On this page, we provide important information about how we use your personal data.
The controller of personal data is Maxima Eesti OÜ, (registry code: 10765896, address Aiandi 13/2, Tallinn; info@maxima.ee; +372 6230641.
Contact of the Data Protection Officer: dpo@maxima.ee.
This privacy policy is valid from 02.02.2026. The new version explains our data processing in more detail.
The version valid until 01.02.2026 is available here. We will inform you of changes to the privacy policy on our website and in the self-service environment of the loyalty program.
Cookies are small text files that are stored on your device to:
enable basic functions of the website (necessary cookies).
analyse website traffic and improve user experience (analytical cookies),
remember the user's choices (functionality cookies),
display relevant content and ads (marketing cookies).
Necessary cookies are enabled by default and do not require the consent of the website visitor. Analytical, functional and marketing cookies are only used with your consent, which can be given and withdrawn through the cookie settings (bottom right corner of the website) or by deleting the cookies stored on your device. Once the consent has been withdrawn, the cookies will no longer work and no new data will be collected.
A detailed list of cookies used on Maxima's website by function and provider can be found in the bottom right corner of the website in the Cookie settings by clicking on "Show data".
The Company processes your data when you join the AITÄH loyalty program, as well as during your membership in the loyalty program.
To participate in the loyalty program, you must have an AITÄH card, which can be an AITÄH plastic card and/or AITÄH digital card. You can have an AITÄH plastic card and an AITÄH digital card at the same time.
You can create a digital card using the MAXIMA app – you need to authenticate yourself with Mobile-ID, Smart-ID or ID-card. When issuing a plastic card in a store, we need your date of birth and an Estonian mobile phone number – the latter will be sent a confirmation code, which must be entered into the card payment terminal or told to the cashier. With this, the AITÄH card will be activated in the POS system and can be used.
Registering and creating an AITÄH account in the loyalty program
Based on your form data, we will create a unique account for the participant in the loyalty program in the system (hereinafter AITÄH-account). Based on this data, we can identify you as the owner of the respective AITÄH card, for example, if you exchange a worn or lost card for a new one, you want to merge the cards, you want to update or change your data, you contact us for personal information, the exercise of rights related to the processing of personal data, etc.
We also use the contact information (e-mail address, phone number) provided in your form to communicate with you, including to respond to your inquiries and comments, to provide you with important information about changes to the loyalty program, to contact you if you have forgotten your goods or wallet, or if we discover any errors in the transactions made, etc.
Personal data
First and last name, date of birth, e-mail address and +372 prefix mobile phone number, personal identification number, preferred language of communication
Legal basis for processing
Article 6 (1) (b) of the General Data Protection Regulation (GDPR), i.e. performance of a loyalty programme agreement with you
Article 6(1)(f) of the GDPR – legitimate interest
Data retention period
We will store your personal data while you participate in the loyalty programm. Wewill anonymize the data after the end of your participation in the programm.
Receiving digital purchase receipts to your AITÄH account
Personal data
User data about purchases made (date, place and time of purchase, receipt number, name of the products, quantity, total purchase price, amount of discounts, amount and balance of Maxima money used and collected, AITÄH card number.
Legal basis for processing
Article 6(1)(a) of the GDPR – With your consent
Article 6 (1) (c) of the GDPR and § 12 (1) of the Accounting Act – an obligation arising from law
Data retention period
Digital purchase receipts are stored in the AITÄH account for two (2) years from the date of purchase. Your purchase data will be stored for seven (7) years from the date of the purchase, as this is required by law.
Using birthday discounts and sending a notification about it
If you have securely logged in to the Loyalty Program of your AITÄH account using your ID card, Smart ID or Mobile ID and you have agreed to receive birthday discounts, we will send you a reminder (text message or e-mail) about the upcoming birthday discount.
Personal data
Name, surname, date of birth, mobile phone number and e-mail address, personal identification code.
