Changes to privacy notice

Personal privacy is important to Elsavie and we update this privacy policy regularly. The version published on our website is always the latest version.

Last update: 18.03.2024

Privacy notice

We want you to understand how and why Elsavie OÜ (“we” or “us”) collects, uses, and shares information about you when you use our site, fill in our questionnaires, sign up to an account with us or purchase our products or services online (collectively, the “Services”) or when you otherwise interact with us or receive a communication from us. This Privacy notice applies to all of our Services.

Who is the controller of your data?

The data “controller" means the entity that will make the decisions about how your data is used and that is responsible for deciding how it holds personal information about you. Elsavie OÜ (registry number 14991039) Laki tn 4, Tallinn 10621, Estonia is the controller for all personal data referred to in this Privacy Notice unless otherwise explicitly stated. The controller can be contacted on info@elsavie.com 

What type of personal data we process?

Personal data – first and last name

Contact data – phone number, e-mail address, home address;

Health data – your responses when you fill in the health questionnaires on our website or account, microbiome results

Invoice data – data that is on the invoices when purchase services or products from us;

Internet data – to enable a better service in our e-shop we use cookies on our website and e-shop.

Why do we process your data?

We process your personal data because you have given us your consent, for the performance of a contract with you, in our legitimate business interest or to comply with legal obligations.

  • Processing data based on your consent

When we ask for your consent, we only process what you have consented to. We will be very clear asking consent for specific purposes and you are not obliged to consent to any of the Services but sometimes it means we cannot deliver a Service to you. When you give consent you have a right to withdraw your consent at any time by using unsubscribe in the messages, deleting your account or writing to info@elsavie.com. When you withdraw consent, we will delete the data we are processing with your consent.

Purpose of processing

Personal data categories

Creating an account on Elsavie

Personal data, Contact data

Newsletter

Personal data, Contact data

Cookies

Internet data

Feedback left by the customers for advertising purposes.

We will obtain your consent by contacting you on the e-mail you provided us when you left a comment.

  • Data processing required for performance of a contract.

Data processing is necessary for performance of a contract concluded with you or for taking measures required prior to signing of the contract  which in Elsavie’s case is purchasing our services or products from our e-shop.

Purpose of processing

Personal data categories

Purchases in the e-shop

Personal data, Invoice data

Providing response to filled in questionnaires and microbiome test data

Personal data, Contact data, Health data

Collecting reference group for microbiome testing results

Health data

  • Processing to fulfil Elsavie’s legal obligations

Legal obligations of processing include all personal data processing under relevant laws and regulations in all of our locations for example Accounting Act in Estonia.

Purposes of processing

Personal data categories

Invoice data

Personal data, Contact data, Invoice data

Responding to public authorities’ and state institutions’ information requests

Contact data

 

  • Data processing based on our legitimate interest

A legitimate interest means that data processing is necessary for our business purposes. You have the right to object to processing based on legitimate interest, if you consider that processing of your data for the following purposes breaches your privacy and data protection rights.

Purpose of processing

Personal data categories

Marketing activities

Contact and internet data

Do we make any automated decisions?

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. Elsavie doesn’t make any automated decisions that can have legal or material consequences to you.

What are your rights?

  • Right of access

You have the right to receive information about what data we process about you. To receive a copy of what personal data we hold about you contact us on the e-mail below.

We have a legal obligation to make sure that a person requesting information about themselves is indeed the person who has the right to receive the data. For this reason, you may have to prove your identity or right to request the data.

  • Right to erasure

You have the right to request deletion of your personal data. Please keep in mind that we cannot delete any data that we process to fulfil contractual or legal obligations.

Users of the Gut Health Tracking & Insights application have the option to delete their account by navigating to the 'User Account' section in the top menu of the application's landing screen, proceeding to 'Account Settings,' and selecting 'Delete Account'.

Users of the Tervisekoto health account have the ability to delete their account within the "Account Settings" section (https://app.elsavie.com/en/account-settings).

  • Right to rectification

You have the right to ask us to rectify personal information you think is inaccurate. This could also include the right to ask us to complete information you think is incomplete.

In some circumstances and subject to certain exceptions, you may have the right to ask us to erase your personal information. We cannot erase any data that we have a legal obligation to process.

  • Right to restrict processing

In certain circumstances, you have the right to ask us to restrict the processing of your information.

  • Right to object to the processing of your personal information

You have the right to object to the processing of your information. The right to object to the processing of personal information is most commonly used by individuals when asking a business to cease direct marketing.

  • Right to data portability

You have the right to data portability which means that if technologically possible we can forward your data in a digital format to other similar services.

To exercise any of the aforementioned rights via e-mail to: info@elsavie.com.

  • Right to complain to Data Protection Inspectorate

In case you consider your privacy and data protection rights breached you have the right to lodge a complaint to a Data Protection regulator at locations where we operate.

Who else processes Your data in addition to us?

Your personal data is accessible only to those Elsavie employees who need the data to perform their work duties (on so-called need-to-know basis).  Outside Elsavie and strictly limited by necessity and pursuant to the purposes of processing, Elsavie forwards data to the following categories of data processors:  

  • service provides such as (not a complete list and subject to change): IT maintenance service provider, server housing, email server provider, website administrator, nutrition councellors auditor, lawyers;
  • if legally obliged, your data to public authorities and institutions (e.g. police, courts, alarm centre, Data Protection Inspectorate).

We have concluded a data protection agreement with our partners to ensure secure and lawful processing of personal data. These contracts oblige the other parties to:

  • take appropriate measures to ensure confidentiality and security of the personal and
  • process personal data in compliance with legal requirements and the agreement.

We do not store or transfer your data outside the European Economic Area or to countries without the European Commission’s adequacy decision.

How long do we retain Your personal data?

Your personal data is retained for as long as required by legal requirements or until the purpose of processing is fulfilled. Below are some examples of data retention periods:

Retention period

Examples

Until withdrawal of consent for processing

We delete the data that we process based on your consent immediately after you withdraw the consent.

30 days after you delete your profile on Elsavie or 12 months after your last communication with us

We delete the data of the account you created

7 years

All accounting base documents such as, investment transactions, invoices and bills.

 Security of your personal data

Elsavie employs necessary legal, organisational, physical and technical security measures to protect your personal data. Some examples of the measures we use:

Physical measures – the offices are locked and paper-based documents containing personal data are stored in locked cabinets.

Technical measures – computers are password protected and encrypted as necessary; firewalls and antivirus programmes are in use; backups are done regularly; all IT system users are assigned roles and profiles.

Organisational means – data protection, information security and access management policy; regular employee training, confidentiality requirements for employees.

Cookies

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.

At Elsavie we only use cookies to monitor the performance of our website and to improve your shopping experience.

Cookie type

Purpose

Retention period

Facebook connect

Facebook Connect lets you use your Facebook ID and password to sign-in to third-party sites.

2 years

Facebook _fbp

This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.

3 months

Stripe

__stripe_mid

__stripe_sid

Stripe sets these cookies to process payments.

1 year

30 minutes

Google Analytics _ga

Calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

2 years

Google Analytics _gid

Stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

1 day

Klaviyo __kla_id

Cookie set to track when someone clicks through a Klaviyo email to a website.

2 years

Hotjar

_hjFirstSeen

_hjAbsoluteSessionInProgress

Stores a true/false value to identify a new user’s first session or the first pageview session of a user respectively.

30 minutes

Hotjar

_hjIncludedInSessionSample

_hjIncludedInPageviewSample

Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit or site's pageview limit respectively.

2 minutes