Privacy Policy

by Skinstep. Last updated: February 18, 2026

Table of Contents:

  1. Introduction
  2. Data Controller
  3. Personal Data Collected
  4. Purposes and Legal Bases of Processing
  5. Marketing Communications
  6. Cookies and Similar Technologies
  7. Disclosure of Personal Data
  8. International Data Transfers
  9. Data Retention
  10. Automated Decision-Making and Profiling
  11. Data Subject Rights
  12. Right to Lodge a Complaint
  13. Data Security
  14. Changes to Privacy Policy
  15. Contact

1. Introduction

This Privacy Policy explains how we collect, use, and protect personal data when you visit or make a purchase from our website. 

We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Estonian data protection laws.

This website is operated in Estonia and is directed exclusively to consumers residing in Estonia.

2. Data Controller

The controller of your personal data is:

Vitamion Estonia OÜ / Skinstep

Registry code: 12829531

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Kentmanni tn 28-22, 10116, Estonia

Contact: info@skinstep.ee

The company is registered in Estonia.

3. Personal Data Collected

We may collect and process the following categories of personal data.

  • identification and contact details (name, email address, phone number, delivery address);
  • order and payment-related information;
  • customer account data (only if you voluntarily create a customer account, as customer account creation is not required to make purchases);
  • communication data (customer support inquiries);
  • technical data (IP address, browser type, device information);
  • website usage data collected via cookies and similar technologies.

4. Purposes and Legal Bases of Processing

We process personal data for the following purposes and legal bases.

  • Order processing, delivery, and customer service

  Legal basis: performance of a contract (Article 6(1)(b) GDPR).

  • Customer account management (only where a customer voluntarily creates a customer account)

  Legal basis: performance of a contract (Article 6(1)(b) GDPR).

  • Legal and accounting obligations 

  Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR).

  • Website security and service improvement 

  Legal basis: legitimate interest (Article 6(1)(f) GDPR).

  • Marketing communications and newsletters

  Legal basis: consent (Article 6(1)(a) GDPR).

Our legitimate interest consists of ensuring the functionality, security, and continuous improvement of our website, without overriding the rights and freedoms of customers.

5. Marketing Communications

If you subscribe to our newsletter, we will send you marketing communications by email. We use Klaviyo as our email marketing service provider.

You may withdraw your consent and unsubscribe at any time by clicking the unsubscribe link included in each email or by contacting us directly. 

6. Cookies and Similar Technologies

We use cookies and similar technologies to operate our website, analyze traffic, and measure marketing effectiveness.

Cookies are small text files or similar technologies that are stored on your device to help the website function and improve your user experience.

We use necessary cookies that are essential for the website to function and cannot be turned off.

Non-essential cookies (including analytics and marketing cookies) are used only with your prior consent via our cookie banner.

You can manage or withdraw your cookie consent at any time through our cookie settings, which are accessible via the website interface.

7. Disclosure of Personal Data

We may share personal data with trusted service providers, including:

  • Shopify – e-commerce platform provider,
  • payment service providers,
  • logistics and delivery partners,
  • Google (analytics and advertising services),
  • Meta (Facebook and Instagram advertising),
  • Klaviyo (email marketing).

Personal data is shared only to the extent necessary for the intended purpose. If the services include profiles or listings of independent skincare specialists or clinics, personal data related to these specialists is processed for notification and marketing purposes, based on legitimate interest or consent as needed. Such specialists act as independent controllers for their own services. Depending on the service used, certain partners, such as Google or Meta, may act as independent controllers or joint controllers in accordance with their own data processing terms.

8. International Data Transfers

Some service providers process personal data outside the European Economic Area (EEA), including in the United States.

Where applicable, such data transfers are safeguarded by appropriate measures, including the European Commission’s Standard Contractual Clauses.

9. Data Retention

Personal data is retained only for as long as necessary.

  • Order and accounting data are retained in accordance with Estonian law.
  • Customer account data are retained until the customer account is deleted.
  • Marketing data are retained until consent is withdrawn.
  • Technical and analytical data are retained in accordance with the cookie retention settings.

When data is no longer required, it is securely deleted or anonymized.

10. Automated Decision-Making and Profiling

We may use automated tools to personalize and analyze marketing. Such profiling is limited to basic marketing segmentation and analysis purposes, for example, tailoring content or advertisements, and does not involve automated decision-making that has legal or similarly significant effects on individuals.

11. Data Subject Rights

Under the GDPR, you have the following rights:

  • the right to access personal data,
  • the right to rectify data,
  • the right to erase data,
  • the right to restrict processing,
  • the right to object,
  • the right to data portability,
  • the right to withdraw consent at any time.

Requests may be submitted by email using the contact details provided above.

12. Right to Lodge a Complaint

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate, Tatari 39, Tallinn 10134, phone +372 627 4135, email info@aki.ee.

13. Data Security

We apply appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.

14. Changes to Privacy Policy

We may update this Privacy Policy from time to time.

The current version will always be available on our website.

15. Contact

For questions regarding this Privacy Policy or personal data processing, please contact us by sending an email to: info@skinstep.ee.