Lagedi Castle

Privacy Policy

Section 1

Data Controller and Scope

1.1

This Privacy Policy explains how Lagedi Mõis MTÜ ("we", "us", "our"), registry code 80298367, registered at Karukella tee 4-1, Pirita linnaosa, 12015 Tallinn, Estonia, collects, uses, and protects your personal data when you visit lagedicastle.com or use our booking and event-related services.

1.2

This Policy applies to all personal data processed through our website, booking system, contact forms, payment flow, and email communication. It does not cover third-party websites linked from our site.

1.3

We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and the ePrivacy Directive (2002/58/EC).

1.4

If you have questions about this Policy or wish to exercise your rights, contact us at info@lagedicastle.com.

Section 2

Personal Data We Collect

2.1

Booking data — when you make a reservation, we collect your full name, email address, phone number, the number of guests, the chosen date and time, package, venue, and any notes or preferences you provide.

2.2

Payment data — payments are processed by LHV Pank AS / EveryPay AS. We do not store your card details. We receive only the transaction reference, paid amount, and payment status.

2.3

Invoice data — once a booking is paid, we generate an invoice containing your name, email, the service description, amount, date, and a unique invoice number. Invoices are stored for accounting purposes.

2.4

Contact and inquiry data — when you submit our contact form, we collect your name, email, phone number, message text, and any optional fields you fill in (event type, desired date, expected guests).

2.5

Technical data — when you visit the site, we automatically collect your IP address, browser type and version, device type, referring URL, language, pages visited, and timestamps. This data is collected through server logs and, with your consent, through analytics and marketing tools.

2.6

Cookies — small text files stored on your device. We use essential cookies for site functionality (authentication, session) and, with your consent, analytics and marketing cookies. See Section 4.

Section 3

Legal Basis for Processing

3.1

Performance of a contract (GDPR Art. 6(1)(b)) — we process your booking data, payment data, and contact information to fulfil your reservation, confirm your booking, deliver the invoice, and provide the venue service.

3.2

Legal obligation (GDPR Art. 6(1)(c)) — we retain invoices and accounting records for seven (7) years as required by the Estonian Accounting Act (Raamatupidamise seadus § 12).

3.3

Legitimate interests (GDPR Art. 6(1)(f)) — we process technical and security-related data to protect our website from abuse, detect fraud, troubleshoot errors, and improve the user experience.

3.4

Consent (GDPR Art. 6(1)(a)) — we use analytics cookies (Google Analytics) and marketing pixels (Meta Pixel) only after you give explicit consent through our cookie banner. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Section 4

Cookies and Tracking

4.1

What cookies are. Cookies are small files placed on your device when you visit a website. They allow the site to remember your actions and preferences over time.

4.2

Essential cookies. These are required for the site to function and cannot be switched off. They include authentication tokens for the admin panel, session cookies, and CSRF protection. No consent is required as they are strictly necessary.

4.3

Analytics cookies. With your consent, we use Google Analytics 4 (_ga, _gid, _gat) to understand how visitors use our website. This helps us improve content and performance. Data is processed by Google LLC (USA) and retained for 14 months by default.

4.4

Marketing cookies. With your consent, we use the Meta (Facebook) Pixel (_fbp, _fbc) to measure the effectiveness of our advertising and to enable retargeting on Meta platforms. Data is processed by Meta Platforms Ireland Ltd. and Meta Platforms Inc. (USA).

4.5

Managing cookies. You can change or withdraw your consent at any time through the cookie banner on our site. You can also clear or block cookies through your browser settings, but this may affect site functionality.

Section 5

Recipients and Sub-Processors

5.1

Supabase Inc. (USA / EU) — database and file storage provider. Hosts booking records, contact requests, and invoice PDFs. Standard Contractual Clauses are in place for non-EEA processing.

5.2

Vercel Inc. (USA) — website hosting and content delivery. Vercel is certified under the EU–US Data Privacy Framework.

