Privacy Policy
How we collect, use, and protect your personal data when you use this store, and the rights the General Data Protection Regulation (GDPR) gives you over it.
Last updated 22 June 2026
1. Who is responsible for your data
The data controller is Mosticare OÜ, Business Register code 17360990, registered at Müürivahe tn 33-1, 10140 Tallinn, Estonia. For any privacy question, or to exercise your rights, contact us at contact@mosticare.org.
2. What data we collect
- Account data — your email address, used to create and sign in to your account.
- Authentication data — short-lived magic-link tokens we send to your email to sign you in (we use passwordless sign-in), and a session cookie that keeps you logged in.
- Order data — the products you buy, made-to-measure dimensions you enter, your delivery and billing address, and order history.
- Payment data — handled by Stripe. We receive confirmation of payment and limited details (such as the card brand and last four digits); we never receive or store your full card number.
- Communications — messages you send us and quote requests you submit.
- Technical data — basic, privacy-respecting analytics about how the site is used (see our Cookie Policy). We do not use third-party advertising trackers.
3. Why we use it and the legal basis
- To perform our contract with you (Art. 6(1)(b) GDPR) — creating your account, processing and delivering your orders, handling returns, and providing customer support.
- To comply with legal obligations (Art. 6(1)(c) GDPR) — keeping accounting, tax, and VAT records as required by law.
- For our legitimate interests (Art. 6(1)(f) GDPR) — keeping the store secure, preventing fraud, and improving the site through aggregate analytics, balanced against your rights.
- With your consent (Art. 6(1)(a) GDPR) — for any non-essential cookies or optional marketing emails; you can withdraw that consent at any time.
4. Processors we share data with
We use trusted service providers who process personal data only on our instructions, under a data-processing agreement:
- Stripe (Stripe Payments Europe, Ltd.) — payment processing and VAT calculation.
- Amazon Web Services — Amazon SES — sending transactional and account emails (order confirmations, magic-link sign-in).
- Neon (Neon, Inc.) — the managed PostgreSQL database that stores your account and order records.
- Vercel (Vercel Inc.) — website hosting and delivery.
Where a processor transfers data outside the EU/EEA, that transfer is covered by an adequacy decision or by EU Standard Contractual Clauses. We do not sell your personal data.
5. How long we keep it
We keep your account data for as long as your account is active. Order, invoice, and tax records are kept for the period required by Estonian and EU accounting and tax law (generally seven years). Magic-link tokens are short-lived and expire shortly after issue. Analytics data is held only in aggregate. When data is no longer needed, we delete or anonymise it.
6. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the “right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable, machine-readable format;
- withdraw consent at any time, without affecting prior processing.
You can exercise the two most common rights directly from your account while signed in. You can download a copy of your data as a machine-readable file (served by the /api/account/export endpoint), and you can delete your account and associated data from your account settings (handled by the /api/account/delete endpoint). For any other request, email contact@mosticare.org.
7. Complaints
If you believe we have mishandled your data, please contact us first. You also have the right to lodge a complaint with a supervisory authority — in our case the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), or the authority in your country of residence.
8. Changes to this policy
We may update this policy from time to time. The current version is always available on this page, with the “last updated” date above reflecting the latest change.