Privacy policy

1. Policy purpose, basic concepts

In this Privacy Policy (hereinafter the Policy), UAB Refra, company number 300502970 (hereinafter referred to as the Company), acknowledges that the protection of personal data is important to you, our clients and other data subjects (hereinafter referred to as the data subjects), and is committed to respecting and protecting the privacy of each data subject. Data subjects trust us when providing their personal information, and we are responsible for justifying their trust every day as we work.

Therefore, this Privacy Policy:

defines the commitments and responsibility of the Company in order to protect and respect the privacy of individuals;

explains how the Company collects, uses and stores personal data;

informs the data subjects about how their personal data is being processed and what rights each data subject has.

When we process personal data of data subjects, we comply with the General Data Protection Regulation of the European Parliament and the Council, the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Law on the Electronic Communications of the Republic of Lithuania and other directly applicable legal acts regulating the protection of personal data, as well as instructions from the competent authorities. This Privacy Policy applies in cases where a person is using the Company’s services as well as when visiting the Company’s website, which is www.refra.eu.

1.1. Definition of key terms used in the Policy:

1.1.1. data subject means a natural person or legal personality whose data is managed by the Company;

1.1.2. personal data shall mean any information relating to a natural person or legal personality, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or company registration code;

1.1.3. personal data processing shall mean any operation, which is performed with personal data such as: collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations;

1.1.4. data subject’s consent means any express, free and unequivocal expression of consent of the duly notified data subject, given in a statement or in an unambiguous manner, by which he accepts the processing of personal data relating to him, such as a written statement, including one given by electronic means, or an oral statement. Tacit behaviour, pre-marked boxes or omissions are not considered to be consent;

1.1.5. data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. In this Policy the Company is considered to be the Data Controller;

1.1.6. data processor shall mean a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller.

1.1.7. employee is a person who has a contract of employment or a contract of similar nature with the Company;

1.1.8. supervisory authority – the State Data Protection Inspectorate;

1.1.9. direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services.

1.1.10. Company’s website – Company’s website which is www.refra.eu

1.1.11. General Regulation on the Protection of Personal Data – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the Protection of Personal Data).

1.1.12. client is a natural person or legal personality, who has registered on the Company’s website and uses or intends to use the services of the Company and for this purpose has submitted his/her personal data to the Company;

1.1.13. other terms used in the Rules meet the definitions provided for in the General Data Protection Regulation and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.

1.2. The purpose of this Policy is to facilitate the exercise of the data subjects’ rights.

1.3. This Policy also applies to the protection of personal data of other data subjects (i.e. not clients and not employees) whose personal data is managed by the Company or will be managed in the future.

1.4. Personal data processed by the Company shall be accurate, adequate and not excessive in relation to the purposes for which they are collected and further processed. Where personal data is processed, personal data is constantly updated.

1.5. Persons who are 16 years of age or older and who wish to order services or send a query on the Company’s website are entitled to submit their personal data for processing through the Company’s website.

1.6. Customers’ personal data is collected:

1.6.1. for the provision of the Company’s services (order processing, administration), customer identification in the Company’s information system, for issuing invoices and other financial documents;

1.6.2. subject to the consent of the data subject, for direct marketing purposes.

1.7. The Company manages the following personal data for the purposes specified in clause 1.6.1. of the Policy: name, company name, email address, telephone number.

1.8. The Company manages the following personal data for the purposes specified in clause 1.6.2. of the Policy: name, company name, email address, telephone number.

1.10. The legal basis for the processing of personal data referred to in clause 1.6.1. is the Company’s obligation to execute a contract concluded with the data subject and/or to take actions at the request of the data subject (order) in order to conclude an agreement.

1.11. The legal basis for the processing of the data referred to in paragraph 1.6.2. shall be the consent of the data subject.

1.12. When personal data is processed for direct marketing purposes, the data subject has the right at any time to object to such processing of personal data at no cost by withdrawing his/her consent.

2. Personal data processing

2.1. Only the employees have a right to manage personal data of the clients within the Company, including their transfer to the third parties provided for in clause 2.2. of the Policy. Each employee is required to protect the confidentiality of personal data of a client and to comply with personal data protection legal acts and the requirements of these Rules.

2.2. In the course of the conclusion of the agreement on the provision of the Company’s services, personal data of the client may be transferred only to the Company’s partners acting on behalf of the Company as data processors who provide services related to the execution of the service contract (personal data shall be disclosed only to the extent necessary for the provision of the relevant services). Clients’ personal data may be provided only to data processors with whom the Company has signed agreements containing provisions on the transfer/delivery of personal data and if the data processor ensures the protection of personal data which is required by the General Data Protection Regulation. In all other cases, personal data of clients may be disclosed to third parties only in the cases and according to the procedure established by legal acts of the Republic of Lithuania.

