Privacy Policy
Last updated: September 10, 2025
1. Introduction
This Privacy Policy (the “Policy”) explains how MB “Juridinis Komfortas” (“we”, “our”, “Data Controller”) collects, uses, protects, transfers, and otherwise processes your personal data when you use the Cyrolo.lt website and/or our services.
This policy also defines your rights under Regulation (EU) 2016/679 (GDPR) and the Law of the Republic of Lithuania on Legal Protection of Personal Data. It is worth reviewing before providing us with any personal information.
This Policy applies to all persons whose data we process – both visitors, customers, and other persons providing information.
2. Legal Basis and Scope
- GDPR and the national legal act “Law of the Republic of Lithuania on Legal Protection of Personal Data” form the legal basis for this policy.
- The minimum age at which a person can independently consent to data processing for information society services in Lithuania is 14 years. If the person is younger, consent must be given by a parent or guardian.
Principles of Personal Data Processing
- Lawfulness, fairness, and transparency: data is processed lawfully, fairly, and transparently in relation to the data subject.
- Purpose limitation: data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
- Data minimization: only data that is adequate, relevant, and necessary for the specified purposes is processed.
- Accuracy: data is accurate and, where necessary, kept up to date; measures are taken to ensure that inaccurate data is deleted or corrected without delay.
- Storage limitation: data is stored no longer than necessary for the purposes.
- Integrity and confidentiality: data is processed ensuring appropriate security, including protection against unauthorized processing, loss, destruction, or damage.
3. Data Controller and Responsible Entities
- Controller: MB “Juridinis Komfortas”, company code 306410144, Aukštaičių g. 4B-10, LT-11341 Vilnius, Lithuania.
- Contact email: [email protected]
- State supervisory authority: State Data Protection Inspectorate (VDAI), L. Sapiegos g. 17, Vilnius, Lithuania.
4. Data Subjects and Age Restrictions
- Data subjects: all individuals who visit our website, use our services, communicate with us, or provide information or documents.
- If a person is younger than 14 years old, we will not require them to register or provide data without parental/guardian consent, where this is a requirement under GDPR/Lithuanian law.
5. What Data We Collect
We collect only necessary data related to providing services, security, and other described purposes. Details:
| Data Category | What We Include | Examples |
|---|---|---|
| Registration/account data | Email; name (if obtained via social account); user account settings; language preferences | Email address, selected language, username |
| Authentication data | Information from third parties, e.g., Google (name, email) | When you sign in via Google account |
| Payment data | Transaction dates, amounts, payment identifiers; subscription status | Invoice, bill, ID, payment amount |
| User-provided information | Texts, documents, questions, comments, files | Uploaded documents, your submitted texts |
| Technical/browsing data | IP address, browser type, operating system, session duration, times, referrer, device type | Logs, access journals |
| Cookies and similar technologies | Information that helps recognize sessions, login status, feature performance | Cookies, local storage |
6. Legal Grounds for Data Processing
GDPR provides several legal grounds for data processing – we choose the most appropriate depending on the situation:
- Contract performance – when data processing is necessary to provide you with services.
- Legal obligation – when laws require us to store certain data (e.g., accounting).
- Legitimate interest – when we process data for our business security, proper functioning, abuse prevention, and error management. (We always ensure your rights and freedoms are not violated.)
- Consent – when data is processed based on your freely given, clear, informed consent.
- Vital interests/important public interests – only in rare cases applied to specific data.
7. Detailed Table: Purposes, Data, Legal Basis, Retention Periods
| Purpose | Personal Data | Legal Basis | Retention Period |
|---|---|---|---|
| Registration and account management | Email; name (if obtained via social account); account settings; language preferences | Contract performance | While account is active or until deletion upon your request |
| Service delivery (document processing) | Submitted texts, documents, questions, files, service history | Contract performance and legitimate interest (quality assurance, service improvement) | Only while needed for the request/service; then deleted or anonymized unless laws require otherwise |
| Financial accounting, compliance, and law enforcement | Transaction data, invoice data, payment identifiers, subscription status | Legal obligation | 10 years after the end of the financial year |
| Communication with us | Contact details (email, name), message content, attachments | Legitimate interest (respond to queries and administer them) | 3 months from response/last contact, unless longer retention is necessary (e.g., in case of dispute) |
| Security and incident investigations | IP address, login events, error and access logs, device information | Legitimate interest (system security, abuse prevention) | About 30–90 days; in case of incidents – as long as necessary for investigation |
8. Cookies and Other Tracking Technologies
Our website uses cookies. A cookie is a small file consisting of letters and numbers that, with your consent, we record in your device's browser and hard drive. We use different cookies for different purposes. Cookies also help us distinguish you from other users of our website, thus ensuring a more pleasant user experience and allowing us to improve the website.
Types:
- Essential technical cookies – to maintain sessions, login, security.
- Functional/performance cookies – improve user experience (e.g., remember language selection).
- Analytical cookies – collect anonymous statistics about website performance (e.g., how much time users spend on pages).
