Privacy policy

‍

Privacy policy

‍

‍

The Privacy Policy (hereinafter referred to as the "Privacy Policy") of the website www.watalook.lt (hereinafter referred to as the "Website") of UAB "Telas", legal entity code 304139032, registration address Mindaugo g. 14B, LT-03225 Vilnius, Lithuania (hereinafter referred to as the "Company"), explains how the Company, as the controller of the Personal Data, collects, uses, and otherwise processes the Personal Data when Data Subjects are visiting the website and using the features of the Website and the Mobile App, and informs about the rights of the Data Subject, as well as the ways in which they may exercise them. When processing personal data, the Company is guided by and complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as "GDPR"), the Law of the Republic of Lithuania on the Legal Protection of Personal Data, and any other applicable legal acts governing the protection of personal data. If you are using the Website and/or the Mobile Application, it means that you have read and understood this Privacy Policy and the purposes, grounds and procedures for the processing of Personal Data set out therein.

‍The controller of your personal data is UAB "Telas" (registered office address Mindaugo g. 14B, LT-03225 Vilnius, Lithuania) (hereinafter referred to as the "Company"). You can write to us at Mindaugo g. 14B, LT-03225 Vilnius, Lithuania, or by e-mail to hello@watalook.com. The Company informs that it does not transfer or otherwise disclose the Personal Data of the Data Subject, either gratuitously or not, to third parties, except as provided in paragraph 7 ("Transfer of Personal Data").

The Company seeks to protect the privacy of its Users and customers. This Privacy Policy is intended to inform you of how we collect, define and use personally identifiable information such as your name, email address, address, other contact details or online identifiers that you provide to us through your use of the Platform ("Personal Data"), and what cookies we use. Please take the time to read this privacy policy carefully.‍

‍

1. Definitions

‍1.1. Website – a website for searching, advertising, booking and managing beauty services www.watalook.lt;

1.2. Mobile App – an Application for searching, advertising, ordering and managing beauty services on the website www.watalook.lt on mobile devices;

1.3. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

1.4. Company (Data Controller) – UAB "Telas", a private joint stock company incorporated in the Republic of Lithuania, legal entity code 304139032, address - Partizanų g. 61, LT-49282 Kaunas;

1.5. Data Subject - a natural person whose data is processed by the Company (Visitors, Service Providers, Registered Visitors and/or other natural persons);

1.6. Person – a natural or legal person or their authorized representatives (legal person's representative: owner, shareholder, director or other authorized person of the legal person);

1.7. Visitor – A person who is not registered on the Website and/or Mobile Application and who has the right to view the information posted on the Website and/or Mobile Application;

1.8. Registered Visitor – A person who has registered on the Website and/or Mobile App and is entitled to use the services for searching and booking beauty services;

1.9. Service Provider – a Person who has registered on the Website and/or Mobile App and has the right to create a Personal Page, advertise the Beauty Services provided and/or administer their own Beauty Professionals, as well as to use the tools for the administration of the services provided on the Website and/or Mobile App;

1.10. Registration Type - the type of registration on the Website, which determines the scope of the Website services available to the Person and which the Person, depending on their needs, chooses when registering on the Website and/or the Mobile Application.

1.11. Personal page – a Personal Page created by an Individual during registration on the Website and/or Mobile Application, which, depending on the type of Registration selected, may be used to either order Beauty Services, offer Beauty Services or manage your Beauty Professionals;

1.12. Beauty specialist – A person who has registered on the Website and/or Mobile App by selecting the Registration Type "Beauty Specialist" and has created a Personal Page based on this registration to promote and offer beauty services;

1.13. Services - the services for searching and ordering beauty services and the advertising and administration of the beauty services provided by the Company on the Website and/or the Mobile App. For the purposes of this Privacy Policy, the Services provided on the Website and/or the Mobile Application include any and all actions that a Visitor may take on the Website and/or the Mobile Application, including, but not limited to, the use of the search facilities, the reading of posted information and the submission and receipt of information and/or data of any kind.

1.14. Account – the personal account of the Registered Visitor, Service Provider on the Website and/or Mobile Application;

1.15. Partners – shall be deemed to be such legal entities with whom the Company cooperates in providing the Services on the Website and/or Mobile Application;

1.16. A Cookie – is a small file that is sent to the device being used when any Person visits the Website and/or Mobile App;

1.17. Browser – a program used to display web pages on the web or on a personal computer;

1.18. Personal data – means any information relating to a natural person - the Data Subject - whose identity is known or can be established, directly or indirectly, by reference to data such as a personal identification number, one or more physical, physiological, psychological, economic, cultural or social characteristics specific to that person;

1.19. Privacy policy – this information document, which provides the basic rules for the collection, storage, and other processing of Personal Data when using the Website and/or Mobile Application;

1.20. Administrator – the person responsible for the administration of the Website and/or Mobile Application;

‍

1.21. Internet Protocol (IP) address – a unique number assigned to each computer connected to the internet;

1.22. Other terms used in this Privacy Policy correspond to the terms defined in the Site Rules and their meaning, unless certain terms are specifically defined in this Privacy Policy.

2. GENERAL PROVISIONS:

‍2.1. This Privacy Policy sets out the basic rules for the collection, storage and other processing of Personal Data and other information relevant to the Data Subject in connection with the use of the Website and the Mobile Application by the Data Subject and the Services provided on the Website and the Mobile Application.

2.2. This Privacy Policy is intended to inform Data Subjects about the Company's processing of Personal Data and regulates the basic principles and procedures for collecting, storing and otherwise processing Personal Data on the Website and the Mobile Application

2.3. Data Subjects may access this Privacy Policy at any time on the Website and the Mobile Application and may also download and print this document from the Website and the Mobile Application at any time.

