Last Updated: December 7, 2024
IMPORTANT: PLEASE READ THIS DATA PRIVACY POLICY CAREFULLY BEFORE USING THIS WEBSITE
1. OVERVIEW
1.1 Introduction
This website, www.ligneroset.ee (hereinafter the “Website”), is operated by Daydream OÜ (hereinafter “Controller”, “Ligne Roset Estonia”, “we”, “us”, or “our”), a company registered in the Republic of Estonia under register code 10621140 and VAT number EE100673489, located at Tartu Maantee 6, 10145, Tallinn, Estonia.
Since 2008, Daydream OÜ has been an official franchisee partner of Ligne Roset, a globally recognized luxury furniture brand operated by ROSET SAS (hereinafter "Ligne Roset"). ROSET SAS is a company registered in the French Republic under SIREN number 545920076 and headquartered at 1 Route du Pont, 01470, Briord, France.
As a franchisee, Daydream OÜ is authorized to exclusively represent, market, and sell Ligne Roset products in Estonia.
1.2 Scope of the Policy
This document outlines our Data Privacy Policy (hereinafter “Privacy Notice”) regarding the collection, use, disclosure, processing, storage, and protection of your personal data when accessing and using our Website, including but not limited to placing an order. It also addresses your rights and choices concerning such information. It defines the responsibilities of both you, as the user, and us, as the service provider, in relation to using our Website and any purchases made through it. By setting clear expectations, this policy ensures a transparent, safe, and fair experience for all customers.
1.3 Governing Law
These Terms, including any disputes or claims arising out of or in connection with their subject matter, formation, or performance (including non-contractual disputes or claims), are governed by and interpreted in accordance with the laws of the Republic of Estonia and applicable European Union regulations, particularly the General Data Protection Regulation (Regulation 2016/679 or "GDPR") and ePrivacy Directive (Directive 2009/136).
1.4 Definitions
1. "E-Commerce Platform Provider" refers to Shopify, the third-party e-commerce platform used by Ligne Roset Estonia for order fulfillment, inventory management, payment transactions, and customer account services.
2. “Personal Data” refers to any information that relates to an identified or identifiable individual. An identifiable individual is one who can be directly or indirectly identified, particularly by reference to one or more identifiers or factors specific to their identity.
Examples of personal data include, but are not limited to:
- Direct identifiers such as name, email address, phone number, identification number, or physical address.
- Indirect identifiers such as IP address, cookie identifiers, device IDs, or location data.
3. “Applicable Data Protection Laws” refer to all EU laws, regulations, and legal standards governing the collection, use, storage, sharing, and protection of Personal Data. These include, but are not limited to:
- General Data Protection Regulation (Regulation 2016/679 or "GDPR"): The primary data protection regulation in the European Union, governing the processing of Personal Data for individuals within the EU.
- ePrivacy Directive (Directive 2009/136): European legislation complementing GDPR, focusing on privacy in electronic communications, including cookies and online tracking.
- Personal Data Protection Act of Estonia (Isikuandmete Kaitse Seadus): National legislation implementing GDPR in Estonia, detailing additional requirements and clarifications specific to data processing activities within the Republic of Estonia.
4. "You" refers to any individual or user who visits, interacts with, or purchases a product through our Website.
5. "Services" refer to the range of offerings provided by Ligne Roset Estonia through its Website and related digital platforms. These include, but are not limited to:
- Facilitating the browsing, selection, purchase, and secure payment processing of Ligne Roset furniture and home accessories.
- Providing tools to track order statuses, manage delivery details, and handle returns or refunds.
- Enabling users to create and manage personal accounts, save preferences, and access purchase history.
- Offering interactive features for exploring and configuring customized furniture designs.
- Allowing users to participate in online campaigns, access exclusive deals, and receive newsletters.
- Providing online assistance via contact forms and email communication for inquiries and troubleshooting.
