LT EN
Book an audit

Privacy Policy

Effective: Last updated:

1. General provisions

This English version is provided for convenience. The Lithuanian version is the legally binding one.

This privacy policy sets out how JESPE, MB processes personal data received through the dirbtuvas.lt website and other contact channels.

The policy is drawn up under the European Union General Data Protection Regulation (GDPR) 2016/679 and the Lithuanian Republic Personal Data Legal Protection Act.

By using the website or sending a request, you agree to the provisions of this policy.

2. Data controller

JESPE, MB

Company code: 307643315

VAT code: LT100020004711

Registered address: Vėjo g. 12-2, Ginduliai, LT-91276 Klaipėda

Phone: +370 622 01777

Email: info@dirbtuvas.lt

3. What data we collect

We collect only the data needed to deliver the service or process the request.

Through the contact form

  • Name
  • Company name
  • Email address
  • Phone number (optional)
  • Request text (if provided)

In email or phone correspondence

  • Name, contact details
  • Content of the correspondence

While browsing the site (technical information)

  • Anonymised browsing data (page visited, source, country, device type) — collected via Cloudflare Web Analytics; no personal data is identified.
  • IP address — Cloudflare processes it for security (DDoS protection); it is not passed to us in personally identifiable form.

4. Why we collect it (legal basis)

We collect and process data on the following legal bases:

  • Consent (GDPR art. 6(1)(a)) — when you fill in the contact form and tick the consent box, you agree that we may process your data to act on the request.
  • Contract performance (GDPR art. 6(1)(b)) — when we begin providing services based on your request.
  • Legitimate interests (GDPR art. 6(1)(f)) — responding to requests, customer service, improving service quality.
  • Legal obligation (GDPR art. 6(1)(c)) — retention of accounting records as required by Lithuanian Republic legislation.

5. How we use the data

We use the data only for clearly defined purposes:

  • To respond to your request and follow up about a proposal
  • To deliver the services you commission (audit, automation rollout, support)
  • To issue invoices and meet accounting obligations
  • To improve site performance (anonymised analytics)

We never pass data to third parties for marketing purposes. We never sell data.

6. Who we may share data with

In some cases data may be passed to third parties who help us deliver services (data processors). Contracts ensuring GDPR compliance are signed with each of them.

Currently used processors:

  • Cloudflare, Inc. (USA) — site hosting, DDoS protection, anonymised analytics. Cloudflare is certified under the EU-US Data Privacy Framework, recognised by the European Commission as ensuring an adequate level of protection (GDPR art. 45).
  • Hostinger International Ltd. (Lithuania / European Economic Area) — domain administration, email hosting.
  • Resend, Inc. (USA) — delivery of contact-form emails. Data transfer is based on Standard Contractual Clauses approved by the European Commission (GDPR art. 46).

If additional processors are needed (for example, accounting software), we will add them to this list and notify you through an updated version of the policy.

7. Data transfers outside the European Economic Area

Some processors are located outside the EEA (USA). Such transfers are carried out only with safeguards set out in GDPR articles 44–49: an adequacy decision of the European Commission (Cloudflare — EU-US Data Privacy Framework) or Standard Contractual Clauses (Resend). For more information, please contact us.

8. Retention period

We keep data only as long as necessary for its purpose:

  • Requests not converted into a contract — up to 12 months from the last contact.
  • Client data (under contracts and invoices) — 10 years, as required by Lithuanian Republic accounting legislation.
  • Anonymised analytics data — indefinitely, as it cannot identify a person.

After the period ends, the data is securely destroyed.

9. Your rights

Under the GDPR you have the right to:

  • Access the data we hold about you (GDPR art. 15)
  • Request rectification of inaccurate or incomplete data (GDPR art. 16)
  • Request erasure of data ('right to be forgotten') if there is no legal duty to retain it (GDPR art. 17)
  • Restrict processing in certain cases (GDPR art. 18)
  • Port your data to another controller in a structured format (GDPR art. 20)
  • Object to processing on the basis of legitimate interests (GDPR art. 21)
  • Withdraw consent at any time (withdrawal does not affect processing carried out before that point)
  • Lodge a complaint with the State Data Protection Inspectorate of Lithuania (vdai.lrv.lt)

To exercise these rights, contact us: info@dirbtuvas.lt or +370 622 01777. We will respond within 30 calendar days.

9.1. Voluntary nature of providing data

You provide personal data in the contact form voluntarily. However, if you do not provide the required data (name, company name, email), we cannot respond to your request or perform the service contract concluded with you (GDPR art. 13(2)(e)).

9.2. Automated decision-making

JESPE, MB does not carry out automated decision-making, including profiling, that produces legal effects on you or similarly significantly affects you (GDPR art. 22). Every request is reviewed by a human.

9.3. Data Protection Officer

The nature and scope of JESPE, MB's activities do not meet the criteria of GDPR art. 37, so a separate Data Protection Officer (DPO) is not appointed. All data protection questions are handled by company management at the contacts listed in section 12.

10. Cookies

The dirbtuvas.lt website does not use marketing or profiling cookies. We use only:

  • Functional cookies, necessary for the site to work (e.g. for contact-form security).
  • Cloudflare security cookies, helping distinguish real users from automated bots.

Cloudflare Web Analytics is not cookie-based — it uses anonymised signals, so a separate cookie consent banner is not required. If we later start using Google Analytics, advertising pixels or similar, we will introduce a cookie consent banner and the policy will be updated.

11. Data security

We take technical and organisational measures to ensure protection:

  • Data is transmitted with TLS encryption (HTTPS)
  • Secrets and credentials are stored in encrypted vaults
  • Access to data is limited on a need-to-know basis
  • Infrastructure security is reviewed periodically

Note that no system can guarantee 100% security, but we work to keep it as high as possible.

12. Policy changes

We may update the policy when service scope, the tools we use or legislation changes. We will announce material changes through the site. The latest version will always be available at /privatumo-politika.

13. Contacts for privacy questions

If you have questions about this policy or want to exercise your rights:

Email: info@dirbtuvas.lt

Phone: +370 622 01777

Address: Vėjo g. 12-2, Ginduliai, LT-91276 Klaipėda

Complaints about personal data processing may be filed with the State Data Protection Inspectorate of Lithuania (L. Sapiegos g. 17, Vilnius; ada@ada.lt; vdai.lrv.lt).