Privacy Policy

1. Introduction

Fit Labs OÜ ("we", "us", "our") operates the e-commerce website maxfit.ee (the "Website"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the European Union General Data Protection Regulation (GDPR) and Estonian data protection laws.

We are committed to protecting your privacy and ensuring you have a positive experience on our Website.

2. Data Controller

Company Name: Fit Labs OÜ
Registry Code: 17442328
Registered Address: Harju maakond, Tallinn, Mustamäe linnaosa, Pöörise tn 7-51, 13520, Estonia
Email: support@maxfit.ee
Website: maxfit.ee

For questions about this Privacy Policy or our data practices, please contact us at support@maxfit.ee.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Information

Email address (required for account creation)
Password (stored as encrypted hash)
First name and last name
Display name (optional)
Profile picture (if using Google OAuth)

3.2 Order and Shipping Information

Billing and shipping addresses
Phone number
Order history and purchase details
Payment transaction records (payment card details are processed by Montonio and not stored by us)

3.3 Technical and Usage Data

Search queries on our Website
Recent search history (stored locally in your browser for 30 days)
Shopping basket contents (stored locally in your browser)
Language preference
IP address (for security and fraud prevention)
Browser type and user agent (for compatibility and security)

3.4 Authentication Data

Access tokens and refresh tokens (for session management)
OAuth account linkage (if using Google Sign-In)
Password reset tokens (temporary, expire after 60 minutes)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to fulfill your orders, manage your account, and provide customer service.
Consent (GDPR Art. 6(1)(a)): For marketing communications, optional features, and cookies/localStorage usage (where required).
Legal Obligation (GDPR Art. 6(1)(c)): Compliance with Estonian tax and accounting laws (7-year retention of transaction records).
Legitimate Interests (GDPR Art. 6(1)(f)): Fraud prevention, website security, improving user experience, and search functionality optimization.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

Order Fulfillment: Process your orders, arrange shipping, send order confirmations and updates.
Account Management: Create and manage your account, authenticate your identity, enable password resets. Contact information (email, phone) provided during checkout is saved to your account profile for order fulfillment and to streamline future purchases.
Payment Processing: Process payments through Montonio (our payment processor).
Communication: Send transactional emails (order confirmations, password resets), respond to inquiries.
Personalization: Remember your language preference, recent searches, and shopping basket.
Search Functionality: Provide product search with AI-enhanced results and recommendations.
Security: Detect and prevent fraud, protect against unauthorized access, maintain platform security.
Legal Compliance: Comply with tax, accounting, and consumer protection laws.
Service Improvement: Analyze anonymized usage patterns to improve our Website and services.

6. Third-Party Data Processors

We share your personal data with the following trusted third-party service providers:

6.1 Payment Processing

Montonio Finance OÜ (Estonia, EU)
Purpose: Process payment transactions securely (card payments, bank links, wallets)
Data shared: Billing information, payment amounts
Privacy Policy: https://montonio.com/privacy-policy/

6.2 Order Fulfillment

IRON DUST OÜ (Estonia, EU)
Purpose: Product warehousing and order fulfillment (dropshipping)
Data shared: Name, shipping address, phone number (if needed for delivery), order contents
Data NOT shared: Email address, payment information, account credentials
Sub-processor: Omniva AS (parcel delivery)

6.3 Authentication

SK ID Solutions AS (Estonia, EU)
Purpose: Strong customer authentication via Smart-ID
Data shared: National identification number (isikukood) for identity verification

6.4 Email Service

Amazon Web Services (AWS SES) (EU — Sweden)
Purpose: Send transactional emails (order confirmations, password resets)
Data shared: Email address, name, order details
Privacy Policy: https://aws.amazon.com/privacy/

6.5 Authentication (Social Login)

Google LLC (United States)
Purpose: OAuth authentication (optional Google Sign-In)
Data shared: Email, name, profile picture
Privacy Policy: https://policies.google.com/privacy

6.6 Product Content Enhancement

OpenAI, Inc. (United States)
Purpose: Generate product descriptions, FAQs, and translations
Data shared: Product information only (NOT user personal data)
Note: Your personal data, search queries, and orders are NOT sent to OpenAI
Privacy Policy: https://openai.com/privacy

6.7 Cloud Hosting

Amazon Web Services (AWS) (EU Region)
Purpose: Host our application and database
Data location: EU (Ireland)
Privacy Policy: https://aws.amazon.com/privacy

International Transfers: Some of our processors are located in the United States. We rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) for lawful international transfers. Your data is protected by appropriate safeguards.

