Privacy Policy

In this privacy policy we explain how and on what basis we collect, store and process Your personal data. Personal data means any information relating to an identified or identifiable natural person (You), directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal data”). 

We explain also, what are your rights concerning your personal data and our obligations and liability.

Please review this privacy policy carefully. If You disagree with the way we process personal data, do not use our services. Kindly note that we may modify the policy from time to time. We will notify of any amendments on our webpage (“website”). 

You are the natural person, whose personal data we process (“you”). Controller of the processing of personal data is CupLoop OÜ, registry code 14590695, address Ehitajate tee 114, Tallinn 13517, Estonia, e-mail: (“we”, “us”).

  1. Our main privacy principles 

Compliance with privacy policy is integrated into our day-to-day activities, services and processes, and our development efforts.

We respect each person’s right to the protection of their personal data and we shall do our best to ensure that personal data collected by us is well protected. We evaluate regularly the risks associated with the processing of personal data and shall apply appropriate mitigation strategies to hedge risks.

We process personal data lawfully. We set clear goals for the processing of personal data and process personal data for these purposes only. We don´t collect or process the data that we do not need.

We may transfer personal data to our authorized processor if this is necessary to achieve the purpose of processing personal data. Processor is a person who processes personal data on behalf of the controller and with whom the controller has entered into a written agreement regarding the processing of personal data (“processor“).

Due to regulatory requirements, we may be obligated to disclose or provide personal data to the authorities.

We require and we expect our contractual partners to be careful on processing of personal data, to prevent the unauthorized disclosure or inappropriate use of personal data, and to process personal data in an honest and lawful manner.

We shall storage personal data only for as long as the maintenance is required by law or contract or necessary for our business. When we stop storing, we shall permanently delete the personal data.

  1. The content of personal data we process 

We offer You to automated collection and deposit refund for reusable packages (“Service”).  We will start offering the service if you return the reusable packaging to our Cuploop machine and you have pressed the “confirm” button on the Cuploop machine screen (“Agreement”).

When returning the package, we will process the last four digits of your bank card.

In some cases, it may be necessary to process more personal data of you. Our  Service operator then processes the following personal data to fulfil the Agreement:

(1) Your mobile phone number.

(2) Your first name, last name and e-mail address.

(3) Bank account number.

(4) Data about payment and debt (if applicable).

We obtain personal data directly from you. 

Please note that we cannot provide services to an anonymous customer and therefore you must disclose personal information to us to use our services and agree to their processing. 

  1. Cookies

We use ”cookies” on our website, that you can accept if you choose to use our website. A „cookie“ is a small text file that may be stored on the hard drive of Your device when you access our webpage.

We use cookies on Your device to help Us collect, maintain and use this information, for the following purposes: 

(1) personalize Your experience and provide You with customized content. 

(2) monitor site usage for better understanding how you interact.

(3) remember You when You return to the site.

(4) conduct research to improve Our content and services. 

You may refuse to accept cookies, but by doing so You may not be able to use certain features on the webpage, or take full advantage of all of Our offerings. All web browsers offer You some form of ability to manage Your cookie preferences.

We may also use a third-party analysis partner, who may employ some form of software technology to help us better manage content on our webpage by informing Us about what content is effective. This knowledge is used by Us in order to optimize our webpage and to give You the best possible experience. We use systems from Google Analytics and Google User Content.

Our webpage also includes social media features, such as the Facebook “like” button and Instagram “like” button. These features may collect Your IP address and page visits and may set a cookie to enable their feature to function properly. Social media features are either hosted by a third party or hosted directly on our webpage. Your interactions with these features are governed by the privacy policy of the company providing it.

If you prefer that your personal data will not be processed on our website, you can activate the private browsing feature of Your web browser. This is your choice.

  1. The purpose and legal ground of processing your personal data

We process your personal data during Service provision for the following purposes:

(1) for conclusion of the Agreement, for performance of the Agreement (including for the provision of the Service), for realization of rights arising from the Agreement and for performance of the obligations arising from the Agreement.
(2) for the purpose of realization of rights and fulfilment of obligations deriving from legal acts.
(3) for processing your inquiries and requests.
(4) for analysing the use of our Service, and using research and analysis results, among other, for developing our products and services.
(5) For the transmission of information about our Service.

