This policy covers the processing of personal data of nimistu.ee's own users and donors. The processing of data about people sourced from the public register is described separately.
Controller
The controller for this privacy policy is:
What these terms cover
This privacy policy covers the processing of personal data in the following activities:
- Accepting donations — Swedbank LinkPay, bank transfers, other payment services
- Use of the website — visiting nimistu.ee, creating a user account, authenticating via eeID
- Contacting us via the form — correction requests, general enquiries, data-access requests
- Sending a newsletter and notices — where the user has consented
The processing in the nimistu.ee database of data about separately published people (company board members, owners, politically exposed persons, etc.) rests on different legal bases and is described on the methodology pages of each view or source, and in the general terms of use. This document does not cover that — it covers only the data of users and donors themselves.
What personal data we collect
From donors
- name (if the donor shares it)
- e-mail address (if the donor shares it)
- bank account number or payment-method info (received via the payment service; we do not store full payment data ourselves)
- the donation amount, date and payment method
- IP address at the time of the transaction (for security)
From website users
- IP address
- browser and device technical data (user agent, screen size, etc.)
- pages visited and the time of the visit
- referrer URL (the page the visitor came from)
- where applicable: user-account data from eeID authentication (personal ID code, first and last name)
From contact-form users
- name
- e-mail address
- message content
- organisational affiliation (where the nature of the request requires it)
From newsletter subscribers
- e-mail address
- subscription start date
- unsubscribe date (where applicable)
Legal bases
The legal basis for each processing category is:
- Processing and recording donations — performance of a contractual obligation (GDPR Article 6(1)(b)) and a legal accounting obligation (Article 6(1)(c))
- Website operation and security — legitimate interest (Article 6(1)(f)) — ensuring security, preventing misuse, service continuity
- Contact-form communication — legitimate interest (Article 6(1)(f)) — receiving and handling user enquiries
- User accounts via eeID authentication — consent (Article 6(1)(a)) — the user makes a deliberate choice to identify themselves to nimistu
- Newsletter — consent (Article 6(1)(a)) — the user can unsubscribe at any time
For processing based on legitimate interest, we have balanced our interests against the rights of data subjects. You can review that assessment by contacting us.
Who we share data with
We process data ourselves, but in some cases use processors (subcontractors) to whom we transfer data in order to provide the service:
- Swedbank — to provide payment services (LinkPay, bank transfers)
- Hosting provider — to run nimistu.ee's server infrastructure (located in an EU member state)
- Accounting provider — to meet obligations under the Accounting Act (where applicable)
- eeID / Information System Authority — when a user authenticates
- E-mail provider — for contact and newsletter communication
- Cloudflare — for website availability, CDN and security
Data is never sold to third parties under any circumstances. Data is not shared with third parties for advertising or marketing purposes.
Data location and transfers outside the EU
Personal data is held on servers in EU member states. If any of our processors transfers data outside the European Economic Area, this happens only on the basis of a European Commission adequacy decision or standard data-protection clauses (GDPR Articles 45-46).
Retention periods
- Donation-related data — retained for 7 years from the year of the transaction, under the Accounting Act
- Website logs (IP addresses, etc.) — retained generally for up to 12 months, to detect possible misuse
- User accounts (eeID) — retained until the user closes the account; we may delete it after 24 months of inactivity
- Contact-form communication — retained generally for up to 36 months
- Newsletter subscriber data — retained while the user is subscribed; after unsubscribing the e-mail is kept briefly as proof of the opt-out
- eeID personal ID code — retained only while the user account is active
Your rights
You have the following rights regarding your personal data:
- Right of access — ask us for a copy of the data we process about you
- Right to rectification — if data is inaccurate or incomplete, please let us know
- Right to erasure (“right to be forgotten”) — we can delete data, except where retention is legally required
- Right to restriction — in certain cases we can suspend the use of data
- Right to portability — you can receive your data in a structured format
- Right to object — in particular against processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time
- Right to lodge a complaint — with the supervisory authority — the Data Protection Inspectorate (aki.ee)
To exercise your rights, contact us via the contact form or by e-mail to info@nimistu.ee. We respond to requests generally within one month.
Security
We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration or unauthorised access:
- data exchange with the website uses an encrypted connection (HTTPS/TLS)
- passwords and other sensitive data are stored encrypted
- access to data is limited to those who need it for their work
- servers are located in secure data centres
- regular backups are made
- continuous security monitoring and updates
Cookies
nimistu.ee uses cookies to keep the service working and to improve the experience. You can manage cookie settings via the cookie dialog at the bottom of the page. More detail on cookies is given in the terms of use; you can also ask us via the contact form.
Changes to this policy
We may update this privacy policy over time. We announce significant changes on the website. The date this policy was last updated is shown at the top of the page.
Supervisory authority
Data-protection supervision is carried out by the Estonian Data Protection Inspectorate:
You always have the right to contact the supervisory authority directly, but we recommend discussing the matter with us first.
Contact
For any data-protection questions, get in touch via the contact form.