Privacy Policy
Last Updated: May 01, 2025

This Privacy Policy explains how Erivora OÜ (“Company”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website https://riya.bio (“Website”) or interact with us. We process your data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable EU data protection laws.

1. Data Controller
Erivora OÜ
Registration number: 17124545
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 10-24, 10124, Estonia
VAT number: EE102822791
Email: info@riya.bio

2. Personal Data We Collect
We may collect and process the following categories of personal data, depending on how you interact with our Website and services:
  • Contact and Identification Data – such as your full name, billing and delivery address, email address, and telephone number. This information is necessary for processing your orders, delivering Products, and communicating with you regarding your purchase or inquiries.
  • Order Information – details relating to the Products you have purchased or intend to purchase, order date, delivery preferences, and payment method. For cash on delivery (COD) orders, payment details are processed by our authorised fulfilment partners and courier companies; we receive only aggregated payment confirmation data, not your bank or card details.
  • Communication Data – content of any messages, requests, or inquiries you send to us via our contact form, email, or other communication channels, along with related metadata (e.g., time and date of the communication).
  • Subscription Data – your email address and communication preferences if you sign up for our newsletter or other marketing communications. We may also record your interaction with such communications (e.g., whether you opened an email or clicked on a link) to improve our marketing efforts.
  • Technical Data – information automatically collected when you access our Website, such as your Internet Protocol (IP) address, browser type and version, device type and model, operating system, referral URLs, pages viewed, time spent on the Website, and cookie identifiers. This data helps us maintain Website security, improve functionality, and perform analytics.
We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, or biometric data) through the Website. If you voluntarily provide such data in a communication with us, we will process it only to the extent necessary for the purpose of your inquiry and in accordance with applicable law.

3. How We Collect Data
We collect personal data in the following ways:
  • Directly from you – when you place an order on the Website, create or confirm delivery details, communicate with us via email, contact forms, or other channels, or subscribe to our newsletter. In these cases, you knowingly provide the data necessary for us to fulfill your request or perform our contractual obligations.
  • Through your use of our Website – certain data is collected automatically when you browse the Website, such as technical data described above. This is done using cookies, web beacons, and similar technologies, subject to your cookie preferences and applicable law.
  • From third parties – in some cases, we may receive your personal data from our fulfilment partners, couriers, or marketing service providers. For example, if you pay for your order via COD, the courier or fulfilment partner will confirm to us that the payment was collected and provide us with the delivery status.
  • Through marketing and analytics tools – when you interact with our newsletters, advertisements, or social media campaigns, we may collect interaction data from marketing platforms and analytics services, in compliance with your consent settings.

4. Purpose and Legal Basis of Processing
We process your personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR) and other applicable EU data protection laws. Depending on the nature of our interaction, your data may be processed for the following purposes:
  • Performance of a Contract (Art. 6(1)(b) GDPR) – We process your contact, identification, and order information to register, confirm, process, and deliver your purchases, arrange cash-on-delivery payments through our fulfilment partners, handle returns and refunds, and provide post-sale support. This also includes notifying you of order status, delivery updates, and any changes that may affect your purchase.
  • Customer Support (Art. 6(1)(b) GDPR) – When you contact us via email, contact forms, or other communication channels, we process the information you provide (including any personal data contained in your messages) to respond to your questions, resolve issues, and fulfill your requests.
  • Marketing Communications (Art. 6(1)(a) GDPR) – With your explicit consent, we may process your subscription data to send newsletters, promotional offers, or information about new products. We may also track your interactions with these communications (e.g., whether you opened an email or clicked a link) to measure effectiveness and tailor future content. You may withdraw your consent at any time.
  • Website Functionality and Analytics (Art. 6(1)(f) GDPR) – We process technical data collected through cookies and similar technologies to maintain the security, performance, and stability of the Website, to enhance user experience, and to analyse Website usage trends. Our legitimate interest is to operate an effective, secure, and user-friendly Website and improve our services.
  • Legal and Regulatory Compliance (Art. 6(1)(c) GDPR) – We process certain personal data to comply with our obligations under applicable laws, such as tax and accounting regulations, consumer protection requirements, and anti-money laundering (AML) legislation. This may require us to retain certain transaction records and, in rare cases, share information with competent authorities.
We do not process your personal data for purposes incompatible with those described above without first informing you and, where applicable, obtaining your consent.

5. Cookies and Similar Technologies
Our Website uses cookies and similar technologies to ensure proper functionality, enhance user experience, and provide insights into Website performance. Cookies are small text files that are stored on your device when you visit our Website. They may be set by us (“first-party cookies”) or by third-party service providers (“third-party cookies”).
We use the following categories of cookies:
  • Essential (Strictly Necessary) Cookies – These cookies are necessary for the operation of the Website and cannot be switched off in our systems. They are usually set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms. Without these cookies, certain features of the Website may not function properly. These cookies do not require your consent.
  • Analytics Cookies – With your consent, we use analytics cookies to collect information about how visitors interact with our Website, such as which pages are visited most often, how users navigate the site, and any error messages encountered. This information is aggregated and anonymous, and it helps us improve the performance and usability of the Website.
  • Advertising and Marketing Cookies – With your consent, these cookies may be used to deliver advertisements relevant to your interests, limit the number of times you see an ad, and measure the effectiveness of marketing campaigns. They may be set by us or by our advertising partners.
Cookie Consent Management
When you first visit our Website, you will see a cookie banner that allows you to accept or reject non-essential cookies. You can also adjust your cookie preferences at any time by accessing the cookie settings through the banner or your browser’s privacy controls. Please note that disabling certain cookies may affect the functionality and performance of the Website.
Third-Party Services
Some cookies may be placed by third-party service providers, such as analytics and advertising networks, which may process your data outside the EEA. In such cases, we ensure appropriate safeguards, such as Standard Contractual Clauses, are in place to protect your data.
Retention
Cookies remain on your device for varying periods:
  • Session cookies expire when you close your browser.
  • Persistent cookies remain on your device until deleted manually or automatically by your browser.
You can delete cookies at any time through your browser settings.

