Privacy Policy

1. General Provisions and Data Controller
1.1 This privacy policy (hereinafter “Privacy Policy”) sets out the manner and conditions under which Nanordica Medical OÜ, registry code 14710113, address Mäealuse 2/1, 12618 Tallinn, Estonia, e-mail: info@nanordica.com (hereinafter “Seller” or “Controller”), collects, processes, stores, and protects the personal data of individuals who use the E-store, the Seller’s website, or otherwise enter into a business relationship with the Seller.


1.2 The Seller is the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter “GDPR”) with respect to all personal data processed in connection with the E-store, the website, and the Seller’s business activities.


1.3 This Privacy Policy applies to all processing of personal data carried out by the Seller in connection with: (a) the operation of the E-store and the sale of Products; (b) the Seller’s website; (c) communication between the Seller and Customers or other Data Subjects; and (d) any other business relationship between the Seller and the Data Subject.


1.4 This Privacy Policy should be read together with the Terms and Conditions of the E-store (hereinafter “Terms”). In the event of any inconsistency between this Privacy Policy and the Terms regarding data protection matters, this Privacy Policy shall prevail.


1.5 By using the E-store, placing an order, or otherwise providing personal data to the Seller, the Data Subject acknowledges that they have read and understood this Privacy Policy.


2. Definitions
2.1 Unless otherwise defined in this Privacy Policy or required by context, capitalised terms used herein shall have the following meanings:


2.1.1 “Personal Data” means any information relating to an identified or identifiable natural person (Data Subject) within the meaning of Article 4(1) of the GDPR;


2.1.2 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, within the meaning of Article 4(2) of the GDPR;


2.1.3 “Data Subject” means an identified or identifiable natural person whose Personal Data is processed by the Controller, including Customers and website visitors;


2.1.4 “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, within the meaning of Article 4(7) of the GDPR; for the purposes of this Privacy Policy, the Controller is the Seller;


2.1.5 “Processor” means a natural or legal person which processes Personal Data on behalf of the Controller within the meaning of Article 4(8) of the GDPR;


2.1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;


2.1.7 “E-store” means the online store operated by the Seller through which Products are offered and sold;


2.1.8 “Products” means the sterile wound dressings and other veterinary products offered for sale in the E-store;


2.1.9 “Customer” means a natural or legal person who places an order or purchases Products via the E-store or otherwise enters into a contractual relationship with the Seller;


2.1.10 “Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her, within the meaning of Article 4(11) of the GDPR;


2.1.11 “Cookie Notice” means the Seller’s separate notice regarding the use of cookies and similar tracking technologies on the E-store and website.


3. Categories of Personal Data Collected
3.1 The Seller collects and processes the following categories of Personal Data depending on the nature of the interaction with the Data Subject:


3.1.1 Identification data – name, surname, date of birth (where applicable for age verification or regulatory purposes);


3.1.2 Contact data – e-mail address, telephone number, postal address, delivery address;


3.1.3 Transaction data – order history, payment information (payment method, transaction references), invoices, delivery records;


3.1.4 Communication data – correspondence with the Seller, complaints, claims, feedback, and any other communications;


3.1.5 Technical data – IP address, browser type and version, device information, operating system, screen resolution, language preferences;


3.1.6 Usage data – browsing behaviour on the E-store and website, pages visited, click patterns, session duration, referral source;


3.1.7 Cookie data – data collected through cookies and similar tracking technologies as further described in the Cookie Notice;


3.1.8 Business customer data – company name, registry code, VAT number, details of authorised representatives, business contact information.


3.2 The Seller does not intentionally collect special categories of Personal Data within the meaning of Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation). If the Seller becomes aware that such data has been provided inadvertently, it shall be deleted without undue delay.


4. Purposes and Legal Bases for Processing
4.1 The Seller processes Personal Data only where there is a valid legal basis under Article 6(1) of the GDPR. The specific purposes and corresponding legal bases are set out below.


