Updated April 23, 2026

Privacy Policy

This privacy policy explains how the Travel Maniac website processes personal data when you use the shop, join a newsletter or early-access list, or interact with us about merch drops and orders.

Important note

This page now covers the main GDPR transparency topics in substance, but the final public version still needs the full trader identity, registry details and a dedicated legal/privacy contact. In the current shop flow, the payment recipient is shown inside the product payment details.

1. Scope of this policy

This policy applies to all locale versions of the Travel Maniac website, the merch shop, newsletter forms, early-access forms and any direct data submission made through the site.

Where a specific seller, payment recipient or fulfilment party is shown in product payment details, that party may also process data required to fulfil the relevant manual order.

2. What data we collect

We follow data minimisation and collect only what is reasonably needed for the relevant purpose.

  • contact data, especially your email address when you join a notification list
  • form metadata such as signup type, product slug, locale and page path
  • technical security and service data such as request logs, error logs and abuse-prevention metadata
  • order-related details only if you voluntarily provide them in a payment note or later communication, such as parcel locker, phone number or size

3. Purposes and legal bases

We process signup data primarily to send merch-drop, newsletter and early-access notifications. The main basis is your consent or your own active request to receive that communication.

We may also process limited operational and technical data under legitimate interest for spam protection, deduplication, platform security and service maintenance.

If data is used to handle a concrete order, delivery or accounting obligation, the relevant basis may be contract performance or a legal obligation.

4. Recipients and disclosures

We do not sell personal data. We only share it where necessary to run the service or comply with law.

  • hosting and infrastructure providers keeping the website and server functions online
  • database and storage providers used to hold signup data
  • payment, shipping or fulfilment parties where needed for a concrete order
  • authorities where disclosure is required by law or a valid legal request

5. Retention

Notification list data is kept for as long as reasonably necessary to run the relevant list, until you withdraw consent, ask for deletion or the purpose ends.

Technical logs are kept for shorter periods and only for reliability, security and troubleshooting.

Where an order creates bookkeeping or statutory retention duties, relevant data may be retained for the legally required period.

6. International transfers and security

We aim to use providers operating in the EEA or otherwise offering appropriate safeguards. If a provider processes data outside the EEA, an applicable transfer basis and suitable safeguards must be in place.

We apply reasonable technical and organisational measures, including restricted access, server-side validation and minimised data collection.

7. Your rights

You have the right to know whether and how your personal data is processed, to request correction of inaccurate data and, where applicable, deletion.

You may also request restriction, object to processing based on legitimate interest and receive the data you provided in a structured format where the law gives you that right.

If you believe processing is unlawful, you may lodge a complaint with the Estonian Data Protection Inspectorate.

8. Cookies, analytics and automated decisions

As of April 23, 2026, based on the codebase, this Next.js version does not appear to use separate behavioural analytics, ad pixels or user-account profiling tools. If that changes, this policy and any required consent flows must be updated.

We do not make automated decisions in the signup flow that produce legal or similarly significant effects for users.