This privacy policy (hereinafter the “Privacy Policy”) governs how Zone Media OÜ (hereinafter „Zone”/”us/we/our”) gathers and uses personal data. We always aim to protect the privacy of our client’s and other data subjects (together herein after “you”). Please read this Privacy Policy as it contains important information about the processing of your personal data. If you do not wish for your personal data to be processed as described in the Privacy Policy, you must not use our service nor website. This Privacy Policy applies to all of our services and to our online activities incl., processing in connection to our website and social media. If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

  1. DEFINITIONS
    Definitions are terms often used in the Privacy Policy. Definitions are defined in this Section of
    the Privacy Policy or in the text of the Privacy Policy.

    1. Personal data protection terms have the same meaning as defined here or in the General
      Data Protection Regulation (2016/679) (hereinafter the “GDPR”).
    2. Terms that are not defined in the Privacy Policy nor the GDPR are defined in our terms
      and conditions (see on our website “Contracts and Terms of Use”).
    3. Client means the legal person or natural person using our Service.
    4. Cookies mean data files stored in the Visitor’s device upon visitation of the Website
      according to the selection made. More information about the use of Cookies by us can
      be found via the Cookie solution on our Website.
    5. Contract means any contract entered into between us and a Client or any other data
      subject, incl. terms of use.
    6. data subject means a natural person regarding whom we have information or
      information that can be used to identify a natural person.
    7. personal data means any information relating to an identified or identifiable natural
      person i.e., data subject.
    8. Privacy Policy means this text, which sets out our principles of personal data
      processing.
    9. Service(s) means services offered by us, e.g., server room services, domain name
      registration services.
    10. Usage Data means data about usage of our Service and Website i.e., data about usage of
      our Service and Website incl. technical data about device used, information about
      browser used, IP address, the pages of our Service visited, the time and date of the visit,
      the time spent on those pages, unique device identifiers and other diagnostic data and
      logs.
    11. Visitor is a person visiting our Website.
    12. Website means our website accessible via https://www.zone.ee/en/ and all its
      subdomains and where applicable also refers to our social media pages.
  2. 2. GENERAL INFORMATION AND CONTACT DETAILS
    Here you will find when the Privacy Policy applies, information about who we are, and how to
    contact us.

    1. About us. We are a private limited company Zone Media OÜ, business registry code
      10577829, address Lõõtsa 5, 11415 Tallinn, Estonia, general email info@zone.ee. We are a
      company offering different server solutions and domain name registration.
    2. Contacts. You can contact us in matters related to personal data processing by emailing our data protection officer at dataprotection@zone.eu .
    3. About the Privacy Policy. The Privacy Policy applies to personal data processing
      done by us. We have the right to unilaterally amend this Privacy Policy. We will notify
      the data subject of all important material changes on the Website or otherwise.
    4. About the Controller-Processor statuses. We offer our Service to our Clients and by
      doing so we may need to process personal data of our clients’ customers’ and other data
      subjects’. We do not define the purpose of the processing of personal data nor decide
      what personal data is processed by our Clients, e.g., when a Client uses our server room
      services. For such cases we are the processor of personal data and our Clients are the
      controllers. We are controllers of personal data when processing personal data of our
      Client’s (if natural person) or our Client’s employees’ and representatives’ when
      providing our Service(s) (e.g., doing accounting, providing customer support).
    5. Other links/apps etc. Please note, that the links on our Website may lead to media
      that is governed by privacy terms of the respective service providers’, and not by this
      Privacy Policy. We are not responsible for anything on those other websites. Processing
      of your personal data on our social media channels by providers of those platforms is
      done according to the privacy terms of relevant platform.
  3. PRINCIPLES OF PERSONAL DATA PROCESSING
    Here you will find the key principles that we are always guided by when processing your
    personal data.

    1. Compliance and aim. Our aim is to process personal data in a responsible manner
      where we are able to demonstrate the compliance of personal data processing with the
      purposes set and the applicable regulations.
    2. The principles. All our processes, guidelines and activities related to personal data
      processing are based on the following principles: lawfulness, fairness, transparency,
      purposefulness, minimisation, accuracy, storage limitation, integrity, confidentiality, and
      data protection by default and by design.
  4. INFORMATION WE PROCESS
    Here you can find categories of data subjects and personal data we process.

