Privacy policy

1. Data controller

This privacy policy applies to the processing of personal data in connection with the website www.avelg.ee. A-Velg OÜ is the controller of the personal data collected within the meaning of the General Data Protection Regulation (GDPR).

For privacy questions, please contact us at the email address above.

2. Data we collect

We collect and process personal data only to the extent necessary to provide our services and to comply with our legal obligations. Depending on which features you use, we may process the following categories of data:

• Account data: first and last name, email address, phone, saved addresses.
• Order data: products ordered, quantities and prices, delivery method and address, an alternate recipient if applicable, payment method and payment reference, and — for business customers — registry code and VAT number, plus vehicle information where relevant.
• Service-booking data: the chosen service and time slot, the vehicle’s registration plate and vehicle information, contact details, and any special conditions or comments.
• Contact-form data: name, email, phone, the topic of the enquiry and the content of the message.
• Newsletter subscription data: email address.
• Plate-lookup logs: the IP address of the request, the queried registration plate, country and request status (kept for security and abuse-prevention purposes).
• Technical logs: IP address, browser and device information, error logs and request statistics.

Providing personal data is generally voluntary, but if certain data is missing (for example data needed for payment and delivery) we will not be able to provide the relevant service.

3. Use of data

We use your personal data for the following purposes:

• Receiving, processing and shipping orders, mediating payments and issuing invoices.
• Booking services, confirming bookings, sending reminders and providing the service on site.
• Customer support: answering enquiries and complaints, handling returns and warranty cases.
• Accounting and complying with statutory tax and bookkeeping obligations.
• Maintaining the security of the website, detecting fraud and abuse, and fixing errors.
• Improving the website and our services, statistical analysis and — with separate consent — sending newsletters and marketing messages.

The legal bases for processing under the GDPR are:

• Performance of a contract or pre-contractual measures (point b) — to manage orders and bookings.
• Legal obligation (point c) — accounting and the statutory retention periods.
• Legitimate interests (point f) — site security, fraud prevention, service development and ordinary running of our business.
• Consent (point a) — analytics and session-replay cookies, the newsletter and other marketing. You can withdraw your consent at any time.

4. Cookies and local storage

We use cookies, browser local storage (localStorage) and similar technologies on the website. Below is a list of the main mechanisms, grouped by category.

Browser local storage (localStorage)

• avelg_cart — the contents of your shopping cart, so they are kept after the browser is closed.
• avelg_customer_token — your authentication token (JWT).
• avelg-cookie-consent — your accept/decline state for the cookie notice.
• Product-search preferences (e.g. vehicle and tyre size selections) to speed up your next search.

Third-party scripts (loaded only after cookie consent)

• PostHog — product and usage analytics, including session replay. Data is hosted in the European Union region.
• Google Tag Manager and Google Analytics 4 — for marketing and conversion measurement.

Always-loaded third-party content

• The Google Maps embed on the contact page — Google may store browser-side information in accordance with its own privacy policy.

You can change your choice at any time by clearing your browser cache, after which the cookie notice will appear again. You can also manage cookies through your browser’s settings.

5. Sharing with third parties

We share personal data only with such authorised processors and partners as are necessary to provide the service. An appropriate data-processing agreement is in place with each partner, and data is shared only to the extent necessary.

We do not sell your data to third parties or share it with partners for marketing purposes. We may also disclose data to law-enforcement authorities where we have a legal obligation to do so.

6. Transfers outside the EEA

Some of our partners (in particular Google and CarsXE) process data outside the European Economic Area, mainly in the United States. In such cases the relevant service provider ensures the protection of the data on the basis of an European Commission adequacy decision (e.g. the EU–US Data Privacy Framework) or standard contractual clauses (SCCs).

For PostHog we use the EU regional instance (eu.i.posthog.com) where possible, so that the data stays within the European Union.

7. Data retention

We keep personal data only for as long as is necessary to fulfil the purpose of the processing or to comply with our legal obligations. The main retention periods are:

• Account data: until you request the deletion of your account (info@avelg.ee).
• Order and invoice data: 7 years, in accordance with § 12 of the Estonian Accounting Act.
• Service-booking data: 3 years from the booking date (to handle any subsequent claims).
• Contact-form messages: up to 2 years from resolution of the enquiry.
• Newsletter data: until you unsubscribe.
• Plate-lookup logs: 180 days, after which they are deleted automatically.
• Email-verification and password-reset tokens: 24 hours.
• Authentication JWT: 7 days.
• Analytics data (PostHog and, where applicable, GA4): according to the service provider’s defaults and our project settings; session replay is kept no longer than is necessary for product development.

After the relevant retention period has expired, the data is deleted or anonymised.

8. Security

We apply appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, alteration, disclosure or access. The website uses an encrypted HTTPS connection, passwords are stored only as hashes, and failed login attempts trigger protective safeguards.

Internally we apply need-to-know access — only authorised employees and authorised processors have access to the database and back-end systems.

9. Your rights

Under the General Data Protection Regulation (GDPR) you have the following rights:

• Right of information and access to your data (Article 15).
• Right to request rectification of inaccurate data (Article 16).
• Right to request erasure of data, where we have no other legal basis for retaining it (Article 17).
• Right to request restriction of processing (Article 18).
• Right to data portability — to have your data transferred to another service provider (Article 20).
• Right to object to processing based on legitimate interests, and to withdraw consent at any time (Articles 21 and 7(3)).

To exercise your rights, contact us at info@avelg.ee. We generally respond to your request within 30 days. Where necessary we may ask for additional information to verify your identity.

You always have the right to lodge a complaint with the Estonian Data Protection Inspectorate (https://www.aki.ee).

10. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our activities and the applicable law. Each updated version is published on this page with a new effective date; for material changes we will notify logged-in users by email.