectation of us.
We perform profiling against users for marketing purposes using text files or cookies installed in users’ browsers. Profiling is data processing that aims to provide news, advertisements and other offers of interest to the user that might interest the user. The purpose of profiling is to identify different types of customers and segment the customer base to enable us to make marketing decisions and choices, such as making offers that are likely to be of interest to a particular customer type and displaying customized advertising and content according to the customer type. Profiling for marketing purposes does not result in decisions having legal implications for the user. The user may object to profiling for marketing purposes at any time or prohibit the storage of cookies in their browser.
We may also process your personal data in the event of any contractual or other dispute between us in order to protect our legitimate interests.
We may process your personal data in order to comply with legal obligations, such as ensuring the protection of personal data (including responding to requests from data subjects and requestsfrom competent national authorities),storing personal data for any periodoftimenecessary for the performance of legal obligations (e.g. for accounting purposes) and for the performance of other applicable legalobligations.
The user’s personal data shall be stored for up to five years from the end of the customer relationship,except for the basic accounting documents, which shall be stored for seven years from the end of the financial year related to the respective personal data and personal data related to the contract (including arrears) concluded with the User, which shall be stored for up to 10 years from the end of the customer relationship. Upon expiry of the above periods, the respective personal data will be deleted, unless the processing of personal data is necessary under the circumstances to protect our legitimate interests, e.g. in the event of contractual or other disputes between us (including due to a continuous dispute). We also have the right to anonymize personal data following the aforementioned periods, i.e. to process personal data in such a way that the data are no longer treated as personal data.
Despite the termination of the customer relationship, we may process the User’s personal data for direct marketing with the user’s prior consent until the user has withdrawn the consent. Where a person prohibits direct marketing (I withdraw consent) and there is no other legal basis for processing, information on the prohibition shall be retained to the extent necessary to ensure compliance with the prohibition on directmarketing notifications.
In addition to personal data received from users, we process personal data available from public sourcesrelated to natural persons (data subjects) related tolegal persons. The source of such personal data shall be, in particular, the Business Register. The composition of the personal data of data subjects related to legal persons from public sources that we process is as follows:
We do not collect personal data in relation to property belonging to the data subject. We collect, in particular, court decisions from the register of court decisions, notices of official notices, media articles from mainstream media publications, various data from company-related websites (website, Facebook, etc.), documents related to procurement from the public procurement register and job offers from the Unemployment Insurance Fund, but we do not make enquiries on the basis of the data subject or for the purpose of disclosing personal data of the data subject that are not related to business. We cannot exclude that the data available from these sources contain personal data. However, those personal data are not linked to the non-business activities of the data subject and the links are manifested, in particular, through a company linked to the data subject.
We compile different scores (reputation and credit scores) for companies, which are derived by combining business data using different technologies. We do not compile any scores for the data subject, but only for companies related to the data subject. We may also publish the score with the data subject, but we will make sure that the score is marked accordingly, that the score applies to related companies. In doing so, we will ensure that the public does not attribute corporate scores to data subjects.
The personal data of data subjects collected from public sources can be accessed by the users of the information portal. The composition of the personal data disclosed to users depends on the level of access (unregistered user, registered user, registered contractual client user), while the user can make available to a certain extent the personal data collected about him/her from public sources on the information portal to all users of the information portal.
We delete personal data collected from public sources after 5 years from the end of the data subject’s last valid relationship with the legal person. This retention period ensures the integrity andusefulness of the information published on the information portalto users. When drawing up the retention policy, we have taken into accountthat the time limit for making claims against a member of the management body is at least 5 years, but in certain cases (in case of intentional violation) 10 years. Thus, the 5-year erasure period balances the maximum limitation period (10 years) and the interests of the data subject arising from law and case law. When storing personal data, we also proceed from the fact that as long as the person is active in business and claims against him or her are possible only in the event of an intentional breach (i.e. after 5 years of business activities), third parties have a legitimate interest in accessing the data subject’s data.
In addition, at the request of the data subject, personal data which have proved to be incorrect or which, in the opinion of the controller, are not related to business or are excessively harmful to the data subject shall be erased. We will delete the data that has been found to be incorrect or not related to business immediately, even if it becomes known to us.
We do not inform the data subject when processing personal data available from public sources about the data subject, as we do not seek personal (non-business) contact dataof the data subject from public sources, and the identification of the contact details of the data subjects would require impossible or disproportionate efforts from us. In addition, we wish to restrict the processing of personal data as far as possible, and the processing of the personal contact details of the data subject only for the purpose of informing the data subject is not justified.
We have the right to disclose and transfer personal data of data subjects (users and data subjects whose personal data are collected from public sources) in particular:
The recipients of personal data are located in Estonia, the European Union or the Economic Area of the European Union. In the event that we should transfer personal data to recipients who are not located in the aforementioned areas, we will take all necessary measures to ensure the security of the processing of personal data and compliance with the law, including by concluding appropriate agreements with the recipient.
In accordance with applicable law, the data subject (the user and the data subjectwhose personal data have been collected from publicsources) has the right to:
If we process personal data on the basis of consent, the data subject may withdraw the consent at any time, in which case the processing of personal data will be terminated. This shall not affect processing operations carried out in the past.
When submitting requests, the User must take into account that the services may not be partially or fully available to the User when deleting personal data or restricting the processing necessary for the performance of the contract.
An additional feature has been created for users to supplement, modify and delete certain personal data on the Information Portal. Such a possibility ensures a heightened level of protection of the interests of data subjects, in particular those whose personal data have been collected from public sources.
We process personal data only if there is a legal basis and for legitimate purposes. In order to ensure the security of personal data, we use measures and store personal data in such a way as to ensure the security and confidentiality of personal data. Internal information security and data protection will be achieved, for example, by implementing preventive risk assessment practices in the development of products and services, as well as by training staff on information security and data protection issues. We take the necessary organisational, physical andIT securitymeasuresto ensure the security ofour data.
Our employees are obliged to keep confidential the personal data entrusted to them in the course of their duties in accordance with the employment contracts concluded with them and the legislation in force, while the confidentiality of employees and former employees is indefinite.
When we transfer personal data to processors acting on our behalf, we verify the reliability of these persons and enter into appropriate agreements and data processing agreements withthem.
If a personal data breach occurs and this poses a likely threat to the rights and freedoms of the data subject, we will notify the Data Protection Inspectorate of such a breach. In addition, we will take measures to put an end to the infringement as soon as possible.
In the case of inquiries, questions and complaints related to the processing of personal data, the data subject has the right to contact CREEDIX as the controller in the following contacts:
Tähe tn 129b, 50113 Tartu
You can contact the CREEDIX data protection specialist by e-mail at email@example.com.
We will respond to inquiries as soon as possible, taking into account legal deadlines. We will respond to thedata subject’s requestwithin 30 days and inform thefounder whether and what measureshave been taken to resolve the request. If the application is complex or voluminous, the deadline for reply may be extended by 60 days. If we do not take action at the request of the data subject, we will inform the data subject of the reasons for not taking action and explain the possibility of submitting a complaint to the Data Protection Inspectorate or going to court to protect our rights.
The data subject has the right to lodge a complaint with the national data protection supervisory authority if you consider that the processing of personal data relating to you does not comply with the legislation. In Estonia, the state supervisory authority is the Data Protection Inspectorate (firstname.lastname@example.org; tel. 627 4135).
The Storybook extension tells you which company's website you are currently on and how reliable that company is today. Download extension