DONUT LAB
Privacy Policy
Last updated and effective date: June 17, 2026
Donut Lab OÜ and its affiliate companies (“Donut”, “we”, “us”, “our”) are committed to protecting your privacy and personal data.
This Privacy Policy provides you information on how we collect, process and store your personal data. This Policy applies when you make inquiries about our products and services, visit our website, communicate with our customer support, make purchases from us, sign up for our newsletter or the Global Innovators Program, join a waitlist, or otherwise interact with us via our website or social media, or by phone or any messaging app.
This Policy applies as well to our business contacts, shareholders and other stakeholders as well as job applicants and partners engaging in cooperation with us concerning our products and services.
We process your personal data under this Privacy Policy so please read it carefully. For certain products and services, we may give additional notices about privacy information. Please read those additional privacy notices to understand, how your personal data is collected and processed in such cases.
1. What personal data is collected, stored and processed?
We collect and process various types of personal data. Such personal data may include:
- Contact information. Such as your name, title, position, address, phone number, email address and, if you are a vendor, distributor or other stakeholder, company information.
- Personal details. social security number, gender, age, and ID card, such as your passport or driver’s license details, when required for verifying your identity.
- Agreement and transaction related data. Personal data necessary for maintaining our contractual relationship, such as information about your agreements, orders, purchases, given authorizations, payment status and details, credit card information, bank account number and other payment information, invoices, marketing preferences, as well as your communications with us through different channels, such as online via our website, on social media, or by phone or any messaging app.
- Shareholder information. Such as your name, address, date of birth, nationality, and amount of shares held by you.
- Recruitment information. Such as your application and resume, education and work experience, and other information necessary for the recruitment that you provide to Donut during the recruitment process, including interview information, video interviews and references.
- Online and electronic identification data. Such as your IP address, cookie ID, mobile device ID, time of visit and spent on the website or app, details about browser and device, page interaction information, navigation paths, scrolling, clicks, and location.
Your personal data may be collected and processed in the following situations as applicable and in accordance with the legal basis provided below in section 2 of this Privacy Policy:
- Product orders, rendering services. We may process your personal data to facilitate your orders, deliver the products and to render the services requested by you. This data may include your personal details, contact information, agreement and transaction related data as well as online and electronic identification data.
- Contacts. We need to process your personal data when you contact us e.g. for questions and inquiries concerning our products or services, including customer support or warranty service. We may also need to process your personal data if we need to contact you regarding product safety or regulatory notices. This includes our communications with you when you have signed up for the Global Innovators Program or joined a waitlist, such as to notify you when our products or services become available. Additionally, if you are a stakeholder of ours, we process your personal data in connection with our communications and contacts with you relating to our stakeholder relationship. We may process your personal details and contact information as well as other information you provide to us in connection with these communications.
- Interest and adherence in our offerings. We collect data regarding your interest in our products and services based on, for example, your orders, visits on our website, signing up for our newsletter or the Global Innovators Program or joining a waitlist, feedback, our communications with you, or participation in – or in connection with – any events, surveys, contests, campaigns, perks or incentives we may have. The data collected includes your personal details, contact information and agreement and transaction related data, such as information of your orders as well as online and electronic identification data.
- Advertising and direct marketing. We may process your personal data to provide advertising and direct marketing communications, promotions, and offers that might interest you relating to Donut’s products and services via email, phone, and/or other similar means of communication, in accordance with applicable laws.
- Cookies and other similar technologies. We may use cookies and similar technologies on our website and the information collected includes online and electronic identification data. For more information about cookies, please read our Cookie Policy.
We primarily obtain your personal data directly from you when you order our products and services, sign up for the Global Innovators Program or our newsletter, join a waitlist, browse our website, or otherwise interact with us.
In addition to the information you provide, we may collect information about you automatically when you visit our website. Your personal data may be also obtained from or shared with certain third parties, such as our finance partners, dealers and distributors, in accordance with applicable laws and regulations. These third parties have their own privacy policies that you should also carefully review.
Collection and Use of Non-Personal Data
We may also collect, use, and share information that does not, on its own, personally identify you. Such information may be used for any purpose, including for example, for operational or research purposes, for industry analysis, to improve or modify our products and services, to better tailor our products and services to your needs, and where legally required.