1.5 Age Requirement
To use or place an order on this Website, You must be 16 years or older. Ligne Roset Estonia does not knowingly collect, process, or store Personal Data from individuals under the age of 16.
If You are a parent or guardian and believe that Your child under the age of 16 has provided us with personal information, please contact us immediately using the details provided in Section 1.9: How to Contact Us.
If we discover that Personal Data from an individual under 16 has been collected without verifiable parental consent, we will take immediate steps to delete such data from our systems.
1.6 Acceptance of Policy
By accessing or using our Website, including but not limited to placing an order, You acknowledge that You have read, understood, and agreed to the terms outlined in this Data Privacy Policy. This acknowledgment establishes a legally binding agreement between You and Ligne Roset Estonia, which is enforceable regardless of its electronic and remote nature, without requiring a physical signature from either party.
If You do not agree with any part of this Data Privacy Policy, we respectfully request that You discontinue use of our Website and refrain from placing any orders.
1.7 Changes to Data Privacy Policy
We reserve the right to update or revise this Data Privacy Policy periodically to reflect changes in our practices, legal requirements, or enhancements to our Services. Each time You use our Website, we encourage You to review the latest version of this policy to ensure You understand the conditions applicable to Your use and our handling of Your Personal Data.
When changes are made, we will post the updated policy on this Website and update the "Last Updated" date at the top of the page to reflect the modifications. If any changes materially affect Your rights or how we process Your Personal Data, we will make reasonable efforts to notify You through additional means, such as an email notification (if we have Your contact information) or a prominent notice on our homepage.
1.8 Other Policies That May Apply to You
In addition to this Data Privacy Policy, our Terms and Cookies Policy also govern Your use of our Website.
Our Terms outline the rules, conditions, and legal obligations between You and Ligne Roset Estonia when You access or use our Website, including when placing an order.
Our Cookies Policy provides details about the types of cookies used on our Website, their purpose, and how they enhance Your experience. This policy also explains how You can manage Your cookie preferences.
1.9 How to Contact Us
If you have any questions or concerns about this Data Privacy Policy, please contact us at privacy@ligneroset.ee
We respond to emails seven days a week from 09:00 to 21:00 (GMT+3) and aim to reply to all messages within 1–2 days.
2. LEGAL BASIS FOR DATA PROCESSING
We collect and process Your Personal Data in full compliance with the lawful bases established by the Data Privacy Laws of the Republic of Estonia and the European Union. This framework ensures that Your Personal Data is handled lawfully, fairly, and transparently. The lawful bases for processing include:
- Your Consent: When required or appropriate, we process Your Personal Data based on Your explicit consent.
- Performance of Contract: We use Your Personal Data solely to fulfill contractual obligations or to take steps at Your request prior to entering into a contract. This includes:
  - Processing and delivering orders.
  - Managing customer service inquiries related to purchases.
- Legitimate Interests: Processing Your Personal Data may also be necessary for our legitimate business interests, such as:
  - Improving our Website and services to provide a better user experience.
  - Ensuring the security of our website and systems.
  - Preventing fraud and other unlawful activities.
  - Providing tailored content or recommendations based on Your interactions with our Website.
- Compliance with Legal Obligations: We process Your Personal Data when required to meet our legal and regulatory obligations, including:
  - Complying with tax laws, financial reporting, or other statutory requirements.
  - Responding to subpoenas or other legal processes.
  - Protecting our rights, property, or safety, as well as the rights, property, or safety of others.
  - Cooperating with regulatory authorities or law enforcement agencies.
- Business Transfers: In the event of an acquisition or sale of all or part of our business assets, we may disclose Your Personal Data as part of the transaction to ensure continuity of service.
Otherwise, Ligne Roset Estonia will not sell, disclose, or share any of Your Personal Data with anyone else.
3. WHAT DATA WE COLLECT
We collect various types of Personal Data to provide and improve our Services, facilitate transactions, and enhance Your overall experience. The Personal Data we collect falls into two main categories: data You provide directly and data we collect automatically.
