PRIVACY POLICY

1. Data Controller

The Data Controller:

UAB “Serenity IN”

Company code: 304703166

VAT code: LT100011447015

Email: projektavimas@darnioserdves.lt

The Company operates under the trademark “Darnios erdvės”.

---

2. Applicable Legal Acts

Personal data is processed in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR);

• The Law on Legal Protection of Personal Data of the Republic of Lithuania;

• The Civil Code of the Republic of Lithuania;

• Other applicable European Union and Republic of Lithuania legal acts.

---

3. Categories of Personal Data Processed

The Company may process the following categories of personal data:

• Name and surname;

• Contact details (phone number, email address);

• Delivery address;

• Payment information (processed via secure and certified payment service providers);

• Order history;

• IP address;

• Device, operating system, and browser data;

• Cookie data;

• Correspondence with the Company.

If a product is personalized, additional data voluntarily provided by the Customer may be processed (e.g., project-specific information required for customization).

The Company does not intentionally collect special categories of personal data (e.g., data concerning health, religion, or political opinions), unless such data is provided by the Customer without the Company’s request.

---

4. Purposes of Data Processing

Personal data is processed for the following purposes:

• to conclude and perform a purchase–sale contract;

• to administer orders and payments;

• to organize product delivery;

• to prepare personalized projects;

• to provide customer service;

• to resolve disputes and defend legal claims;

• to ensure the security of the website and information systems;

• to carry out accounting obligations;

• to comply with legal obligations;

• to send marketing offers (only with explicit consent).

---

5. Legal Bases for Data Processing

Personal data is processed on the following legal grounds:

5.1. Performance of a contract (Article 6(1)(b) GDPR).

5.2. Compliance with a legal obligation (Article 6(1)(c) GDPR).

5.3. Legitimate interest (Article 6(1)(f) GDPR), where the purpose is to:

• protect intellectual property;

• prevent fraud;

• establish, exercise, or defend legal claims;

• ensure information system security.

5.4. Consent (Article 6(1)(a) GDPR) – in the case of direct marketing.

---

6. Data Recipients and Processors

Personal data may be transferred to:

• payment service providers;

• IT, server, and hosting service providers;

• accounting service providers;

• courier services;

• legal and consulting service providers;

• public authorities, where required by law.

Data is transferred only to the extent necessary to provide the relevant service.

Data is processed within the European Economic Area (EEA). If data is transferred outside the EEA, appropriate safeguards as required by the GDPR are ensured (e.g., European Commission-approved Standard Contractual Clauses).

---

7. Data Retention Periods

Personal data is retained:

• for the duration of contract performance;

• for 10 years after contract completion (for tax and legal compliance purposes);

• marketing data – until consent is withdrawn.

Upon expiry of the retention period, data is deleted or anonymized so that it can no longer be linked to a specific individual.

---

8. Rights of the Data Subject

The Customer has the following rights:

• the right to receive information about data processing;

• the right of access to their personal data;

• the right to request rectification of inaccurate or incomplete data;

• the right to request erasure of data (“right to be forgotten”), where this does not conflict with legal obligations;

• the right to restrict processing;

• the right to data portability;

• the right to object to processing based on legitimate interest;

• the right to withdraw consent at any time;

• the right to lodge a complaint with the State Data Protection Inspectorate.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

---

9. Data Security

The Company implements appropriate technical and organizational security measures to protect personal data against:

• unauthorized disclosure;

• loss;

• alteration;

• destruction;

• unauthorized access.

Access to personal data is granted only to employees or service providers who require such access to perform their duties.

---

10. Cookies

The website may use cookies for the following purposes:

• to ensure proper functioning of the website;

• to analyze traffic and usage statistics;

• to improve user experience;

• to carry out marketing activities (with consent).

The Customer may change cookie settings at any time in their browser or via the website’s cookie management tool.

---

11. Amendments to the Privacy Policy

The Company reserves the right to amend this Privacy Policy by publishing an updated version on the website.

The updated version becomes effective from the date of its publication.