1. PERSONAL DATA

1.1 Personal data means information and data relating to a data subject – a natural person (user) which can be directly or indirectly attributed to that natural person.

2. LEGAL BASIS FOR PROCESSING PERSONAL DATA

2.1 The Controller processes personal data on the following basis:

• the contract concluded with the Manager;
• for the purposes of the performance of the Manager’s duties in accordance with the requirements of the regulatory enactments;
• the legitimate interests of the Controller(the Controller, when processing personal data based on its legitimate interests, undertakes not to violate the rights and interests of the user and to comply with the regulatory enactments);
• user consent.

3. PERSONAL DATA COLLECTED BY THE CONTROLLER

3.1 The type of personal data processed by the Controller depends on the type of legal relationship that exists between the Controller and the user (or the merchant on whose behalf the user is acting). For example, when a user uses the Site and enters into a contract with the Controller on his/her own behalf (or on behalf of the trader on whose behalf the user is acting), the Controller may ask the user to disclose the following personal data:

• the word;
• surname;
• personal identification number or date of birth, gender and nationality
• passport number, ID card number or other national identification number
• address (postal address, declared address of residence and/or registered office)
• index paste;
• phone number;
• email address;
• financial information
• bank account number
• information about the workplace
• the registration number, make and model of the vehicle;
• IP address, browser settings, search history – Cookie Policy;
• other information

3.2 In addition to the above, the Manager may also record telephone conversations, video surveillance or take photographs at the Manager’s commercial premises, warehouse, sales outlets or at organised events.

4. SOURCES OF PERSONAL DATA

The controller may obtain the user’s personal data from the following sources:

4.1 From the user:

• the user (or the trader on whose behalf the user is acting) registering and/or using the Site, providing contact information about themselves (or the trader on whose behalf the user is acting) or saving missing information on the Site;
• the user (or the merchant on whose behalf the user is acting) when making purchases, ordering goods on the Site and/or entering into a contract with the Manager;
• by exercising the right of withdrawal(if the user is a consumer) or by the user (or the trader on whose behalf the user is acting) lodging a complaint with the Controller;
• The use ofcookiesby the Controller on the Site collects technical data about the user: IP address, browser settings and search history.

4.2 From third parties:

• state and local authorities, including the registers they keep (e.g, the insolvency register);
• public databases (e.g. Lursoft) and publicly available information;
• the trader on whose behalf the user is acting and/or who is the user’s employer;
• service providers and cooperation partners
• social networks

5. PURPOSES OF PROCESSING PERSONAL DATA

The Controller processes personal data lawfully, in good faith and in accordance with the requirements of regulatory enactments. The Controller shall not use personal data for purposes that are incompatible with the purposes for which the personal data were collected. The Controller processes personal data for the following purposes:

5.1 To enable the Manager to carry on its business:

• to process an order placed by the user (or a trader acting on behalf of the user);
• the sale and delivery of goods ordered by the user (or the trader on whose behalf the user is acting)(e.g. preparation of accounting documents, repayment of overpayments and money for goods returned by the user (or the trader on whose behalf the user is acting), and administration of debts);
• enable the user (or the merchant on whose behalf the user is acting) to make payments on the Site, where such functionality is offered on the Site;
• contact the user (or the trader on whose behalf the user is acting);
• resolve disputes with the user (or the trader on whose behalf the user is acting);
• support the user (or the trader on whose behalf the user is acting) during and after the purchase process, including, but not limited to, after-sales service for the goods sold;
• identify the user (or the trader on whose behalf the user is acting);
• take action to reduce the risk of fraud;
• perform other activities that the Manager is required to perform in accordance with the laws and regulations or in accordance with the terms of an agreement concluded between the Manager and the user (or a merchant on whose behalf the user is acting).

5.1.1. Legal basis for processing:

• the performance of a contract concluded with the Controller;
• Fulfilling the manager’s duties in accordance with laws and regulations;
• The legitimate interests of the controller.

5.1.1. the legitimate interests of the Controller:

• commercial activities
• efficient delivery of goods;
• performance of contractual obligations
• collecting and storing documentation;
• meeting obligations under laws and regulations
• business development
• after-sales service;
• after-sales service;
• cooperation with the Manager’s clients;
• Organisational management of the manager.

5.2 For the operation of the Site – Cookie Policy:

• authenticated access to the Site by the user (or the merchant on whose behalf the merchant is acting);
• ensure the security and integrity of the Site;
• reduce the risks that could arise from illegal use of the Site;
• personalise and improve the Site;
• analyse the behaviour and preferences of users of the Site;
• ensure the proper functioning of the servers;
• analytics(i.e. the generation and analysis of statistics, correlations and trends in processes, services, information systems and network data) on the use of the Site.