3.1 Data You Provide Directly
This includes Personal Data You knowingly share with us when using our Website, such as:
- Contact Information: Name, email address, phone number, and physical address (e.g., billing and shipping addresses).
- Transactional Information: Payment details (e.g., billing details, payment method, transaction IDs) processed securely by our E-Commerce Platform Provider.
- Order Information: Details about Your purchases, including product names, quantities, prices, discounts, and order status.
- Marketing Preferences: Your preferences for receiving newsletters, promotional updates, and other marketing communications.
- Any Information You Voluntarily Provide: Personal Data shared through inquiries, feedback, surveys, or customer service interactions.
3.2 Data We Collect Automatically
When You engage with our Website, we automatically collect specific Personal Data through cookies, tracking technologies, and analytics tools. This includes:
- Usage Data: Information about Your interactions with our Website, such as pages viewed, time spent on each page, clicks, scrolls, add-to-cart actions, and purchases.
- Technical Data: Details about the devices and technologies You use to access our Website, such as browser type and version, operating system, screen resolution, device type (e.g., mobile, tablet, desktop), and network provider.
- Location Data: Geographical information derived from Your IP address, including country, region, and city.
- Cookies: Small text files placed on Your device that help us track Your preferences, monitor Website performance, and personalize Your experience. You may choose to delete or not accept our cookies as described in our Cookie Notice.
4. SUBPROCESSORS
Our Website includes integrations with third-party services that we share Your Personal Data with and that are not owned, operated, or controlled by Ligne Roset Estonia (hereinafter "Subprocessors"). These services play a vital role in the functionality, efficiency, and Your overall experience with our Website. As part of these integrations, we may share certain Personal Data with these Subprocessors to enable their services.
4.1 List of Subprocessors
4.1.1 Shopify
Purpose: Shopify provides the e-commerce infrastructure for our Website, enabling payment transactions, order management, and customer account functionality.
Data Shared:
- Customer Information: name, email address, phone number, shipping and billing addresses
- Order Details: order ID, products purchased, quantities, prices, discounts, taxes, shipping details, order status
- Payment Information: payment method, transaction IDs, billing details, currency
4.1.2 Vercel
Purpose: Vercel powers the global hosting and deployment of our Website and provides tools such as Speed Insights to monitor and optimize Website performance, as well as Web Analytics for advanced analytics and performance tracking.
Data Shared:
- Performance Metrics: response times, server logs, error logs, page load speeds
- Interactions: API requests, page views, user requests
- Traffic Sources: referral sources, campaign parameters, search terms, medium (e.g., organic, paid), source (e.g., Google, direct)
- Engagement: frequency of visits, recency of visits, engagement over time
- Session Information: session duration, pages per session, bounce rate, time on page
- Device and Technology: device type [e.g., mobile, desktop, tablet], browser type and version, operating system
- Geographical Data: IP address, country, region, city
- Custom Dimensions and Metrics: any additional data points defined by Ligne Roset Estonia for specific tracking purposes
4.1.3 Google Analytics 4
Purpose: A tool by Google for advanced analytics and performance tracking.
Data Shared:
- Interactions: page views, clicks, scrolls, form submissions, add-to-cart actions, purchases
- Session Information: session duration, pages per session, bounce rate, time on page
- Device and Technology: device type [e.g., mobile, desktop, tablet], operating system, browser type and version, screen resolution, network provider
- Geographical Data: IP address, country, region, city
- Demographics and Interests: age range, gender, interests
- Traffic Sources: referral sources, campaign parameters, search terms, medium (e.g., organic, paid), source (e.g., Google, direct)
- Engagement: frequency of visits, recency of visits, engagement over time
- Custom Dimensions and Metrics: any additional data points defined by Ligne Roset Estonia for specific tracking purposes
4.2 Independent Terms and Policies
Subprocessors operate under their own terms of use and privacy policies, which are separate from this Privacy Notice. We strongly encourage You to review these documents to understand how Your Personal Data is collected, used, and protected by these Subprocessors. Below are links to their respective data security policies:
- Shopify:
- Vercel:
- Google:
4.3 Limitation of Liability
We are not responsible for the content, accuracy, or practices of Subprocessors. Additionally, we do not monitor or verify the accuracy, completeness, or security measures implemented by them.
