Privacy policy

1. Introduction

1.1. Tiit-Reisid OÜ is considered as a tour operator due to its line of business and uses personal data in its daily economic activities for providing, organizing, coordinating and facilitating various travel and tourism-related services. In our operations, we follow the General Data Protection Regulation (GDPR), the Personal Data Protection Act (IKS), our own Data Protection Strategy, and other applicable data protection norms. This privacy policy (hereinafter referred to as the Privacy Policy) is mainly addressed to data subjects, i.e. natural persons whose personal data is being processed, in accordance with the GDPR and IKS regulations.

1.2. We understand that you, as data subjects, are aware of and care about the processing of your personal data. Therefore, we confirm that we take the compliance with the rules set up for the processing of your data very seriously. The privacy policy describes the principles and practices used by our company regarding the entire data processing chain from collection to use and deletion, focusing on the protection of personal data. We acknowledge that data protection is a continuous responsibility, which is why we periodically review the Privacy Policy, ensure its compliance with the established requirements, and update its content if necessary.

2. Data Protection Officer (DPO)

2.1. To comply with data protection requirements, our company Tiit-Reisid OÜ, registry code 10055108, located at Sadama 13, Kärdla, has appointed the following person as the Data Protection Officer (DPO):

Tiit Randmaa

Tiit-Reisid OÜ

Sadama 13, Kärdla


3. Data Collection

3.1. Tiit-Reisid mainly collects personal data from its individual clients. These data are usually necessary for providing the travel and tourism services selected by the client and may always be specified within the framework of a specific travel service. The data collected may vary depending on the mode of travel (bus/train/plane/ship) and the destination (domestic travel, travel within the EU and equivalent countries, travel to countries outside the EU). Due to different requirements set by countries and service providers, the volume of personal data required for providing the service may vary accordingly. Typically, when traveling, it is necessary to provide one’s first and last name, a travel document/ID card with a photo for identity verification, gender, age, as well as contact information such as email address, phone number, and residential address. When traveling outside the EU, the list may be extended due to other specific requirements of the destination country, such as nationality, passport information, visa, vaccinations, etc. We use your personal data to fulfill our mutual agreement and provide you with travel and tourism services. We do not sell or share personal data with third parties except with those with whom it is necessary to share data by law or to fulfill our mutual agreement.

3.1.1. Processing of personal data in the provision and mediation of accommodation services.

When you purchase accommodation services, your personal data (name, gender, personal identification code, and/or date of birth) are necessary to comply with the requirements set for accommodation establishments and to provide the service. The list of personal data required may vary depending on the requirements established by different countries. To provide accommodation services, it is necessary to collect the personal data of the individuals who will be using the service and the time when accommodation is needed. Accommodation establishments are generally required to keep a register card for the persons accommodated, which includes the information required by law and which is submitted to law enforcement authorities.

Depending on the nature of the service, we may also require different types of personal data that are specific to the accommodation service. For example, this may mean that in case of certain mobility disabilities, we need to know about the presence of mobility aids (wheelchair, lift, etc.), or in case of food intolerances, we need information about special diets (if accommodation and catering services are ordered).

If you purchase accommodation and rehabilitation services, we may also require special types of personal data related to the specific rehabilitation treatment. This will provide us with information about the location and time of the rehabilitation, as well as the extent of its content, which is necessary for the provision of the specific rehabilitation service. In any case, these are different types of personal data that you provide to us yourself in order to receive the service.

When selling accommodation services and related services, if the best price has been offered by wholesalers, we will pass on your data to the service wholesaler, who will then pass on the data to the specific accommodation service or related service provider.

We require the accommodation service providers as wholesalers to comply with GDPR regarding the processing of personal data. Each person involved in providing accommodation services may use personal data only to fulfill the contract.

3.1.2. Processing of personal data in the provision and intermediation of conference services.

During the provision of conference services, we process personal data mainly for the performance of the conference service contract, such as registering participants and issuing invoices (name, personal identification code, phone, email), organizing translation services, arranging photographer and videographer services (photos), organizing and editing video broadcasts, organizing the production and distribution of souvenirs and printed materials (including name tags), arranging catering (information on intolerances, special diets, which are different types of personal data). During the organization of cultural and leisure programs, we process personal data necessary for their organization, such as name, program schedule, and individual preferences for different programs. We also process personal data for accommodation arrangements (see section 3.1.1 for accommodation services) and transportation arrangements between accommodation facilities and the conference venue, including names of individuals, transportation schedule, and locations of accommodation and conference venues.

We require service providers to comply with GDPR regulations regarding the processing of personal data. Every person involved in providing conference services may use personal data only for the performance of the contract.

