I. GENERAL PROVISIONS
1. This Privacy Policy regulates the procedure and principles of collection, processing and storage of personal data of data subjects, according to which the data controller UAB “Vildingo prekyba”, legal entity code 301142685, registered office address: Stirnų 21-9, LT-08101, Vilnius, Lithuania, e-mail: info@latteloft.com, tel. +370 659 11156 (hereinafter referred to as the Company), processes personal data provided by data subjects during its activities, as well as sets rules for the use of cookies.
2. This Privacy Policy regulates the collection, processing and storage of personal data provided by the customers of the Company, including buyers and visitors (hereinafter referred to as the customers or data subjects) of the Company’s website www.latteloft.com (hereinafter referred to as the Website), as well as the use of cookies on the Company’s Website.
3. This Privacy Policy implements Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR), the Law on the Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the LLPD), the Law on Electronic Communications of the Republic of Lithuania (hereinafter referred to as the LEC) and other legal acts regulating the protection of personal data.
4. The terms used in the Privacy Policy correspond to the terms established in the BDAR, LLPD and LEC.
5. When using the Company’s Website or purchasing goods from it, data subjects agree with the provisions of the Privacy Policy. The Customers must read the Privacy Policy by registering on the Website and confirm their acquaintance and acceptance of the terms of the Privacy Policy by ticking the appropriate section of the Website. The Privacy Policy is also published in the “Privacy Policy” section of the Website, as well as on the blogs administered by the Company or on the website administered by the Company by providing a link to the Privacy Policy. This paragraph does not apply to those actions that require the consent of the individual data subject in the cases provided for in the GDPR, the LLPD and this Privacy Policy.
II. GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
6. The company shall ensure that the personal data of the data subjects are:
6.1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency principle);
6.2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
6.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization principle);
6.4. Accurate and, where necessary, kept up to date (accuracy principle);
6.5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation principle);
6.6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality principle).
III. GROUNDS, SCOPE AND PURPOSES OF THE PROCESSING OF PERSONAL DATA
7. The Company has the right to process personal data if at least one of the following conditions applies and only to the extent that it applies (paragraph 1 of Article 6 of the GDPR):
7.1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
7.2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
7.3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
7.4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
7.5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
7.6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
8. The Company collects and processes the following data of data subjects:
8.1. Of the data subjects who have confirmed their consent to receive the Company’s newsletters:
8.1.1. E-mail address.
8.2. Of the Customers who acquire goods on the Website:
8.2.1. Name, surname;
8.2.2. E-mail address;
8.2.3. Information on the Customer’s consent (refusal) to receive the Company’s newsletters;
8.2.4. IP address (to identify the Customer’s country for VAT purposes);
8.2.5. Customer’s contact telephone number;
8.2.6. Other data provided upon the Customer’s initiative;
8.2.7. Customer’s product order data: order date, ordered goods, quantity, sales price, order execution progress and other data related to the order;
8.2.8. Settlement details for the goods, including payment details;
8.2.9. Data provided by the Customer for invoicing;
8.2.10. Delivery address of the goods;
8.2.11. Date and time of delivery of the goods;
8.2.12. Other data related to the supply of the goods to the Customer.
9. The Company may also process other personal data not specified in Clause 8 of this Privacy Policy, if the Company is obliged by law to process such data or the data subject has given consent to the processing of such personal data for one or more specific purposes.
10. The Company shall store the data of the data subject for the entire period of cooperation with the data subject and for 10 (ten) years after the end of the cooperation. The cooperation referred to in this paragraph covers all the time from the submission of the order to the execution of the order. Upon termination of the Website by the Company, the cooperation shall be deemed terminated.
11. The Company uses the data of the data subject including visitors to the Website for the development of products or services and for improving the quality and selection of services. Actions for improving products or services may include product or content recommendations or personalization of services. Products and services are also developed by utilizing surveys and feedback. The more specific uses and storage of data collected in studies and surveys shall be described separately in the study or survey. The processing of personal data for developing products and services is based on the Company’s legitimate interests in utilizing data for the benefit of its customers and users of its online services.