We mainly process your personal data as a controller in order to fulfil the Agreement (clause 4 (1)), we also process your personal data if processing is necessary for compliance with our legal obligation (clause 4 (2) and (3)) and if processing is necessary for the purposes of the legitimate interests (clause 4 (4), (5) and (6)). The Service operator processes personal data as Our authorized processor only for the purpose of performing the Agreement and this is Our written instruction to the authorized processor.

  1. Your rights in relation to personal data

You have the following rights in relation to your personal data:

(1) Right of access to personal data – you have the right to know which of your personal data we store and how we process it, including the right to know the purpose of the processing, the persons to whom we will disclose your personal data, information about automated decision-making and the right to receive copies of personal data.

(2) Right to rectification of personal data – you have the right to request the rectification of inadequate, incomplete and misleading personal data.
(3) Right to erasure of personal data („right to be forgotten“) – you have the right to request that we erase your personal data (for example, if you take back the consent for the processing of personal data, or if personal data is no longer needed for the purpose for which it was collected). We have the right to refuse
the erasure of personal data if the processing of personal data is necessary for the fulfilment of our legal obligation, to exercise the right to freedom of expression and information, for the preparation, presentation and protection of legal claims, or in the public interest.
(4) Right to withdraw the consent given for the processing of personal data – you have the right at any time to withdraw the consent given to us for the processing of personal data. Please note that withdrawal of your consent shall not affect the legality of the processing that was made on the basis of consent before the withdrawal.
(5) Right to restriction of processing – In certain cases, you have the right to prohibit or restrict your processing of personal data for a certain period (e.g., if you have filed an objection to personal data processing).
(6) Right to object – you have the right to file an objection to processing of your personal data if your personal data processing takes place on the basis of our legitimate interest or public interest. You shall have the right to object at any time to processing of personal data for direct marketing purposes, and we shall respond immediately.
(7) Right to data portability – In case your personal data processing is based on your consent and personal data is processed automatically, you shall be entitled to receive personal data about you that you submitted to us as the controller, in a structured, commonly used and machine-readable format, and you shall have the right to transmit this personal data to another controller. You also have the right to request that we transfer personal data directly to another controller, where technically feasible.
(8) Automated decision-making (including profiling) – provided that we have informed You that we perform automated decision-making (including profiling) that will bring about legal consequences for you or have a significant effect on you, then you may require that an automated decision cannot be made only on the basis of automated processing.
(9) Submission of complaint. You shall have the right to file a complaint against us regarding the processing of personal data to the competent data protection authority, which depends on your country of residence (list of data protection authorities in EU you can find here:

Please read more about your rights from chapter 3 of the GDPR (EU General Data Protection Regulation 2016/679).

If you wish to use any right regarding personal data or ask questions about the Privacy Policy, please submit a corresponding request to us at We will respond to your request by e-mail as a rule no later than within one month. Please note that before we can provide you with the requested information regarding your personal data, we need to verify your identity.

  1. Security of personal data

We apply various measures (physical, technical, organizational) to protect your personal data from unauthorized or arbitrary rectification, disclosure, acquisition, destruction, loss or unauthorized access to them.

If you have any information about the actual or suspected breach of the processing of personal data, please inform about it immediately at We will deal with the issue immediately.

  1. Disclosure of personal data 

Please note that due to legal requirements, we may be obliged to disclose your personal data or to grant access to your personal data to the authorities and the supervisory authority.

We will disclose your personal data to Our authorized processors primarily for the purpose of performing the Agreement, as well as to persons who have a legal right to receive your personal data.

When we conclude an agreement with a processor for the processing of your personal data, we shall ensure the existence of appropriate contractual safeguards to protect your personal data.

  1. Geographical area of the Processing

We process your personal data in the EEA.

If we use service providers with whom we share personal information, this is directly necessary for the Services.

  1. Storing of personal data

We shall store your personal data for as long as required by law or in accordance with the law, or for the purposes stated in this Privacy Policy. 

We store the data of you during the period set forth in the Agreement.

After the expiration of the personal data storage period, we shall permanently delete your personal data.

  1. Availability of the Privacy Policy

This Privacy Policy is available on our webpage.

We shall have the right to unilaterally change the Privacy Policy at any time. We shall notify you of the changes via webpage.