Privacy Notice
GENERAL
This Privacy Notice (hereinafter the "Notice") provides an overview of how Armitage Labs OÜ, registry code 16977866, with the address Kreiukse road 5, Randvere 74016 Estonia (hereinafter referred to as "Creem", "we" or "us") processes the personal data of the following categories of data subjects as a data controller:
- merchants (hereinafter the "Merchant") who are natural persons and representatives of Merchants where the Merchant is a legal person, who offer products to Buyers via the service provided by us in accordance with Merchant Terms (hereinafter the "Merchant Terms");
- buyers (hereinafter the "Buyer") who are natural persons and representatives of Buyers where the Buyer is a legal person, who purchase Merchant's products via the service provided by us in accordance with Buyer Terms (hereinafter the "Buyer Terms");
- visitors of our website creem.io (hereinafter the "Website");
- visitors of our social media platforms;
- other persons whose personal data we process in the course of our normal business activities, including when they contact us (e.g. by telephone, email or other communication channels).
We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union's General Data Protection Regulation (2016/679) ("GDPR") and other data protection legislation.
In case of personal data protection related inquiries please contact us by writing to support@creem.io.
CATEGORIES AND SOURCES OF PERSONAL DATA
Personal data is any information that can be used to directly or indirectly uniquely identify you as a private individual. We process the following categories of personal data, including its collection, use, storage, and transmission:
Merchant data: name, e-mail address, bank account details, payout data, product information, account verification documentation. Where the Merchant is a legal person, this also includes the representative's name and the connection to a legal person, such as legal person's name and registry code ("Merchant Data").
Sources of data: we receive the data directly from the Merchant upon registration and verification of an account on our service.
Buyer data: name, e-mail address, billing address, payment details, order details. Where the Buyer is a legal person, this also includes the representative's name and the connection to a legal person, such as legal person's name and registry code ("Buyer Data").
Sources of data: we receive the data directly from the Buyer when completing a transaction through the checkout functionality on the Website.
Account data: user credentials and password of the portal designated to Merchant or Buyer ("Account Data").
Sources of data: we receive the data directly from you upon registration and verification of an account on our service.
Communication data: name, e-mail address, date, time, contents of your message ("Communication Data").
Sources of data: we receive the data directly from you when you communicate with us through e-mail, Website or other communication channels.
Marketing data: e-mail address ("Marketing Data").
Sources of data: we receive the data directly from you upon registration of an account on our service.
Social media data: name, ID, contact details, profile picture, gender, username, age, country, list of friends, list of followers, and any other information that you have agreed to share or that becomes available to us through your social media account ("Social Media Data").
Sources of data: we obtain personal data from you when you visit, follow, interact with, or otherwise engage with our social media channels. We may also collect your personal data from social media platforms (e.g. via Facebook or LinkedIn Page Insights), where we are joint controllers for such data processing. Further information on such processing is available for Facebook here, and for LinkedIn here.
Log data: data generated during visits to and use of the Website device's Internet Protocol (IP) address, your browser type and version, the webpages you visit on our Website and the time spent on each page, the time and date of your visit, your device's system activity and hardware settings ("Log Data").
Sources of data: we receive the data directly from you when you visit Website.
Device data: device type, operating system, unique device identifiers, device settings, browser type, hardware model, Internet service provider and/or mobile carrier, system configuration information and geo-location data. The data we collect may depend on the individual settings of your device and its software ("Device Data").
Sources of data: we receive the data directly from you when you visit Website.
Website usage data: data generated during visits to and use of the Website (depending on the specific cookie, this data includes, among other things, various cookie identifiers, IP address, settings, attributes). More detailed information about the cookies used on the Website is provided in Section 7 of the Notice ("Website Usage Data").
Sources of data: we receive the data directly from you when you visit Website.
LEGAL BASES AND PURPOSES OF PROCESSING PERSONAL DATA
We process your personal data for the following purposes and on the following legal grounds:
Consent
Your consent is required for the processing of personal data for the purposes outlined below. You have the right to withdraw your consent at any time by contacting us using the contact details provided in Section 1.3 of this Notice.
