Surgitech AS respects your privacy and recognizes the rights of individuals in relation to their personal data. This privacy notice explains what type of personal data Surgitech AS collects and how we can process it. If you wish to exercise your rights with regard to your personal data, please contact us using the details in the “Contact Us” section below.
- Applicability of this privacy notice
This privacy notice applies to all websites (surgitech.ee, fitforme.ee, vivacy.ee, epood.surgitech.ee, tellimine.surgitech.ee, depressiooniravi.ee) owned and managed by Surgitech AS (hereinafter also referred to as “Surgitech” or “we”, “us”, “our”), any services provided by Surgitech, any transactions entered into with Surgitech (including transactions of sale via Surgitech e-shop epood.surgitech.ee) or any other interactions you may have with us where we process your personal data as the data controller. Any person using Surgitech’s website, services or making transactions with Surgitech shall be considered as client or customer or user for the purposes of this privacy notice.
- The purposes of processing your personal data
Surgitech processes your personal data for the following purposes:
- Fulfilment of contract with you – when purchasing products from Surgitech, we will process your personal data to fulfil the transaction and provide you with the purchased products.
- Handling inquiries, requests and complaints – when you have any inquiries regarding the products we sell or services we offer, we may process your personal data to resolve your inquiry or complaint or provide feedback to your requests.
- Handling product complaints – in case you encounter any defect or malfunction of our products, we will process your personal data to transfer the information to the manufacturer of the products for the purpose of solving the complaint.
- Web analytics, monitoring, tracking and advertising technologies – We use analytics tools such as Google Analytics and advertising platforms like Meta (Facebook/Instagram) Ads and Google Ads to promote our products and understand how users interact with our website.
- Communication with cooperation partners – we may process your personal data before entering into negotiations or new agreements with potential cooperation partners.
- Marketing – we are using your personal data when sending marketing materials and sharing information for marketing purposes.
- Depersonalization (anonymization) of personal data for the purpose of optimizing the performance of medical equipment distributed by Surgitech and improving and developing future products and services.
- What type of personal data is collected, on which legal grounds is your personal data processed and for how long is your personal data kept by us
Surgitech collects and processes the following personal data for the purposes described in point 2 above and keeps it for the retention periods as provided in the table below.
| Purpose of Processing | Processed Personal Data | Legal Basis for Processing | Retention Period |
|---|---|---|---|
| Fulfilment of contract (e-commerce purchases) | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(b) | During contract validity and for 3 years after its termination |
| Handling inquiries, requests and complaints | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual data (the nature and particulars of your situation and the issue raised, depending on your individual inquiry, request or complaint) | GDPR Art 6 (1)(f) – Legitimate interest to adequately evaluate, process, take action and provide an answer to your inquiry, request or complaint | Until the complaint is resolved or the issue prompting the inquiry is resolved |
| Handling product complaints | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual data (the nature and particulars of your situation and the issue raised, depending on individual product complaint) | GDPR Art 6 (1)(c), MDR Art 14(5) | Up to 10 years after the product was last placed on the market, 15 years for implantable devices |
| Web analytics, monitoring, tracking and advertising technologies | Device information, IP address, browser type, and user behaviour on our website through the use of cookies | GDPR Art 6 (1)(a), GDPR Art 6 (1)(f) – We want to improve our marketing effectiveness, optimize advertisement spending, and understand website usage trends. The legal basis for this processing is your consent, which we request through our cookie banner, and/or our legitimate interests in promoting our business and improving our services | Until consent is withdrawn or as long as necessary for the improvement purpose |
| Communication with cooperation partners | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(f) | As long as necessary for the communication purpose or until objection is raised |
| Marketing | Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(a) | Until consent is withdrawn |
| Depersonalization (anonymization) of personal data for the purpose of optimizing the performance of medical equipment distributed by Surgitech and improving and developing future products and services | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual information regarding the usage of the device, including the content of a complaint or inquiry (if applicable) | GDPR Art 6 (1)(f) – Legitimate interest to ensure the safety, reliability, and effectiveness of medical technologies, support innovation, and meet the evolving needs of healthcare providers and patients. | Until the data is anonymized; anonymized data may be stored as long as necessary for development purposes, as it is no longer considered personal data |
- How do we protect your personal data
We take the protection of your personal data very seriously. We implement advanced technical and organizational measures to ensure that your personal data is kept secure, confidential, and protected against unauthorized access, loss, alteration, or disclosure. These measures include secure servers, access controls, password protection, encryption technologies, staff training, and internal policies governing data handling. Access to your data is strictly limited to those who need it to perform their duties and who are subject to confidentiality obligations.
- Who Has Access to Your Personal Data
Access to your personal data is limited to:
- Authorized personnel within our company who require the information to fulfil orders, provide support, or manage regulatory obligations.
- Suppliers and manufacturers of medical devices with whom we have entered into data processing agreements.
- Third-party service providers, such as IT support, logistics partners, or cloud storage providers, who process data on our behalf under strict contractual agreements that ensure compliance with applicable data protection laws.
- Regulatory authorities (e.g., health authorities or notified bodies) when required to comply with legal or regulatory obligations related to medical device distribution and safety monitoring.
We ensure that all third parties with access to your data are bound by data protection agreements.
- Transfers of Personal Data to Third Countries
As part of our operations, we may transfer your personal data to countries outside the European Economic Area (EEA), including to countries that may not offer the same level of data protection as your home jurisdiction.
Such transfers may occur, for example, when:
- We work with international suppliers, service providers, or affiliates based outside the EEA;
- Cloud-based systems or data hosting services we use are located outside your jurisdiction;
- We are required to share data with manufacturers or regulatory bodies located in third countries as part of post-market surveillance, product support, or complaint handling.
When we transfer personal data to a third country, we ensure that appropriate safeguards are in place to protect your rights in accordance with applicable data protection laws. These safeguards may include:
- Transfers to countries deemed to provide an adequate level of protection by the European Commission;
- Standard Contractual Clauses approved by the European Commission.
You may request further information about the safeguards in place for international transfers by contacting us using the details provided in section 8.
- What are your rights with regard to your personal data and how can you exercise them
You have the following rights:
- Right of access – You can request details of the personal data we hold about you.
- Right to rectification – You can request corrections to inaccurate or incomplete data.
- Right to erasure – You can request deletion of your data, subject to any legal or regulatory retention obligations.
- Right to restrict processing – You can ask us to limit the use of your data in certain circumstances.
- Right to data portability – Where applicable, you can request a copy of your data in a commonly used format to transfer to another controller.
- Right to object – You can object to the processing of your data where it is based on our legitimate interests.
- Right to withdraw consent – Where processing is based on your consent, you may withdraw it at any time.
- You may also opt out of personalized advertising by adjusting your preferences in your Google and Meta accounts.
To exercise your rights, please contact us using the information provided below. We may need to verify your identity before responding to your request. We aim to respond within one month of receiving your request.
- Contact information for questions or complaints
If you have any questions, concerns, or complaints regarding the processing of your personal data, or if you would like to exercise any of your data protection rights or file a complaint, please contact:
aktsiaselts Surgitech
Email: surgitech@surgitech.ee
Phone: +372 646 0660
Address: Pärnu mnt 148, III floor, Tallinn 11317, Estonia
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority:
Andmekaitse Inspektsioon
Address: Tatari 39, Tallinn 10134, Estonia
Phone: +372 627 4135
Email: info@aki.ee