Privacy Policy


This Privacy Policy sets out the principles on the basis of which Impact Day processes the personal data of its customers.  We process personal data in accordance with the EU General Data Protection Regulation, the Personal Data Protection Act and other legislation on the processing of personal data. We process data on the basis of the principle of minimal processing – we only process the data that is necessary for the provision of the service to you and for the fulfilment of our purposes.


1.1. The controller is the person who determines the principles and purposes of the processing. For the purposes of this Privacy Policy, the controller is Impact Week OÜ (hereinafter Impact Day) (registered in the Commercial Register of the Republic of Estonia, registry code 16817818). Impact Day may be the data controller alone or jointly with another legal entity with which Impact Day has concluded a data processing contract. In certain cases, Impact Day may also be an authorised processor, in which case the controller is the company with which the Data Subject has concluded a contract, as a result of which the company transfers the Data Subject’s personal data to Impact Day.
1.2. An authorised processor is a person who processes personal data on behalf of and under contract with a controller and to the extent specified in the contract. An authorised processor is a partner of Impact Day providing services to Impact Day. Impact Day will contract and verify the reliability of such parties in accordance with data protection requirements. Impact Day may also act as an authorised processor, but in such a situation, the data processing principles of the controller will apply in the first instance.
1.3. A Data Subject is an identifiable natural person whose personal data is processed by Impact Day (hereinafter also referred to as Customer or you). This may be, for example, a person with whom Impact Day has entered into a contract or a person who has expressed a wish to enter into a contract with Impact Day. It may also be a person treated as a Data Subject on the basis set out in the Contract, whose data has been provided to Impact Day by the Customer.
1.4. Personal data are any information relating to a data subject which makes it possible to identify that data subject, directly or indirectly.
1.5. Processing of personal data is any activity that relates to personal data.
1.6. The Contract is a rental contract between Impact Day and the Customer.


2.1. Impact Day can be contacted by e-mail at for questions regarding the processing of personal data.


3.1. Impact Day processes personal data on the following bases and for the following purposes:
3.1.1. Conclusion and performance of the contract – On these grounds, we will process the data contained in the request for conclusion of the contract and will conclude the contract. On these grounds, we will also perform our obligations under the contract.
3.1.2. Consent – Consent is given voluntarily by ticking a box when filling in the online form and signing the contract. On the basis of consent we will be able to send you offers and newsletters. Consent can be withdrawn at any time by notifying us by email at
3.1.3. Legitimate interest – A legitimate interest is a business interest of Impact Day where we process data to improve our service and protect our interests. Where we have a legitimate interest, we may process your personal data for the following purposes:

  • To ensure a trusted customer relationship and prevent fraud;
  • Drafting, presenting and defending legal claims;
  • To handle customer complaints;
  • For the purposes of customer base management and marketing (except for sending direct marketing offers to natural persons, unless consent has been given);
  • To organise campaigns and satisfaction surveys;
  • For information security purposes;
  • To develop and improve IT solutions;
  • For organisational purposes, e.g. due to internal management and audits.

3.1.4. Fulfilling legal obligations (for example, obligations related to accounting).


4.1. Impact Day collects the following personal data:
4.1.1. Personal data disclosed by the Data Subject and the person treated as such, to the controller – first name and surname, date of birth or personal identification number, address where the smart mailbox is to be installed, e-mail address, telephone number, payment method information and invoicing information.
4.1.2. Personal data generated in the course of the conclusion and performance of the contract (for example, the data set out in clause 4.1.1. if included in the contract);
4.1.3. Personal data generated in the course of regular communication (for example, the content of a request sent to us by a Data Subject);
4.1.4. Data that is manifestly disclosed by the Data Subject (for example, data disclosed by the Data Subject on Impact Day’s social media accounts);
4.1.5. Data generated by the use of the self-service portal;
4.1.6. Data generated when visiting the Impact Day website (see more details on the use of cookies below);
4.1.7. Data received from cooperation partners, authorised processors or joint controllers.


