Privacy Policy
Last updated: 12 June 2026 · Applies to eco-hearth.com (Ireland / EU)
This Privacy Policy explains how your personal data is collected, used, shared and protected when you visit eco-hearth.com, contact us, subscribe to our communications, or place an order. It is provided in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and the Irish Data Protection Act 2018 / ePrivacy Regulations.
1. Who we are (Data Controller)
| Legal entity | SENTARMAX OÜ, trading as Eco Hearth |
| Company registration no. | 14536655 (Estonia) |
| Registered office | Katusepapi 6-502, Tallinn, 11412, Harjumaa, Estonia |
| Correspondence address (Ireland) | 51 Bracken Road, Sandyford, Dublin, D18 CV48, Ireland |
| Privacy contact | [email protected] |
SENTARMAX OÜ is an Estonian-incorporated company; our central administration and data-processing decisions are made in Estonia, and the Irish address is a correspondence address. As an EU-established controller, we are not required to appoint a representative under Article 27 GDPR.
2. Scope
This policy covers the eco-hearth.com website and the services offered through it to visitors and customers in Ireland and the EU/EEA: browsing, contact and enquiry forms, our newsletter, live chat, and online purchases. It does not cover third-party websites we link to, which have their own policies.
3. What personal data we collect
3.1 Data you give us directly
- Enquiry / contact forms: name, email address, phone number, and the content of your message.
- Orders & checkout: name, billing/delivery address, email, phone, order details, and payment information (card data is processed directly by our payment providers — we do not store full card numbers).
- Newsletter: your email address.
- Live chat: any information you choose to share in a chat conversation.
3.2 Data we collect automatically
- Device & usage data: IP address, browser type, device, pages viewed, referring source, and interactions, collected via cookies and similar technologies (see Section 5), after your consent.
- Session analytics & recordings: we use Microsoft Clarity to record anonymised interaction sessions (mouse movement, clicks, scrolling). The content of all input fields is masked and is not recorded.
4. How and why we use your data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to your enquiries and provide quotes | Pre-contractual steps and our legitimate interest in answering you — Art. 6(1)(b) / 6(1)(f) |
| Process, fulfil and support your orders | Performance of a contract — Art. 6(1)(b) |
| Send marketing emails / newsletter | Your consent — Art. 6(1)(a) (withdrawable at any time) |
| Analytics, session recording and website improvement | Your consent via the cookie banner — Art. 6(1)(a) |
| Advertising and measurement (Google Ads, Reddit, Meta/Facebook) | Your consent — Art. 6(1)(a) |
| Security, fraud prevention, and protecting our site | Our legitimate interest — Art. 6(1)(f) |
| Comply with accounting, tax and legal obligations | Legal obligation — Art. 6(1)(c) |
Marketing communications are sent only to people who have explicitly opted in (for example, by subscribing to our newsletter). We do not enrol you in marketing simply because you contacted us or placed an order. You can unsubscribe at any time.
5. Cookies, analytics & tracking
We use cookies and similar technologies. Strictly-necessary cookies (needed for the site, cart and security) are always active. All other cookies — analytics, advertising and functional — are set only after you consent via our cookie banner. You can change or withdraw your choice at any time using the cookie preferences control on the site.
| Provider / cookie | Category | Purpose | Duration |
|---|---|---|---|
| WordPress / WooCommerce | Strictly necessary | Session, cart, checkout, security | Session – 2 days |
| Concord (consent) | Strictly necessary | Stores your cookie choices | up to 12 months |
| Google Analytics 4 (_ga, _ga_*) | Analytics | Usage measurement | up to 13 months |
| Microsoft Clarity (_clck, _clsk) | Analytics | Session recording / heatmaps | up to 1 year |
| Google Ads (_gcl_*) | Marketing | Ad measurement & remarketing | up to 90 days |
| Reddit (_rdt_uuid) | Marketing | Ad measurement | up to 90 days |
| Meta / Facebook (_fbp) | Marketing | Ad measurement & remarketing | up to 90 days |
| HubSpot (hubspotutk, __hstc, __hssc) | Marketing / CRM | Visitor identification for CRM | up to 13 months |
| Crisp live chat | Functional | Maintains your chat session | up to 6 months |
This list reflects the marketing and analytics tools in our current stack. Some of these tools may not be active at all times — we may pause or resume individual tools depending on our campaigns — but where a tool sets cookies it is listed here and is gated behind your consent.
6. Who we share your data with
We do not sell your personal data. We share it with the service providers (processors) that run our website and business, each under a data-processing agreement:
| Recipient | What they do | Location |
|---|---|---|
| Hosting provider | Website & database hosting | Germany (EU) |
| Google LLC (Analytics 4, Google Ads) | Website analytics & advertising | USA |
| Microsoft Corporation (Clarity) | Session recording / usability analytics | USA |
| HubSpot, Inc. | CRM — managing enquiries & leads | USA |
| Intuit / Mailchimp | Newsletter / email delivery | USA |
| Reddit, Inc. | Advertising measurement | USA |
| Meta Platforms, Inc. | Advertising measurement & remarketing | USA |
| Crisp IM SAS | Live chat | France (EU) |
| Stripe / WooPayments | Payment processing | USA / EU |
| Concord | Cookie-consent management | USA |
We are currently migrating our CRM from HubSpot to Pipedrive (an EU-based provider); this notice will be updated when that change takes effect. We may also disclose data where required by law, or to protect our legal rights.
7. International data transfers
Your data is hosted within the EU (Germany). Some of the providers above are located in the United States, so using their services involves transferring personal data outside the EU/EEA. Where this happens, we rely on a lawful transfer mechanism:
- Google LLC, Microsoft Corporation, HubSpot Inc., Intuit/Mailchimp, Stripe and Concord are certified under the EU–U.S. Data Privacy Framework (DPF), which the European Commission recognises as providing an adequate level of protection.
- Meta Platforms, Inc. relies on the EU–U.S. Data Privacy Framework.
- Reddit, Inc. relies on the European Commission’s Standard Contractual Clauses (SCCs).
8. How long we keep your data
| Data | Retention |
|---|---|
| Order & invoice records | 7 years from the end of the financial year (required by the Estonian Accounting Act § 12) |
| Enquiries & CRM leads | For as long as we have an active relationship with you or a legitimate business interest in keeping your data. We review lead data periodically and delete it where it is no longer relevant, and in any case within 3 years of our last contact with you unless an ongoing relationship justifies keeping it. |
| Newsletter subscription | Until you unsubscribe |
| Analytics & cookies | For the cookie durations in Section 5 |
| Live-chat transcripts | Up to 12 months |
9. Your rights
Under the GDPR you have the right to: request access to your data (Art. 15); have inaccurate data corrected (Art. 16); request erasure (Art. 17); request restriction of processing (Art. 18); object to processing based on legitimate interest, and to direct marketing at any time (Art. 21); receive your data in a portable format (Art. 20); and withdraw consent at any time, without affecting prior processing (Art. 7(3)).
To exercise any of these rights, email [email protected]. We will respond within one month.
10. Complaints
If you believe we have not handled your data properly, you have the right to lodge a complaint with a data protection supervisory authority. As an Estonian-established controller, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — aki.ee. If you are in Ireland or elsewhere in the EU, you may also complain to your local supervisory authority, including the Irish Data Protection Commission (dataprotection.ie).
11. Children
Our website and products are not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us data, contact us and we will delete it.
12. Security
We apply appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS), access controls, and EU-based hosting. No method of transmission is completely secure, but we work to protect your data and to notify you and the relevant authority of any breach where legally required.
13. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top reflects the latest version, and material changes will be highlighted on this page.