4.2 Performance of a contract (Article 6(1)(b) GDPR). The Seller processes Personal Data where necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract, including for the purposes of: (a) processing and fulfilling orders placed in the E-store; (b) arranging delivery of Products; (c) processing payments and issuing invoices; (d) creating and managing Customer accounts; (e) handling warranty claims, returns, and exchanges in accordance with applicable law and the Terms; and (f) providing customer support related to orders and Products.


4.3 Compliance with a legal obligation (Article 6(1)(c) GDPR). The Seller processes Personal Data where necessary for compliance with a legal obligation to which the Controller is subject, including for the purposes of: (a) maintaining accounting records and fulfilling tax obligations under the Estonian Accounting Act and applicable tax legislation; (b) complying with product safety and consumer protection requirements; (c) responding to lawful requests from supervisory authorities, courts, or law enforcement; and (d) fulfilling obligations under the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).


4.4 Consent (Article 6(1)(a) GDPR). Where none of the above legal bases applies, the Seller processes Personal Data on the basis of the Data Subject’s freely given Consent, including for the purposes of: (a) sending newsletters and marketing communications (where the Data Subject is not an existing Customer or where the communications relate to products or services materially different from those previously purchased); (b) placing non-essential cookies (analytics, functional, and marketing cookies) on the Data Subject’s device; and (c) optional profiling for personalised marketing content.


4.5 Consent may be withdrawn at any time by contacting the Seller at ravimus@nanordica.com or by using the unsubscribe mechanism provided in marketing communications or the cookie consent management tool. Withdrawal of Consent shall not affect the lawfulness of Processing based on Consent before its withdrawal (Article 7(3) GDPR).


5. Recipients and Disclosure of Personal Data
5.1 The Seller may disclose Personal Data to the following categories of recipients, solely to the extent necessary for the fulfilment of the purposes set out in Section 4 of this Privacy Policy:


5.1.1 payment service providers – for processing payments in connection with orders placed in the E-store;


5.1.2 delivery and logistics partners – for arranging and tracking the delivery of Products;


5.1.3 IT service providers and hosting providers – for the operation, maintenance, and security of the E-store, website, and related IT infrastructure;


5.1.4 cloud service providers – for data storage and backup services;


5.1.5 accounting and auditing service providers – for the performance of accounting, bookkeeping, and audit functions;


5.1.6 debt collection agencies – for the recovery of overdue payments, where applicable;


5.1.7 legal advisors – for the provision of legal services, establishment, exercise, or defence of legal claims;


5.1.8 marketing and analytics platforms – for the sending of marketing communications and the analysis of website usage, where the Data Subject has given Consent;


5.1.9 public authorities, courts, and law enforcement – where disclosure is required by applicable law or a binding order.


5.2 All Processors engaged by the Seller are bound by data processing agreements concluded in accordance with Article 28 of the GDPR, which ensure that such Processors implement appropriate technical and organisational measures to protect Personal Data and process it only on the documented instructions of the Controller.


5.3 The Seller does not sell, rent, or otherwise commercially transfer Personal Data to third parties for their own independent purposes.


6. International Transfers of Personal Data
6.1 Personal Data is primarily processed within the European Economic Area (hereinafter “EEA”). The Seller’s servers and principal service providers are located within the EEA.


6.2 Where it is necessary to transfer Personal Data to a country outside the EEA (a “third country”), the Seller ensures that such transfer is carried out in compliance with Chapter V of the GDPR, relying on one or more of the following safeguards: (a) an adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR; (b) standard contractual clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR; or (c) other appropriate safeguards as provided for in Article 46 of the GDPR, including binding corporate rules or approved codes of conduct.


6.3 The Data Subject may request a copy of the safeguards relied upon for international transfers by contacting the Seller at info@nanordica.com. Where commercially sensitive information is contained in such safeguards, the Seller may redact such information to the extent permitted by law.


7. Data Retention
7.1 The Seller retains Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The general principle applied by the Seller is that Personal Data shall be securely deleted or anonymised once the purpose of Processing has been achieved and no further legal basis for retention exists.


