PRIVACY POLICY

1. GENERAL PROVISIONS, PURPOSE AND DATA CONTROLLER

1.1. This Privacy Policy governs the principles concerning the collection, processing, and retention of personal data on Yester OÜ’s website yester.eu and in connection with the provision of its platform and services.

1.2. Yester’s objective is to clearly explain what personal data we collect, why we collect it, how we use it, with whom we share it, and how we ensure its security.

1.3. Yester OÜ is obligated to follow the principles of lawfulness, purpose limitation, data minimisation, security, and individual participation in the processing of personal data.

1.4. The Data Controller (as defined in IKAS § 7(1)) is:

Yester OÜ

Registry Code: 16107160

Address: Harju maakond, Viimsi vald, Lubja küla, Uus-Pärtle tee 5-4, 74010

E-mail: info@yester.eu

1.5. Yester OÜ acts as the Data Controller to the extent that the data processing occurs on this domain or in services whose management and control belong to Yester OÜ.

2. DIFFERENTIATION OF YESTER’S ROLES (IKAS § 7, § 8)

2.1. Data Controller Role: Yester is the Data Controller, determining the purposes and means of processing for data collected directly from the data subject (e.g., on the website or for marketing purposes).

2.2. Authorised Processor Role: When Yester provides platform services to the Client (the employer, who is the Data Controller) and processes data entered into the Service (e.g., the Client's employee data) based on the Client’s instructions, Yester acts as the Authorised Processor.

2.3. Notification to Data Subjects: If Yester acts as an Authorised Processor on behalf of its Client (the employer), the Client is the Data Controller for that data. Therefore, all data subject requests (e.g., requests for access, rectification, or erasure, IKAS § 31) related to such data must be submitted directly to Yester’s Client (the employer).

3. PERSONAL DATA COLLECTED, COMPOSITION, AND SOURCES (IKAS § 4, § 15)

Yester collects personal data, which is information concerning an identified or identifiable natural person.

3.1. User Data on the Website (Automatically Collected Data): When visiting yester.eu, the following information may be automatically collected (subject to consent), forming the composition of the data (IKAS § 15(1) p 2):

3.2. Data Provided via Forms and Contact Information: Name, organisation, position, e-mail address, phone number, and any additional information voluntarily entered (e.g., comments, needs).

3.3. Service Usage Data: If you are a user of Yester’s software or services, the following may also be processed:

3.4. Sources of Data: The primary source of personal data is the data subject. Additionally, data may be obtained from public sources (e.g., business registries, credit registries) for the purpose of client background and credit analysis.

4. PURPOSES AND LEGAL BASIS OF DATA PROCESSING (IKAS § 14)

Yester processes personal data only for defined and legitimate purposes.

Purpose (IKAS § 15 p 1) / Legal Basis (IKAS § 14)

Service Provision and Management / Contractual relationship (IKAS § 14(1) p 1) or necessity for service delivery

Communication and Customer Support / Data subject's consent or legitimate interest

Development and Analytics / Data subject's consent or legitimate interest

Marketing and Advertising / Data subject's consent (unless direct marketing is permitted otherwise by law)

Legal and Regulatory Obligations / Obligation provided for by law (IKAS § 14(1) p 3)

If processing is based on the data subject's consent (IKAS § 12), they have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5. DATA RETENTION AND DELETION (IKAS § 19)

5.1. Yester retains personal data only as long as necessary to achieve the purposes of processing or to fulfil statutory obligations. Personal data unnecessary for the achievement of purposes shall be immediately deleted or closed, unless otherwise provided by law (IKAS § 19(1) p 1).

5.2. Contractual Data Retention (Consistent with Agreement):

5.3. Accounting records are retained in accordance with the law (e.g., 7 years).

5.4. Backup copies and system logs are retained for a limited time (e.g., 12–24 months).

6. DISCLOSURE AND TRANSFER OF DATA (IKAS § 28)

6.1. Yester does not sell or publicly disclose personal data to third parties, except where necessary for the provision of the Service (e.g., cloud service providers, maintenance, analytics providers), required by law (e.g., court order), or based on the Client’s instructions.

6.2. Authorised Sub-processors: Sub-processors are engaged for the provision of the Service (IKAS § 8) who are contractually obliged to ensure confidentiality. These include: Amazon Web Services (Ireland), Microsoft Inc. (Ireland), Pipedrive (Germany, Ireland, Sweden), and Zendesk (Germany).

6.3. Data Transfer Outside the EEA (IKAS § 28): Personal data may be transferred outside the European Economic Area (EEA) only to countries ensuring an adequate level of data protection (IKAS § 28(1), (3)) or where appropriate safeguards are applied (e.g., standard contractual clauses).

7. DATA SUBJECT RIGHTS (IKAS Chapter 7)

7.1. Right of Access (IKAS § 29): The data subject has the right to be informed of their personal data being processed, the purposes, composition, sources, and the name and address of the data controller.

7.2. Right to Rectification and Erasure (IKAS § 31): The data subject has the right to demand the rectification of inaccurate data or the closing/erasure of data if processing is not compliant with legal acts. Yester is obliged to inform third parties to whom the data was transferred of the rectification or erasure.

7.3. Right to Restriction: The right to restrict the processing of personal data for a certain period.

7.4. Right to Object (IKAS § 31): The right to object to processing based on legitimate interest, including processing for direct marketing purposes.

7.5. Right to Data Portability: The right to receive personal data in a structured, commonly used, and machine-readable format and to request its transmission to another service provider.

7.6. Request Deadline (IKAS § 29): The Controller or Processor must provide the information or justify the refusal within five working days following the receipt of the application.

8. SECURITY AND COMPLAINT PROCEDURES (IKAS § 19, § 32)

8.1. Security Measures (IKAS § 19): Yester implements appropriate organisational, physical, and informational security measures to protect personal data against accidental or unauthorised alteration, disclosure, or destruction. Measures include: encryption (SSL), access restrictions, backups, and staff training. Yester must ensure that it is possible to determine retrospectively when, by whom, and which personal data was recorded, modified, or deleted (IKAS § 19(2) p 3).

8.2. Right to Lodge a Complaint (IKAS § 32): If the data subject finds that their rights are violated during the processing of personal data, they have the right to appeal to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or a court to protect their rights and interests.

9. AMENDMENTS TO THE PRIVACY POLICY

Yester may update these terms from time to time. Users will be notified of material changes via email or on the site's homepage. The new terms take effect from the moment of publication.

For any questions about this Privacy Policy or our data processing practices, please contact us at info@yester.eu or by phone at +372 5757 0300.