4.4 Your Responsibility
Before using our Website and engaging with Subprocessors, we strongly recommend that You:
- Carefully review the terms and data privacy policies of each service.
- Ensure their compliance, privacy, and security practices align with Your expectations and requirements.
4.5 Scope of Interaction
Any interactions, transactions, or exchanges of Personal Data with Subprocessors through Ligne Roset Estonia are conducted at Your own discretion and risk. While we carefully select these providers to improve Your experience, their operations and practices are independent of our direct control.
5. HOW DATA IS DISCLOSED
We disclose Your Personal Data only when it is necessary to provide our Services, comply with legal requirements, or as otherwise permitted by Applicable Data Protection Laws. Each disclosure is carefully managed to ensure compliance with data protection regulations and to protect Your rights. Below are the circumstances under which Your Personal Data may be shared:
- Ligne Roset Estonia Partners and Event Sponsors: If You participate in events, promotions, or collaborations hosted by Ligne Roset Estonia in partnership with other sponsors or affiliated entities, Your Personal Data may be shared with these partners to facilitate the event or provide relevant services.
- New Owner and Other Corporate Transactions: In the event of a business transfer, such as acquisition or sale of all or part of Ligne Roset Estonia’s assets, Your Personal Data may be disclosed to the new owner or other relevant parties involved in the transaction.
- Subprocessors: We use trusted Subprocessors to enhance our Website’s functionality, manage transactions, deliver communications, and analyze user behavior. These providers process Your Personal Data solely on our behalf and are contractually obligated to adhere to strict data protection standards.
- Legal or Public Authorities: We may disclose Your Personal Data to comply with legal obligations, such as responding to court orders, subpoenas, or lawful requests from public authorities. Additionally, Your Personal Data may be shared to protect our rights, enforce our terms, or ensure the safety of our users, customers, employees, or the public.
- Any Other Party with Your Consent.
Otherwise, Ligne Roset Estonia will not sell, disclose, or share any of Your Personal Data with anyone else.
6. HOW DATA IS USED
We collect and use Your Personal Data with a clear purpose: to improve Your experience, fulfill our obligations, and ensure the smooth and reliable operation of our Website and Services.
- To Provide and Manage Our Services: To process and deliver Your orders, manage payments, handle shipping, and address returns. This includes ensuring secure transactions, preventing fraudulent activities, and maintaining the core functionality of our Website.
- To Develop and Improve the Website: To enhance functionality, quality, and Your overall experience while developing new features. This involves analyzing Your behavior to identify performance issues, optimizing loading speeds, refining navigation, and evolving the Website to meet Your needs.
- To Personalize Your Experience: To create a tailored journey by recommending products based on Your browsing and purchasing history and customizing content and communications to reflect Your preferences and interests.
- To Communicate with You: To send transactional emails, such as order confirmations, shipping updates, and account-related notifications. Your Personal Data also enables us to respond to inquiries, provide customer support, and resolve issues effectively.
- To Share Updates and Improve Marketing: To analyze trends, usage patterns, and interactions to personalize and optimize marketing activities. With Your consent, we may share newsletters, promotional updates, and exclusive offers to keep You informed about new developments and special deals.
- To Ensure Security and Compliance: To safeguard the systems of our Subprocessors and protect Your Personal Data. Our Subprocessors implement advanced security measures to detect fraud, address unauthorized activities, and comply with legal and regulatory obligations.
- For Business Operations: To utilize Your Personal Data to maintain continuity of service during events such as acquisitions or business transfers.
