Privacy

PRIVACY POLICY

The purpose of the privacy policy is to inform how the personal data of data of Data Subjects is collected and processed, to explain how long it is stored, to whom it is provided, what rights data subjects have and where to apply for their implementation or other issues related to the processing of personal data.

Personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 of the European Union (hereinafter - the Regulation), the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.

Private Limited Liability Company "Nostra" is guided by the following basic principles of data processing:

• personal data are collected only for clearly defined and legitimate purposes;
• personal data are processed only lawfully and fairly;
• personal data are constantly updated;
• personal data shall be stored securely and for no longer than is required by the purposes for which the data are processed or by law;
• personal data are processed only by those employees of the Company who have been granted such a right in accordance with their work functions or by duly authorized data processors.

1. DEFINITIONS

1.1. Data Controller – Closed Private Limited Liability Company "Nostra" (hereinafter – the Company), legal entity code 120897213, registration address Sausių g. 44, Sausių k., Lentvario sen., Trakų r. sav.

1.2. Data Subject – any natural person whose data is processed by the Company. The Data Controller collects only those data of the Data Subject that are necessary for the performance of the Company's activities and (or) when visiting, using, browsing the Company's websites, social network accounts, etc. (hereinafter referred to as the Website) The Company ensures that the personal data collected and processed will be secure and will only be used for a specific purpose.

1.3. Personal data – any information relating directly or indirectly to a Data Subject whose identity is known or can be identified directly or indirectly by reference to the data concerned. Processing of personal data means any operation performed on personal data (including the collection, recording, storage, editing, modification, granting of access, retrieval, transmission, archiving, etc.).

1.4. Consent – any voluntary and deliberate consent by which the Data Subject consents to the processing of his or her personal data for a specified purpose.

1.5. Cookies – The Company's website uses small pieces of textual information that are automatically generated while browsing the website and stored on a computer or other device used by the data subject (website visitor). Cookies are used to improve the browsing experience for website visitors, to analyze website traffic and behavior of visits on the website.

2. SOURCES OF PERSONAL DATA 

2.1. Personal data are provided by the Data Subject themselves. The Data Subject contacts the Company, uses the services provided by the Company, purchases goods and/or services, leaves comments, asks questions, subscribes to newsletters, contacts the Company to request information, etc.

2.2. The personal data is obtained when the Data Subject visits the Company's website. The Data Subject fills in the forms contained therein or leaves their contact details, etc., for whatever reason.

2.3. Personal data is obtained from other sources. Data are obtained from other institutions or companies, publicly available registers, etc.

3. PROCESSING OF PERSONAL DATA 

3.1. By providing personal data to the Company, the Data Subject agrees that the Company will use the collected data to fulfill its obligations to the Data Subject in providing the services that the Data Subject expects.

3.2. The Company processes personal data for the following purposes:

3.2.1. Company business performance and continuity. The following data shall be processed for this purpose:

• For the purpose of concluding and executing contracts, personal data of suppliers (natural persons) may be processed: name(s), surname(s), personal identification number or date of birth, place of residence (address), telephone number, e-mail address, place of work, position, bank account and the bank where the account is located, the date, amount, currency and other data provided by the individual, which the Company receives in accordance with legal acts in the course of the Company's activities and/or which the Company is obliged to process by law and/or other legal acts. E.g. data contained in the business certificate (type of activity, group, code, name, periods of activity, date of issue, amount), number of the individual activity certificate, data on whether the Data Subject is a VAT payer, and any other data necessary for the proper performance of the contract and/or the obligations set out in the legislation.

• Contracts, VAT invoices and other related documents are stored in accordance with the terms specified in the General Documents Storage Index approved by the Order of the Chief Archivist of Lithuania.

• The legal basis for the processing is the need to perform a contract to which the customer is a party as a Data Subject or to take action at the customer's request prior to the conclusion of a contract with the customer (Article 6(1)(b) of the GDPR), where the processing of certain personal data is mandated by law (Article 6(1)(c) of the GDPR).