    1. Categories of Data Subjects. Generally, we may process personal data of the
      following data subjects:
      (a) our Client’s (if natural person) and
      (b) our Client’s representatives and employees;
      (c) representatives of our cooperation partners;
      (d) our employees or contractors;
      (e) Website Visitors;
      (f) our Client’s clients and other data subjects.
    2. Collection of Personal Data. We collect the following types of personal data:
      (a) Personal data disclosed to us by the data subject (e.g., data submitted for the
      purpose of entering into contract or obtaining information about our Service(s).
      Usually – name, contact details, e-mail address, data sent or made available to us on
      our social media by the data subject);
      (b) Personal data resulting from standard communication between us and the data
      subject (e.g., correspondence regarding the Service(s));
      (c) Personal data resulting from the consumption and use of Service(s);
      (d) Personal data resulting from visiting and using the Website;
      (e) Personal data obtained from third parties (e.g., when verifying identity of the
      Client);
      (f) Personal data provided to us by our Client when Client uses our Service(s) (Zone is
      a processor);
      (g) Personal data generated and combined by us (e.g., correspondence within the
      context of Client relationship, user activity analytics).
    3. Data we process as a Controller. As a controller we mainly process the following
      personal data:
      (a) About Visitors – data gathered from use of Website incl., by Cookies (if enabled);
      (b) Our Client’s representatives or Client (if natural persons) identification data –
      name, date of birth, ID-code, ID document data and copy (if used for identification),
      position and authorisation;
      (c) Client’s and representatives’ contact data – e-mail, phone nr, address, server user
      names;
      (d) Client’s and representatives’ Service usage and preferences data – language
      preferences, Usage Data, Contract data (incl., service plan), billing information;
      (e) Client’s and representatives’ communications – communications with us (sms, chats,
      calls);
      (f) Client and representatives on video recording (if any) e.g., when they visit our
      premises (they on the surveillance recording);
      (g) Client’s payment behaviour data – payments and claims data gathered in the course
      of accounting;
      (h) Client’s and representatives’ other data – e.g., provided in satisfaction surveys in
      feedback.
      We are not controllers for personal data inserted to our systems by our Clients and their
      representatives in their own service provision (e.g., data on their servers, incl., files, logs
      etc.).
      Contact us if you need more precise information on your personal data processing.
      Please note that in case where we are the processor, we redirect you to your data
      controller if you have provided us with necessary information.
  5. GENERAL PURPOSES, GROUNDS FOR, AND ACTIVITIES OF PROCESSING
    Here you will find information about the purposes and grounds for processing of your personal
    data.