- Legal, Safety, and Compliance: To comply with Applicable Data Protection Laws, a court or legal order, and to review compliance with applicable terms.
- For Any Other Purposes with Your Consent.
7. HOW DATA IS RETAINED
At Ligne Roset Estonia, we retain Your Personal Data only for the minimum period necessary to:
- Fulfill our legal and contractual obligations.
- Enhance our Website and Services.
- Resolve disputes and enforce our rights.
- Meet legitimate business needs, such as tax and accounting requirements.
When Your Personal Data is no longer required for these purposes, we will either delete it or anonymize it. Anonymization ensures that the Personal Data cannot be traced back to You or any specific individual. In cases where deletion is not feasible (e.g., due to technical constraints like backup systems), we secure Your Personal Data and restrict its use strictly to purposes compliant with Applicable Data Protection Laws.
7.1 Criteria for Determining Retention Periods
Our Personal Data retention periods are determined based on the following factors:
- Duration of Our Relationship: The length of time we maintain an ongoing relationship with You, such as when You place orders, hold an account, or continue to use our services.
- Modification or Deletion Requests: Whether You choose to modify or delete Your Personal Data by contacting us at privacy@ligneroset.ee.
- Legal Obligations: Whether applicable laws require us to retain certain Personal Data, such as tax regulations that mandate keeping records of transactions for a specified period.
- Legal Considerations: Whether retention is advisable to protect our legal position, such as for enforcing agreements, resolving disputes, complying with statutes of limitations, or managing litigation or regulatory investigations.
8. HOW DATA IS SECURED
8.1 Overview
Our Subprocessors implement and maintain reasonable data security policies and processes (including technical, administrative and physical safeguards) that are designed to prevent unauthorized access to or use or disclosure of their services and any of Your Personal Data.
8.1.1 Technical Security
- Access Controls: Subprocessors restrict system access to authorized personnel only, applying least privilege principles and managing authorizations with technologies such as firewalls and authentication controls.
- Restricted User Access: System access is provisioned based on job functions and requires two-factor authentication (2FA) to ensure secure handling of sensitive data.
- Vulnerability Assessments: Subprocessors perform regular vulnerability assessments and penetration testing to identify and mitigate security threats.
- Application Security: Dedicated programs protect their services from application security threats, ensuring system resilience.
- Data Integrity: Measures are in place to maintain the accuracy and integrity of data during transmission, storage, and processing.
- Availability: Subprocessors implement redundancy, failure-tolerant systems, and recovery protocols to minimize disruptions and ensure consistent service availability.
8.1.2 Physical Security
Subprocessors take reasonable measures to protect their services or any of Your Personal Data from unauthorized physical access, damage, or interference, including:
- Restricting physical access to authorized personnel with a legitimate business need.
- Utilizing access control devices at secure facilities.
- Conducting periodic reviews to validate adherence to physical security standards.
8.1.3 Employees
Subprocessors require employees with access to your Personal Data to adhere to strict confidentiality obligations as part of their employment terms. Regular security awareness training ensures employees remain updated on data protection and security requirements, with periodic program reviews to reflect evolving best practices.
8.2 PCI DSS Compliance
Our E-Commerce Platform Provider is certified as Level 1 PCI DSS compliant, the highest standard for organizations handling credit and debit card information. This certification extends to our Website, safeguarding your payment data throughout the transaction process.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework requiring:
- Data encryption, robust access controls, and continuous risk management.
- Annual on-site assessments to ensure ongoing compliance.
For more information on Shopify's PCI compliance, please visit:
8.3 SOC (Service Organization Control) Compliance
Our Subprocessors undergo regular, independent audits and are certified under SOC 2 Type II and SOC 3 standards, which validate their adherence to rigorous standards for ensuring the security, availability, and integrity of their services.