12. The Company may use the data of the data subject including visitors to the Website for marketing, advertising or other commercial activities. Data may be utilized in things like targeting advertising, direct marketing or displaying advertisements on third-party platforms. For direct marketing, the processing of data for commercial purposes is based on the data subject’s consent. For other advertising and products, the processing of personal data is based on the Company’s legitimate interests. The data subject including visitors to the Website can influence the targeting of advertising through cookie settings, or third-party advertising displays by adjusting the platforms’ own advertising settings.
13. The Company also processes data about visitors to the Website in accordance with the procedure set forth in the “Cookies” section of this Privacy Policy.
14. The Company does not collect special categories of personal data referred to in paragraph 1 of Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic, biometric data specifically intended to identify a natural person, health data, data on the sexual life and sexual orientation of a natural person), as well as personal data referred to in Article 10 of the GDPR (data on convictions and criminal offenses or related security measures).
15. The Company processes the personal data of data subjects for the following purposes:
15.1. For identification of the Customer in the Company’s information systems when the latter forms an order on the Website;
15.2. For processing and execution of the order submitted by the Customer;
15.3. For administration of disputes between the Customer and the Company;
15.4. For direct marketing purposes, only with the consent of the data subject;
15.5. To ensure the proper functioning of the Website and to improve it;
15.6. For other purposes which comply with the principles, terms and conditions for the processing of personal data laid down in the GDPR.
16. The Company receives personal data of data subjects from the following sources:
16.1. The data subject submits personal data to the Company individually (the data subject applies to the Company, uses the services provided by the Company, buys goods, participates in surveys on the Company’s Website, leaves feedback, asks questions, subscribes to newsletters, requests information from the Company, etc.);
16.2. Personal data is obtained when the data subject visits the Company’s Website. The data subject fills in the forms on the Website or for some reason leaves his contact details and etc.
17. The data subjects providing personal data are responsible for the accuracy of their provided data.
IV. DATA PROCESSORS
18. The Company may use data processors to process personal data in accordance with this Privacy Policy – to authorize data processors to process personal data, i.e. providers of information technology and electronic communication services, advisors, auditors, consultants, security services and other entities which would process the data managed by the Company for the purposes set out in the Privacy Policy of the Company and in accordance with its instructions, in full confidentiality of personal data processing.
V. DATA RECIPIENTS
19. Personal data processed by the Company shall be provided to third parties (data recipients) only in the cases and according to the procedure established by laws and other legal acts, with the consent of the data subject or on other legal grounds for data provision:
19.1. Personal data of the data subject may be provided to the employees of the Company, whose functions include the processing of personal data and who must process the personal data of the data subject in the performance of their direct functions. When processing personal data of the data subject, the employees of the Company observe the requirements for protection of personal data, confidentiality and other requirements;
19.2. Personal data of the data subject may be provided to data processors (for example, to the company maintaining the Company’s IT system). The Company uses only those data processors who ensure that the appropriate organizational and technical measures are implemented in such a way that the processing of personal data of the data subject complies with the requirements of the GDPR and other legal acts;
19.3. When executing an order for goods, data on the consignee of the goods and the delivery address shall be provided to third parties providing delivery services, when their assistance is used;
19.4. Data of accounting documents for the purpose of tax administration shall be submitted to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania (STI);
19.5. Personal data of the data subject may be provided for a marketing action, survey or delivery of materials. Such service providers always work for the Company and under the supervision of the Company. The Company shall never sell or hand over personal data to third parties for marketing in a way that would allow third parties to use the personal data for independent marketing;
19.6. Data is provided to other third parties when the Company’s obligation to provide personal data is established by laws or other legal acts or upon the request of the data subject.
20. In the absence of legal grounds to provide data managed by the Company, the person or institution that submitted the data request shall be informed thereof by a reasoned written response to the request of the Head of the Company or the Data Protection Officer.
VI. DATA PROTECTION OFFICER
21. Data processing in the Company shall be organised by the Data Protection Officer within the limits of her competence.
22. Contact details of the Data Protection Officer appointed by the Company: Natalija Kilikevičienė, natalija@latteloft.com, +370 659 11156.