Legal basis for processing
Consent (Article 6(1)(a) GDPR).
Data retention period
Until you delete your app account or withdraw your consent. We will retain your consent and evidence of consent until the application account is deleted or, for a longer period of time, to defend against claims, claims or actions brought against us until a final solution is reached.
To provide you with loyalty program offers and information
If you give your consent, we will send you newsletters and advertisements with offers from our partners, birthday discount reminders and Maxima balance notifications via the channels of your choice (SMS or e-mail).
Personal data
Your AITÄH card number, your name, personal identification code, e-mail address and mobile phone number with +372 prefix, date of birth.
Legal basis for processing
The user has given consent (Article 6(1)(a) GDPR).
Information notices: expiring money, birthday discounts, newsletters, changes to the privacy policy and the terms and conditions of the loyalty programme – GDPR art 6 (1) p f – legitimate interest.
Data retention period
During the time you participate in the loyalty program AITÄH.
In newsletters, we use tracking pixels, which are small graphic elements in an email. They allow us to know if and when an email has been opened and which links have been clicked. We use this information to evaluate the effectiveness of our newsletters and, if necessary, to send repeat emails to recipients who have not opened the previous email.
It is possible to unsubscribe from newsletters by using the unsubscribe link provided with the notification. It is possible to unsubscribe from SMS messages by changing the channel for receiving the newsletter in the self-service.
In addition, it is possible to opt out of all notifications at once in the self-service or by contacting klienditugi@maxima.ee or by calling the information line 800 2121. We will stop sending offers to the programme as soon as possible, but no later than within seven (7) days.
Managing the AITÄH account and administering the AITÄH loyalty program
By processing this data, we can manage the AITÄH account and offer you the benefits of the AITÄH loyalty program.
Personal data
Your AITÄH card number, the data provided during registration, the data provided in the AITÄH account (including login data to the AITÄH account, operations on the AITÄH account, technical browsing data: IP address, technical information about logging in and browsing), information about the status of the AITÄH card (active or blocked), personal data history, card activation time, consents given by you, purchase data (store address, date and time, name and quantity of products, total price (including before and after) deduction of all discounts), data on the money earned by MAXIMA (amount, amount used at the time of purchase, balance on the AITÄH account), the amount of discounts received with the AITÄH card, the history of personal offers made to you and information about their use, coupon numbers (identifying which offers are valid with the AITÄH card), technical information necessary for data transfer (e.g. session ID), information about the offers of the partners of the loyalty program AITÄH.
Legal basis for processing
Article 6(1)(b) GDPR, i.e. performance of the loyalty programme agreement with you
Article 6 (1) (c) of the GDPR and § 12 (1) of the RPS – legal obligation
Data retention period
As a legal obligation, we store purchase data in the loyalty system for seven (7) years from the date of the purchase transaction.
We store the rest of the data while you participate in the loyalty program AITÄH.
At the end of the term, we will delete the personally identifiable data. We will only retain your personal data for the future if this is necessary for us to be able to defend ourselves in the event of claims, claims or actions against us (Article 6(1)(f) GDPR). After the disputes have reached a final resolution, the data will be deleted.
The session ID and other data provided in the AITÄH account are necessary for the user to remain logged in, as well as for ensuring security and availability. For example, to verify account actions when actions have been performed on a user's account without their consent.
Creating statistics to analyze buyer behavior
We use automated data analysis to study statistical data, the market and consumer behaviour, and to prepare reports necessary for our business. For this analysis, we use your data, but do not process your contact information, only your personal identification code to identify your age and gender. Data analysis for the purpose of compiling statistics, our buyer behaviour and market research allows us to make important business decisions, such as designing a range of goods that meet the needs of our buyers, pricing, displaying goods, etc. Data analysis for the purpose of studying statistical indicators, the market and buyer behaviour does not bring you legal effects or have any other significant impact.
We may also analyse the data to provide additional benefits to certain categories of buyers: on the occasion of a birthday; for those who make their purchases in specific stores; for those who purchase certain products; or other offers.