5.2.1. Legal basis for processing:

• the performance of a contract concluded with the Controller;
• Fulfilling the manager’s duties in accordance with laws and regulations;
• The legitimate interests of the controller.

5.2.1. the legitimate interests of the Controller:

• commercial activities
• efficient delivery of goods;
• performance of contractual obligations
• meeting obligations under laws and regulations
• Maintaining IT systems and addressing security threats.

5.3 For the development of the Manager’s business:

• develop and improve the Manager’s business;
• market analysis
• to determine the effectiveness of the advertising and other marketing activities carried out by the Manager;
• improve the user’s (or the trader on whose behalf the user is acting) service experience.

5.3.1. Legal basis for processing:

• the performance of a contract concluded with the Controller;
• Fulfilling the manager’s duties in accordance with laws and regulations;
• The legitimate interests of the controller.

5.3.1. the legitimate interests of the Controller:

• commercial activities
• efficient delivery of goods;
• business development
• meeting obligations under laws and regulations

5.4. to provide advertising for the Manager’s business and the goods offered for sale:

• determine the user’s (or the merchant on whose behalf the merchant is acting) willingness to receive information from the Manager about products available on the Site, upcoming events, marketing activities, campaigns and news;
• inform the user (or the merchant on whose behalf the merchant is acting) about products available on the Site, upcoming events, marketing activities, campaigns and news by sending information to the user’s e-mail address, if the user has agreed to receive such information from the Manager.

5.4.1. Legal basis for processing:

• the performance of a contract concluded with the Controller;
• Fulfilling the manager’s duties in accordance with laws and regulations;
• The legitimate interests of the controller;
• user consent.

5.4.1. the legitimate interests of the Controller:

• commercial activities
• efficient delivery of goods;
• collecting and storing documentation;
• business development
• meeting obligations under laws and regulations

5.5 To ensure safety:

• The Manager may record telephone conversations, video surveillance or take photographs in the Manager’s commercial premises, warehouse, sales outlets or at organised events.

5.4.1. Legal basis for processing:

• the performance of a contract concluded with the Controller;
• Fulfilling the manager’s duties in accordance with laws and regulations;
• The legitimate interests of the controller.

5.4.1. the legitimate interests of the Controller:

• commercial activities
• meeting obligations under laws and regulations
• Organisational management of the manager.

6. UPDATING PERSONAL DATA

6.1 The Controller undertakes to ensure that the personal data collected from users is adequate, accurate and correct, and includes only the data necessary for the purposes of processing personal data as set out in this Privacy Policy. Inaccurate personal data will be deleted or rectified without delay. The user is entitled to view, modify, update or delete the personal data stored about him in his user account on the Site at any time.

7. SECURITY OF PERSONAL DATA

7.1 The Controller shall take all reasonable appropriate technical and organisational measures necessary to ensure the confidentiality, integrity, privacy and security of personal data in relation to the processing of personal data by the Controller in accordance with laws and regulations. The Controller shall apply internal procedures and controls to prevent unauthorised use, access, disclosure, copying, alteration or corruption of personal data. The User’s personal data shall be disclosed only to those employees of the Controller who need it to perform their duties.

7.2 Where payments are possible on the Site, the encrypted channel for the transfer of data between banks ensures the security of the user’s personal data and bank details. The Controller shall not have direct access to the confidential information(i.e. card numbers, banking system logins) of the user’s payment instrument. The Controller only receives confirmation of payment from the payment service provider.

8. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

8.1 For the purposes of the Manager’s business activities, the performance of contractual obligations and the better servicing of the user (or the merchant on whose behalf the user acts), the Manager may disclose and transfer the personal data of certain users to third parties, which may be divided into the following categories:

• business partners, such as delivery service providers, credit institutions, the Manager’s auditors, consultants, debt recovery service providers and other business partners providing services to the Manager;
• state and local authorities and law enforcement authorities, which are entitled to request information from the Controller in accordance with the rights established for them in regulatory enactments.

8.2 In addition to the foregoing, there may be instances where the Controller may transfer personal data to another person in connection with a transfer, merger, acquisition or sale of the Controller or a part of the Controller’s assets, as well as in other similar transactions.

8.3 When transferring Personal Data to third parties, the Controller undertakes to ensure that such third parties:

• use the personal data received only for the purposes for which they were provided and in accordance with the applicable laws and regulations;
• maintain the confidentiality of personal data and ensure security measures in accordance with the requirements of regulatory enactments and this Privacy Policy.