3.1.3. Processing of personal data during the provision and mediation of tour guide, guide-interpreter and tour escort services

For providing guide, guide-translation and tour escort services, we require personal data from you such as name, personal identification code, service provision time, languages for translation and destinations to be visited. During the provision of travel companion service, certain types of personal data may become known, such as the need for a wheelchair in case of mobility impairment, as well as information on the travel of accompanying children. Depending on the destination and country, it may also be necessary to transmit your personal data in advance to the relevant authority or institution in the destination or country if required.

If you have purchased from us a mediation of guide service, guide-translation service or travel companion service, we usually forward the data to the wholesaler of guide service, guide-translation service or travel companion service, who in turn forwards the data to the specific service provider.

Nõuame teenusepakkujatelt isikuandmete töötlemise vastavust GDPR´le. Each person used to provide tour guide service, guide-translation service, or travel companion service can only use personal data for the purpose of fulfilling the contract.

3.1.4. Providing and intermediating passenger transport services.

In order to provide passenger transport services, we require personal information such as name, personal identification code, travel document information, contact information, and service-related information from you. During the provision of passenger transport services, information about various types of personal data may also become known (such as the need for a wheelchair in case of mobility disability, as well as information about the travel of children and their accompanying persons). In accordance with legal acts, the service provider has an obligation to transmit personal data to law enforcement authorities.

Nõue teenusepakkujatele tagada isikuandmete töötlemine vastavalt Euroopa Liidu üldisele andmekaitse määrusele (GDPR). Every passenger transport service provider and person involved in the provision of passenger transport services may only use personal data for the performance of the contract.

3.1.5. Providing and intermediating visa services.

In order to provide visa services, we require personal information such as name, personal identification code, valid travel document information, destination country, preferred validity period of the visa, purpose of the visit to the destination country, and other information required by the countries being visited.

The requirement for service providers is to ensure the processing of personal data in accordance with the European Union’s General Data Protection Regulation (GDPR). Every person involved in the provision of the service may only use personal data for the performance of the contract.

3.1.6. Intermediating travel-related insurance services.

In order to provide intermediary services for travel-related insurance, we require personal information such as name, personal identification code, place of residence, contact information, and so on. During the performance of the relevant contract, we may also become aware of personal data regarding illness of you or your family member (in case of insurance claim or travel disruption insurance), accidents, medical expenses, as well as other personal data that has become known due to unforeseeable insurance events.

The personal data provided by you will be transmitted to the insurance provider, and we require the insurance provider to ensure that the processing of personal data complies with GDPR.

3.1.7. Providing or intermediating vehicle rental services.

In order to provide or mediate vehicle rental services, we require personal information such as name, personal identification code, place of residence, contact information, the necessary information regarding the driving license for the respective category of vehicle, credit card information, and so on. During the performance of the contract, we may also become aware of information such as your preferences when selecting different types of cars, the individuals who will be driving the car, the times and routes of travel. We emphasize that items left in the car may also contain personal data about you.

In the case of intermediation of vehicle rental services, we will transmit the personal data provided by you to the specific vehicle rental service provider, and we require the vehicle rental service provider to ensure that the processing of personal data complies with GDPR.

3.1.8 Providing payment by bank transfer and credit/debit card.

Tiit-Reisid OÜ is the data controller of personal data and transmits the necessary personal data for making payments to the authorized processor Montonio AS.

3.2. Our website, communication platforms, and various social media channels (such as Facebook, Instagram, Twitter) as well as many other similar platforms automatically collect and store certain information in log files. This information may include your IP address, the region or general location where your computer or device is connected to the internet, the type of browser you are using, the operating system and other usage-related information including browsing history. We use this information to improve, simplify, and make our online environment more user-friendly. We may also use your IP address to diagnose problems on our server, administer the website, analyze trends, track visitor activity on the website, and collect more extensive demographic information to better determine the preferences of visitors to our online environment. Our online environment also uses a cookie system, which does not track the activities of website visitors on third-party websites.

3.3. If you have given your consent to receive newsletters and advertising or participate in our organized or mediated drawings or other campaigns, we will ask for your name and contact information. We use this information to send you information about the services offered by our company, our services/products, or anything else that may be of interest to you. Our newsletter may occasionally contain links to other websites. Our company is not responsible for the content or privacy policy of those websites. If you no longer wish to receive newsletters and direct mail, you can unsubscribe from such letters by clicking on the link located under each newsletter and/or advertisement.

3.4. If you wish to place an order through our online environment, we will need your contact information such as name, email address, and in some cases, place of residence and other contact information. This information is only needed to contact you regarding information related to your order and to fulfill the contract that has been or will be concluded with you. We may share your personal data with companies that are directly involved in providing services to you. In other cases, we do not share your personal data with anyone else. During the order process, we also ask for information regarding payment such as credit card number or bank transfer details. We use a secure online connection to ensure that your personal data is protected.

4. Our company’s data storage policies and practices.

4.1. Data collected about you through your purchases is kept in our company for the period during which the legal requirements for submitting claims apply, after which the personal data is deleted. The data is stored in one or more databases that are administered by a third party located in the Republic of Estonia. The said third party does not have access to the data and does not use your personal data for any other purpose than storage and backup.