7. Data Retention

We retain your personal data for the following periods:

Active Accounts: Indefinitely, until you delete your account or request deletion.
Deleted Accounts: 30-day grace period, then personal data is anonymized.
Order Data: 7 years from purchase date (Estonian accounting law requirement), with personal details anonymized after account deletion.
Payment Transactions: 7 years (tax law requirement).
Search Query Logs: 90 days, then automatically deleted.
Access Tokens: 15 minutes (automatic expiry).
Refresh Tokens: 7 days (automatic expiry).
Password Reset Tokens: 60 minutes (automatic expiry).
Browser Storage (localStorage/sessionStorage): Recent searches expire after 30 days; basket persists until you clear it.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Art. 15)

You can download all your personal data in JSON format from your account settings.

8.2 Right to Rectification (Art. 16)

You can update your profile information, addresses, and preferences at any time in your account settings.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

You can delete your account from your account settings. We will anonymize your personal data while retaining order records for legal compliance (7 years).

8.4 Right to Data Portability (Art. 20)

You can download your data in a structured, machine-readable format (JSON) from your account settings.

8.5 Right to Object (Art. 21)

You can object to processing based on legitimate interests by contacting support@maxfit.ee.

8.6 Right to Restrict Processing (Art. 18)

You can request restriction of processing by contacting support@maxfit.ee.

8.7 Right to Withdraw Consent

You can withdraw consent for marketing communications or optional features at any time in your account settings.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate:
Andmekaitse Inspektsioon
Email: info@aki.ee
Website: www.aki.ee

9. Cookies and Local Storage

We do not use traditional cookies. Instead, we use browser localStorage and sessionStorage to enhance your experience:

Essential (Required): Authentication tokens (accessToken, refreshToken) to keep you logged in.
Functional (Optional with consent):
- Language preference (localStorage)
- Shopping basket (localStorage)
- Recent searches (localStorage, expires after 30 days)

9.1 Session Recordings

With your analytics consent, we record limited on-page interactions (clicks, scrolls, page transitions, form field focus and blur events) across our site, after you grant Analytics consent in the cookie banner, so we can diagnose technical issues and improve the shopping experience. We do this using open-source software (rrweb) hosted on our own EU servers — no third-party analytics provider receives this data.

What we never record:

The contents of any form field — email, name, phone, address, notes, etc. are always masked as asterisks in the recording.
Payment card or bank details — these are entered into isolated payment widgets (Stripe, Montonio) that we cannot see into.
Interactions before you grant consent — the recorder does not start, and no rrweb code is loaded, until you accept the Analytics toggle.

Storage and retention: Recordings are stored encrypted in our EU cloud infrastructure, retained for 90 days, and then automatically deleted. Access is restricted to authorised staff for debugging purposes only.

Legal basis: Your consent (GDPR Art. 6(1)(a)), given via the "Analytics" toggle in the cookie banner. You can withdraw consent at any time by revoking analytics consent in the cookie banner; future recordings will stop, and if you want past recordings deleted sooner than the 90-day cycle, contact support@maxfit.ee.

You can manage your preferences in the cookie consent banner that appears on your first visit. You can withdraw consent at any time by clearing your browser's localStorage.

10. Security Measures

We implement industry-standard security measures to protect your personal data:

Encryption: All data in transit is encrypted using HTTPS/TLS. Passwords are hashed using BCrypt (strength 10).
Access Controls: Role-based access control (RBAC) limits who can access your data.
Authentication: Secure JWT-based authentication with short-lived tokens (15 min access, 7 day refresh).
Tokenization: Payment card data is processed by Montonio; we never store full card numbers.
Monitoring: Continuous security monitoring and logging to detect unauthorized access.
Regular Audits: Regular security audits and penetration testing.

While we take all reasonable precautions, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that may adversely affect your rights and freedoms, we will:

Notify the Estonian Data Protection Inspectorate within 72 hours (GDPR Art. 33)
Notify affected users without undue delay if the breach poses a high risk (GDPR Art. 34)
Provide information about the nature of the breach, potential consequences, and mitigation measures

12. Children's Privacy

Our Website is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact support@maxfit.ee, and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page
Updating the "Last Updated" date
Sending an email notification for significant changes (if you have an account)

Your continued use of the Website after changes constitutes acceptance of the updated policy.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Fit Labs OÜ
Email: support@maxfit.ee
Website: maxfit.ee
Address: Harju maakond, Tallinn, Mustamäe linnaosa, Pöörise tn 7-51, 13520, Estonia