9. TRANSFER OF PERSONAL DATA ABROAD

9.1 The Controller undertakes to use its best endeavours to ensure that if the personal data of a user is transferred to a country outside the European Economic Area (hereinafter referred to as EEA) Member State, an adequate level of security is provided.

9.2 The Controller undertakes not to disclose the User’s personal data to a third party located in a country which does not ensure an adequate level of protection of personal data and which is not a member of the EEA, except in the following cases:

• the user has given his or her consent;
• the transfer of personal data is necessary for entering into a contract with the user (or the trader on whose behalf the user is acting) or for the performance of a contract with the user (or the trader on whose behalf the user is acting);
• the transfer of personal data is necessary for entering into a contract or for performance of a contract for the benefit of the user (or the trader on whose behalf the user is acting);
• the transfer of personal data is permitted in accordance with applicable laws and regulations.

9.3 If the user’s personal data is transferred to a third party located in a country that is not a member of the EEA, the Controller will take all necessary steps to ensure that the user’s personal data is protected and processed as set out in this Privacy Policy. Where personal data is transferred outside the EEA, the Controller will ensure that one of the following safeguards is in place:

• the country to which the user’s personal data has been transferred ensures the same level of protection of personal data as in the EEA;
• there is an agreement on the processing of personal data between the Controller and the person to whom the personal data have been transferred;
• the personal data is transferred to a person who is a member of the PrivacyShield(the Privacy Shield is an international treaty between the European Union and the United States of America protecting the privacy rights and civil liberties of individuals).

9.4 If the user’s personal data is transferred abroad, the Controller guarantees that the user has access to his/her rights as a data subject under the laws and regulations and to effective legal remedies. The user gives his/her consent to the transfer of personal data abroad.

10. AUTOMATED PROCESSING OF PERSONAL DATA

10.1 The Controller shall carry out automated processing of personal data, including profiling. The User is entitled to contact the Controller about automated decision-making and to request the Controller to make decisions involving an employee of the Controller.

10.2 The Controller uses automated processing of personal data, i.e. profiling, for its advertising purposes (see Section 11 – Advertising of this Privacy Policy). The User has the right to object to such profiling by notifying the Manager in writing.

11. ADVERTISEMENT

11.1 The Controller may use the user’s personal data for advertising purposes, namely to inform the user (or the merchant on whose behalf the merchant is acting) about products available on the Site, upcoming events, marketing events, campaigns and news by sending information to the user’s e-mail address, if the user has agreed to receive such information from the Controller (hereinafter referred to as advertising).

11.2 The Manager may also take film or photographs of the Manager’s commercial premises, warehouse, outlets or events for promotional purposes.

11.3 The Controller is entitled to use the user’s personal data for advertising purposes only if the Controller has obtained the user’s individual consent or on the basis of the Controller’s legitimate (legitimate) interests.

11.4 For advertising purposes, the Manager will contact the User using the User’s e-mail address, unless the User has indicated to the Manager that they do not wish to receive advertising from the Manager by notifying the Manager in writing using the e-mail address: [email protected]. However, notwithstanding the fact that the user has indicated that he/she does not wish to receive advertising from the Manager, the Manager is entitled to send to the user’s e-mail address information of an important nature, such as information related to the performance of the user’s (or the merchant on whose behalf the user is acting) contractual obligations.

12. STORAGE OF PERSONAL DATA

12.1 The Controller shall keep personal data for as long as necessary to achieve the purposes set out in this Privacy Policy, unless longer storage of personal data is required or permitted by applicable laws and regulations. For the purpose of determining the period of retention of personal data, the Controller shall use criteria that comply with those set out in the laws and regulations ( e.g. (i) the provisions of the Law on Accounting or the Law on Archives, as well as (ii) the handling of claims, the protection of rights, the resolution of disputes, the respect of limitation periods, etc. ). In any event, the Controller will not process and delete personal data that is unnecessary or not in accordance with the purposes of the processing of personal data set out in this Privacy Policy.

