PRIVACY POLICY

1. GENERAL TERMS

1.1. This Privacy Policy describes how IRVISS.LV, REG. NO., LEGAL ADDRESS_____ (hereinafter also referred to as the "Data Controller") collects, processes, and stores personal data obtained from its clients and individuals visiting the website (hereinafter referred to as the "Data Subject" or "You").

1.2. Personal data refers to any information related to an identified or identifiable natural person, i.e., the Data Subject. Processing means any operation related to personal data, such as collection, recording, modification, use, viewing, deletion, or destruction.

1.3. The Data Controller complies with the data processing principles stipulated by law and ensures that personal data is processed in accordance with applicable legislation.

2. COLLECTION, PROCESSING, AND STORAGE OF PERSONAL DATA

2.1. The Data Controller collects, processes, and stores personally identifiable information primarily through the online store website and email communication.

2.2. By visiting and using the services provided on the online store, You agree that any information provided is used and managed in accordance with the purposes outlined in this Privacy Policy.

2.3. The Data Subject is responsible for ensuring that the personal data submitted is correct, accurate, and complete. Knowingly providing false information is considered a violation of this Privacy Policy. The Data Subject is required to promptly notify the Data Controller of any changes to the submitted personal data.

2.4. The Data Controller is not responsible for any losses incurred by the Data Subject or third parties due to falsely submitted personal data.

3. PROCESSING OF CUSTOMER PERSONAL DATA

3.1. The Data Controller may process the following personal data:

3.1.1. Full name

3.1.2. Date of birth

3.1.3. Contact information (email address and/or phone number)

3.1.4. Transaction data (purchased goods, delivery address, price, payment details, etc.)

3.1.5. Any other information submitted during the use of website services or product purchases or when communicating with us.

3.2. In addition to the aforementioned, the Data Controller has the right to verify the accuracy of the submitted data using publicly available registers.

3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):

(a) The Data Subject has given consent for their personal data to be processed for one or more specific purposes;

(b) Processing is necessary for the performance of a contract to which the Data Subject is a party or for carrying out pre-contractual measures at the Data Subject’s request;

(c) Processing is necessary to comply with a legal obligation applicable to the Data Controller;

(f) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the Data Subject’s rights and freedoms requiring protection of personal data, especially if the Data Subject is a child.

3.4. The Data Controller stores and processes the Data Subject’s personal data for as long as at least one of the following criteria applies:

3.4.1. The personal data is necessary for the purposes for which it was collected;

3.4.2. As long as the Data Controller and/or the Data Subject may exercise their legitimate interests in accordance with applicable laws, such as submitting objections or filing claims in court;

3.4.3. As long as there is a legal obligation to retain the data, such as under the Accounting Law;

3.4.4. As long as the Data Subject’s consent remains valid for the relevant personal data processing, unless another legal basis applies.

Upon the expiration of these conditions, the Data Subject’s personal data will be permanently deleted from computer systems and from electronic and/or paper documents containing such personal data, or anonymized.

3.5. To fulfill its obligations to You, the Data Controller has the right to transfer Your personal data to cooperation partners, data processors who process necessary data on our behalf, such as accountants, courier services, etc. The data processor acts as the personal data controller. Payment processing is provided by !!!!!NAME!!!!!, and for the execution of payments, our company transfers the necessary personal data to Maksekeskus AS.

Upon request, we may disclose Your personal data to state and law enforcement authorities if necessary to defend our legal interests, submit claims, or protect against legal actions.

3.6. When processing and storing personal data, the Data Controller implements organizational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, or any other unauthorized processing.

4. RIGHTS OF THE DATA SUBJECT

4.1. In accordance with the General Data Protection Regulation and Latvian legislation, You have the following rights:

4.1.1. Access Your personal data, obtain information about its processing, request an electronic copy, and transfer such data to another controller (data portability);

4.1.2. Request correction of incorrect, inaccurate, or incomplete personal data;

4.1.3. Request deletion of Your personal data (“right to be forgotten”), except in cases where the law requires retention of data;

4.1.4. Withdraw Your previously given consent for personal data processing;

4.1.5. Restrict the processing of Your personal data – the right to request that we temporarily cease all processing of Your personal data;

4.1.6. Submit a complaint to the Data State Inspectorate.

Requests regarding Your rights can be submitted electronically by contacting customer support at info@irviss.lv.

5. FINAL PROVISIONS

5.1. This Privacy Policy is developed in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) as well as applicable Latvian and European Union laws.

5.2. The Data Controller reserves the right to make changes or amendments to this Privacy Policy at any time without prior notice. Amendments take effect upon publication on the website https://irviss.lv.

DATA SECURITY POLICY

1. GENERAL TERMS

1.1. This Data Security Policy (hereinafter referred to as the "Policy") establishes the approach of IRVISS.LV (hereinafter referred to as the "Company") to ensuring data security, including the protection of personal and corporate data.

1.2. The Policy applies to all Company employees, partners, and third parties who process or access the Company's systems and data.

1.3. The purpose of the Policy is to protect data from unauthorized access, theft, damage, or destruction and to ensure the security of the Company's information.

2. DATA PROTECTION MEASURES

2.1. Access Control

Access to data is restricted to authorized employees and partners only.

Two-factor authentication (2FA) is used for system access.

2.2. Data Encryption

All sensitive data is encrypted both in storage and during transmission.

Industry-standard encryption protocols are used (e.g., AES-256, SSL/TLS).

2.3. Security Monitoring and Incident Response

The Company regularly monitors systems and conducts security audits.

An incident response procedure is in place to promptly identify and mitigate security threats.

2.4. Data Backup and Recovery

Regular data backups are performed and stored in a secure location.

Testing procedures are carried out to ensure the effectiveness of data recovery.

2.5. Security Training and Employee Responsibility

All Company employees receive regular training on data security and cybersecurity threats.

The security policy is reviewed and improved as necessary.

3. DATA STORAGE AND DELETION

3.1. All data is stored only as long as necessary for the Company's operations and compliance with regulatory requirements.

3.2. Data that is no longer needed is permanently deleted or anonymized.

3.3. All backed-up data is stored for a specified period and automatically deleted according to the security policy.

4. THIRD-PARTY ACCESS TO DATA

4.1. Third-party access to the Company's systems is granted only for a limited period and based on a justified contract.

4.2. All partners are contractually bound to comply with data protection requirements.

4.3. Data transfer to government authorities occurs only in accordance with legal requirements and in legally justified cases.

5. FINAL PROVISIONS

5.1. This Policy is developed in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and other applicable laws of the Republic of Latvia.

5.2. The Company reserves the right to make changes or amendments to this Policy at any time, publishing updates on its official website www.irviss.lv.