Last updated: 01.09.2025
Yaga OÜ, registry code 14203706, postal address Erika 15-17, Tallinn 10416, e-mail address support@yaga.ee processes the data of persons who use the virtual shopping and selling platform online (www.yaga.ee) or in a mobile application (hereinafter the Platform or Yaga).
GENERAL PROVISIONS
Yaga ensures that the processing of personal data complies with personal data protection and security legislation (including the General Data Protection Regulation of the European Union, hereinafter referred to as the "GDPR"), other personal data protection legislation and good business practices.
Yaga considers the privacy of individuals and the protection of personal data a priority and takes all possible measures to guarantee the security and safety of the platform.
DEFINITIONS
User means a person who creates an account on the Platform or uses the services offered on the Platform.
Processing of personal data means viewing, collecting, recording, storing, modifying, transmitting or receiving personal data and other operations related to personal data.
Platform means virtual buying and selling environment offered at www.yaga.ee and in the Yaga mobile application.
Services means the services provided by Yaga through the Platform for account creation, management, mediation of purchase and sale transactions and other services described in the terms and conditions of the User Agreement.
HOW YAGA COLLECTS AND USES PERSONAL INFORMATION
Yaga processes personal data that is necessary for the administration of the Platform, the creation of user accounts created on the Platform and the mediation of purchase and sale transactions.
In general, the legal basis for such an objective is to be found in Article 6(1)(b) of the GDPR. Such processing is necessary for the performance of a contract entered into with the participation of the User, i.e. for the provision of a service or for taking measures prior to entering into a contract in accordance with the User's request. In some cases, the processing of data is necessary for the purposes of legitimate interests set out in Article 6(1)(f) GDPR, provided that these interests are not overridden by the users' own rights and interests.
- Personal data collected when creating an account and using the platform
We collect and use your personal data to enable you to use our Platform, provide our services and perform our contract with you, and in particular to conduct business transactions, use the electronic payment system and communicate with other users through the Platform. To use these services, you need a Yaga account. For this, you need to register as a member on the website or app.
Yaga allows you to register an account using your existing Facebook, Google or Apple ID profile (only possible in the IO app). The data received from Google, Facebook or Apple is used to set up your Yaga account. This means that we use the profile name of your Google, Facebook or Apple ID account as the profile name of your Yaga account so that it is visible to other users of the platform.
Users can also add additional information to their profile, such as their location, social media accounts, etc.
Most of your personal data is necessary for the performance of a contract with you. If you do not provide us with this personal data, we will not be able to enter into or perform a contract with you.
Some of your data is necessary to comply with our legal obligations when you become a member of our platform. If you do not provide us with this personal data, we will not be able to comply with legal requirements or provide our services.
In order to ensure the security of the platform, prevent fraud and the sale of counterfeit goods, we also automatically collect some data about your behavior on the platform. This data is also used to improve the platform to improve the user experience for our members.
| Processing operation | Data category | Goal |
Legal basis
|
| Account creation and profile information | Google, Facebook or Apple ID, name, email address, profile photo, location with county and city accuracy |
Registering a user account on the Yaga platform, managing a user account
|
Performance of the contract |
| Contact details | First and last name, phone number |
Ensuring communication with the user by providing the necessary information about the service, billing, subscriptions
|
Performance of the contract |
|
Data on the income generated on the platform
|
first and last name; birthdate; address; personal identification code; VAT number.