2. What are the purposes and legal bases for processing personal data?
The table below sets out our purposes for processing your personal data as well as the legal basis for the processing.
| Purpose of processing | Legal basis for the processing | Categories of personal data |
| Managing our contractual and other relationships. Preparing and implementing of our contractual relationship with you, our business partners, including distributors’, suppliers’ and other stakeholders’ contact persons as well as investors. This includes processing orders, delivering our products and services, providing customer service relating to your orders, warranty, refunds, returns and cancellations, managing payments, contracts and transactions as well as contacting you and communicating otherwise with you as one of our stakeholders. | Necessary for our legitimate interests to contact you and communicate with you as one of our stakeholders. Necessary for the performance of the contract between us and you. Necessary for compliance with our legal obligations. Where you have made an order or a purchase with a local Donut company, such company may act as an independent data controller of your personal data for this purpose. | Contact information Personal details Agreement and transaction related data Shareholder information Recruitment information |
| Maintaining and developing our customer relationship with you. Including responding to your inquiries and comments, sending important notices to you and sending you notices requested by you, for example, where you have signed up for the Global Innovators Program or joined a waitlist, and providing you with other customer support. | Necessary for the performance of the contract between us and you. Based on your consent. Necessary for our legitimate interests to provide customer service and process orders. Necessary for our legitimate interest to provide customers with important notices or notices requested by them. | Contact information Agreement and transaction related data |
| Developing our products and services. Improving and developing the quality, safety and functionality of our products, services and business as well as considering customer satisfaction. This may include making anonymized, de identified or aggregated compilations, statistics and analyses of such data. | Based on your consent. Necessary for our legitimate interests to improve and develop the quality, safety and functionality of our products, services and business as well as consider customer satisfaction. Necessary for compliance with our legal obligations. | Agreement and transaction related data Online and electronic identification data |
| Marketing purposes. Providing information related to our products, services, events and campaigns, recommending our products and services that you might find interesting, performing analytics and sending you promotional messages via email, phone, and/or other similar means of communication. | Based on your consent. Necessary for our legitimate interests to market our products and services. When required by applicable law, we will collect your consent before contacting you for direct marketing purposes via email, phone and/or similar means of communication. | Contact information Personal details Agreement and transaction related data |
| Providing the option to opt out. Complying with your request not to send you direct marketing, where applicable. | Necessary for compliance with our legal obligations. | Contact information |
| Compliance with applicable legislation. Complying and fulfilling our legal duties and obligations relating to e.g. tax law, accounting, regulatory compliance, safety issues, litigation, recalls and product liability. | Necessary for compliance with our legal obligations. Based on your consent. | Contact information Personal details Agreement and transaction related data Shareholder information Recruitment information Online and electronic identification data |
| Legal defense & security assurance. Defending and securing our and our customers’ rights, ensuring the security and safety of our products and services and preventing misconduct and fraud. | Necessary for our legitimate interests to defend and secure our and our customers’ rights, ensure the security and safety of our products and services and prevent misconduct and fraud. Based on your consent. | Contact information Personal details Agreement and transaction related data Shareholder information Recruitment information Online and electronic identification data |
| Recruitment and resourcing. Contacting you to inform you about the status of your application or to obtain additional information as well as to carry out interviews and evaluations in connection with the recruitment process. | Necessary for compliance with our legal obligations. Necessary for our legitimate interests to contact you, obtain information from you and evaluate you in connection with the recruitment process. | Contact Information Personal details Recruitment information |
| Administrating shareholder relationships. Maintaining our shareholder register, organizing shareholder meetings and sending investor information to our shareholders. | Necessary for compliance with our legal obligations. | Shareholder information |
Purpose of processing
Preparing and implementing of our contractual relationship with you, our business partners, including distributors’, suppliers’ and other stakeholders’ contact persons as well as investors. This includes processing orders, delivering our products and services, providing customer service relating to your orders, warranty, refunds, returns and cancellations, managing payments, contracts and transactions as well as contacting you and communicating otherwise with you as one of our stakeholders.
Legal basis for the processing
- Necessary for our legitimate interests to contact you and communicate with you as one of our stakeholders.
- Necessary for the performance of the contract between us and you.
- Necessary for compliance with our legal obligations.
- Where you have made an order or a purchase with a local Donut company, such company may act as an independent data controller of your personal data for this purpose.
Categories of personal data
- Contact information
- Personal details
- Agreement and transaction related data
- Shareholder information
- Recruitment information
Purpose of processing
Including responding to your inquiries and comments, sending important notices to you and sending you notices requested by you, for example, where you have signed up for the Global Innovators Program or joined a waitlist, and providing you with other customer support.
Legal basis for the processing
- Necessary for the performance of the contract between us and you.
- Based on your consent.
- Necessary for our legitimate interests to provide customer service and process orders.
- Necessary for our legitimate interest to provide customers with important notices or notices requested by them.
Categories of personal data
- Contact information
- Agreement and transaction related data
Purpose of processing
Improving and developing the quality, safety and functionality of our products, services and business as well as considering customer satisfaction. This may include making anonymized, de identified or aggregated compilations, statistics and analyses of such data.
Legal basis for the processing
- Based on your consent.