7.2 The specific retention periods applied by the Seller are as follows:


7.2.1 Contract and order data – retained for the duration of the contractual relationship and for a period of three (3) years thereafter (the general limitation period under the Estonian Law of Obligations Act), or for ten (10) years where required for accounting purposes;


7.2.2 Accounting records – retained for seven (7) years from the end of the financial year in which the transaction occurred, in accordance with the Estonian Accounting Act;


7.2.3 Marketing consent data – retained until withdrawal of Consent by the Data Subject, after which it shall be deleted without undue delay (except that a record of the withdrawal itself may be retained for the purpose of demonstrating compliance);


7.2.4 Cookie data – retained for the periods specified in the Cookie Notice, which vary depending on the type and purpose of the cookie;


7.2.5 Communication records – retained for a period of three (3) years from the date of the last communication;


7.2.6 Technical and usage data – retained for up to twelve (12) months from the date of collection, unless longer retention is necessary for the investigation of security incidents or fraudulent activity.


7.3 Upon expiry of the applicable retention period, Personal Data shall be securely deleted or irreversibly anonymised. Anonymised data (from which the Data Subject can no longer be identified) is no longer Personal Data and may be retained indefinitely for statistical or analytical purposes.


8. Data Subject Rights
8.1 Under the GDPR, Data Subjects have the following rights in relation to their Personal Data, subject to the conditions and limitations set out in the GDPR:


8.1.1 Right of access (Article 15 GDPR) – the Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and specified information about the Processing;


8.1.2 Right to rectification (Article 16 GDPR) – the Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her, and to have incomplete Personal Data completed;


8.1.3 Right to erasure (Article 17 GDPR) – the Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds set out in Article 17(1) applies (the “right to be forgotten”), unless the Processing is necessary for the grounds set out in Article 17(3);


8.1.4 Right to restriction of processing (Article 18 GDPR) – the Data Subject has the right to obtain from the Controller restriction of Processing where one of the conditions set out in Article 18(1) applies;


8.1.5 Right to data portability (Article 20 GDPR) – the Data Subject has the right to receive Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance, where the Processing is based on Consent or on a contract and is carried out by automated means;


8.1.6 Right to object (Article 21 GDPR) – the Data Subject has the right to object, on grounds relating to his or her particular situation, at any time to Processing of Personal Data based on legitimate interests (Article 6(1)(f)). Where Personal Data are processed for direct marketing purposes, the Data Subject has the right to object at any time to such Processing, including profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes;


8.1.7 Right not to be subject to automated decision-making (Article 22 GDPR) – the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in the circumstances set out in Article 22(2);


8.1.8 Right to withdraw consent (Article 7(3) GDPR) – where Processing is based on Consent, the Data Subject has the right to withdraw his or her Consent at any time. The withdrawal of Consent shall not affect the lawfulness of Processing based on Consent before its withdrawal.


8.2 To exercise any of the rights set out in this Section 8, the Data Subject may submit a written request to the Seller by e-mail at info@nanordica.com or by post to the Seller’s address specified in clause 1.1. The Seller may request the Data Subject to verify his or her identity before responding to the request.


8.3 The Seller shall respond to a request pursuant to clause 8.2 without undue delay and in any event within one (1) month of receipt of the request. That period may be extended by two (2) further months where necessary, taking into account the complexity and number of the requests, in accordance with Article 12(3) of the GDPR. The Seller shall inform the Data Subject of any such extension within one (1) month of receipt of the request, together with the reasons for the delay.


8.4 Where the Seller has reasonable doubts concerning the identity of the natural person making the request, the Seller may request the provision of additional information necessary to confirm the identity of the Data Subject in accordance with Article 12(6) of the GDPR.


8.5 If the Data Subject considers that the Processing of his or her Personal Data infringes the GDPR, the Data Subject has the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia, e-mail: info@aki.ee, website: www.aki.ee, without prejudice to any other administrative or judicial remedy.


9. Automated Decision-Making and Profiling
9.1 The Seller does not, as a general rule, make decisions based solely on automated processing, including profiling, which produce legal effects concerning the Data Subject or similarly significantly affect the Data Subject within the meaning of Article 22(1) of the GDPR.


