SA Rannarahva Muuseum / Naissaar Visitor Centre
1. General Provisions
This Privacy Policy governs the collection, use, storage, and protection of personal data by SA Rannarahva Muuseum (hereinafter the Data Controller).
The Data Controller considers the protection of personal data important and processes personal data in accordance with all applicable legislation, including the EU General Data Protection Regulation (EU) 2016/679 (GDPR) and data protection laws in force in the Republic of Estonia.
This Privacy Policy applies to the website www.naissaarekeskus.ee, its subpages, and the services and functions offered through the website.
2. Data Controller
SA Rannarahva Muuseum
Registry code: 90009565
Email: info@naissaarekeskus.ee
Phone: +372 5694 6949
3. Categories of Personal Data Processed
The Data Controller collects and processes personal data only to the extent necessary for providing services or fulfilling legal obligations.
Personal data processed may include:
- first and last name
- email address
- phone number
- postal address (if necessary)
- order and booking details
- purchase history
- feedback and opinions provided by the client
- communication with the Data Controller (email, phone, correspondence)
- technical data related to website usage (IP address, browser, device type, visit time)
4. Methods of Collecting Personal Data
Personal data may be collected through the following means:
- placing orders or bookings via the website
- filling in contact or feedback forms on the website
- contacting via email or phone
- subscribing to the newsletter
- participating in public events
- visiting the website (via cookies and log files)
5. Purposes of Processing Personal Data
Personal data is processed for the following purposes:
- providing and managing services
- processing orders and bookings
- customer communication and support
- billing and accounting
- collecting and analyzing customer feedback to improve service quality
- ensuring the functionality, security, and development of the website
- compiling statistics and visitor analytics
- fulfilling legal obligations
Personal data will not be processed for purposes inconsistent with this Privacy Policy.
6. Legal Basis for Processing Personal Data
Personal data is processed on the following legal bases:
- performance of a contract with the data subject
- compliance with legal obligations of the Data Controller
- legitimate interest of the Data Controller (e.g. service development, analysis of customer feedback, website security)
- consent of the data subject (e.g. newsletter)
7. Cookies and Log Files
The website uses cookies and log files to ensure proper functioning and to collect statistical information.
Types of cookies used:
- necessary cookies essential for website functionality
- analytical cookies that help understand website usage and improve user experience
Users can restrict or disable cookies in their web browser settings.
8. Retention of Personal Data
Personal data is retained only for as long as necessary to achieve the purpose of processing or to comply with legal obligations.
Retention periods:
- accounting data – 7 years
- customer communication – up to 1 year
- customer feedback – up to 2 years or until the purpose of feedback is fulfilled
- newsletter data – until consent is withdrawn
- website logs – for a limited period
9. Transfer of Personal Data to Third Parties
Personal data may be transferred:
- to service providers (e.g. web hosting, payment solutions, IT services)
- only to the extent necessary for service provision
- only within the European Union or the European Economic Area.
Third parties process personal data based on the Data Controller’s instructions and are required to ensure data protection.
10. Photos and Videos at Public Events
During public events and activities, the Data Controller may take photos and videos for documenting and promoting the organization’s activities (e.g. on the website and social media).
The data subject has the right to request the removal of their image by contacting info@naissaarekeskus.ee.
11. Children’s Personal Data
The Data Controller does not knowingly collect personal data of minors without the consent of a parent or guardian.
12. Rights of the Data Subject
The data subject has the right to:
- receive information about the processing of personal data
- request access to their personal data
- request correction of inaccurate data
- request deletion of personal data
- restrict the processing of personal data
- object to the processing of personal data
- withdraw consent
- lodge a complaint with the supervisory authority
13. Personal Data Security
The Data Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.
14. Dispute Resolution
For questions or disputes related to personal data processing, please first contact the Data Controller at info@naissaarekeskus.ee.
If the dispute cannot be resolved, the data subject has the right to contact the supervisory authority:
Estonian Data Protection Inspectorate – info@aki.ee
15. Amendments to the Privacy Policy
The Data Controller has the right to amend this Privacy Policy. The current version is always available at www.naissaarekeskus.ee.
Last updated: 10 February 2026