3.2.2. Inquiries, comments and complaints The following data is processed for this purpose:

• Name(s), surname(s) and/or username, e-mail address, telephone number, address, the subject of the message, comment, feedback or complaint, the text of the message, comment, feedback or complaint.

• Data on inquiries, comments and complaints shall be kept for 1 calendar year from the date of their submission.

• Legal basis for processing – processing is necessary for the legitimate interests of the data controller or of a third party, unless such interests of the Data Subject or the fundamental rights and freedoms of the Data Subject override those interests or the fundamental rights and freedoms necessary to ensure the protection of the personal data, in particular in the case of a child (Art. 6 (1)(f) of the GDPR), and the data subject has given his or her consent (Art. 6(1)(a) of the GDPR).

3.2.3. E-commerce. The following data shall be processed for this purpose:

• Name(s), surname(s), purchase history, delivery address, residential address, telephone number, e-mail address, product/service payment details, accumulated loyalty points.

• Personal data is stored only to the extent and for the time necessary to achieve the stated purposes. When the customer's personal data no longer needs to be processed, a decision is made to destroy them, except for those that must be archived in accordance with the requirements of the law or the internal local regulations of the Company.

• The legal basis for data processing is the need to perform a contract to which the customer is a party as a Data Subject or to take action at the customer's request prior to entering into a contract with the customer (Article 6(1)(b) of the GDPR).

3.2.4. Direct marketing.. The following data shall be processed for this purpose:

• Name(s), date of birth, telephone number, e-mail address.

• The data shall be kept for 5 years from the date of receipt of consent. This term may be extended if personal data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including an investigation conducted by the State Security Administration, in a civil, administrative or criminal case, or in other cases prescribed by law. In that case, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed as soon as they are no longer needed.

• The legal basis for processing is the Data Subject's consent (Article 6(1)(a) of the GDPR) and the need to pursue the legitimate interests of the Company in order to improve the performance and success of its activities and business (Article 6(1)(f) of the GDPR).

 3.2.5. For the purpose of ensuring the security of the Company's employees, other Data Subjects and property (video surveillance). The following data shall be processed for this purpose:

• Video image. Video surveillance systems do not use facial recognition and/or analysis technologies, and the image data captured by them is not grouped or profiled according to a specific Data Subject (person). The Data Subject shall be informed about the video surveillance by means of information signs with the symbol of a video camera and the Company's details, which shall be displayed before entering the monitored area and/or premises. The field of surveillance of CCTV cameras excludes premises where the Data Subject expects absolute protection of Personal Data.

• Personal Data obtained by video surveillance cameras (video data) shall be stored for up to 30 (thirty) calendar days from the moment of their capture, after which they shall be automatically destroyed, unless there is reason to believe that a misdemeanor, criminal offense or other illegal activity has been recorded (until the end of the relevant investigation and/or trial).

• The legal basis for processing is that the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, unless such interests of the data subject or the fundamental rights and freedoms of the data subject, which require the protection of personal data, override those interests, in particular in cases where the data subject is a child (Article 6(1)(f) of the GDPR).

3.2.6. Other purposes for which the Company has the right to process the data subject's personal data, where the data subject has expressed his or her consent, where the processing is necessary for the Company's legitimate interest, or where the Company is obliged to process the data by the relevant legal acts.

4. USE OF COOKIES 

4.1. The Company uses cookies on the Website for the purpose of improving and enhancing the experience of buyers and website visitors.

4.2. The following types of cookies may be used on the Company's website:

4.2.1. Technical (required) cookies – help the website visitor to view the website and its content, to ensure the functionality of the website, to create an account, to log in to your account and to manage your orders. Technical cookies are necessary for the proper functioning of the website and their use does not require the consent of the website visitor.