|
We forward the data to the Tax and Customs Board due to the obligation arising from the DAC7 directive
|
Compliance with legal obligations
|
| Bank account details | Bank account holder's name, account number |
Getting paid out for products sold
|
Performance of the contract |
|
Data related to product delivery
|
Name, phone number, shipment tracking route |
Product delivery using shipping providers
|
Performance of the contract |
| Transactional notifications | Email address |
Notifications of orders and execution of the transaction
|
Performance of the contract |
| Messaging with other users |
The name of the user who sent the message, the pictures sent, the date and time the message was sent, information about the device from which the message was sent, whether another user has seen the message, other information shared in the message
|
Sharing information between users to fulfill an order | Performance of the contract |
| Providing user support |
Name, e-mail address, profile information, platform usage information, transaction information, content and images of messages sent to customer support, messages exchanged with other users
|
Processing of requests forwarded to the help desk | Performance of a contract, legitimate interest |
| User dispute resolution | Dispute-related information about the transaction and the user | Resolving disputes and complaints, ensuring the honesty and security of the service |
Legitimate interest, fulfilment of legal obligations
|
| Information about activities on the platform | Technical information about how our services and platform are used, including feedback provided; |
To support and improve the Platform and the services we offer
|
Legitimate interest |
|
Technical data collected automatically |
Information collected by website cookies according to user preferences |
We use cookies on our website |
Assent |
Your personal information may be used to aggregate and anonymize information about you and your use of the Service to create aggregate statistics that we may use to provide certain features of the Service and to promote and improve the Service based on our legitimate interests. In cases where the customer and/or statistical data is anonymized, we ensure that no personal data is added (meaning that no individual can be identified) and therefore the provisions of the GDPR do not apply to such processing.
To the extent required by the applicable data protection regulation, you have the right to object to the processing of your personal data based on legitimate interest.
2. Personal data collected to ensure the security of the Platform
In order to ensure that transactions on the Platform comply with the law and the User Agreement, we have the right to use technical solutions to detect fraud or prohibited activities and the sale of prohibited items on the Platform.
For advertisements of items added to the Platform, we may collect the data provided in the advertisement, including product description, images of the product.
The legal basis for such collection and use of your personal data is our legitimate interest in protecting the Platform and our members from possible falsification.
We may share photos of advertisements or other certificates of authenticity with brand owners without your personal information to verify the authenticity of certain items.
3. Marketing activities
You can sign up for our newsletter and other marketing emails ("direct marketing"). When you register, we ask for permission to use your email address to send you direct marketing that includes the latest information about our products and services, in particular about the goods, special offers and marketing campaigns available on the platform. If you do not give your consent during registration, you can change your mind at any time and agree to receive direct marketing by changing your Yaga account settings.
Such collection and use is based on your consent.
4. Compliance with legal obligations
In certain cases, we need to process personal data in order to comply with legal obligations. This includes, for example:
- accounting obligations (reporting and document storage);
- responding to requests from public authorities;
- supervisory authorities of potential and fixed breaches.
In such situations, the legal basis for processing personal data is a legal obligation imposed on us.
Who has access to my personal data?
Access to personal data is strictly needs-based and related to the fulfilment of Yaga employees' obligations arising from the employment contract or job description. In certain cases, limited access to personal data may also be granted to partners and service providers who provide us with specific services (e.g. accounting services, IT services).
To whom does yaga transfer my personal data?
Yaga transfers or shares personal data with service providers only to the extent necessary and permitted in accordance with applicable laws.
We carry out continuous technical maintenance and updates of the Platform to protect the security and confidentiality of the personal data we process and to perform certain business-related functions that help make our services accessible and functional. For this reason, we transfer your data to service providers who provide cloud and hosting services, IT security, maintenance and technical services, and communication services. In such cases, Yaga is the controller of the personal data and enters into appropriate data processing agreements with the service providers to ensure the confidentiality and security of the data.
The following service providers are established outside of the European Economic Area, which may result in the transfer of your data outside of the European Economic Area. In such cases, we will take additional measures and use service providers who are able to ensure an adequate level of security for the data in accordance with European Union law and have signed the EU Standard Contractual Clauses for the transfer of data approved by the European Commission:
- Meta Platforms Inc. (Meta)
- Zendesk Inc.
- Open AI Inc.
- Twilio Inc.
How does Yaga ensure the security of my personal information?
We have implemented information technology, organisational and physical security measures to ensure the security of personal data. Access to any personal data is strictly needs-based and workplace-based for personal data stored both physically and digitally.