VII. RIGHTS OF DATA SUBJECTS AND PROCEDURE FOR THEIR EXERCISING
23. Data subjects have the following rights:
23.1. Right of access to personal data (information on whether personal data are processed; information on the processing of personal data provided for in paragraph 1 of Article 15 of the GDPR; copy of personal data processed);
23.2. Right to rectification of inaccurate or incomplete personal data (Article 16 of the GDPR);
23.3. Right to request erasure of data (paragraph 1 of Article 17 of the GDPR; not applicable if there are grounds referred to in paragraph 3 of Article 17 of the GDPR);
23.4. Right to request restrictions of the processing of personal data of the data subject (Article 18 of the GDPR);
23.5. The right to data portability, provided that it does not adversely affect the rights and freedoms of others, i.e. the right to obtain personal data related to the data subject which have been provided to the Company in a structured, commonly used and computer-readable format, including the right to request the Company to transfer such data to another controller where technically possible (Article 20 of the GDPR);
23.6. The right to object, as well as at any time thereafter, to the processing of his data, as well as to the processing of personal data of the Customer or the Company’s Website visitor for direct marketing purposes, including sending newsletters/new articles by the specified e-mail (Article 21 of the GDPR). If the person referred to in this Clause does not agree/subsequently does not agree on the processing of his personal data for the purposes of direct marketing, this shall not affect his rights to use other services provided by the Company. The personal data of the persons referred to in this paragraph shall be stored for the purpose of direct marketing until their separate waiver. Personal data will be deleted from the backup (back-up) within 30 days after the cancellation;
23.7. Other rights of the data subject provided for in the GDPR and the LLPD.
24. The data subject has the right to exercise his rights individually or through a representative.
25. The representative of the data subject must indicate in the request his name, surname, address and (or) other contact details for using which the representative of the data subject wishes to receive a reply, as well as the name, surname of the represented person and provide a document confirming the representation or a copy thereof.
26. In case of doubts about the identity of the data subject, the Company has the right to request additional information necessary.
27. The Company must provide information on the action taken upon the request no later than within one month from the date of receipt of the request of the data subject or his representative. If the Company is not able to provide the information within the term specified in this Clause, the Company must inform the data subject thereof, indicating the reasons for the delay in providing the information and the term within which the requested information will be provided to the data subject.
28. The data subject’s request for information must be signed with a secure electronic signature that allows the data subject to be reliably identified, and submitted to the Data Protection Officer at the contact e-mail address specified in Clause 20 of this Privacy Policy. If it is impossible to sign the request with a secure electronic signature, the original request shall be sent by registered mail to the Company at the registered office address: Stirnų Str. 21-9, LT-08101 Vilnius, Lithuania.
29. If the request is submitted in violation of the procedure and requirements established in this Privacy Policy, it shall not be processed, and the data subject shall be informed thereof without delay, but not later than within 5 business days, specifying the reasons.
30. All actions shall be performed upon the request of the data subject, and the information shall be provided free of charge. In the event of a manifestly unfounded or disproportionate request, including in cases of repetitive content, the Company shall be entitled to charge a reasonable fee based on the administrative costs actually incurred.
VIII. COOKIES
31. The main purpose of cookies is to identify the needs of data subjects, to better adapt to the needs of data subjects and to make the operation of the Website, blogs administered by the Company or the website administered by the Company as efficient and useful as possible for the data subject.
32. Cookies are small text files that are sent to the Website visitor’s device from the Website server. They are used to make the Website remember the visitor’s browsing history on the page. Cookies collect information that shows how visitors browse the Website, what browser they use, or come to the Website from another page by a link, which is the language setting. If the visitor is a registered user or has subscribed to the newsletters by e-mail, this information (such as name and e-mail) can be passed on to the data controller.
33. Data are collected every time you visit the Website, when visitors consent to the transfer of cookies. Cookies store information about the browsing features of the Website visitors and help us to improve our Website for your convenience. The provided cookies help to analyse the information about how the visitor uses the Website and thus help to improve the Website for the needs of the visitors, thus trying to provide the visitors with the information that is most relevant to them.
34. Cookies may be temporary or fixed:
34.1. Temporary cookies are stored until the browser is closed. They expire after each session. These cookies are used to identify the country from which the Website is connected, the methods and how the Website was visited – directly or using a link from another website;
34.2. Fixed cookies are stored on your device (computer, mobile phone, etc.) for a certain period of time after you close your browser and are activated every time you return to the page where the cookie was created.