As far as cookies are concerned, you always have the right to withdraw your consent by changing your preferences on our Website. The withdrawal of consent does not affect the lawfulness of the processing of personal data prior to its withdrawal.
| Purpose of processing | Categories of personal data |
|---|---|
| For Website development and improvement purposes, we process data related to your recent visits to the Website for analytical purposes, in order to enhance its functionality and make the services more user-friendly. | Website Usage Data |
| For marketing purposes, we collect and process data about your visits to the Website using cookies, in order to provide you with personalized offers based on your browsing history. | Website Usage Data |
Performance of the contract
The processing of personal data is necessary for the performance of a contract to which you are a party or to take steps prior to entering into a contract in accordance with your request as a data subject.
| Purpose of processing | Categories of personal data |
|---|---|
| Taking pre-contractual measures, including pre-contractual negotiations and concluding the contracts in accordance with either Merchant Terms or Buyer Terms with natural persons | Merchant Data Buyer Data Account Data |
| Performance and management of the contract in accordance with either Merchant Terms or Buyer Terms with natural persons | Merchant Data Buyer Data Account Data |
| Termination of a contract in accordance with either Merchant Terms or Buyer Terms and management of the termination process with natural persons | Merchant Data Buyer Data Account Data |
Compliance with a legal obligation
We process your personal data in order to comply with a legal obligation, where such an obligation arises from a law or other legal act.
| Purpose of processing | Categories of personal data |
|---|---|
| Organisation of accounting, including the storage of accounting documents, for compliance with legal obligations related to financial reporting and record-keeping. | Merchant Data Buyer Data |
| Compliance with legal or regulatory obligations or requests | All data categories |
Legitimate interests
For these purposes, we process your personal data based on legitimate interests. You have the right to request an explanation regarding the processing of your personal data based on legitimate interests by sending a request using the contact details provided in Section 1.3 of this Notice. You also have the right to object if you believe that the processing of your personal data for the purposes outlined below adversely affects your rights.
| Purpose of processing | Categories of personal data |
|---|---|
| Taking pre-contractual measures, including pre-contractual negotiations and concluding the contracts in accordance with either Merchant Terms or Buyer Terms with legal persons | Merchant Data Buyer Data Account Data |
| Performance and management of the contracts in accordance with either Merchant Terms or Buyer Terms with legal persons | Merchant Data Buyer Data Account Data |
| Termination of a contract in accordance with either Merchant Terms or Buyer Terms termination and management of the termination process with legal persons | Merchant Data Buyer Data Account Data |
| Creation and provision of analytics derived from Buyers' transactions to Merchants | Buyer Data (name, email address, IP address) |
| Responding to your enquiries and requests, including but not limited to providing information about our service | Communication Data |
| Sending information about our service's updates, including information about new features | Marketing Data |
| Implementing and managing access to the Website, including implementing data security measures to protect our data | Log Data Device Data |
| Diagnosing and repairing problems with the Website | Log Data Device Data |
| Managing and interacting with social media, including responding to user comments or messages and providing platform-specific visibility | Social Media Data |
| Storing information containing personal data in our backup systems | All data categories |
| Disclosure of data to service providers and professional advisers | All data categories |
| Disclosure of data to successors and/or potential acquirers | All data categories |
| Disclosure of data to public, law enforcement and supervisory authorities | All data categories |
| Analysing data as necessary to establish, exercise or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure | All data categories |
| Establishing, exercising, or defending legal claims | All data categories |
| Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof | All data categories |
Direct marketing
We process your personal data in accordance with Section 103¹ (3) of the Estonian Electronic Communications Act, which permits the use of electronic contact details for direct marketing without prior consent, provided that such details were obtained in connection with selling a product or providing a service, and that the marketing concerns our similar products or services.
| Purpose of processing | Categories of personal data |
|---|---|
| Sending newsletters and other marketing information regarding our service | Marketing Data |
RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
In certain cases, in order to comply with our legal or contractual obligations or to pursue our legitimate interests, we may need to transfer your personal data to the following categories of recipients, who process your personal data as separate controllers:
| Category | Purpose and legal basis of disclosure |
|---|---|
| Public authorities and law enforcement agencies | If necessary, we disclose your personal data to public authorities and law enforcement agencies to comply with legal obligations, court orders, or in other cases to detect and prevent unlawful activities. |
| Professional advisors | If necessary, we disclose your personal data to professional advisors, such as auditors or attorneys, to ensure the proper conduct of our business operations. |
| Successors and/or potential acquirers of the company/company | If necessary for the purposes of a company transfer, merger, or acquisition, your personal data may be disclosed to potential acquirers or successors, as well as their representatives and/or financial and legal advisors. |
| Merchants | To perform the contract with Merchants in order to offer products to Buyers via the service provided by us and to perform the contract with Buyers in order to enable access to the products. |
We may engage processors of personal data to process personal data on our behalf. These processors will have access to your personal data solely for the purpose of fulfilling a contract with us and are required to implement appropriate safeguards to ensure the protection of your personal data. The categories of processors we engage include:
| Category | Purpose and legal basis of disclosure |
|---|---|
| IT service providers | To operate our day-to-day business, our IT service providers (such as data backup and storage service providers) who manage and enable us to use the technical infrastructure may have access to your personal data. |
| Accounting service providers | To operate our day-to-day business, our accounting service providers may have access to your personal data. |
| Providers of work facilitation services | To facilitate the performance of our daily work, our service providers may have access to your personal data. |
For service providers located outside the European Union or the European Economic Area ("EU/EEA"), we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of personal data comparable to that applicable in the EU/EEA is applied to your personal data. You have the right to obtain further information about these safeguards by contacting us using the details provided in Section 1.3 of this Notice.