Personal data is stored in a protected information system that requires logging in using a secure authentication tool, and access to personal data is regulated by user rights.
NB! Our website and platform may contain references and links to other websites, such as social media platforms, which are controlled by third parties. If you click on the relevant link or navigate to our group/profile on one of the social media platforms on your own initiative, you are located on a third party website through which the data processing is beyond our control. Therefore, we recommend that you also familiarize yourself with the privacy policies and information regarding cookies of the respective third parties.
How long will my data be stored?
We will keep your personal information secure for the lifetime of your account. We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including to comply with legal, accounting or reporting obligations or to resolve disputes.
The data required for accounting purposes are stored in accordance with applicable legislation and industry standards. Generally, at least 5 or 7 years from the end of our business relationship, respectively, but no longer than 10 years.
Information related to user account and activity on the Platform is retained until the end of the life of the account and for up to 7 years after the deletion of the account for the protection of legal interests.
Information collected through technical means such as cookies, web page counters and other analytical tools is stored for up to 3 years from the expiration of the cookie.
You can ask for more detailed information about the shelf life by data categories by sending a corresponding inquiry to support@yaga.ee.
What are my data protection rights?
In connection with the processing of personal data by Yaga, you have the following data protection rights:
| Right | What does this mean and when can this right be exercised? |
|
Right to be aware of the processing and to access the personal data being processed
|
You have the right to request information about whether and what personal data we process about you, on what legal basis and in what way. You also have the right to request the submission of a copy of the personal data processed about you. |
| Right to request correction of personal data |
You can exercise this right if the personal data we process about you is incomplete, outdated or incorrect.
|
| Right to request erasure of personal data |
You can request the deletion of personal data if: · the personal data processed is no longer necessary for the purposes of the processing; · you withdraw the consent based on which the personal data is processed; · in the case of processing based on legitimate interest, your rights and interests outweigh those of Yaga;
|
| Right to restrict the processing of personal data |
You can request the restriction of the processing of personal data if: · you contest the accuracy of the personal data; · you object to the processing of personal data on the basis of legitimate interest; · it appears that there is no legal basis for processing personal data, but you do not want the personal data to be deleted; · you need personal data to establish, exercise or defend a legal claim.
|
| Right to object |
If the legal basis for processing your personal data is our legitimate interest, you have the right to object to the respective processing of personal data. You also have the right to object to any automated decision-making by us and to the processing of personal data related to direct marketing.
|
| Right to portability of personal data |
Where we process your personal data on the basis of consent or on the basis of a contract, you have the right to request that we provide you with the relevant personal data in a structured, commonly used and machine-readable format. If technically feasible, you also have the right to request that we transfer the personal data to another controller referred to by you.
|
| Right to withdraw consent |
If the legal basis for processing your personal data is consent, you have the right to withdraw such consent at any time. Please note that the withdrawal of consent does not, however, affect the lawfulness of data processing based on a prior, valid consent.
|
NB! Data protection rights are not absolute, and for each request we must assess whether, and to what extent, the applicable laws and the rights of other data subjects allow us to fulfil your request.
What should I do if I have questions or would like to file a complaint about the processing of personal data?
If you have any questions or complaints related to the processing of personal data, please feel free to contact us via the e-mail address support@yaga.ee. We respond to inquiries within one month of receiving your question or complaint. If it is not possible to respond to the application within one month, we may extend the deadline for responding by two months by notifying you of the extension of the deadline and the reason for it within one month of receipt of the application.
If you do not agree with our response, you have the right to file a complaint with the Data Protection Inspectorate (address: Tatari 39, Tallinn 10134; e-mail: info@aki.ee; phone: +372 627 4135).
Is the content of the Privacy Policy subject to change in the future?
We are constantly striving to ensure that both our data processing and the related documentation are simple, clear and transparent, and comply with all legal requirements and best data protection practices. Accordingly, we regularly update and improve the Privacy Policy, and notify all users of updates via the contact details provided to us or via the platform.
You can always find the most up-to-date version of the Privacy Policy on our website and platform.