35. Cookies are used for the following functions:
35.1. To ensure that the functions of the Website are performed properly;
35.2. For development and monitoring of the Website traffic statistics;
35.3. For the Website usage monitoring;
35.4. For reviewing visitor behaviour on the Website.
36. Session cookies are divided into:
36.1. Session (performance enhancing) cookies. These cookies improve the performance of the Website and collect general, encrypted (anonymous) information about your use of a particular website;
36.2. Analytical cookies. These cookies enable the Company to count the number of visitors to the Website and to see how users navigate through these websites. They help to improve the performance of the Website by ensuring that it meets the expectations of a data subject.
36.3. Functional cookies that help identify visitors to the Website when they revisit them. This enables the Company to provide content on social networks adapted to the needs of visitors.
37. In most cases, web browsers allow cookies to be stored on end-user devices by default. Website visitors can change their cookie settings at any time. Cookies can be deleted in your web browser settings. Moreover, it is possible to prevent cookies from being stored, but without them some functions of the Website will not work and/or the Website will be connected incorrectly.
38. A data subject has the right to disable cookies in his browser, but in this case the Company cannot guarantee that he will be able to use some of the functions that are necessary for the proper functioning of the Website.
39. The Website uses the following cookies:
| Cookie | Purpose | Duration | Type |
| User identification | Designed to identify and authenticate the user. Stores technical data about the user’s session, such as connection duration, session ID, and etc. | Until the end of the session | Data Controller Cookie |
| Session identification | Identifies the user’s HTTP session. Common to all web applications for use in identifying requests per session | Until the end of the session | Data Controller Cookie |
| Browsing status | Allows to identify the user’s browsing status (session start, page) | Until the end of the session | Data Controller Cookie |
| User options | Records user-selected session values (for example, language, product, sizes, etc.) | Until the end of the session | Data Controller Cookie |
| Favourite latest options | Allows you to remember items left in the shopping cart and use them during subsequent connections to the system | Permanent | Data Controller Cookie |
| Shopping cart | Records information about the shopping cart and the user credentials associated with the cart | Until the end of the session | Data Controller Cookie |
40. The Website also uses the following browsing analysis cookies, which are designed to collect general information about the user’s logins to the platform (not to its specific content) in order to collect aggregated access information for statistical purposes:
| Cookie | Purpose | Duration | Type |
|
Origin (WC_GASource) |
Designed to determine where a user accessed a particular page on the platform (either from a browser or from an external site) | Permanent | Data Controller Cookie |
|
GoogleAnalytics (__UTMA, __UTMB, __UTMC, __UTMD, __UTMV, __UTMZ, __UTMT, __GA, __GAT. |
Allows you to track a Web page with “Google Analytics”. This is a service provided by “Google” to help you obtain information about your access to the Website. The analysis collects certain data, such as how many times the user visited the page, the date, visit duration, and etc. The “Google Analytics” tool is provided by Google in accordance with the Terms and Conditions of Service. “Google” has access to the statistics collected by this tool and may process them on servers in the United States, but is committed to the EU-US Privacy Policy, which ensures that your service provider complies with the EU privacy standards. For more information on “Google Analytics”, click here. An alternative way to disable “Google Analytics” is to install a small plugin offered by “Google”, which can be found here. | Permanent | Data Controller Cookie |
41. The management and deletion of cookies can be managed and changed in the options of the browser you are using:
41.1. Google Chrome – https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666
41.2. Internet Explorer – https://support.microsoft.com/en-us/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d
41.3. Mozilla Firefox – https://support.mozilla.com/en-US/kb/cookies-information-websites-store-on-your-computer?redirectlocale=en-US&redirectslug=Cookies
41.4. Safari web – https://support.apple.com/kb/PH17191?locale=en_US
41.5. iOS – https://support.apple.com/lt-lt/HT201265
IX. FINAL PROVISIONS
42. By transferring personal data to the Company, the data subject agrees to this Privacy Policy, understands its provisions and agrees to abide by it.
43. In developing and improving the Company’s operations, the Company has the right to unilaterally change this Privacy Policy at any time. The Company reserves the right to unilaterally, partially or completely change the Privacy Policy by notifying through the Website.
44. Supplements or changes to the Privacy Policy enter into force from the date of their publication, i.e. from the date the supplemented or amended Privacy Policy is published on the Website.