    1. Consent. Based on consent, we process personal data precisely within the limits, to the
      extent and for the purposes for which the data subject has given their consent. The data
      subject’s consent must be freely given, specific, informed, and unambiguous, for
      example, by ticking the box on the Website. Please note that you have the right to
      withdraw your consent at any time. Withdrawal of consent will not influence the
      rightfulness of personal data processing done under the consent before the withdrawal
      of the consent.
    2. Entry into and performance of a Contract. Upon entering into and performing a
      Contract, we may process personal data for the following purposes:
      (a) taking steps prior to entering into a Contract, which are necessary for entering into
      a Contract or which the data subject requests (e.g., data marked at clause 4.34.3.1(b),
      c and e are used);
      (b) identifying you to the extent necessary for entering into and performing a Contract
      or taking steps to enable usage of our Service (e.g., data marked at clause 4.34.3.1(b),
      c and e are used);
      (c) performing the obligations assumed (e.g., billing) (e.g., data marked at clause
      4.34.3.1(b), c and d are used);
      (d) communicating with you, incl. sending information and reminders about the
      performance of the Contract or about the usage of the Service (e.g., data marked at
      clause 4.34.3.1(b), c, d and e are used);
      (e) protection of rights and claims (depending on the data all gathered data may be
      used);
      (f) to detect, prevent and address technical issues (depending on the issue all gathered
      data may be processed);
      (g) to provide customer support (mainly data marked at clause 4.34.3.1(b) and e are
      used);
      (h) to provide and maintain our Service, incl. monitor usage of our Service and
      Website (mainly Usage Data is used, but all data may be processed);
      (i) to notify you about changes to our Service or to give you other Contract/Service
      related notice (mainly data marked at clause 4.34.3.1(b) and c are used).
      Please note that exact purpose and grounds may also be defined in the terms and
      conditions and/or Contract.
    3. Legal obligation. We process personal data to comply with a legal obligation in
      accordance with and to the extent provided by law. For example, obligations from
      Cybersecurity Act when reporting or investigating an incident; obligation to retain
      accounting documents from Accounting Act.
    4. Legitimate interest. Our legitimate interest means our interest in managing or
      directing our activities and enabling us to offer the best possible Service. In case we are
      using legitimate interest, we have previously assessed our and your interests. You have
      the right to see conducted assessment connected to processing of your personal data.
      We may process your personal data (except special categories of personal data) based
      on legitimate interest for the following purposes:
      (a) managing and analysing a client database and Service (if not covered with the
      Contract) to improve the availability, functions and quality of Service(s), e.g., using a
      CRM or analytics solutions to enable the foregoing (mainly identification data and
      contact data is used);
      (b) development of our Service and Website (mainly anonymous; however,
      depending on the development all data may be used);
      (c) ensuring a better client/user experience, to provide higher quality Service(s);
      we may monitor the usage of our Service and Website, analyse identifiers and
      personal data collected when our Website, Service, our social media pages and
      other sales channels are used, and we may collect statistics about Clients, users and
      Visitors; and Usage Data may be processed;
      (d) organizing campaigns, incl. organising personalised and targeted campaigns. The
      terms and conditions of campaigns are set out separately;
      (e) sending offers/information to the Client or potential client if the respective
      person has previously purchased or shown interest in a similar product, and if such
      processing is allowed in respective jurisdiction. In this case, the person is always
      guaranteed to have a simple opportunity to resign from the communication, and we
      have considered our and the (potential) client’s interests;
      (f) conducting satisfaction surveys and measuring the effectiveness of marketing
      activities performed (contact data is used and service usage general data e.g., what
      service what package);
      (g) making recordings and logging; we may record messages and orders given both
      in our premises and using means of communication (e-mail, phone etc.) as well as
      information and other activities we have performed. If necessary, we use these
      recordings to prove orders or other activities;
      (h) technical and cyber security reasons, for example measures for combating
      piracy and ensuring the security of the Website as well as for making and storing
      back-up copies and preventing/repairing technical issues (depending on the issue
      all data may be processed);
      (i) processing for organisational purposes, foremost for management and
      processing of personal data for internal management purposes (but also audits and
      other potential supervision), including for processing the personal data of Clients or
      representatives (mainly general service usage and Client data);
      (j) establishing, exercising or defending legal claims, incl. assigning claims to, for
      example, collection service providers, or using legal advisors (depending on the
      claim/issue all data may be processed);
      (k) If you have given us information about not sending you a certain type of
      information – retaining the information about such prohibition.
    5. New purpose. Where personal data is processed for a new purpose other than that for
      which the personal data are originally collected or it is not based on the data subject’s
      consent, we carefully assess the permissibility of such new processing. We will, in order
      to ascertain whether processing for a new purpose is compatible with the purpose for
      which the personal data are initially collected, take into account, inter alia:
      (a) any link between the purposes for which the personal data are collected and the
      purposes of the intended further processing;
      (b) the context in which the personal data are collected, in particular regarding the
      relationship between the data subject and us;
      (c) the nature of the personal data, in particular whether special categories of personal
      data are processed or whether personal data related to criminal convictions and
      offences are processed;
      (d) the possible consequences of the intended further processing for data subjects;
      (e) the existence of appropriate safeguards, which may include encryption or
      pseudonymisation.
  6. TRANSFER AND AUTHORISED PROCESSING OF PERSONAL DATA
    Here you will find information about the transfer and authorised processing of personal data.

    1. Usage of cooperation partners. We cooperate with persons to whom we may
      transmit data, including personal data, concerning the data subjects within the context
      and for the purpose of that cooperation. We may have different type of controllerprocessor-sub-processor relationships with those cooperation partners. When
      transferring personal data to third parties (generally our cooperation partners), we
      comply with the applicable data protection requirements.
    2. Requirements for the usage of cooperation partners that are our
      (sub-)processors. Such third parties may include, among other, advertising and
      marketing partners, payment service providers, customer satisfaction survey companies,
      advisers, IT partners, i.e., service providers for various technical services, provided that:
      (a) the respective purpose and processing are lawful;
      (b) personal data is processed pursuant to the instructions of the controller and on the
      basis of a valid contract.
    3. We are using following co-operation partners: https://zone.ee/static/Zone-EE-2023-06-
      Personal-Data-Processing-ENT.pdf.
    4. Other transfers. In other cases, we may transmit your personal data to third parties
      provided that we have your consent or a legal obligation or there is an exception in the
      event that the transfer is necessary to protect your vital interests.
    5. Transfers outside the EEA. Please note, that our server rooms are in EU. But for our
      other activities, we may use service providers/co-operation partners from outside EEA.
      Such transfer is only commenced if requirements from the GDPR Chapter V are met
      (e.g., adequacy decision or EU SCC). We usually use EU standard contractual clauses for
      transferring your personal data outside of the EEA. We will take all the steps reasonably
      necessary to ensure that your data is treated securely and in accordance with this
      Privacy Policy and no transfer of your Personal Data will take place to an organisation
      or a country unless there are adequate controls in place including the security of your
      data and other personal information. You can find more information under our
      (sub-)processor list (see clause 6.3).
    6. Other disclosures. We may disclose personal data also on the following cases:
      1. For Law Enforcement. Under certain circumstances, we may be required to
        disclose your personal data if required to do so by law or in response to valid
        requests by public authorities. We always assess the lawfulness of information
        requests before disclosing any personal data.
      2. For Information Security Reasons. If it is necessary and proportionate for
        ensuring network and information security by public sector authorities, Computer
        Emergency Response Teams (CERT), Computer Security Incident Response Teams
        (CSIRT), providers of electronic communications networks and services, and
        providers of security technologies and services.
      3. For Business Transactions. If we or our subsidiaries are involved in a merger,
        acquisition or asset sale, your personal data may be transferred.
  7. STORAGE AND SECURITY OF PROCESSING PERSONAL DATA
    Here you will find a description of how we protect your personal data and for how long we
    store personal data.