5. When and how our company uses your personal data.

5.1. Your personal data is primarily used, with your agreement, to provide you with the services you have requested.

5.2. Personal data is also used to update our online environment according to your preferences, interests, and needs, as well as to better understand your desires and preferences in order to improve aspects of our online service.

5.3. If you have given consent to receive newsletters, special advertisements, direct mail, etc. from us, we will send you the requested information. It is possible to unsubscribe from such emails in the future.

5.4. Your personal data is shared with service providers whose service is essential for fulfilling the concluded contracts and providing services.

5.5. We may also share your personal data if such a need arises from criminal investigations, court orders, fulfilling your vital needs, in connection with sales, purchases, mergers, reorganizations, financing, liquidation, termination or a similar transaction related to the company. Indeed, in such cases we confirm that we take all necessary measures to ensure that your personal data is sufficiently protected.

5.6. When collecting the necessary information for participating in sweepstakes and similar activities, the obtained personal data is used to be able to contact you in case of winning. If the prize is provided by another contractual partner, your personal data will be transferred to them to contact the winner. Typically, participation in such prize games requires giving consent for the use of your personal data for other purposes, so we kindly ask you to carefully review the terms and conditions of the prize game before participating.

6. Movement of personal data outside the EU or equivalent regions

6.1. We are located in the Republic of Estonia, which is one of the member states of the European Union. The personal data we collect is mainly processed in the Republic of Estonia. In case it is necessary to transfer data outside the European Union or to territories which are deemed equivalent during the provision of a service, according to GDPR Article 45, it is necessary to guarantee a level of data protection that is equivalent to the protection provided within the EU. We hereby inform that our company has no other legal means to provide such guarantee than contractual, i.e. we can receive confirmations from those service providers with whom it is possible to conclude contracts and negotiate contractual terms, to ensure the adequate protection and to oblige them to guarantee such protection themselves, but we cannot in any way guarantee the adequacy of such measures and compliance with GDPR requirements.

6.2. However, if we cannot reach an agreement with the service provider on compliance with the General Data Protection Regulation (GDPR) requirements, we warn you that data protection in the target country may not be at the same high level as established by the GDPR. We also explain that we have no means to guarantee the high level of data protection in such a destination country. If, despite this warning, you still wish to receive services in such a destination, we will obtain separate consent from you to allow us to transfer your personal data to that destination.

7. Data subject rights

7.1. The privacy notice is intended to provide you with information about what information our company collects about you and how it is used. We are happy to assist you with any questions you may have about your personal data. Please feel free to contact us at the following email address:

7.2. If you want to know if our company processes your personal data or if you want access to your personal data, please contact us via the following email address:

8. Your data security

8.1. To protect personal data and identifying information that you enter into our online environment, we use physical, technical, and administrative security measures. We regularly update and test the protective technologies we use. Our internet networks are protected by firewalls and intrusion detection software. Access to your personal data is limited only to those employees who need such information to provide you with the agreed-upon service or on another legal basis.

8.2. We take reasonable measures to protect your personal data and our activities are subject to relevant information security legislation. However, we find it necessary to point out that no internet page or database is completely secure. so-called hack-proof Make sure to protect yourself and help us prevent cybercrime by carefully storing and protecting your passwords. Our website does not use spyware. If you suspect that your account has been hacked, please contact us immediately.

8.3. In addition to that, we train our employees to increase awareness among them regarding the importance and necessity of personal data protection. Our commitment is also reflected in internal company regulations that include data protection provisions and directly affect employees.

9. Updating and amending the Privacy Policy.

9.1. As with any organization, our company is likely to evolve over time, so it is only right to assume that there may be a need for Privacy Policy changes and updates in the future. Due to the above, we hereby inform you that we have the right to change and supplement the content of the Privacy Policy at any time without prior notice to you. We will publish the changes on the same Privacy Notice webpage. While we may notify you by email of significant changes to the Privacy Policy, the best way to stay up to date with the latest version of the Privacy Policy is to regularly visit the Privacy Policy webpage.

10. Employees’ Privacy Notice

10.1. The employee privacy notice is compiled as a separate document and is only available to employees.

11. Questions, complaints

11.1. If your personal data has changed, please contact us. If you have any additional questions regarding your personal data, please do not hesitate to contact us. We will respond within the deadline set by law. Please be prepared that in the context of protecting personal data, we may ask you for more detailed information to verify your identity before answering your questions. We need to be sure that the information is only provided to the correct person. In most cases, we will correct or delete any inaccuracies that you have discovered. In some cases, we may also refuse your request in whole or in part if the law allows or requires us to do so.

11.2. If you have any questions or complaints regarding your personal data, please contact our data protection officer at:

Tiit Randmaa

Tiit-Reisid OÜ

Sadama 13, Kärdla