PERSONAL DATA RETENTION PERIOD
We retain your personal data as long as reasonably necessary to attain the objectives stated in Section 3 of this Notice, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations.
- Contractual data will be stored for 3.5 years from the termination of the contract;
- Accounting data is stored for 7 years in accordance with the provisions of the Estonian Accounting Act;
- For information about additional retention periods or the retention of a specific category of personal data, please contact us using the contact details provided in Section 1.3 of this Notice.
Following the retention period or if we no longer need the respective personal data for the purposes for which it was collected, we will delete the personal data or anonymise it, unless a longer retention period is required to perform duties or fulfil requirements arising from the legislation or to protect against ongoing or threatened disputes.
RIGHTS OF THE DATA SUBJECT
You have the right to contact us using the contact details provided in Section 1 of this Notice in order to exercise the following rights with respect to our processing of your personal data:
- The right to access your personal data, including the right to obtain a copy of your data and information about how it is being processed.
- The right to request the rectification of inaccurate or incomplete personal data that we process.
- Right to erasure of personal data ("right to be forgotten"), for example, if the data is no longer necessary for the purpose for which it was collected, you withdraw your consent and no other legal basis for processing exists, or if the processing is unlawful.
- The right to request the restriction of the processing of your personal data, for example, if you contest its accuracy, the processing is unlawful, or we no longer need the data for processing purposes, but you require the personal data to establish, exercise or defend legal claims.
- The right to data portability, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller, where technically feasible, if the processing is carried out by automated means and is based on your consent or a mutual contractual relationship.
- The right to object to the processing of your personal data, for example, where the processing is based on our legitimate interests or for direct marketing purposes.
- The right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of personal data prior to the withdrawal.
- The right to contact the supervisory authority, to submit your claim to the data protection authority, e.g., in Estonia to the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at info@aki.ee or www.aki.ee.
USE OF COOKIES AND SIMILAR TECHNOLOGIES
We use all cookies, except "essential" technical cookies, with your prior consent. You always have the right to withdraw your consent by changing your preferences through our Website.
We use both first-party cookies (i.e. cookies that we have set ourselves) and third-party cookies (i.e. cookies from service providers such as Google).
The cookies we use are divided into both session cookies and persistent cookies. Session cookies are only valid while you are browsing the Website and they are automatically deleted when you close your web browser. Persistent cookies, on the other hand, are stored on your device for a specified period of time, which may be set by us or by a third party, and they expire either on a specific date or after a certain period of time.
For convenience, we have categorized the cookies used on our Website according to their purpose as follows:
Strictly necessary cookies
We use these types of cookies to ensure the functionality of basic functionalities of our Website. Without the use of these cookies, our Website would not function as intended. By law, we have the right to use such cookies without your prior consent.
Analytics cookies
We use these types of cookies to analyse your experience on our Website. These cookies allow us to collect and evaluate information about your recent visits in order to improve the functionality of the Website and make it more user-friendly. We will only use such cookies with your prior consent.
Marketing cookies
We use these types of cookies to show you advertising that is relevant to your interests. We will only use such cookies with your prior consent.
Below we have listed all the cookies that are used on our Website. You can find information here about their purpose, how long they are stored, and whether they are first-party or third-party cookies.
| Category | Name | Goal | Deadline | First-party or third-party cookie |
|---|---|---|---|---|
| Analytics | Vercel Infrastructure | Used to provide insights if a user is a returning or new visitor | Until browser cache is cleaned | Third party |
| Analytics | Affiliate | Used to provide information if the visitor came through a partner link | Until browser cache is cleaned | First party |
| Strictly necessary | _stripe_mid | Set by Stripe for fraud prevention purposes | 1 year | First party |
| Strictly necessary | _stripe_sid | Set by Stripe for fraud prevention purposes | 30 minutes | First party |
| Marketing | _gcl_au | Set by Google for marketing purpose in order to store and track conversions | 90 days | First party |
CHANGES TO THIS NOTICE
This Notice may be amended or modified from time to time to reflect the changes in the way we process personal data, and in such case, the most recent version of the Notice will be published on this webpage.
Version: November 2025
