Last updated: February 24, 2026
ARPO NETWORK OÜ (“we,” “us,” “our,” or “the Company”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our online store, place an order, or otherwise interact with us.
This Privacy Policy has been drafted in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and other applicable data protection legislation.
1. Data Controller
The data controller responsible for the processing of your personal data is:
ARPO NETWORK OÜ Männimäe/1, Pudisoo küla, Kuusalu vald 74626 Harju maakond, Estonia Registry Code: 17164094 Email: privacy@mail.arpo.cc
For all privacy-related inquiries or to exercise your data subject rights, please contact us at privacy@mail.arpo.cc.
2. What Personal Data We Collect
We collect different categories of personal data depending on how you interact with our store:
2.1. When You Place an Order
- Identity data: first name, last name
- Contact data: email address, phone number (if provided)
- Address data: billing address, shipping address
- Transaction data: order details, product(s) purchased, order value, payment method used, transaction reference numbers
- Communication data: any messages, inquiries, or correspondence you send us in connection with your order
2.2. When You Visit Our Store
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, referring website, pages visited, time and date of visit, time spent on pages
- Cookie data: information collected through cookies and similar technologies (see Section 9)
2.3. When You Create an Account
- Account data: username, email address, encrypted password, order history, saved addresses
2.4. When You Subscribe to Communications
- Marketing data: email address, communication preferences
3. How and Why We Process Your Data
We process your personal data only when we have a valid legal basis to do so. The table below sets out the specific purposes, the categories of data involved, and the legal basis for each processing activity.
3.1. Contract Performance (Article 6(1)(b) GDPR)
We process your data as necessary to fulfill our contractual obligations to you:
- Processing and fulfilling your orders, including producing, shipping, and delivering products — using your identity, contact, address, and transaction data.
- Processing payments through our payment service providers — using your identity, contact, and transaction data.
- Transmitting shipping details to our production and fulfillment partners so they can produce and deliver your order — using your name, shipping address, phone number, and order details.
- Providing customer support, including responding to inquiries, handling complaints, processing returns and refunds — using your identity, contact, transaction, and communication data.
- Delivering Digital Products by sending download links or access credentials — using your identity, contact, and transaction data.
- Managing your account, if you create one, including maintaining your order history and saved preferences — using your account and transaction data.
3.2. Legal Obligation (Article 6(1)(c) GDPR)
We process your data when required by law:
- Tax and accounting records: We retain invoices, transaction records, and associated personal data as required by Estonian tax legislation and EU VAT regulations. Retention period: 7 years from the end of the financial year in which the transaction occurred.
- Responding to lawful requests from competent authorities, including tax authorities, courts, and regulatory bodies.
3.3. Legitimate Interest (Article 6(1)(f) GDPR)
We process your data when it is necessary for our legitimate interests, provided those interests do not override your fundamental rights and freedoms:
- Fraud prevention and security: Analyzing transaction patterns and technical data to prevent fraudulent purchases and protect the security of our store and systems.
- Website improvement and analytics: Analyzing aggregated and anonymized usage data to understand how visitors use our store, identify technical issues, and improve performance and user experience.
- Enforcing our Terms and Conditions, including protecting our intellectual property rights and preventing abuse of our services.
3.4. Consent (Article 6(1)(a) GDPR)
We process your data based on your freely given consent for:
- Marketing communications: Sending you newsletters, promotional offers, product updates, and other marketing emails. You can withdraw your consent at any time by clicking the “unsubscribe” link in any marketing email or by contacting us at privacy@mail.arpo.cc.
- Non-essential cookies: Placing analytics and any other non-strictly-necessary cookies on your device. You can manage your cookie preferences at any time through our cookie settings (see Section 9).
When processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4. Who We Share Your Data With
We share your personal data only when necessary for the purposes described in this Privacy Policy and only with the following categories of recipients:
4.1. Payment Processors
Stripe Technology Europe, Limited (Ireland) Stripe processes your payment card data to complete transactions and performs fraud detection. For payment processing, Stripe acts as our data processor. For fraud prevention purposes, Stripe acts as an independent data controller. Stripe is certified under the EU-US Data Privacy Framework. Your data shared with Stripe includes: name, email, billing address, payment card details, IP address, and device identifiers. Stripe Privacy Policy: https://stripe.com/privacy
PayPal (Europe) S.à r.l. et Cie, SCA (Luxembourg) When you choose PayPal as your payment method, your data is shared with PayPal to process the transaction. PayPal acts as an independent data controller and processes your data in accordance with its own privacy policy. Your data shared with PayPal includes: name, email, billing address, transaction amount, and order details. PayPal Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full
Wise Payments Limited (United Kingdom) For bank transfer payments, your data is shared with Wise to facilitate the transaction. Wise acts as an independent data controller. Wise is based in the United Kingdom, which benefits from an EU adequacy decision for data transfers. Your data shared with Wise includes: payment amount, transaction reference, and banking details. Wise Privacy Policy: https://wise.com/privacy-policy
4.2. Production and Fulfillment Partners
Lulu Press, Inc. (Durham, North Carolina, USA) Lulu produces and ships our printed books directly to you. Lulu acts as our data processor and processes your data solely for the purpose of fulfilling your order. Since Lulu is based in the United States, international data transfers are safeguarded by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Your data shared with Lulu includes: name, shipping address, phone number (if provided), and order details. Lulu Privacy Policy: https://www.lulu.com/privacy-policy
Gelato AS (Oslo, Norway) Gelato produces and ships our merchandise directly to you. Gelato acts as our data processor under formal Data Processing Terms (available at https://www.gelato.com/legal/data-processing-terms). As Gelato is headquartered in Norway (EEA), no special transfer mechanism is required for EU personal data. Gelato’s worldwide sub-processors are covered by Standard Contractual Clauses and/or the EU-US Data Privacy Framework. Gelato is ISO 27001 certified. Your data shared with Gelato includes: name, shipping address, phone number (if provided), and order details. Gelato Privacy Policy: https://www.gelato.com/legal/privacy-policy
4.3. Hosting and Technology Providers
Our store runs on WooCommerce (self-hosted WordPress). Our web hosting provider processes data on our behalf as a data processor and stores data on servers located within the European Union. We do not use WooCommerce Payments, Jetpack, or other Automattic-hosted services that would result in data transfers to the United States.
4.4. Other Disclosures
We may disclose your personal data to competent authorities (tax authorities, courts, law enforcement) when required by law, and to professional advisors (legal counsel, accountants) when necessary to protect our legitimate interests — in each case only to the extent required and permitted by applicable law.
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically:
- United States — via Lulu Press, Inc. and Stripe (for fraud detection). These transfers are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission and/or the EU-US Data Privacy Framework (DPF), where the recipient is certified.
- United Kingdom — via Wise Payments Limited. The European Commission has issued an adequacy decision for the United Kingdom, meaning your data benefits from an equivalent level of protection.
We do not transfer personal data to any country outside the EEA without ensuring that appropriate safeguards are in place in accordance with Chapter V of the GDPR. You may request a copy of the relevant safeguards by contacting us at privacy@mail.arpo.cc.
6. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Data Category | Retention Period | Reason |
|---|---|---|
| Order and transaction data | 7 years from the transaction date | Estonian tax and accounting obligations |
| Customer account data | Until you delete your account, plus 30 days | Contract performance |
| Customer support correspondence | 3 years from resolution of the inquiry | Legitimate interest (dispute resolution) |
| Digital product access records | Duration of your account or 5 years from purchase | Contract performance and license enforcement |
| Marketing consent records | Until consent is withdrawn, plus 1 year | Demonstrating lawful consent |
| Technical/analytics data | 26 months from collection | Legitimate interest (website improvement) |
| Cookie data | See Section 9 for individual cookie durations | Consent or legitimate interest |
After the applicable retention period, personal data is permanently deleted or irreversibly anonymized.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights at any time by contacting us at privacy@mail.arpo.cc.
