Skip to content Skip to footer

Privacy Policy

Last updated: 12 June 2026 · Applies to eco-hearth.com (Ireland / EU)

This Privacy Policy explains how your personal data is collected, used, shared and protected when you visit eco-hearth.com, contact us, subscribe to our communications, or place an order. It is provided in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and the Irish Data Protection Act 2018 / ePrivacy Regulations.

1. Who we are (Data Controller)

Legal entitySENTARMAX OÜ, trading as Eco Hearth
Company registration no.14536655 (Estonia)
Registered officeKatusepapi 6-502, Tallinn, 11412, Harjumaa, Estonia
Correspondence address (Ireland)51 Bracken Road, Sandyford, Dublin, D18 CV48, Ireland
Privacy contact[email protected]

SENTARMAX OÜ is an Estonian-incorporated company; our central administration and data-processing decisions are made in Estonia, and the Irish address is a correspondence address. As an EU-established controller, we are not required to appoint a representative under Article 27 GDPR.

2. Scope

This policy covers the eco-hearth.com website and the services offered through it to visitors and customers in Ireland and the EU/EEA: browsing, contact and enquiry forms, our newsletter, live chat, and online purchases. It does not cover third-party websites we link to, which have their own policies.

3. What personal data we collect

3.1 Data you give us directly

  • Enquiry / contact forms: name, email address, phone number, and the content of your message.
  • Orders & checkout: name, billing/delivery address, email, phone, order details, and payment information (card data is processed directly by our payment providers — we do not store full card numbers).
  • Newsletter: your email address.
  • Live chat: any information you choose to share in a chat conversation.

3.2 Data we collect automatically

  • Device & usage data: IP address, browser type, device, pages viewed, referring source, and interactions, collected via cookies and similar technologies (see Section 5), after your consent.
  • Session analytics & recordings: we use Microsoft Clarity to record anonymised interaction sessions (mouse movement, clicks, scrolling). The content of all input fields is masked and is not recorded.

4. How and why we use your data

PurposeLegal basis (GDPR Art. 6)
Respond to your enquiries and provide quotesPre-contractual steps and our legitimate interest in answering you — Art. 6(1)(b) / 6(1)(f)
Process, fulfil and support your ordersPerformance of a contract — Art. 6(1)(b)
Send marketing emails / newsletterYour consent — Art. 6(1)(a) (withdrawable at any time)
Analytics, session recording and website improvementYour consent via the cookie banner — Art. 6(1)(a)
Advertising and measurement (Google Ads, Reddit, Meta/Facebook)Your consent — Art. 6(1)(a)
Security, fraud prevention, and protecting our siteOur legitimate interest — Art. 6(1)(f)
Comply with accounting, tax and legal obligationsLegal obligation — Art. 6(1)(c)

Marketing communications are sent only to people who have explicitly opted in (for example, by subscribing to our newsletter). We do not enrol you in marketing simply because you contacted us or placed an order. You can unsubscribe at any time.

5. Cookies, analytics & tracking

We use cookies and similar technologies. Strictly-necessary cookies (needed for the site, cart and security) are always active. All other cookies — analytics, advertising and functional — are set only after you consent via our cookie banner. You can change or withdraw your choice at any time using the cookie preferences control on the site.

Provider / cookieCategoryPurposeDuration
WordPress / WooCommerceStrictly necessarySession, cart, checkout, securitySession – 2 days
Concord (consent)Strictly necessaryStores your cookie choicesup to 12 months
Google Analytics 4 (_ga, _ga_*)AnalyticsUsage measurementup to 13 months
Microsoft Clarity (_clck, _clsk)AnalyticsSession recording / heatmapsup to 1 year
Google Ads (_gcl_*)MarketingAd measurement & remarketingup to 90 days
Reddit (_rdt_uuid)MarketingAd measurementup to 90 days
Meta / Facebook (_fbp)MarketingAd measurement & remarketingup to 90 days
HubSpot (hubspotutk, __hstc, __hssc)Marketing / CRMVisitor identification for CRMup to 13 months
Crisp live chatFunctionalMaintains your chat sessionup to 6 months

This list reflects the marketing and analytics tools in our current stack. Some of these tools may not be active at all times — we may pause or resume individual tools depending on our campaigns — but where a tool sets cookies it is listed here and is gated behind your consent.

6. Who we share your data with

We do not sell your personal data. We share it with the service providers (processors) that run our website and business, each under a data-processing agreement:

RecipientWhat they doLocation
Hosting providerWebsite & database hostingGermany (EU)
Google LLC (Analytics 4, Google Ads)Website analytics & advertisingUSA
Microsoft Corporation (Clarity)Session recording / usability analyticsUSA
HubSpot, Inc.CRM — managing enquiries & leadsUSA
Intuit / MailchimpNewsletter / email deliveryUSA
Reddit, Inc.Advertising measurementUSA
Meta Platforms, Inc.Advertising measurement & remarketingUSA
Crisp IM SASLive chatFrance (EU)
Stripe / WooPaymentsPayment processingUSA / EU
ConcordCookie-consent managementUSA

We are currently migrating our CRM from HubSpot to Pipedrive (an EU-based provider); this notice will be updated when that change takes effect. We may also disclose data where required by law, or to protect our legal rights.

7. International data transfers

Your data is hosted within the EU (Germany). Some of the providers above are located in the United States, so using their services involves transferring personal data outside the EU/EEA. Where this happens, we rely on a lawful transfer mechanism:

  • Google LLC, Microsoft Corporation, HubSpot Inc., Intuit/Mailchimp, Stripe and Concord are certified under the EU–U.S. Data Privacy Framework (DPF), which the European Commission recognises as providing an adequate level of protection.
  • Meta Platforms, Inc. relies on the EU–U.S. Data Privacy Framework.
  • Reddit, Inc. relies on the European Commission’s Standard Contractual Clauses (SCCs).

8. How long we keep your data

DataRetention
Order & invoice records7 years from the end of the financial year (required by the Estonian Accounting Act § 12)
Enquiries & CRM leadsFor as long as we have an active relationship with you or a legitimate business interest in keeping your data. We review lead data periodically and delete it where it is no longer relevant, and in any case within 3 years of our last contact with you unless an ongoing relationship justifies keeping it.
Newsletter subscriptionUntil you unsubscribe
Analytics & cookiesFor the cookie durations in Section 5
Live-chat transcriptsUp to 12 months

9. Your rights

Under the GDPR you have the right to: request access to your data (Art. 15); have inaccurate data corrected (Art. 16); request erasure (Art. 17); request restriction of processing (Art. 18); object to processing based on legitimate interest, and to direct marketing at any time (Art. 21); receive your data in a portable format (Art. 20); and withdraw consent at any time, without affecting prior processing (Art. 7(3)).

To exercise any of these rights, email [email protected]. We will respond within one month.

10. Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with a data protection supervisory authority. As an Estonian-established controller, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)aki.ee. If you are in Ireland or elsewhere in the EU, you may also complain to your local supervisory authority, including the Irish Data Protection Commission (dataprotection.ie).

11. Children

Our website and products are not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us data, contact us and we will delete it.

12. Security

We apply appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS), access controls, and EU-based hosting. No method of transmission is completely secure, but we work to protect your data and to notify you and the relevant authority of any breach where legally required.

13. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top reflects the latest version, and material changes will be highlighted on this page.

Got Questions?

We're happy to help! Leave your phone number and we'll call you back