13. USER RIGHTS

13.1 In accordance with the provisions of the regulatory enactments, the user (data subject) has the following rights:

• right of access – the user has the right to obtain from the Controller information about (i) the user’s personal data processed by the Controller and their categories; (ii) the source of the user’s personal data(if such is used and disclosure is permitted by law or regulation); (iii) the date on which the user’s personal data were last modified; (iv) the purposes for which the user’s personal data are processed; (v) the persons to whom the user’s personal data have been transferred; (vi) the retention period of the user’s personal data; (vii) whether the personal data are processed by automation; and (viii) other information as required by the laws and regulations. Upon the exercise by the user of the rights referred to in this paragraph, the Representative shall be entitled to require the user to pay a reasonable fee based on its administrative costs;
• Right to rectification – the user has the right to request that his or her personal data be rectified or updated if it is inaccurate;
• the right to erasure or the right to be forgotten – the user has the right to request the Controller to erase the user’s personal data without undue delay if (i) they are no longer necessary in relation to the purposes for which they were collected or processed, (ii) the user objects to their processing; or (iii) they have been unlawfully processed. If the user exercises his or her rights under this paragraph, the Controller shall be entitled to continue to process the user’s personal data in order to enable the Controller to exercise or defend its legitimate interests and rights;
• the right to restrict processing – the user has the right to restrict the processing of his personal data if (i) they are inaccurate, outdated, incomplete, untrue, unlawfully processed or no longer meet the originally stated purposes of the processing; (ii) they are not necessary for the Controller to process the data, but are necessary for the user to assert, exercise or defend his legal claims; or (iii) the user, exercising his right, has objected to their processing in the cases provided by the regulatory enactments. If the user exercises his or her rights under this paragraph, the Controller shall be entitled to continue to process the user’s personal data in order to enable the Controller to exercise or defend its legitimate interests or rights or to protect the legitimate interests and rights of another person;
• right to object – the user has the right to object to the processing of his/her personal data in the cases provided for in the regulatory enactments;
• the right to unsubscribe – to opt-out of receiving communications about products, upcoming events, marketing, campaigns and news on the Site;
• the right to lodge a complaint – the user has the right to lodge a complaint regarding the processing of personal data by the Data Controller in accordance with the procedure established by the laws and regulations, including lodging a complaint with the Data State Inspectorate (the data protection supervisory authority in the Republic of Latvia). The Data Controller asks the user to first address the Data Controller before filing a complaint with the Data Inspectorate.

13.2 If the user wishes to exercise one or more of the aforementioned data subject rights, the user shall submit a written request to the Controller by sending it to the Controller’s (i) e-mail address: [email protected] or (ii) registered office address: Miera iela 4-17, Ļaudona, LV-4862.The Controller shall send a response to the user’s submission in the same manner in which the user submitted it to the Controller, unless the user requests otherwise.

13.3 When submitting a request, the user shall ensure that the Controller is able to identify the user as a specific data subject and verify the nature and justification of the request. The Controller shall examine the User’s submissions free of charge and without undue delay within one month from the date of receipt of the submission. Taking into account the complexity of the user’s request for information, the Controller shall be entitled to extend the aforementioned time limit by two months by informing the user in writing.

14. RESPONSIBILITY

14.1 The User certifies that the personal data and other data provided by the User are true, valid, legal and complete. In case of submission of false or misleading data, as well as in case of detection of fraud or its attempt, the Manager shall be entitled to immediately terminate the User’s access to the Site and/or inform the law enforcement authorities in accordance with the procedure established by the laws and regulations in force in the Republic of Latvia.

14.2 The User is responsible for all actions and their consequences, which he or a third party, using the User’s data, performs using the Site, in accordance with the applicable laws and regulations of the Republic of Latvia.

14.3 The User (or the merchant on whose behalf the User is acting) is obliged to familiarize himself with this Privacy Policy, as well as to acquaint with it any natural person whose interests may be affected by the personal data processing processes carried out by the Controller.

15.

15.1 The Controller is entitled to collect data about the Website user by using cookies. For information on the use of cookies on the Site, please see the Cookie Policy.

16. THE CONSEQUENCES OF THE USER’S FAILURE TO PROVIDE PERSONAL DATA

16.1 In the event that a User chooses not to disclose their personal data to the Manager or exercises any of their rights as a data subject, this may limit the Manager’s ability to provide the functionality of the Site, deliver goods or provide other services(including, but not limited to, after-sales service) as originally intended by the Manager. In some cases, if the user does not provide personal data to the Manager, the Manager may not be able to sell goods, deliver goods or provide other services(including but not limited to after-sales service) to the user (or to the merchant on whose behalf the user is acting).

17. CHANGES TO THE PRIVACY POLICY

17.1 The Controller may amend this Privacy Policy at its sole discretion by notifying users on the Site.

18. THIRD PARTY WEBSITES AND PROCESSING OF PERSONAL DATA

18.1 This Privacy Policy does not apply to the processing of personal data by third parties, including third party websites or services. In such cases, please refer to the privacy policy or personal data security safeguards provided by the third party.

19. CONTACT DETAILS

19.1 For all questions and problems related to this Privacy Policy or the processing of personal data, as well as in cases where a user wishes to (i) opt-out from receiving advertising from the Manager, (ii) completely delete their data from their user account created on the Site or (iii) exercise their rights as a data subject, please contact us through the Manager:

• email: [email protected] or
• registered office at Miera iela 4-17, Ļaudona, LV-4862.