9.2 Where the Seller uses profiling for the purposes of personalised marketing (e.g., recommending Products based on previous purchases or browsing behaviour), such profiling is carried out solely on the basis of the Data Subject's Consent (Article 6(1)(a) GDPR) and does not produce legal effects or similarly significantly affect the Data Subject. The Data Subject has the right to object to such profiling at any time.


9.3 The Seller does not make any decisions with legal effects or similarly significant effects based solely on automated processing without meaningful human intervention.


10. Security of Personal Data
10.1 The Seller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.


10.2 In the event of a personal data breach within the meaning of Article 4(12) of the GDPR, the Seller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (Andmekaitse Inspektsioon) in accordance with Article 33 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.


11. Cookies and Tracking Technologies
11.1 The E-store and the Seller's website use cookies and similar tracking technologies to ensure the proper functioning of the website, to analyse website traffic, and to provide personalised content and advertisements where the Data Subject has given Consent.


11.2 The categories of cookies used are as follows:


11.2.1 Essential (strictly necessary) cookies – these cookies are necessary for the operation of the E-store and website (e.g., session management, shopping cart functionality, security features). These cookies do not require the Data Subject's Consent in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy Directive);


11.2.2 Analytics and functional cookies – these cookies allow the Seller to recognise and count the number of visitors and to see how visitors move around the website, helping to improve the way the website works. These cookies require the Data Subject's prior Consent;


11.2.3 Marketing and advertising cookies – these cookies are used to deliver advertisements relevant to the Data Subject and to measure the effectiveness of advertising campaigns. These cookies require the Data Subject's prior Consent.


11.3 The Data Subject may manage cookie preferences at any time through the cookie consent management tool available on the E-store and website. In addition, the Data Subject may configure his or her browser settings to block or delete cookies. However, disabling essential cookies may impair the functionality of the E-store. For detailed information regarding specific cookies used, their purposes and retention periods, please refer to the Cookie Notice.


12. Children's Data
12.1 The E-store and the Seller's Products are not directed at children under the age of sixteen (16) years. The Seller does not knowingly collect or process Personal Data from children under the age of sixteen (16) without the consent of the holder of parental responsibility over the child, in accordance with Article 8 of the GDPR and the Estonian Personal Data Protection Act.


12.2 If the Seller becomes aware that it has collected Personal Data from a child under the age of sixteen (16) without appropriate parental consent, the Seller shall take reasonable steps to delete such Personal Data promptly and without undue delay.


13. Amendments to the Privacy Policy
13.1 The Seller reserves the right to amend this Privacy Policy at any time. Amendments may be necessary due to changes in applicable legislation, supervisory authority guidance, the Seller's business practices, or the services offered through the E-store.


13.2 Material changes to this Privacy Policy shall be communicated to Data Subjects by: (a) publishing the updated Privacy Policy on the E-store and the Seller's website with a clear indication of the date of last update; and (b) where the Seller holds the Data Subject's e-mail address, by sending an e-mail notification regarding the material changes.


13.3 For Data Subjects who are not consumers within the meaning of the Estonian Law of Obligations Act, continued use of the E-store or the Seller's services after the effective date of the amended Privacy Policy constitutes acceptance of the amended Privacy Policy.


14. Contact Details and Supervisory Authority


14.1 The data controller is:


14.1.1 Nanordica Medical OÜ


14.1.2 Registry code: 14710113


14.1.3 Address: Mäealuse 2/1, 12618 Tallinn, Estonia


14.1.4 E-mail: ravimus@nanordica.com


14.2 The competent supervisory authority for data protection matters is:


14.2.1 Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)


14.2.2 Address: Tatari 39, 10134 Tallinn, Estonia


14.2.3 E-mail: info@aki.ee


14.2.4 Website: www.aki.ee


14.3 For any questions, requests, or complaints regarding the Processing of Personal Data, the Data Subject is welcome to contact the Seller at ravimus@nanordica.com.


15. Final Provisions
15.1 This Privacy Policy and all matters arising out of or in connection with it are governed by the laws of the Republic of Estonia and the GDPR. Any disputes arising in connection with this Privacy Policy that cannot be resolved amicably shall be settled in the courts of the Republic of Estonia, unless otherwise required by applicable mandatory consumer protection legislation.