2.3. The Company must comply with the principle of confidentiality and keep confidential any information related to personal data, to which they were given access in the course of their duties, unless such information is publicly available in accordance with applicable laws or regulations.

2.4. Term of personal data processing: personal data is processed until it becomes redundant for the purpose of processing it:

2.4.1. The personal data of clients are collected and processed for the purposes of the provision of services of the Company (clause 1.6.1.) for a maximum of 10 years.

2.4.2. personal data of clients are processed for the purposes of direct marketing referred to in clause 1.6.2. no longer than until cancellation (withdrawal) of the consent to receive advertising.

2.5. When personal data are no longer needed for the purposes of their processing, they are destroyed, except in cases prescribed by law, where the data must be transferred to state archives.

2.6. Personal data protection is organized, provided and maintained by an employee authorized by the Company.

3. Rights of the data subject and the procedure for their implementation

3.1. Rights of the data subject:

3.1.1. to know (be informed) about the processing of your personal data in the Company;

3.1.2. to have an access to your personal data and to be informed of how they are processed in the Company;

3.1.3. to object to the processing of their personal data;

3.1.4. request rectification, correction or addition of incorrect or incomplete personal data, except for storage, destruction of personal data or suspension of processing of his/her personal data;

3.1.5. request to delete the data (the right to be forgotten). This right is valid on one of the following grounds:

3.1.5.1. personal data are no longer needed to achieve the purposes for which the data were collected or otherwise processed;

3.1.5.2. the data subject withdraws the consent on which the processing was based and there is no other legal basis for processing the data;

3.1.5.3. personal data were processed illegally;

3.1.5.4. personal data must be erased in accordance with a legal obligation imposed by European Union or national law;

3.1.6. right to data transferability: the data subject has the right to receive personal data relating to him that he provided to the data controller in a systematic, commonly used and computer-readable format and has the right to transfer that data to another data controller and the data controller to whom the personal data has been provided must not create obstacles, when:

3.1.6.1. data processing is based on a consent or a contract;

3.1.6.2. data are processed by automated means.

3.2. The data subject has the right to submit a complaint to the supervisory authority regarding the allegedly unlawful processing of his or her personal data.

3.3. The data subject has the right to authorize a non-profit institution, organization or association that is properly established in accordance with the law of the Republic of Lithuania, and whose statutory objectives correspond to the public interest in the domain of protecting the rights and freedoms of data subjects as regards the protection of their personal data, to file a complaint on his/her behalf and to exercise on his/her behalf certain rights under the General Data Protection Regulation.

3.4. Procedure for the implementation of the data subject’s rights:

3.4.1. a person must submit a written request to the Company (in person, by post, through a representative, or by electronic means) in order to exercise the rights specified in clause 3.1. The application must be legible, signed by the person, and must contain: the person’s or company name, place of residence or company registration address, contact details, and information on which of the above rights the person wishes to exercise and to what extent and for what purpose;

3.4.2. when submitting an application, the person must confirm his/her identity:

3.4.2.1. if the application is submitted upon arrival directly to the Company – to provide a personal identification document or a copy certified in accordance with the legal acts of the Republic of Lithuania;

3.4.2.2. if the application is submitted by post – to provide a copy of a person’s identity document approved in accordance with the procedure established by the Republic of Lithuania;

3.4.2.3. if the application is filed through a representative – to submit a document confirming the representation;

3.4.2.4. if the application is submitted by electronic means – to sign it with an electronic signature;

3.4.3. the right of the data subject to refuse the processing of his/her personal data for direct marketing purposes is exercised by the data subject informing the Company of his/her disagreement by e-mail.

3.5. The requests specified in clause 3.4.1. of this Policy are handled by an authorized person of the Company. The application is examined and the response to the person is submitted not later than within 30 days from the date of receipt of the request.

3.6. When submitting requests under clause 3.4.1., the data subject should not manifestly abuse his/her rights. In the event that the data subject abuses his/her right (for example, he/she contacts the Company for information about the processing of his/her personal data more than once every six months), the Company has the right to demand from the data subject to compensate the administrative costs associated with the execution of such requests.

3.7. The Company shall respond to the data subject’s refusal to have his/her personal data processed for direct marketing purposes promptly, within the shortest possible time. Employees of the Company responsible for the computer maintenance take care that the personal data is not further processed for direct marketing purposes.

