Privacy Policy

Last updated: 14 May 2026

This Privacy Policy explains how AP9 Engineering OÜ (“AP9 Engineering”, “we”, “us”) collects, uses, and protects your personal data when you visit ap9engineering.com (the “Site”) or make a purchase from us.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Estonian Personal Data Protection Act (isikuandmete kaitse seadus).

1. Data Controller

  • Company: AP9 Engineering OÜ
  • Registry code: 14182238
  • Address: Ülejõe tn 7/1, Uusküla, 79530 Rapla vald, Rapla maakond, Estonia
  • Email: info@ap9engineering.com
  • Phone: +372 5811 7902

For any question about this policy or your personal data, contact us at info@ap9engineering.com.

2. What Data We Collect And Why

When you place an order

Data collected:

  • Identification and contact: name, email address, phone number, billing and shipping address.
  • Order details: products purchased, quantities, order value, order date, and order number.
  • Payment data: processed by our payment providers (LHV Pank, PayPal, Google Pay, Apple Pay). We do not see, receive or store your full card number or bank-login credentials.

Why we collect it: to perform the sales contract with you, process payment, ship or arrange the delivery of your order, and comply with our tax and accounting obligations.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)).

When you create a customer account

Data collected:

  • Username, email address, encrypted password (stored in hashed form), and any profile details you voluntarily provide.
  • Order history associated with your account.

Why we collect it: to let you manage orders, addresses, and preferences.

Legal basis: performance of a contract (Art. 6(1)(b)).

When you contact us

Data collected:

  • Your name, email address, phone number (if provided), and the contents of your message.

Why we collect it: to respond to your enquiry and, where relevant, to handle pre-contractual or contractual matters.

Legal basis: our legitimate interest in handling customer communication (Art. 6(1)(f)), or performance of a contract where relevant.

When you visit the Site

Data collected:

  • IP address, browser type and language, device type, operating system, referring URL, pages visited, and time spent on the Site — collected via cookies and Google Analytics 4 (subject to your consent).

Why we collect it: to keep the Site secure, diagnose technical issues, and understand how visitors use the Site.

Legal basis: our legitimate interest in operating and securing the Site (Art. 6(1)(f) GDPR); and for non-essential analytics and marketing cookies, your consent via the cookie banner (Art. 6(1)(a) GDPR).

Newsletter (not currently active)

We do not currently operate a newsletter. If we introduce one in the future, we will collect your email address on the basis of your consent (Art. 6(1)(a)) and you will be able to unsubscribe at any time via the link in every email.

3. Who We Share Your Data With

We share personal data only with the service providers we need to run the shop. Each of them acts as a data processor and is bound by a data processing agreement.

ProcessorPurposeLocation
Veebimajutus OÜWebsite hostingEstonia (EU)
Omniva (Eesti Post AS)Shipping and parcel deliveryEstonia (EU); may use partner carriers internationally
LHV Pank ASCard and bank-link paymentsEstonia (EU)
PayPal (Europe) S.à r.l. et Cie, S.C.A.PayPal paymentsLuxembourg (EU)
Apple Inc. / Google LLCApple Pay / Google Pay tokenised paymentsEU and USA (Standard Contractual Clauses)
Google Ireland LimitedGoogle Analytics 4 and Site Kit (website analytics)Ireland (EU); data may be transferred to the USA under SCCs
Automattic Inc. / WooCommerceE-commerce platform functionalityUSA (Standard Contractual Clauses)

We may also disclose personal data to the Estonian Tax and Customs Board, accountants, auditors, or legal advisors where required by law, and to courts or public authorities in response to a lawful request.

We do not sell your personal data to any third party.

4. International Transfers

Some of our processors (e.g. Google, Automattic) are based outside the EU/EEA. Where personal data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) to ensure an adequate level of protection for your data.

5. How Long We Keep Your Data

  • Order and accounting data: 7 years from the end of the financial year in which the transaction occurred, as required by the Estonian Accounting Act.
  • Customer account data: for as long as your account is active. You can delete your account at any time; we will retain order data linked to your account for the accounting period above.
  • Customer support correspondence: up to 2 years from the date of last contact.
  • Website analytics data (GA4): retained for up to 14 months on Google’s servers (as configured in GA4 settings). The _ga cookie itself may persist on your device for up to 2 years; you can delete it at any time through your browser settings or cookie preferences panel.
  • Marketing consent and unsubscribe records: kept as long as needed to prove lawful processing.

6. Cookies And Similar Technologies

Our website uses cookies and similar technologies to provide essential functionality, remember your preferences, and — with your consent — to help us understand how the site is used. Full details, including a list of every cookie we set and instructions on how to change your preferences, are in our Cookie Policy.

7. Your Rights Under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, subject to our legal retention obligations.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — at any time, for processing based on consent (e.g. analytics cookies, or in the future, marketing newsletter). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email info@ap9engineering.com. We will respond within one calendar month of receipt of your request.

If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee/en.

8. Security

We apply appropriate technical and organisational measures to protect your personal data — including HTTPS/TLS encryption for all data in transit, access controls, and regular backups. No online system is completely secure, and we cannot guarantee absolute security. We take our obligations seriously and will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) of any personal data breach in accordance with GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by GDPR Article 34.

9. Changes To This Policy

We may update this policy from time to time. The “Last updated” date at the top of the page indicates the most recent version. Material changes will be announced on the Site.

10. Contact

AP9 Engineering OÜ Ülejõe tn 7/1, Uusküla, 79530 Rapla vald, Rapla maakond, Estonia Email: info@ap9engineering.com Phone: +372 5811 7902