Right of Access — You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.
Right to Rectification — You have the right to have inaccurate personal data corrected and incomplete personal data completed.
Right to Erasure (“Right to Be Forgotten”) — You have the right to request the deletion of your personal data where there is no compelling reason for continued processing, subject to legal retention obligations (e.g., tax records).
Right to Restriction of Processing — You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
Right to Data Portability — You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.
Right to Object — You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time.
Right to Withdraw Consent — Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right Not to Be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making of this nature.
We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt.
There is no fee for exercising your rights. However, if a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
8. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority.
The supervisory authority for Estonia is:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate) Tatari 39, 10134 Tallinn, Estonia Phone: +372 627 4135 Email: info@aki.ee Website: https://www.aki.ee
You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
9. Cookies and Similar Technologies
9.1. What Are Cookies
Cookies are small text files placed on your device when you visit our store. They help the store function, improve your experience, and provide us with information about how the store is used.
9.2. Types of Cookies We Use
Strictly Necessary Cookies — These cookies are essential for the operation of our store and cannot be disabled. They include cookies that maintain your shopping cart, manage your session, authenticate you when you log in, and protect against cross-site request forgery (CSRF). Legal basis: legitimate interest (no consent required, as these cookies are strictly necessary for the service you have requested).
The following WooCommerce cookies are strictly necessary:
| Cookie | Purpose | Duration |
|---|---|---|
| woocommerce_cart_hash | Stores cart contents hash for caching | Session |
| woocommerce_items_in_cart | Indicates whether the cart contains items | Session |
| wp_woocommerce_session_ | Unique session identifier | 2 days |
| wc_cart_created | Timestamp of cart creation | Session |
| wordpress_logged_in_ | Authentication after login | Session |
| wordpress_sec_ | Security token for logged-in users | Session |
| wp-settings- | User interface customization preferences | 1 year |
| PHPSESSID | Server-side session identifier | Session |
Analytics Cookies — These cookies help us understand how visitors interact with our store by collecting and reporting information anonymously. These cookies are only placed with your prior consent. You can enable or disable them through our cookie consent banner.
Marketing Cookies — If we implement marketing or advertising cookies in the future, they will only be placed with your prior consent. We do not currently use marketing or advertising cookies.
9.3. Managing Your Cookie Preferences
When you first visit our store, a cookie consent banner will appear allowing you to accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings link in the footer of our website.
You can also control cookies through your browser settings. Please note that disabling strictly necessary cookies may impair the functionality of our store.
9.4. Third-Party Cookies
Our payment processors (Stripe, PayPal) may place their own cookies when you interact with their payment forms embedded in our checkout process. These cookies are governed by the respective third-party privacy policies linked in Section 4.1.
10. Security of Your Data
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encrypted data transmission (TLS/SSL) across our entire store
- Secure storage of all personal data on servers located within the European Union
- Restricted access to personal data on a need-to-know basis
- Regular updates and security patches to our store software
- Secure payment processing through PCI-DSS compliant payment providers (Stripe, PayPal)
While we take all reasonable measures to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
11. Data Provision Requirements
Providing your identity, contact, address, and payment data is a contractual requirement necessary for us to process and fulfill your order. If you do not provide this data, we will be unable to enter into or perform the contract with you (i.e., we cannot process your order).
Providing your email address for marketing purposes is entirely voluntary and is not a condition for making a purchase.
12. Children’s Data
Our store is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@mail.arpo.cc and we will take steps to delete such data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will publish the updated Privacy Policy on this page with a revised “Last updated” date. For material changes, we will notify you by email or by a prominent notice on our store.
14. Contact Us
For any questions about this Privacy Policy, to exercise your data subject rights, or for any privacy-related concerns, please contact us:
ARPO NETWORK OÜ Privacy Contact Email: privacy@mail.arpo.cc General Email: contact@mail.arpo.cc Address: Männimäe/1, Pudisoo küla, Kuusalu vald, 74626 Harju maakond, Estonia