Privacy Policy
THE CLUB PRIVACY POLICY
Last updated: 08.06.2026
1. INTRODUCTION
1.1. This Privacy Policy explains how Väo Factory OÜ (registry code 12185654, trademark The Club; hereinafter The Club) collects, uses, stores, shares and protects personal data in connection with the use of The Club's website, the App and other Services.
1.2. Väo Factory OÜ is the controller of the personal data described in this Privacy Policy.
1.3. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the legislation of the Republic of Estonia and this Privacy Policy.
1.4. When using the Services or creating a user account, the Client confirms that they have read the Privacy Policy.
2. CONTROLLER
Väo Factory OÜ
Registry code: 12185654
VAT no.: EE102750614
Email: info@theclub.ee
3. PERSONAL DATA COLLECTED
3.1. Data provided by the Client
We collect personal data that the Client provides to us directly, for example when joining a waiting list, creating a user account, purchasing a membership or Service, registering a guest or contacting us, including:
name;
email address;
telephone number;
billing data;
user account data;
access and authentication data;
booking and Service usage data;
data of guests registered by the Club Member;
other information that the Client voluntarily provides to us.
3.2. Automatically collected data
When using the website or the App, we may collect the following technical and usage data:
IP address;
browser type and version;
device type and operating system;
pages visited, clicks, scrolling behaviour and session recordings (service provider: PostHog);
referring URL and navigation paths;
date and time of the visit;
approximate geographic location based on the IP address.
3.3. Payment data
The data necessary for processing payments is forwarded to the authorised processor Maksekeskus AS (registry code 12268475).
Payment data relating to card payments and recurring payments is processed by Maksekeskus AS. The Club does not have access to the Client's payment card or bank account data.
3.4. Data from third parties
The Club may receive, to a limited extent, personal data from marketing partners, social media platforms or public sources for the purpose of improving its Services and marketing activities.
3.5. Special categories of personal data
The Club generally does not collect or process special categories of personal data (including health data, biometric data or other categories of data referred to in Article 9 of the GDPR).
If the Client chooses to voluntarily disclose health data or other special-category information in connection with the use of the Services, The Club may process such data to the extent necessary to provide the Service requested by the Client, to ensure the Client's safety or to fulfil obligations arising from legislation.
When processing such data, The Club applies appropriate technical and organisational protective measures and processes the data only to the extent necessary to achieve the specific purpose.
3.6. Video surveillance
The Club may use video surveillance in the Club's common areas for the purpose of ensuring safety, protecting property and preventing and resolving possible violations.
Video surveillance recordings are processed on the basis of The Club's legitimate interest pursuant to Article 6(1)(f) of the GDPR. Only persons authorised for this purpose have access to the recordings.
Video surveillance is not used in changing rooms, showers, toilets or other areas where a person has a heightened expectation of privacy.
Recordings are stored only for as long as is necessary to achieve the purposes of their processing or to fulfil obligations arising from legislation.
4. PURPOSES OF PROCESSING AND LEGAL BASIS
The Club processes personal data only where there is a legal basis for doing so.
Performance of a contract (GDPR Art. 6(1)(b)) – managing memberships, managing user accounts and access rights, managing bookings, processing payments and providing Services;
Fulfilment of a legal obligation (GDPR Art. 6(1)(c)) – fulfilling accounting, tax and other obligations arising from legislation;
Legitimate interest (GDPR Art. 6(1)(f)) – developing Services, ensuring security, preventing fraud and improving the quality of Services;
Consent (GDPR Art. 6(1)(a)) – newsletters, marketing cookies and other consent-based activities.
5. COOKIES AND TRACKING TECHNOLOGIES
The Club uses cookies and similar technologies for the functioning of the website and the App, to improve the user experience and to collect usage statistics.
The cookies used may include:
strictly necessary cookies;
analytics cookies;
marketing cookies.
The use of cookies can be managed via the cookie banner or the settings of the web browser.
6. SHARING OF PERSONAL DATA
The Club does not sell personal data.
We may share personal data with authorised processors who provide us with services necessary for offering the Services, including:
the payment intermediary Maksekeskus AS;
cloud and hosting service providers;
analytics service providers (for example PostHog and Google Analytics);
marketing and communication service providers;
accounting, audit and legal advisory service providers;
other cooperation partners necessary for providing the Services.
We may also disclose personal data:
to fulfil an obligation arising from legislation;
to protect the rights, property or safety of The Club or third parties;
in the context of a merger, division, acquisition or other transaction related to corporate reorganisation.
7. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
If personal data is transferred outside the European Economic Area, The Club applies appropriate safeguards, including standard contractual clauses (SCC) approved by the European Commission or other mechanisms permitted by law.
8. STORAGE OF PERSONAL DATA
The Club stores personal data only for as long as is necessary to achieve the purposes of processing or to fulfil obligations arising from legislation.
General storage periods:
membership and Service usage data – duration of the contract + 5 years;
accounting data – 7 years;
marketing data – until consent is withdrawn;
analytics data – up to 14 months.
After the storage period has expired, the data is deleted or anonymised.
9. CLIENT'S RIGHTS
The Client has the right to:
access the data collected about them;
request the correction of data;
request the erasure of data;
restrict the processing of data;
receive the data in a structured form;
object to processing;
withdraw consent given;
lodge a complaint with a supervisory authority.
Please send requests to info@theclub.ee.
9.1. Lodging a complaint
In the case of data protection matters, the Client has the right to turn to:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn
Email: info@aki.ee
Website: https://www.aki.ee
10. SECURITY OF PERSONAL DATA
The Club applies reasonable technical and organisational security measures to protect personal data, including TLS encryption, access controls and secure hosting.
The security of payments is ensured by Maksekeskus AS in accordance with the PCI DSS standard and other applicable security requirements.
11. CHILDREN'S PRIVACY
The Services are intended for persons at least 14 years of age.
The Club does not knowingly collect the data of persons under 14 years of age. Upon discovering such data, The Club applies reasonable measures to delete it.
12. DO-NOT-TRACK SIGNALS
The Club's website does not automatically respond to the Do-Not-Track signals of web browsers.
13. AMENDMENTS
The Club has the right to amend this Privacy Policy.
Clients are notified of significant changes within a reasonable time, generally 30 days before the changes take effect.
14. CONTACT
The Club (Väo Factory OÜ)
Registry code: 12185654
VAT no.: EE102750614
T1 Centre, PK D5
Peterburi tee 2
11415 Tallinn
Email: info@theclub.ee