1. This Privacy Policy (hereinafter – the Privacy Policy) sets out how UAB “Pigu Perku Group”, legal entity code 303006666, registered office address Europos pr. 96, LT-46351 Kaunas, Lithuania (hereinafter – the Company, we or the Data Controller), processes personal data on the website pirkeu.lt, in the customer account, and when providing goods purchasing, delivery, return, customer service and other related services.
2. For questions related to the processing of personal data, the exercise of data subject rights, requests, complaints or other privacy-related matters, you may contact us by email at [email protected].
3. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – the GDPR), the Law on Electronic Communications of the Republic of Lithuania, other applicable legal acts of the European Union and the Republic of Lithuania, as well as recommendations of competent supervisory authorities.
4. The Company processes personal data in accordance with the following principles:
4.1. personal data is collected for specified, explicit and legitimate purposes;
4.2. personal data is processed lawfully, fairly and transparently;
4.3. only personal data that is adequate, relevant and necessary for achieving the specified purposes is processed;
4.4. personal data is processed only where at least one lawful basis for processing applies:
4.4.1. the consent of the data subject;
4.4.2. the conclusion or performance of a contract;
4.4.3. compliance with a legal obligation;
4.4.4. the legitimate interests of the Company or of a third party, provided that the interests, rights and freedoms of the data subject do not override them;
4.5. reasonable measures are taken to ensure that inaccurate or incomplete data is corrected, supplemented or updated;
4.6. personal data is retained no longer than necessary to achieve the purposes for which it is processed, except where a longer retention period is required by law or where such retention is necessary for the establishment, exercise or defence of legal claims;
4.7. access to personal data is granted only to those persons for whom such access is necessary for the performance of their functions;
4.8. appropriate technical and organisational measures for the security of personal data are applied.
5. The Company’s services may be used by:
5.1. adult natural persons with legal capacity, as well as legal entities and their duly authorised representatives. Minors may use the services only in cases permitted by law. If, under applicable law or due to the nature of a specific service, the consent of parents or other legal representatives is required, such consent must be obtained before the service is used.
6. Where the Company’s services are considered information society services and the processing of personal data is based on a minor’s consent, such consent may be given independently by a minor who has reached the age of 14. In the case of a minor under the age of 14, consent must be given or confirmed by the minor’s legal representative.
7. The Company has the right to request information or documents confirming the lawfulness of the consent or representation.
8. If a specific service, by its nature, is not intended for minors, the Company has the right to refuse registration, order placement or provision of services until the required confirmation from the legal representative or another lawful basis for using the service is received.
II. Collection, Processing and Storage of Personal Data
9. Depending on how you use our services, the Company may process the following personal data:
9.1. first name and surname;
9.2. telephone number;
9.3. email address;
9.4. delivery, collection, return and other addresses related to the provision of services;
9.5. account and registration data, such as login information, account identifiers, password change records and security logs;
9.6. order, purchase, delivery, return and customer service information;
9.7. payment and settlement information to the extent necessary for the provision of services, refunds, accounting and payment administration;
9.8. correspondence and communication data with customer service, including the content of inquiries, complaints and claims;
9.9. IP address, login date and time, device, browser, operating system and other technical information;
9.10. cookie and similar technology data;
9.11. marketing preferences and consent information;
9.12. other data that you provide when using our services or that is generated in the course of providing the services.
10. Personal data is processed for the following purposes and on the following legal bases:
10.1. for registration, account creation and administration – on the basis of contract performance or steps taken prior to entering into a contract;
10.2. for ordering, purchasing, delivery, return of goods and the provision of other services – on the basis of contract performance;
10.3. for issuing invoices and financial documents, accounting and payment administration – on the basis of contract performance and compliance with a legal obligation;
10.4. for resolving issues related to the purchase, shipment, delivery or return of goods or the performance of other contractual obligations – on the basis of contract performance, compliance with a legal obligation or legitimate interest; the Company’s legitimate interest is to ensure proper service provision, avoid losses, manage disputes and defend its rights;
10.5. for handling customer inquiries, requests, complaints, claims and disputes – on the basis of contract performance, compliance with a legal obligation or legitimate interest; the Company’s legitimate interest is to ensure high-quality customer service, resolve disputes, collect and retain communication-related evidence and defend its rights;
10.6. for ensuring website functionality, security, fraud prevention, system protection and service quality improvement – on the basis of legitimate interest; the Company’s legitimate interest is to ensure the security of the website, systems, services, customers and business, identify technical malfunctions, prevent unlawful use and reduce the risk of fraud;
10.7. for statistics, analysis and service improvement – on the basis of legitimate interest and, where required by law, on the basis of consent; the Company’s legitimate interest is to analyse the use of services, improve website performance, user experience and service quality;
10.8. for sending newsletters, offers and other direct marketing communications:
10.8.1. by email or other electronic means of communication – usually on the basis of consent and, where permitted by law, also on another lawful basis, for example when offers for similar goods or services are sent to existing customers, while ensuring a clear and free-of-charge option to opt out of such communications at any time;
10.8.2. by telephone – on the basis of prior consent, where required by applicable law;
10.8.3. for providing offers and information about the Company’s services within the account environment or on the website – on the basis of legitimate interest, where such information is related to the Company’s services and is provided to existing customers, while ensuring a clear possibility to object to such processing at any time; where consent is required for such processing under applicable law, the data is processed on the basis of consent;
10.9. for the establishment, exercise or defence of legal claims – on the basis of legitimate interest; the Company’s legitimate interest is to defend its rights, interests and property in judicial, pre-trial or administrative proceedings.