8.3.1 SOC 2 Type II Compliance
System and Organization Control (SOC) 2 Type II is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) to assess and certify how effectively an organization secures its services and protects customer data. The framework is built around five Trust Services Categories (TSCs) — Security, Availability, Processing Integrity, Confidentiality, and Privacy — which define criteria for evaluating an organization's controls and service commitments.
Key aspects of SOC 2 Type II compliance include:
- Verifying that sensitive information, such as payment details, is encrypted during both storage and transmission to prevent unauthorized access or breaches.
- Ensuring that only authorized personnel can access sensitive data, minimizing risks of internal misuse or accidental exposure.
- Confirming that payment transactions are processed with accuracy, validity, and proper authorization, ensuring a seamless and secure payment experience for users.
- Identifying and mitigating potential vulnerabilities or breaches in real time, using advanced threat detection systems to safeguard against evolving security threats.
8.3.2 SOC 3 Reporting
The SOC 3 report provides a general overview of compliance with security, availability, processing integrity, confidentiality, and privacy standards, serving as an added layer of transparency.
8.4 SSL Encryption
All Personal Data transmitted between your browser and our Website is protected using TLS encryption, which employs the Advanced Encryption Standard (AES) with a 256-bit key to ensure secure and robust data protection.
9. YOUR PRIVACY RIGHTS
Ligne Roset Estonia ensures that You have full control over how Your Personal Data is collected and used. Below is a summary of Your data privacy rights, along with guidance on how You can exercise them:
- Right to Be Informed: You have the right to be informed about how Your Personal Data is collected, used, shared, and stored.
- Right to Access: You have the right to request confirmation of whether we process Your Personal Data. Upon request, You can access a copy of Your Personal Data along with detailed information about how it is processed, used, and shared.
- Right to Rectification: If Your Personal Data is inaccurate or incomplete, You have the right to request corrections or updates to ensure the accuracy of Your Personal Data.
- Right to Erasure (Right to be Forgotten): You may request that we delete Your Personal Data if:
  - Data is no longer necessary for the purposes for which it was collected.
  - You withdraw Your consent, and consent is the sole legal basis for processing.
  - You object to processing, and there are no overriding legitimate grounds.
  - Data has been unlawfully processed.
  - Data deletion is required to comply with legal obligations.
- Right to Restrict Processing: You can request that we limit the processing of Your Personal Data in certain circumstances, such as:
  - While we verify the accuracy of the Personal Data You have contested.
  - If the processing is unlawful, but You prefer restriction over deletion.
  - If You need the Personal Data for legal claims but no longer require it for the original purpose.
- Right to Data Portability: You have the right to receive Your Personal Data in a structured, commonly used, and machine-readable format. Additionally, You can request that we transfer Your Personal Data to another controller, where technically feasible.
- Right to Object: You can object to the processing of Your Personal Data if:
  - It is based on our legitimate interests, unless we demonstrate compelling legitimate grounds that override them.
  - It is for direct marketing purposes, in which case processing will cease immediately upon Your objection.
- Right to Withdraw Consent: Where processing is based on Your consent, You have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to Be Notified of a Data Breach: If a Personal Data breach occurs that is likely to result in a high risk to Your rights and freedoms, we will notify You without undue delay. This notification will include:
  - A description of the nature of the breach.
  - Details of the Personal Data affected.
  - Potential consequences of the breach.
  - Recommendations on steps You can take to mitigate potential risks.
- Right Against Automated Decision-Making and Profiling: You have the right to object to decisions made solely by automated means, including profiling, if these decisions have a significant legal or similar effect on You. This right ensures human intervention in such cases unless the processing is necessary for a contract, authorized by law, or based on Your explicit consent.
- Right to Lodge a Complaint: If You believe Your privacy rights have been violated, You have the right to lodge a complaint with the Estonian Data Protection Inspectorate. This authority oversees the enforcement of data protection laws in Estonia:
  - Address: Tatari 39, 10134, Tallinn, Estonia
  - Phone: +372 627 4135
  - Email: info@aki.ee
  - Website: www.aki.ee