4.2.2. Functional cookies – used to help the website visitor use the Company's website and to remember the choices and preferences made during the browsing process. Functional cookies are not necessary for the website to be fully functional, but they do add functionality and improve your experience of using the Company's website.

4.2.3. Analytical Cookies – used to obtain information about how website visitors use the Company's website. This is necessary in order for us to optimize and improve the Company's website. With the help of analytical cookies, we may collect data about the web pages you have viewed, the pages from which you came, the e-mails you opened and responded to, and date and time information. It also means that we may use information about you and your use of the site, such as the frequency of visits, the number of clicks on a particular page, the search terms used, and more.

4.2.4. Commercial (targeted or promotional) cookies – used to deliver personalized advertising to a visitor to the Company's website. This is called "remarketing", which is based on your browsing activity, such as the products and/or services you've searched for and viewed.

4.3. The Company's employees, who are responsible for the analysis of these data and the improvement of the website, have access to the statistical data about visitors to the Company's website

4.4. Technical records may also be accessed by the Company's partners who provide content management tools for the Company's website.

4.5. The Google Analytics tool is provided by Google Inc., a U.S. company, so it also has access to the statistical data collected by Google Analytics. This provider is subject to contractual and statutory privacy obligations.

4.6. Data collected by means of cookies shall not be stored by the Company for longer than is necessary to achieve the purposes of the processing or for longer than is required by the Data Subjects and/or provided for by law.

4.7. You can find more information about cookies at: AllAboutCookies.org.

4.8. If you do not agree to our use of cookies, you have the option to change your browser settings and control the amount of cookies. Useful links to opt out of cookies can be found below:

• For Chrome browser: https://support.google.com/chrome/answer/95647?hl=en;
• For Firefox browser: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer?redirectlocale=en-US&redirectslug=Cookies;
• For Safari browser: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac;
• For Edge Browser: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy.

4.9. The following cookies are currently used on the Company's website:

5. USE OF SOCIAL NETWORKS

5.1. All information you provide on social media (including posts, the use of the "Like" and "Follow" fields, and other communications) is controlled by the operator of the relevant social network.

5.2. Our Company currently has an account on the social network Facebook, the privacy policy of which is available at https://www.facebook.com/privacy/explanation;

5.3. Our Company currently has an account on the social network Instagram, the privacy policy of which is available at https://help.instagram.com/519522125107875;

5.4. Our Company currently has an account on the social network LinkedIn, the privacy policy of which is available at https://www.linkedin.com/legal/privacy-policy;

5.5. Our Company currently has an account on YouTube, the privacy policy of which is available at https://policies.google.com/privacy?hl=en-US.

5.6. We encourage you to read third-party privacy notices and contact service providers directly if you have any questions about how they use your personal information.

6. SENDING NEWSLETTERS 

6.1. The Company uses the services of a third party Omnisend to send newsletters. The third party Omnisend only uses the e-mail address of the recipient of the newsletter to successfully send it. The Omnisend Privacy Policy is available at:

• Omnisend privacy policy: https://www.omnisend.com/privacy/.

6.2. You can unsubscribe from the newsletters by clicking on the "Unsubscribe" button at the bottom of each e-mail you receive, by replying to the e-mail you receive, or by contacting the Company directly by e-mail and expressing your wish to stop receiving the Company's newsletters.

7. E-COMMERCE 

7.1. The e-shop of the Private Limited Liability Company "Nostra" has been created using the Electronic-LAB platform. Data collected for the purpose of e-commerce is stored on Electronic-LAB servers. The privacy policy of the e-shop platform is available at:

• Electronic-LAB privacy policy: https://www.e-lab.lt/lt/privatumo-politika/.

7.2. The Company uses the Swedbank payment collection platform Bank Link, Paysera and EveryPay to accept payments. The privacy policy of the payment acceptance platforms is available at:

• Swedbank privacy policy: https://www.swedbank.lt/private/home/important/gdpr;
• Paysera privacy policy: https://www.paysera.lt/v2/en-LT/legal/privacy-policy-2020;
• EveryPay privacy policy: https://every-pay.com/privacy-policy/.