11. When registering, placing an order or otherwise providing data, the customer must provide correct, accurate and complete information. If data necessary for registration, order fulfilment, delivery, return, payment or response to an inquiry is not provided, the Company may be unable to conclude or perform a contract, provide services or properly examine the request.
12. Personal data is generally obtained directly from the customer when the customer registers, places an order, uses the website, contacts us or otherwise uses our services.
13. In certain cases, where necessary for the provision of services, compliance with legal obligations or the protection of legitimate interests, personal data may be obtained not directly from the customer but from third parties, for example:
13.1. from payment service providers, banks or financial intermediaries – information on payment status, payment confirmation, refund, failed payment or other information necessary for payment administration;
13.2. from parcel, logistics, warehousing and delivery service providers – information on parcel acceptance, transportation, delivery progress, delivery status, failed delivery, return or other data related to parcel fulfilment;
13.3. from persons acting on behalf of the customer, such as representatives, authorised persons or employees of a legal entity – customer identification, contact, order or delivery data;
13.4. from public registers or institutions, where permitted by law and necessary for fulfilling legal requirements, preventing fraud, handling disputes or defending rights;
13.5. from IT, communication, customer service or other service providers where they act on our behalf and transfer information generated through the use of their solutions;
13.6. from other third parties, where the customer requests that their data be included in the provision of the service or where such receipt of data is permitted by law.
14. When processing and storing personal data, the Company implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or any other unlawful processing.
15. Personal data is retained no longer than necessary to achieve the purposes for which it was collected and processed, except where a longer retention period is required by law or where such retention is necessary for the establishment, exercise or defence of legal claims. The following main retention periods apply:
15.1. account and registration data is retained for as long as the account remains active and for 3 years after the last active login or account closure, except where longer retention is necessary due to incomplete orders, disputes, debt administration or the defence of legal claims;
15.2. order, purchase, delivery, return and related transaction data is retained for 10 years from the date of completion, cancellation or return of the order to the extent necessary for accounting, fulfilment of tax obligations, dispute administration and defence of rights;
15.3. invoices, payment, accounting and other financial documents are retained for 10 years, unless applicable law provides for a longer or shorter period;
15.4. customer service inquiries, correspondence, complaints, claims and dispute-handling data are retained for 3 years from the date of resolution of the matter or the last contact, and if a dispute or legal proceeding is initiated, until its final completion and for 1 additional year after its conclusion, where necessary for the defence of rights;
15.5. direct marketing data is retained for 3 years from the last active confirmation of consent or the last meaningful interaction with a marketing communication, unless the person withdraws consent or objects to such processing earlier;
15.6. the fact of opting out of direct marketing and the related minimum data may be retained for 5 years from the date the opt-out is received, in order to ensure that no unwanted communications are sent to the person and to demonstrate compliance with the opt-out;
15.7. consent records and evidence of obtaining consent are retained for 5 years from the withdrawal of consent or the expiry of its validity in order to demonstrate the fact and scope of the consent obtained;
15.8. technical logs, security records, IP addresses, login records and system records are generally retained for 90 days, except where longer retention is necessary for incident investigation, fraud prevention, security assurance or the defence of legal claims; in such cases, they may be retained for up to 1 year;
15.9. where a mandatory retention period is established by law for a specific category of data, the retention period prescribed by law shall apply.
16. The website may use necessary, functional, analytical, statistical, marketing and other cookies and similar technologies.