    1. Storage. If we are the controller of personal data, we comply with the purpose of
      processing, limitation periods for potential claims in the event of filing claims, and
      storage periods provided for in the law. We store personal data as long as need
      depending on the purpose of the processing. Client data is generally retained, for the
      duration of the period of validity of the Contract and additional 3 years for protection of
      possible claims. Certain personal data is stored depending on the requirement deriving
      from applicable law e.g., 7 years accounting data, 10 years data of employment
      contracts. Personal data for which the storage period has expired are destroyed or made
      anonymous. Personal data for which we are processor are retained as instructed by the
      controller.
      Please note that data that is retained on our severs by our Client will be deleted in the
      end of Client relationship (there is a 14 day backup).
    2. Security measures. We have established guidelines and rules of procedure on how to
      ensure the security of personal data through the use of both organisational and technical
      measures. Zone systems aligned with the ISO27001:2014 standard. Among others, we do
      the following to ensure security and confidentiality:
      (a) We have access-level management system in use;
      (b) We process the personal data transferred to us only for the purpose and to the
      extent necessary for providing the Website and/or Services; and other purposes
      laid out in this Privacy Policy;
      (c) we use software solutions that help ensure a level of security that meets the market
      standard.
    3. Incident. In the event of any incident involving personal data, we do our best to
      mitigate the consequences and alleviate the relevant risks in the future. We will follow
      notice requirements of the GDPR.
  8. GDPR DATA PROTECTION RIGHTS
    Here you can read about your rights in connection to your personal data.

    1. We would like to make sure you are fully aware of all of your data protection rights.
      Every data subject is entitled to the following rights (under certain preconditions):
      (a) The right to access – you have the right to access and to request copies of your
      personal data.
      (b) The right to rectification – you have the right to request that we correct any
      information that is inaccurate.
      (c) The right to erasure – you have the right to request that we erase your personal
      data, under certain conditions (e.g., we are processing your personal data under
      your consent).
      (d) The right to restrict processing – you have the right to request that we restrict
      the processing of your personal data, under certain conditions (e.g., we are
      processing your personal data under consent).
      (e) The right to object to processing – you have the right to object to our processing
      of your personal data, under certain conditions (e.g., we are processing your
      personal data under legitimate interest).
      (f) The right to data portability – you have the right to request that we transfer the
      data that we have collected to another organization, or directly to you, under
      certain conditions.
      (g) Rights related to automated processing and profiling mean that the data subject,
      on grounds relating to their particular situation, has the right to object at any time to
      the processing of personal data concerning them based on automated
      decisions/profiling and to require human intervention. The data subject may also
      require an explanation regarding the logic of making an automated decision. For
      avoidance of doubt, even though our solution uses automatic processing (and AI),
      we do not use automated processing or profiling that has a significant effect on the
      data subject or their rights.
      (h) The right to file a complaint – you have the right to file a complaint with us or
      supervisory authority or court if you think that your rights in connection to
      personal data have been infringed. We kindly ask you to contact us first for
      finding a solution. If needed our data protection supervisory authority is Office of
      Data Protection Inspectorate (Andmekaitse Inspektsioon) contacts can be find:
      https://www.aki.ee/en/contacts.
    2. Responses and additional information. If you make a request connected to personal
      data processing, we have one month to respond to you. If you would like to exercise
      any of these rights or need more information on your rights, please contact us. Please
      note, that we may need to identify you before granting you any of the rights connected
      to your personal data.
  9. CHILDREN’S INFORMATION
    1. We as controllers do not knowingly collect any personal data from children under the
      age of 18. If we find out that we have obtained data of children, we will delete such data
      immediately or seek approval from legal guardian or parent. In case where we are a
      processor all grounds for processing derive from our Client.
  10. CHANGES
    1. The latest changes and entry into force of the Privacy Policy:
      Publication: June 2023
      Entry into force: June 2023
      Key changes: 1 st version of new Privacy
      Policy; previous privacy policy can be found here:
      https://www.zone.ee/en/terms-of-use/privacy-notice/