7.3. Our website is protected by a security protocol that relies on a data encryption system certificate (SSL). The web address of such a store contains the letter "s": "https://".

8. PROVISION OF PERSONAL DATA

8.1. The Company undertakes to respect the obligation of confidentiality vis-à-vis Data Subjects. Personal data may be disclosed to third parties only if this is necessary for the conclusion and performance of a contract for the benefit of the Data Subject or for other legitimate reasons.

8.2. The Company may provide personal data to its data processors who provide services to the Company and process personal data. The Company's data processors shall have the right to process personal data only on the Company's instructions and only to the extent necessary for the proper performance of their obligations under the Contract. The company shall only use processors that provide sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way as to ensure that the processing complies with the requirements of the Regulation and that the Data Subject's rights are protected.

8.3. The Company may also provide personal data in response to requests from a court or public authority to the extent necessary to properly comply with applicable law and the instructions of public authorities.

8.4. The Company guarantees that personal data will not be sold or rented to third parties.

9. PROCESSING OF PERSONAL DATA OF MINORS

9.1. Individuals under the age of 14 may not provide any personal data through the Company’s website. If a person is under 14 years of age, in order to use the Company's services, the written consent of one of the representatives (parent or guardian) regarding the processing of personal data must be provided prior to the provision of personal information.

10. TERM OF STORAGE OF PERSONAL DATA

10.1. Personal data collected by the Company is stored in hard copy documents and/or in the Company's information systems. Personal data shall be processed for no longer than is necessary for the purposes of the processing or for no longer than required by the data subjects and/or provided for by law.

10.2. Although the Data Subject may terminate the agreement and waive the Company's services, the Company must continue to retain the Data Subject's data due to possible future claims or legal claims until the data retention periods have expired.

11. RIGHTS OF THE DATA SUBJECT

11.1. The right of access to information about data processing.

11.2. The right of access to processed data.

11.3. The right to request rectification of data.

11.4. The right to request deletion of data ("the right to be forgotten"). This right shall not apply if the personal data requested to be deleted is also processed on another legal basis, such as processing necessary for the performance of a contract or the fulfillment of an obligation under the applicable law.

11.5. The right to restrict data processing.

11.6. The right to object to data processing.

11.7. The right to data portability. The right to data portability must not adversely affect the rights and freedoms of others. The Data Subject shall not have the right to data portability in respect of personal data processed in non-automated files, such as paper files.

11.8. The right to request that a decision based solely on automated processing, including profiling, not be applied.

11.9. The right to submit a complaint regarding the processing of personal data to the State Data Protection Inspectorate.

12. The Company shall be obliged to enable the Data Subject to exercise the aforementioned rights of the Data Subject, except in the cases prescribed by law when it is necessary to ensure state security or defense of the state, public order, prevention, investigation, detection or prosecution of criminal activities, the protection of the state's important economic or financial interests, the prevention, investigation, detection or prosecution of breaches of professional or official conduct, or the protection of the rights and freedoms of the Data Subject or of other individuals.

13. PROCEDURES FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT 

13.1. The Data Subject may contact the Company in order to exercise their rights:

13.1.1. by submitting a written request in person, by post, by a representative or by electronic means – by e-mail: info@nostra.lt;

13.1.2. orally – by phone: +370 521 62016;

13.1.3. in writing to: Sausių g. 44, Sausių k., Lentvario sen., Trakų r. sav..

13.2. You can also contact the Company’s Data Protection Officer via e-mail: asmensduomenys@sdg.lt.

13.3. In order to protect the data from unauthorized disclosure, the Company must verify the identity of the Data Subject upon receipt of a request from the Data Subject to provide data or exercise other rights.

13.4. Company response