- Necessary for our legitimate interests to improve and develop the quality, safety and functionality of our products, services and business as well as consider customer satisfaction.
- Necessary for compliance with our legal obligations.
Categories of personal data
- Agreement and transaction related data
- Online and electronic identification data
Purpose of processing
Providing information related to our products, services, events and campaigns, recommending our products and services that you might find interesting, performing analytics and sending you promotional messages via email, phone, and/or other similar means of communication.
Legal basis for the processing
- Based on your consent.
- Necessary for our legitimate interests to market our products and services.
- When required by applicable law, we will collect your consent before contacting you for direct marketing purposes via email, phone and/or similar means of communication.
Categories of personal data
- Contact information
- Personal details
- Agreement and transaction related data
Purpose of processing
Complying with your request not to send you direct marketing, where applicable.
Legal basis for the processing
- Necessary for compliance with our legal obligations.
Categories of personal data
- Contact information
Purpose of processing
Complying and fulfilling our legal duties and obligations relating to e.g. tax law, accounting, regulatory compliance, safety issues, litigation, recalls and product liability.
Legal basis for the processing
- Necessary for compliance with our legal obligations.
- Based on your consent.
Categories of personal data
- Contact information
- Personal details
- Agreement and transaction related data
- Shareholder information
- Recruitment information
- Online and electronic identification data
Purpose of processing
Defending and securing our and our customers’ rights, ensuring the security and safety of our products and services and preventing misconduct and fraud.
Legal basis for the processing
- Necessary for our legitimate interests to defend and secure our and our customers’ rights, ensure the security and safety of our products and services and prevent misconduct and fraud.
- Based on your consent.
Categories of personal data
- Contact information
- Personal details
- Agreement and transaction related data
- Shareholder information
- Recruitment information
- Online and electronic identification data
Purpose of processing
Contacting you to inform you about the status of your application or to obtain additional information as well as to carry out interviews and evaluations in connection with the recruitment process.
Legal basis for the processing
- Necessary for compliance with our legal obligations.
- Necessary for our legitimate interests to contact you, obtain information from you and evaluate you in connection with the recruitment process.
Categories of personal data
- Contact Information
- Personal details
- Recruitment information
Purpose of processing
Maintaining our shareholder register, organizing shareholder meetings and sending investor information to our shareholders.
Legal basis for the processing
- Necessary for compliance with our legal obligations.
Categories of personal data
- Shareholder information
3. How do we share your personal data?
For the purposes described in this Privacy Policy, personal data may be disclosed to:
- Other Donut group companies. We may share your personal data within the Donut Group of companies, including our subsidiaries, affiliates, joint venture and other associated companies for any of the legitimate purposes described in this Privacy Policy. If you make an order or a purchase from a local group company, your data will be shared with such group company for handling it.
- Authorized third parties. Your personal data may be shared with and processed by third party service providers (such as dealers, distributors, payment processors, banks and vehicle finance providers, debt collectors, professional advisers, and email providers) to help carry out the services they are performing for us to support our business operations.
- Business partners. Your personal data may be shared with third parties with whom we co-sponsor events or promotions or jointly offer products or services, such as our business partners.
- Third parties for compliance with laws and other legal business purposes. We may share your personal data i) when necessary or required to comply with applicable laws, regulations or a court decision; ii) to detect, prevent, or otherwise address fraud, money laundering, terrorism financing, or technical or data security problems; or iii) to defend and exercise our or our customers’ rights. In addition, if you accept a government-offered purchase incentive or otherwise participate in government incentive programs, such as rebates or tax incentives for electric vehicles, we may be required to provide information to the government, or its designated administrators, pertaining to your purchase, participation and eligibility.
- Third parties in connection with a business sale. If we are involved in a merger, business/stock/asset transfer or similar M&A activity or financing in or reorganization of our business, we may transfer your personal data to one or more third parties (including their advisors) as part of that transaction.
- Bankruptcy or insolvency. In the event of bankruptcy, insolvency, or dissolution proceedings, we may share your personal information with third parties as part of the sale or reorganization process.
4. Where is personal data processed?
We primarily process personal data on servers within the EU/EEA.
However, the processing of personal data may also involve possible disclosures, transfers, storage, and processing of data to other countries outside the EU/EEA, such as the UK, where the data protection laws may differ from those in the EU/EEA. In such an event, Donut engages appropriate safeguards under applicable data protection legislation to ensure an adequate level of data protection for your personal data. These measures include, for example, transfer on the basis of an adequacy decision or the European Commission’s standard contractual clauses on transferring personal data to third countries.
For more information on data transfers, please contact us using the information provided at the end of this Privacy Policy.
5. How does Donut protect personal data?
We have taken reasonable technical and organizational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access and any other unlawful forms of processing.