Personal data
Gender and date of birth based on personal identification code, purchase data (including store, date and time of purchase, name and quantity of products, total purchase price, amount of discounts received with the AITÄH card). (When compiling statistics, no other information is used from the personal identification code than is necessary for determining a person's date of birth and gender – i.e. the result of the statistics is not personalised)
Legal basis for processing
The processing of personal data is necessary on the basis of our legitimate interest (Article 6 (1) (f) GDPR)
It is in our legitimate interest to analyze data and prepare reports necessary for business in order to evaluate our activities and create value for both customers and the company.
Data retention period
Seven (7) years. If the User's participation in the AITÄH loyalty program is terminated earlier than the seven-year retention period of the purchase data, all the User's form data and other personal information will be deleted and the purchase data will be made anonymous (only the purchase history will remain)
In which cases and to which third parties do we disclose data?
For the purpose of sending and managing newsletters, we share your personal data (name, e-mail address, date of birth, consent to receive newsletters, AITÄH account ID code) with our partner Sendsmaily OÜ, who provides e-mail marketing services. To display targeted advertising, we share an email address with Meta Platforms Ireland Limited (Facebook and Instagram). The data is used to show personalized ads based on our customers and visitors to the website/app and to create lookalike audiences to reach potential interested parties who may have similar preferences or interests.
The data may also be provided to the competent authorities or law enforcement authorities, such as the police or supervisory institutions, but only if they request it and only if it is required by the legislation in force.
We may exchange your data with Maxima Grupe companies that are partners of the AITÄH loyalty program, in particular with Supersa OÜ (Barbora online store), in order to apply discounts or promotions at the points of sale or service of the AITÄH loyalty program partners and to ensure the management of the AITÄH loyalty program.
For the purpose of administering the AITÄH loyalty program, we may forward the following information to the program partner: information about the status of your AITÄH card, detected errors regarding the status of the cards, AITÄH card number, MAXIMA cash balance on AITÄH card, coupon identification numbers, offers valid with your AITÄH card, technical information necessary for data transfer (e.g. session ID).
The Company processes your personal data when you apply for a job with us. We have divided the recruitment process into stages, and the following is a description of what data we use at different stages, and how long we store the data.
Purpose of processing
Composition of data
Legal basis
Retention period
Stage 1 – the candidate submits their application and their details.
On the basis of this information, the candidates to be interviewed are selected.
· First and last name;
· e-mail; telephone;
· CV (education, work experience, language skills and other information that the candidate has added to the CV)
· In the case of candidates for store employees, personal identification code
· Data from the search for court decisions in the Riigi Teataja to check punishment history (at this stage only for candidates for store employees)
· Information about previous jobs published on LinkedIn, press articles published about the candidate found through Google search
GDPR art 6 (1) p f – legitimate interest:
· to assess the candidate's suitability for the job and the company
· Two (2) months after the end of the competition
· in the case of legal disputes until the dispute is resolved
· With the candidate's consent, 12 months from the announcement of the results of the competition, in order to make job offers or proposals to participate in the following competitions
Stage 2 – Interviewing suitable candidates
In addition to the above:
· E-mail correspondence or text message exchange with the candidate to arrange an interview and provide information about the application process
· Notes taken during the interview about the candidate's work experience, education, motivation and expectations
IKÜM art 6 lg 1 p f:
· legitimate interest in assessing the candidate's suitability for the job and the company
· After the competition has ended, we will retain data if it is necessary for the establishment, exercise or defence of a legal claim related to the recruitment process
GDPR art 6 (1) p a – consent – to store the candidate's data for 12 months for the next competitions
Stage 3 – Evaluation of the successful candidates and notification of the results of the competition to the candidates
In addition to the above:
· Homework solution (written work or video, certain positions)
· TRIPOD or other personality test solution and result (certain positions)
· Data from the search for court decisions in the Riigi Teataja on the basis of personal identification code (certain office positions)
· References and their testimonials about the candidate (certain positions)