5.1. Impact Day does not transfer personal data to third parties, except in the following cases:
5.1.1. Impact Day may transfer personal data to companies that have concluded a contract with Impact Day to provide a service (for example, to a courier company or other transport company that has concluded a contract with the data subject).
5.1.2. Impact Day may transfer personal data in the case of a legal obligation. For example, court judgments and inquiries from competent authorities (courts, notaries, enforcement agents, prosecutors, police, etc.).
5.1.3. Impact Day may transfer data if they are necessary to ensure the performance of the contract.
5.1.4. Impact Day may transfer personal data to event partners and include the name, organization and title of attendees and customers in our marketing and communication activities.
5.1.4. As a rule, Impact Day does not transfer personal data outside the European Economic Community. Impact Day may transfer personal data outside the European Economic Community only if it is in compliance with the EU General Data Protection Regulation, which means that when transferring personal data outside the European Economic Community, we will implement additional safeguards such as contracting under model clauses approved by the European Commission or other appropriate measures. A copy of the implemented safeguards can be obtained at


6.1. Impact Day obtains the data from the Customer (in which case Impact Day is the Data Controller) or the data is provided to Impact Day by a courier or other company that has obtained the Customer’s data from the Customer in the course of entering into a contract (in which case Impact Day is the Joint controller or Authorised processor).
6.2. Impact Day, as the Data Controller, will store the data collected during the pre-contractual negotiations until the moment when the fact of the conclusion of the contract becomes clear. If the contract is not concluded, Impact Day will delete the personal data within three months of becoming aware of the fact that the contract is not concluded.
6.3. Personal data collected in the course of the performance of the contract will be stored until the performance or termination of the contract or until the expiry of the claims related to the contract, whichever is the later. Impact Day shall store personal data for a maximum period of 3 years on the basis of a 3-year limitation period for claims, except where the circumstances do not justify the choice of a 10-year retention period and except to the extent that a longer retention period is required by the obligation to keep accounting records.
6.4. The data received by Impact Day in its capacity as an authorised processor shall be kept by Impact Day for the period of time specified by the controller.
6.5. Subject to legal requirements, Impact Day may also retain data for longer periods, but to no greater extent and for no longer than is necessary to comply with the law. For example, we keep documents necessary for accounting purposes for up to 7 years.


7.1. Organisationally, access to the personal data collected by Impact Day is restricted to authorised persons who are contractually bound to Impact Day or to members of the management body, where the processing is necessary for the performance of their duties. Employees and members of the management body who do not carry out day-to-day tasks requiring the processing of personal data do not have access to personal data and are prohibited from processing the data.
7.2. Authorised processors may only process personal data transferred to them if this is necessary for the conclusion or performance of a contract.


8.1. The Data Subject has the right at any time to make a request about the disclosure of the data collected about him or her and to be informed of the data collected and processed about him or her, and, in the event of inaccurate data, the Data Subject has the right to request their rectification.
8.2. The Data Subject has the right to notify the data controller at any time of his or her wish to withdraw consent to the processing of personal data. Withdrawal of consent shall not affect the lawfulness of the processing carried out at the time of consent. In the event that the controller processes personal data on any other basis, the controller shall erase the personal data in accordance with the provisions referred to in this Privacy Policy.
8.3. In cases where the data controller has processed the data solely on the basis of consent or where the controller no longer has a valid legal basis for processing the personal data, the Data Subject has the right to request the erasure of all data.
8.4. The Data Subject has the right to object to the processing of his or her personal data, for example where the processing is based on the legitimate interest of the Controller.
8.5. The Data Subject has the right to data transferability, i.e. the right to request that his or her data be transferred to another controller, if the personal data are processed in the performance of a contract with the Data Subject and the transfer of personal data is technically feasible.
8.6. The Data Subject has the right to turn to the Data Protection Inspectorate or a court at any time. Contact the Data Protection Inspectorate:,
8.7. If the Data Subject has suffered damage as a result of the processing of the data, the Data Subject has the right to claim compensation.
8.8. The Data Subject has the right to lodge a complaint or a claim with Impact Day. For complaints, questions or claims regarding the processing of personal data, please contact


9.1. The Impact Day website uses cookies to analyse data.
9.2. The Customer has the right to refuse all or part of the cookies by configuring their web browser and cookie settings accordingly.
9.3. The Impact Day website uses Google Analytics cookies to analyse customer behaviour on the website. The data collected during this process is anonymous and individual website users are not identified.
9.4. In order to maintain the functionality of the website, the website also uses session cookies. Temporary information collected during this process will be deleted when you close your browser.
9.5. You can disable cookies by following the instructions in the “help” function of your web browser. When disabling functional cookies, please note that not all website functions may work correctly.
9.6. You can also find more information on how cookies work or how to disable cookies at


10.1. Impact Day reserves the right to amend this Privacy Policy in accordance with changes in legislation or practice and will publish it immediately on the website.