- Advertising/marketing cookies – (if planned in the future) – track behavior, show ads.
Your choices:
- You can delete or block cookies in your browser at any time.
9. Personal Data Transfer
Your personal data will not be disclosed to any persons, except for our business partners (service providers, suppliers, etc.), without which our website could not function, services could not be provided, or our legitimate interests could not be ensured.
Your personal data may also be provided to government or law enforcement authorities, but only when required by applicable law or when necessary to protect our rights and legitimate interests, as well as the rights and interests of our employees, customers, or business partners.
Our business partners process personal data only to the extent necessary for the performance of the relevant contract. We are responsible for the actions of our engaged data processors regarding your personal data as if they were our own.
In certain cases, we may transfer your personal data outside the EU or EEA. However, in such cases, we will ensure that the transfer of data complies with the conditions set out in Chapter V of GDPR (e.g., Standard Contractual Clauses – SCC or other appropriate transfer mechanisms are applied).
Third-party data processing/transfer
- Payment service providers – e.g., Stripe. They process card data; we receive only what is necessary for accounting/administration.
- Social login services – e.g., Google OAuth. Only what you agree to transfer.
- Server hosting/infrastructure providers – secure EU/EEA servers with data protection agreements.
- IT service providers/consultants/technical support – when necessary for operational support.
- Law enforcement authorities/supervisory authorities – when required by law.
- International transfer – if data must be transferred outside the EEA, this is done only with safe mechanisms (e.g., Standard Contractual Clauses – SCC), or other lawful grounds.
10. Your Rights as a Data Subject under GDPR
You as a data subject have the following rights – you have these rights and can exercise them:
| Right | Brief Description |
|---|---|
| Right to access your personal data that we process about you | You have the right to obtain confirmation from us whether we process personal data concerning you and to access the processed data together with certain additional information: processing purposes, categories, recipients, retention periods, etc. We provide you with a copy of your personal data if this does not violate the rights and freedoms of others. |
| Right to request correction of personal data | You have the right to correct all inaccurate or incomplete personal data about you, taking into account the purposes of processing, and to supplement missing data. |
| Right to request deletion (“right to be forgotten”)* | You can exercise this right when: (i) personal data is no longer necessary for the purpose for which it was collected or otherwise processed; (ii) you withdraw your consent and there is no other legal basis for processing the data; (iii) you object to the data being processed on the basis of our legitimate interest and there are no overriding legitimate reasons; (iv) the data was processed unlawfully; (v) the data must be deleted to comply with a legal obligation. |
| Right to restrict processing | You can request to restrict processing when: (i) you contest the accuracy of the data – until we verify its accuracy; (ii) processing is unlawful, but you request restriction instead of deletion; (iii) we no longer need the data, but you need it to establish, exercise, or defend legal claims; (iv) you have objected – until it is verified whether our legitimate interests override yours. |
| Right to object | You can object at any time to processing when it is based on our legitimate interest (including profiling). In the case of direct marketing – you can always object and we will immediately stop such processing. |
| Right to data portability | Receive data concerning you in a structured, commonly used, and machine-readable format and transfer it to another data controller or request that we do so directly, where technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means. |
| Right to withdraw consent | If processing is carried out with your consent – you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal. Withdrawal may affect the provision of certain services. |
| Right to file a complaint with a supervisory authority | If you believe that we process your personal data unlawfully, you have the right to contact the supervisory authority and file a complaint. In the Republic of Lithuania, this is the State Data Protection Inspectorate (VDAI). |
* Note: the “right to be forgotten” has limits – e.g., when processing is necessary for the performance of legal obligations, law enforcement, or other legitimate obligations.
You can exercise your rights by contacting us by email: [email protected], as well as by registered mail: Aukštaičių g. 4B-10, LT-11341 Vilnius, Lithuania.
11. Data Security and Protection Measures
- Technical measures: SSL/TLS encryption during data transmission; proper server security/encryption where necessary.
- Organizational measures: access control; employee training; only authorized persons process data; data processing in compliance with “privacy by design” principle.
- Backups are made regularly, data recovery plans are in place.
- Incident management: we have procedures for responding to data security breaches, informing authorities/data subjects if required by law.
12. Responsibility
You are responsible for ensuring that the personal data and documents provided to us are accurate, correct, and lawful. If you provide third-party data, you must have a legal basis to provide it and inform the relevant persons.
We, in turn, are responsible for the proper protection and processing of your personal data, in compliance with applicable laws, including GDPR, and the principles and measures set out in this Policy.
13. Privacy Policy Changes
- The Policy may be updated due to changes in laws, technologies, or practices.
- We will announce significant changes on the website, possibly by email if you have an account.
- New changes take effect on the date we publish, unless otherwise stated.
14. Contact
- Controller: MB “Juridinis Komfortas”
- Address: Aukštaičių g. 4B-10, LT-11341 Vilnius, Lithuania
- Contact email: [email protected]
This document was last updated on September 10, 2025