4. Cookies and their use

4.1. In order to improve our clients’ experience, we use cookies on the Company’s website. Cookies are small pieces of text information that are created automatically when you browse the site and are stored on the client’s computer or other terminal device. The information collected by the cookies allows us to provide the customer with more convenient browsing and attractive offers, to learn more about the behaviour of the users of the site, to analyze trends, and to improve both the website and the services provided by the Company.

4.2. The client agrees with the Company’s procedure for the use of cookies on the website and can choose whether to accept cookies. To disable cookies on the computer or other end device, the client can change his/her Internet browser settings and turn off all cookies or enable/disable them one by one. However, please bear in mind that in some cases this may slow down the speed of browsing, restrict the functionality of certain sites or block access to the website. More details are available at AllAboutCookies.org or www.google.com/privacy_ads.html.

4.3. The information we collect using cookies is used for the following purposes:

4.3.1. For functional cookie usage and service provision. Cookies are very important for the operation of our website, and they ensure a smooth experience for the consumer.

4.3.2. For service development. By monitoring the use of cookies, we can improve the functioning of our website. We receive information, for example, about which parts of our website are most popular and how much time users spend on our site.

4.3.3. For usage analysis. The Company uses cookies for statistical data on the number of users visiting our website and for evaluating the effectiveness of advertising. The Company can collect information, for example, from emails and newsletters for marketing purposes, in order to find out if the emails were opened and whether they prompted users to take any action, such as whether the user clicked on the link to our website provided in the letter.

4.3.4. For targeted marketing. Using cookies, the Company can collect information to provide advertisements or content for a specific browser by creating different targeting groups.

4.4. Third-party cookies

These are cookies used by other organisations through the Company’s website. For example, pixels and tags help the Company deliver relevant ads more effectively and use them for remarketing purposes. They also help the Company to provide research and reporting to advertisers, understand and improve services, and know when the content has been shown to customers.

The Company uses different types of Google cookies. The cookies listed below may be stored in customers’ browsers:

4.4.1. Google cookies. Detailed information about the types of cookies can be found in Google’s cookie policy.

4.4.2. Google Analytics cookies. These cookies are used to analyse website traffic. Google Analytics collects anonymous information about the number of visitors, the location from which the Company’s site has been accessed, and which parts of the site were visited by visitors. These cookies are created by Google Analytics.

Customers can manage ad personalisation via their personal Google account.

5. Personal Data Safety

5.1. The Company must implement appropriate organisational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.

5.2. When personal data security breaches are detected, the Company will immediately remove them.

5.3. Company’s employees respect the principle of confidentiality, as provided for in clause 2.3. of the Policy.

5.4. Antivirus software should be constantly updated on the Company’s computers.

5.5. In case of breach of personal data security, the Company informs the supervisory authority without undue delay and, if possible, within 72 hours after becoming aware of a breach of personal data security, unless the personal data breach should not jeopardize the rights and freedoms of natural persons or legal personality. If the personal data breach is not reported to the supervisory authority within 72 hours, the reasons for delay must be attached to the report.

5.6. In the event of a breach of personal data security that could seriously jeopardize the data and rights of natural persons or legal personality, the Company without unjustified delay informs the data subject about the breach of personal data security.

6. Liability

6.1. The data subject must provide the Company with complete and correct personal data of the data subject and inform the Company about the relevant changes in personal data.

6.2. The Company cannot fully guarantee that the Company’s website will function without any interruption and that it will be completely protected against viruses. Under no circumstances shall the Company be liable for direct or indirect damages related to the use of the materials available on the Company’s website. The data subject is informed that any material that the data subject downloads, reads or otherwise receives using the Company’s website is obtained solely at the discretion and risk of the data subject, and therefore the data subject is responsible for the damage caused to the data subject himself/herself or his/her computer system.

6.3. Unless otherwise specified, the intellectual property rights (including copyrights) on the content and information of the Company’s web site are owned by the Company. It is prohibited to reproduce, translate, adapt or otherwise use any part of the Company’s web site without the prior written consent of the Company. It is prohibited to perform any other actions that violate or may violate the Company’s intellectual property rights on the website and also contravene fair competition.

7. Final provisions

7.1. This Policy shall be updated at least once every two years or after amendments to the legislation regulating the protection of personal data.

7.2. The policy is publicly available on the Company’s website.

7.3. The Employees are introduced to the Policy with signature confirmation.

7.4. The Company shall have the right to partially or completely review this Policy. Employees shall be introduced to changes with signature confirmation.

7.5. Data subjects may contact the Company’s employee on any matter related to this Policy by e-mail at info@refra.eu.

Last update: 9th of November 2021