GDPR and Privacy

Privacy Policy

This page explains how Bonsai Sushi processes the personal data of customers, website users, and people who place orders, in line with applicable European Union and Estonian requirements.

How we treat personal data

We process personal data lawfully, fairly, and only to the extent necessary for website operation, order fulfilment, customer communication, contractual obligations, and compliance with legal requirements.

1. What data we may process

We may process data you provide directly: name, surname, email, phone number, delivery address, order comments, client card application details, messages sent through forms, and other information you knowingly submit via the website or when communicating with the restaurant.

When placing an order or using the customer account area, we may also process order-related information such as selected products, amounts, fulfilment method, order time, order statuses, discounts, and promo codes used.

Technically, the website may store session data, language preferences, cart data, cookie consent records, and the minimum technical logs required for security, stability, and correct website operation.

2. Purposes and legal bases of processing

We process data for contract performance or steps taken prior to entering into a contract, including receiving, confirming, preparing, delivering, handing over, and supporting your order.

Certain data may be processed to comply with legal obligations, including accounting, document retention, consumer protection requirements, complaint handling, and cooperation with public authorities.

Based on legitimate interest, we may process a limited set of data for website and business protection, prevention of abuse, maintenance of security logs, and service improvement, subject to a balancing of interests.

Marketing and analytics cookies, as well as certain marketing communications, are used only on the basis of consent unless applicable law permits another lawful basis.

3. Data sources

The main source of data is you, when you place an order, create or confirm an account, submit a form, apply for a client card, or contact the restaurant.

Some technical data is generated automatically when you use the website, such as session-related data, cookie consent settings, language preferences, and technical logs.

4. Recipients and processors

We may use authorised processors who help us operate the website, hosting, infrastructure, email communication, analytics, order handling, accounting, or other technical services. Such parties process data only on our instructions and only to the extent necessary.

Data may also be shared with payment, courier, IT, or other service partners to the extent objectively required to fulfil an order or keep the website operational.

Where required by law, data may be disclosed to public authorities, supervisory bodies, law enforcement, courts, or other persons who have a legal basis for obtaining such information.

5. Transfers outside the EEA

If the use of certain technical services involves the transfer of personal data outside the European Economic Area, we seek to rely only on transfer mechanisms permitted under GDPR, such as adequacy decisions, standard contractual clauses, or other lawful safeguards.

6. Retention periods

We keep personal data no longer than necessary for the purposes described in this policy, unless a longer retention period is required by law or necessary for the protection of rights and legitimate interests.

Order-related data and accounting records may be retained for periods required by Estonian tax, accounting, and other applicable legislation.

Account data, client card application data, or communication records may be retained until deletion of the account, withdrawal of consent, the end of necessity, or the expiry of a reasonable period for handling potential claims.

7. Data subject rights

Subject to the conditions of GDPR, you have the right to request access to your data, rectification, erasure, restriction of processing, portability, and to object to processing based on legitimate interests or direct marketing.

Where processing is based on consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

To exercise your rights, please contact us using the contact details provided on this page. Where necessary, we may request additional information to verify the identity of the requester.

8. Cookies and similar technologies

The website uses essential cookies and similar technologies for cart operation, sign-in session handling, language preferences, security, and basic website functionality.

Analytics and marketing cookies are activated only after your choice in the cookie banner, except where applicable law allows another approach.

You may change your cookie choices through the website cookie settings banner and through your browser settings, bearing in mind that disabling essential cookies may affect the correct functioning of the website.

9. Data security

We apply reasonable organisational, administrative, and technical security measures to protect personal data against unauthorised access, disclosure, loss, alteration, or destruction.

However, no method of transmission or storage can be considered completely secure, and we therefore continually review and improve our information security practices.

10. Complaints and supervisory authority

If you believe that the processing of your personal data violates applicable law, you may first contact us so that the issue can be addressed directly.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia, website: https://www.aki.ee.

11. Policy updates

We may update this policy from time to time if website functionality, data processing practices, service providers, or legal requirements change. The latest valid version is always published on this page.