16.1. necessary cookies are used to ensure the functioning of the website and the provision of services;
16.2. analytical, functional, marketing or other non-essential cookies are used only after obtaining the user’s consent, where required by law;
16.3. detailed information about cookies, their purposes and management options is provided in a separate Cookie Policy.
17. Direct marketing communications are sent only where there is a valid legal basis.
17.1. the customer has the right to opt out of direct marketing communications at any time by clicking the unsubscribe link in the newsletter or by contacting us using the contacts provided in this Privacy Policy;
17.2. opting out of direct marketing communications does not affect the sending of communications that are not considered direct marketing, such as communications related to order fulfilment, account administration, security, service changes or legal obligations.
18. The Company may use statistical, aggregated, anonymised or otherwise non-personally identifiable data for business analysis, planning, service improvement and other legitimate business purposes.
III. Use and Disclosure of Personal Data to Third Parties
19. The Company may transfer personal data to third parties only to the extent necessary for the purposes specified in this Privacy Policy, for the performance of a contract, for compliance with legal requirements or for the protection of the Company’s legitimate interests.
20. Personal data may be transferred to the following categories of recipients:
20.1. payment service providers, banks and financial transaction intermediaries (for example, UAB “Paysera LT”) or other payment administration partners;
20.2. parcel, logistics, warehousing and delivery service providers (for example, UAB “Omniva LT”, UAB “SmartPosti”), courier companies, parcel locker operators and warehousing partners;
20.3. IT, hosting, cloud, system maintenance and data storage service providers;
20.4. customer service, communication, marketing and analytics service providers;
20.5. accounting, audit, legal, debt administration, fraud prevention and other related service providers;
20.6. other partners or service providers where necessary for the provision of the Company’s services or the protection of legitimate interests.
21. Personal data may also be transferred to state and municipal authorities, courts, law enforcement authorities, supervisory authorities and other competent institutions where such transfer is required by law or is necessary for the protection of the Company’s rights and legitimate interests, including for the establishment, exercise or defence of legal claims.
22. Where third parties process personal data on behalf of the Company, they act as data processors and process personal data only in accordance with the Company’s instructions and while applying appropriate technical and organisational security measures.
23. If personal data is transferred outside the European Economic Area, the Company shall ensure that such transfer is carried out in compliance with GDPR requirements and subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission, an adequacy decision or other lawful data transfer mechanisms.
24. Information about the safeguards applied and, where applicable, a copy thereof or information about where they may be accessed may be obtained by contacting us by email at [email protected].
IV. Amendment, Updating of Personal Data and Data Subject Rights
25. The customer has the right to change, update, correct or supplement the data provided in their account or by other means. Where necessary, the Company may request additional information required to verify the identity of the person in order to protect personal data and the rights and freedoms of others.
26. The customer has the right to:
26.1. obtain information about the processing of their personal data;
26.2. access their personal data;
26.3. request the correction of inaccurate data or completion of incomplete data;
26.4. request the erasure of data where there is a legal basis for doing so;
26.5. request the restriction of data processing;
26.6. exercise the right to data portability where applicable;
26.7. object to data processing where it is based on legitimate interest;
26.8. withdraw consent at any time where data is processed on the basis of consent; withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal;
26.9. object at any time to the processing of their personal data for direct marketing purposes;
26.10. lodge a complaint with the State Data Protection Inspectorate.
27. Where personal data is processed on the basis of legitimate interest, the customer has the right to object to such processing on grounds relating to their particular situation.
28. Where the right to data portability applies, the customer has the right to receive the personal data concerning them in a structured, commonly used and machine-readable format or, where technically feasible, to request that it be transferred to another data controller.
V. Submission of Information or Claims
29. In order to exercise their rights, obtain information about the processing of personal data, or submit a request, complaint or claim, the customer may contact us by email at [email protected].
30. Where necessary, the Company may request additional information required to verify the identity of the person in order to protect personal data and the rights and freedoms of others.
31. The Company provides information about the personal data processed and responses to requests in accordance with the procedure and time limits established by law, usually no later than one month from the date of receipt of the request, except where this period may be extended in accordance with legal requirements due to the complexity or number of requests.
32. The customer has the right to lodge a complaint with the State Data Protection Inspectorate.
VI. Amendments to the Privacy Policy
33. The Company has the right to amend this Privacy Policy in part or in full by publishing it on the website pirkeu.lt.
34. Amendments to the Privacy Policy shall enter into force from the date of their publication on the website, unless another effective date is specified in the Privacy Policy itself or in its amendment.
35. In the event of material amendments to the Privacy Policy, the Company may additionally inform customers by email, through the account or by other usual means of communication.