4. Collecting the data necessary for concluding an employment contract from the selected candidate and, in the case of certain positions, filling in the declaration of private interests
In addition to the above:
· Personal identification code, if not previously provided
· Residential address
· Bank account number
· Information on joining the II pension pillar
· Withholding tax %
· Identity document number and validity period
· For certain key positions: Declaration of private interests: data on other jobs, holdings in companies and the employment of close people in competing companies or those involved in conflicts of interest
GDPR art 6 (1) b – data necessary for the preparation of the conclusion of the contract
GDPR art 6 (1) clause c and Employment Contracts Act § 5 (1)
In the case of a declaration of private interests, Article 6 (1) f of the GDPR – legitimate interest
10 years after the termination of the employment relationship (ECA § 5 (5))
The declaration of private interests is stored until the end of the employment relationship
5. To make future job offers to employees who have left their jobs in Maxima or to invite them to participate in competitions
· Name
· Phone, e-mail
· Time and positions at Maxima
· CV
GDPR art 6 (1) point a – consent
Five (5) years after leaving work
Special cases
In the case of candidates who have been punished for an offence against property, against a person or a drug-related offence, or in the case of whom other circumstances (e.g. extreme unstable behaviour) preclude suitability for any job in the company in the coming year, we will keep the last four digits of the phone number and the first and last name (to distinguish the namesake) for one year from the date of receiving a negative answer in the competition – in order not to make repeated inquiries about the same person and collect additional personal data, whereas it has already been established that the candidate is not suitable for any position in the company. We store such data on the basis of Article 6 (1) (f) of the GDPR, i.e. legitimate interest.
Transfer of data
We use TeamDash software to manage the recruitment process, which is provided by the company Recruitment Software OÜ – the company is our data processor, who processes personal data only on the basis and to the extent provided by us. Recruitment Software OÜ, in turn, uses sub-processors – a valid list of them can be found at: Data processing agreement DPA Annex 2. These include U.S.-based subprocessors. Thus, personal data is also transferred to the USA as a third country. The basis for the transfer of data is the European Commission's adequacy decision.
The Company also processes your personal data in cases where you contact us and ask an inquiry, question or provide us with other information by sending an e-mail, calling customer support or information line, contacting us through social network channels or filling out a paper customer application form in our store or office. Calls made to the customer support line 800 2121 are recorded.
What data do we process?
We receive the data from you, so the composition of the data depends on what you disclose to us in your written or oral address. In addition, the caller's voice will inevitably remain on the call recordings.
In most cases, the data includes the contacter's name, e-mail or phone number, documents certifying the purchase (purchase receipt, photo), AITÄH card number, bank account number (for refunds), less often health data (if the request concerns your health) and other content of the contact. If we need additional information to analyse your enquiry, we may link your enquiry data to other data in our possession, in particular cashier transaction data, your AITÄH card usage history, and your previous enquiries.
In order not to receive unnecessary data about you, we ask you to provide as little personal data as is necessary for resolving the request when contacting us. If we need additional information for this purpose, we will let you know.
Purposes of processing
The Company processes your data primarily to resolve your request. We remove the name and contacts when we forward a request during an internal investigation. If the response has to be organised by an department other than customer service, as a rule, our legal department, then the request will be forwarded together with the client's contact details. Where necessary, we use the data we receive to protect our rights.
In addition, we use the data obtained to improve the quality of services - as a rule without data that allows you to be directly identified. The customer service manager listens to call recordings randomly to improve and develop the skills of our customer support specialists.
Retention period
Recordings of calls made to the customer support line 800 2121 are stored for 30 days.
We store inquiries sent to klienditugi@maxima.ee address for 90 days from the date of receipt of the request. If it takes more time to resolve it, we will hold the request until it is resolved. After that, we only store a general description of the content of the request without the personal data of the person making the request.
report@maxima.ee – TÕRTKS § 10 obliges to retain notifications of labour violations for 3 years. If possible, we will delete the personal earlier.