6. Data Sharing
We do not sell, rent, or trade your personal data to third parties. However, in order to operate our business, fulfill your orders, and comply with legal obligations, we may share your personal data with carefully selected third parties under strict contractual and confidentiality obligations. Such sharing is always carried out in compliance with the General Data Protection Regulation (GDPR) and other applicable laws, and only to the extent necessary for the relevant purpose.
We may share your personal data with the following categories of recipients:
  • Fulfilment Partners and Couriers – We work with authorised fulfilment service providers and established courier companies to store, prepare, and deliver your orders. For cash-on-delivery (COD) transactions, these partners also handle the collection of payments on our behalf and transfer the collected amounts to us as aggregated payments. They receive only the information necessary to complete the delivery and payment process (e.g., your name, delivery address, contact details, and order reference).
  • Marketing and Advertising Service Providers – With your consent, we may use external marketing platforms, email campaign services, social media advertising tools, and analytics providers to manage promotional activities, measure campaign effectiveness, and improve targeting. These providers receive only the data required to perform the agreed services (e.g., email addresses for newsletter distribution or anonymised interaction data for ad analytics).
  • IT and Hosting Providers – We engage IT infrastructure, hosting, and website maintenance service providers to ensure the secure and reliable operation of our Website. This may include cloud hosting providers, content delivery networks (CDNs), and security monitoring services.
  • Professional Advisors – In certain cases, we may share data with legal, tax, or accounting professionals where such sharing is necessary to protect our rights, meet compliance obligations, or pursue or defend legal claims.
  • Public Authorities and Regulators – We may be required by law to disclose certain personal data to competent authorities, such as tax offices, customs agencies, law enforcement bodies, or anti-money laundering regulators. Such disclosure will only take place when legally required or permitted, and we will ensure that only the minimum necessary information is provided.

7. Data Retention
We retain your personal data only for as long as it is necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, or as required by applicable law. The retention period may vary depending on the type of data and the applicable legal or regulatory requirements.
In particular:
  • Order and Transaction Records – We retain order-related data, including contact details, order history, delivery records, and payment confirmations, for a minimum of seven (7) years from the end of the financial year in which the transaction took place, in accordance with tax and accounting regulations.
  • Customer Support Communications – Correspondence and related personal data are retained for as long as necessary to respond to your inquiries, resolve issues, and maintain records of communications, typically up to two (2) years unless a longer period is required for legal or evidentiary purposes.
  • Marketing and Subscription Data – We retain your subscription data for marketing communications until you withdraw your consent, unsubscribe, or object to further processing. After that, we will remove your contact details from our marketing lists, but may retain a record of your request to ensure it is respected in the future.
  • Technical and Analytics Data – Data collected through cookies and similar technologies is retained for the period stated in our Cookies section, after which it is automatically deleted or anonymised.
When retention periods expire, we will securely delete or anonymise the data, unless its continued storage is necessary for the establishment, exercise, or defence of legal claims, or for compliance with a legal obligation.

8. Your Rights under GDPR
Under the General Data Protection Regulation (GDPR), you have a number of rights regarding your personal data. These rights are not absolute and may be subject to certain legal conditions or limitations. Your rights include:
  • Right of Access – You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed.
  • Right to Rectification – You have the right to request the correction of inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (“Right to be Forgotten”) – You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (if applicable), or where you successfully object to processing. This right may be limited where data retention is required by law.
  • Right to Restrict Processing – You may request that we temporarily suspend the processing of your personal data in certain situations, for example, while we verify its accuracy or consider an objection.
  • Right to Object – You have the right to object to the processing of your personal data based on our legitimate interests, including profiling, unless we can demonstrate compelling legitimate grounds to continue the processing. You also have the right to object to processing for direct marketing purposes at any time.
  • Right to Withdraw Consent – Where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to Data Portability – You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to request that it be transferred to another controller, where technically feasible.
To exercise any of these rights, please contact us at info@riya.bio. We may need to verify your identity before fulfilling your request, to protect your data from unauthorised access. We will respond to all requests within one month of receipt, in accordance with GDPR requirements, and will inform you if additional time is required due to the complexity or number of requests.
You also have the right to lodge a complaint with your local data protection authority if you believe that your rights have been violated.

9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including encryption, access control, and secure storage systems.

10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our Website.

11. Contact Us
If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact us:
Email: info@riya.bio
Postal address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 10-24, 10124, Estonia