However, no data transmission or storage over the Internet can be guaranteed to be completely secure. As a result, while we strive to protect your personal data, we cannot guarantee or warrant the security of any information we have collected.
You should also be mindful of the security of your own computer or mobile device – and their internet connection – when you browse our website. We recommend you protect your computer and mobile device with a passcode and change your log-in passwords periodically.
6. How long does Donut store personal data?
We will retain personal data only for as long as is necessary to fulfill the purpose for which it was collected. Generally, this means that we retain personal data for the duration of our customer relationship with you unless you request the data to be deleted earlier. When no longer required, personal data will be destroyed or erased. Please note that we may be obligated to store your other kind of personal data in order to comply with our legal obligations. For more information on our data retention policies and storage times, please contact us using the information provided at the end of this Privacy Policy.
7. Your rights
If you are an EU/EEA, Monaco, or UK resident or if required by your local law, you may at any time exercise the following rights in relation to your personal data that we process:
- Right to access personal data. You have the right to be informed about our processing of your personal data and to request a copy thereof.
- Right to correct personal data. You have the right to ask us for rectification of any inaccurate personal data we hold about you.
- Right to erasure. We will delete the data at your request if it is no longer legitimately needed.
- Right to object to the processing. You have the right to object to the processing of your personal data when the processing is based on our legitimate interest.
- Right to restrict processing. Under certain circumstances, you may have the right to restrict our processing of your personal data.
- Right to data portability. Where the legal basis for processing your personal data is your consent or an agreement directly entered between you and Donut, and we process your data by automated means, you may have the right to be provided with the personal data we hold about you in structured, commonly used and machine-readable format and to transmit the data to another controller.
- Right to withdraw your consent. If the processing is based on your consent, you have the right to withdraw your consent to such processing at any time. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
- Right to opt-out from marketing. If you no longer wish to receive marketing messages from Donut, you can choose to opt-out at any time by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us.
You may exercise these rights by contacting us by using the information provided at the end of this Privacy Policy.
If you consider that our processing of your personal data infringes the applicable data protection laws, you may have the right to lodge a complaint with a competent data protection supervisory authority. If you are an EU resident and believe your rights under the GDPR have been violated, you have the right to file a complaint with the supervisory authority. Contact details for all EU supervisory authorities can be found at https://ec.europa.eu/newsroom/article29/item-
detail.cfm?item_id=612080.
Please note that residents of certain jurisdictions may have additional privacy rights compared to the ones described above. Depending on your jurisdiction, you may have, for example, the following right in respect of our data processing:
- Right to communicate after-death instructions. You have the right to communicate your instructions to us relating to the processing of your personal data in case of death.
8. Children’s Privacy
We do not target our products, services or website to children under the age of 16 years and do not knowingly collect personal data from children. In the event that we learn that we have gathered personal data from anyone under the age of 16, we will delete such information as soon as possible.
Our website and services are not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13. In the event that we learn that we have collected personal information from a child under age 13 without verification or parental consent, we will immediately delete that information. If you believe that we might have any information from or about a child under 13, please contact us using the information provided in the “Contact details” section below.
9. Cookies
We may use cookies and other similar technologies on our website. A “Cookie” is a small text file that is placed on a web browser or internet-enabled device to record information related to how a website is used. In most cases, your personal data collected through cookies and other technologies is collected automatically for our legitimate business interests. In some jurisdictions, we ask for your consent before collecting your personal data.
We do not use any cookies, pixels, or other tracking that discloses to any third party information that identifies a person as having viewed specific video materials.
For more information about cookies, please read our Cookie Policy.
10. Changes to this Privacy Policy
We may update and change this Privacy Policy from time to time. You can see the date of the latest change or update at the top of this Policy. Any changes and updates will become effective upon our posting of the revised Privacy Policy.
We may provide notice to you of any changes. This notice may be provided by email, by posting the revised Privacy Policy on our website or by other means prior to the change becoming effective, consistent with applicable laws.
11. “Do Not Track” Signals
Your web browser may have settings that allow you to transmit a “Do Not Track” signal when you visit various websites or use online services. Like many websites and online services, our websites are not designed to respond to “Do Not Track” signals received from browsers. To learn more about “Do Not Track” signals, you may wish to visit http://www.allaboutdnt.com/.
12. Contact details and controller of your personal data
If you have further questions or comments regarding your privacy or wish to exercise your rights,
please contact us by using the following contact information:
Donut Lab OÜ (Business ID: 17054738)
Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 2a, 11415, Estonia
Email address:
For individuals in the EEA, UK, Monaco or Switzerland, the main data controller for the processing of your personal data as described in this policy is Donut Lab OÜ.
Additionally, when you order our products and services, the independent data controller responsible for the processing of your personal data may be the local Donut company you have contracted.