Legal bases for processing personal data
If the client's request is related to a consumer dispute (e.g. filing a complaint), filling in accounting documents, responding to a supervisory body, then the legal basis for processing personal data is an obligation arising from legislation, i.e. Article 6 (1) clause c of the GDPR together with the relevant provision of national legislation, in the case of resolution of a consumer complaint, for example, §§ 24-25 of the Consumer Protection Act, and in the case of notification of a work-related violation TÕRTKS § 10.
If the customer's request is related to a transaction that has already been made or a wish to conclude a transaction or enter into a contract (e.g. joining the AITÄH loyalty program), the legal basis for processing personal data is the performance of the contract – GDPR art. 6 (1) clause b.
If the inquiry is not directly about a contract, but is a general question, giving feedback, etc., then the legal basis for processing personal data is legitimate interest – GDPR art. 6 (1) clause f. We rely on the same basis for recording calls for the purpose of improving customer service and when we need to use your personal data in connection with your request to establish, defend or present legal claims.
Transfer of personal data
Our company's IT services partner is Franmax UAB. The latter acts as a data processor, which means that it may only process personal data on the basis of the instructions of Maxima Eesti OÜ. The call management service is provided to us by Telia Eesti AS.
Sometimes it may be necessary to forward a customer request to a company in the Maxima Group, but as a rule, the request is forwarded without data that allows the person to be identified.
Maxima uses camera surveillance on the premises of the stores (both indoors and outdoors), which is why the images of the store visitors are also captured in the recordings. Camera surveillance does not extend to toilets or fitting rooms. The cameras do not record or transmit sound.
The objectives of video surveillance are:
protect the integrity of the company's assets and goods – prevent, detect theft and other offences (e.g. vandalism, burglary) and, if necessary, file claims for damages;
protect employees and customers from attacks;
investigate cases of serious bodily injury or death;
resolve conflicts, complaints (e.g. cash register disputes) and the loss of personal belongings of employees and customers (e.g. a phone left behind in a fall) and theft.
The Company processes personal data with the help of surveillance cameras on the following legal bases:
GDPR art 6(1)(f) – the legitimate interest of the company to protect the company's property, employees and customers, to defend itself against the claims and, if necessary, to file claims for damages for damage to property;
GDPR art 9(2)(f) – for the preparation, submission or defence of a legal claim – if special categories of personal data have been left on the recording;
Subsection 9 (9) of the Security Activities Act; § 10 (1) clauses 7-71 in conjunction with Article 6(1)(c) of the GDPR – verification of compliance with the requirements of the Security Activities Act.
Camera recordings are stored for one (1) month. If an offence, damage to property or an accident resulting in serious bodily injury or death has been recorded on the recording, the recording shall be kept until it is handed over to the investigating body and/or the insurer or in accordance with an order received from the investigating body.
Transfer of camera images and recordings
Maxima also uses the services of security companies, which is why the camera images can also be seen by the respective security personnel of security companies. Security companies are processors of personal data processing who process personal data only on the basis of Maxima's instructions.
If an offence or an accident resulting in death or serious bodily injury has been recorded on the camera recording, the company must send the relevant camera recording to the investigative authorities (primarily the Police and Border Guard Board, the Labour Inspectorate) on their lawful request.
You have the right to:
receive information about whether and why your data is being processed and receive a copy of your data;
request correction, deletion, restriction of use or portability of your data;
to object to the processing if the processing is based on Article 6(1)(e) or (f) of the GDPR;
withdraw your consent where the processing is based on consent;
file a complaint with the Data Protection Inspectorate (www.aki.ee).
You can read more about the content of these rights on the website of the Data Protection Inspectorate.
More detailed information about the company's legitimate interests can be requested at dpo@maxima.ee.