5.3

LHV Pank AS / EveryPay AS (Estonia) — payment processor. Receives payment instructions and returns transaction status. Operates under Estonian and EU financial regulations.

5.4

SMTP email provider — used to send transactional emails (booking confirmations, invoices, contact-form notifications). Receives recipient address, subject, and email content.

5.5

Google LLC (USA) — provides Google Analytics 4 and Google Search Console. Certified under the EU–US Data Privacy Framework.

5.6

Meta Platforms Ireland Ltd. / Meta Platforms Inc. (Ireland / USA) — provides the Meta Pixel for advertising measurement. Certified under the EU–US Data Privacy Framework.

5.7

Authorities and legal obligations. We may disclose personal data to public authorities (tax office, law enforcement) when required by Estonian or EU law, court order, or to protect our legal rights.

5.8

We do not sell your personal data to third parties.

Section 6

Data Retention

6.1

Booking data — kept for three (3) years after the event date, after which it is deleted or anonymised.

6.2

Invoices and accounting records — kept for seven (7) years from the end of the financial year, as required by the Estonian Accounting Act.

6.3

Contact form messages — kept for up to twelve (12) months after the inquiry, unless they relate to an active booking.

6.4

Server logs — kept for ninety (90) days for security and troubleshooting.

6.5

Analytics data — Google Analytics: 14 months. Meta Pixel: as defined by Meta's retention schedule.

6.6

Backups — encrypted database backups are kept for up to thirty (30) days before being permanently deleted.

Section 7

International Data Transfers

7.1

Some of our processors (Vercel, Google, Meta) are based in the United States. When personal data is transferred outside the European Economic Area, we ensure that one of the following safeguards is in place:

7.2

EU–US Data Privacy Framework — used for transfers to processors certified under the framework.

7.3

Standard Contractual Clauses — adopted by the European Commission, used where Data Privacy Framework certification does not apply.

7.4

You may request a copy of the safeguards in place by contacting us at info@lagedicastle.com.

Section 8

Your Rights

8.1

Right of access (Art. 15) — you can request a copy of the personal data we hold about you.

8.2

Right to rectification (Art. 16) — you can ask us to correct inaccurate or incomplete data.

8.3

Right to erasure (Art. 17) — you can ask us to delete your data, except where we are legally required to keep it (e.g. invoices retained under accounting law).

8.4

Right to restriction (Art. 18) — you can ask us to limit the processing of your data in certain situations.

8.5

Right to data portability (Art. 20) — you can receive your data in a structured, commonly used, machine-readable format.

8.6

Right to object (Art. 21) — you can object to processing based on legitimate interests, including direct marketing.

8.7

Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.

8.8

Right to lodge a complaint — you can file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://aki.ee) or with the supervisory authority in your country of residence.

8.9

To exercise any of these rights, contact us at info@lagedicastle.com. We will respond within one (1) month.

Section 9

Data Security

9.1

All data exchanged between your browser and our website is encrypted using TLS/HTTPS.

9.2

Data stored in our database is encrypted at rest by our hosting provider.

9.3

Access to the admin panel is protected by authentication and limited to authorised personnel.

9.4

We apply the principle of least privilege: staff and processors access only the data they need for their specific task.

9.5

We monitor our systems for unauthorised access. In the event of a personal data breach affecting your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and inform affected individuals where required by law.

Section 10

Children's Privacy

10.1

Our website and booking services are intended for adults. Bookings, contracts, and payments must be completed by a person aged 18 or older. We do not knowingly collect personal data directly from children under 16. If you believe a child has provided personal data without parental consent, contact us and we will delete it.

Section 11

Changes to This Policy

11.1

We may update this Policy from time to time to reflect changes in law, technology, or our services.

11.2

The "last updated" date at the bottom of this page indicates when the Policy was last revised. We encourage you to review it periodically.

11.3

If we make material changes that affect how we process your personal data, we will notify you through a prominent notice on our website or by email where appropriate.

For any privacy-related questions, please contact us: info@lagedicastle.com

Last updated: 23 April 2026