2.4. This Privacy Policy applies in all cases where the Company receives Personal Data as a result of the Data Subject's visit to the Website and/or Mobile Application and/or use of the Website and/or Mobile Application Services.

2.5. In addition to this Privacy Policy, the collection, processing and storage of Personal Data on the Website and the Mobile Application is governed by the GDPR, the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania, and other directly applicable legal acts regulating the protection of personal data.

‍

3. COMPANY AND SERVICE PROVIDER

‍3.1. The Company hereby informs that for the purposes of compliance with the GDPR and other data protection legislation:

3.1.1. The Company is the controller of the personal data of the Visitors, Registered Visitors and the Service Provider;

3.1.2. The Service Provider is the controller of the Personal Data of the Service Provider's customers who subscribe to the Service Provider's services and the Company is the processor of the Personal Data;

3.1.3. In certain cases, the Service Provider and the Company act as independent controllers of Personal Data in relation to the Service Provider's customers (e.g. when sending individual promotional or other marketing communications from the Company or the Service Provider, etc.)

3.2. Where the Company and the Service Provider act as independent controllers of Personal Data, each party shall independently ensure that the processing of Personal Data under its control complies with the GDPR and other data protection legislation.

3.3. The Service Provider undertakes to notify the Company immediately, but no later than 24 hours after the Service Provider has become aware of any accidental or intentional corruption, alteration, destruction, unauthorised disclosure, loss, misuse, theft or other security incident to the personal data of any of its customers. The Service Provider undertakes to cooperate with the Company and to use its best endeavours to investigate, rectify, mitigate the consequences of any security incident involving the Customer's personal data and to comply with all obligations under the GDPR and other data protection legislation in relation to the Customer and the data protection supervisory authority.

‍

4.PRINCIPLES FOR PROCESSING PERSONAL DATA

‍4.1. In collecting, storing and otherwise processing Personal Data and other information relating to the Data Subject, the Company shall be guided by the following Personal Data Processing Principles:

4.1.1. Personal data is processed in a lawful, fair and transparent manner (principle of lawfulness, fairness and transparency). The Company will process Personal Data lawfully, i.e. only where the Personal Data is processed on the basis of a legal basis set out in the GDPR, such as:

4.1.1.1. The Data Subject has given consent to the processing of his or her Personal Data, or where it can be inferred that the Data Subject has consented to the use of his or her Personal Data for a specific purpose (e.g., entered an email address to receive the Company's newsletter, participated in a survey, emailed or otherwise made enquiries to the Company);

4.1.1.2. the conclusion or performance of a contract where the Data Subject is one of the parties;

4.1.1.3. The processing of Personal Data is necessary for the legitimate interest pursued by the Company or by the third party to whom the Personal Data of the Data Subject is provided, unless the interests of the latter are overriding.

4.1.2. Personal data shall be processed for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes (purpose limitation principle);

4.1.3. Personal data are appropriate, relevant and only necessary for the purposes for which they are processed (principle of data minimisation);

4.1.4. Personal data are accurate and updated as necessary (principle of accuracy);

4.1.5. Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed (the principle of limitation of storage period);

4.1.6. Personal data shall be processed in such a way as to ensure, through appropriate technical or organisational measures, adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality principle).

4.2 All information about the personal data processed is confidential.

‍

5. THE LEGAL BASIS FOR PROCESSING PERSONAL DATA

‍5.1. The Company will process the Personal Data of Data Subjects on the following legal grounds:

5.1.1 in the conclusion, performance, modification and administration of the contract (Art. 6(1)(b) GDPR);

‍

5.1.2 to comply with legal obligations and regulatory requirements applicable to the Company (GDPR 6(1)(c));

5.1.3. the legitimate interest of the Company (GDPR Article 6(1)(f));

5.1.4. implementing the consent given by the Data Subject (Art. 6(1)(a) GDPR).

5.2. To the extent and under the conditions set out in the applicable law, one or more of the above legal bases may apply to the processing of Personal Data of Data Subjects.

6. PURPOSES OF PROCESSING PERSONAL DATA

‍6.1. The Personal Data that the Company collects from the Data Subject depends on the Services of the Website and/or Mobile Application that the Data Subject subscribes to or uses and the Personal Data that the Data Subject provides to the Company when using the Services of the Website and/or Mobile Application and/or registering on the Website and/or Mobile Application.

6.2. The Company processes Personal Data of Data Subjects for the following purposes:

6.2.1. For the purpose of registering on the Site and using the services provided on the Site:

6.2.1.1. Data categories - User name; surname; phone number; email, password. Service provider online booking function (status - enabled/disabled); Facebook booking function (status - enabled/disabled); Instagram booking function (status - enabled/disabled); profile name and type; services and categories; address (street, house number, city) and facilities; opening hours; profile picture; gallery of work; description; social media profiles and links to social media site profiles; bookings; past bookings; customer contact details (name, surname, phone number, e-mail, photos, date of birthday (optional)); payment methods (electronic payments; on-site payments); disbursements; past disbursements; receipts; messages; testimonials; subscription invoices, device information and settings (e.g. language and time zone), operating system, browser type and version.

6.2.1.2. Legal basis for processing - contract formation, performance, modification, administration (Article 6(1)(b) GDPR).

‍

6.2.1.3. Time limit for data processing - If the Service Contract has been terminated without the use of the Company's Services, for the entire duration of the Service Contract and up to a maximum of 3 months thereafter. In all other cases, during the term of the Service Contract and for a maximum period of 5 years thereafter.

‍

6.2.1.4. We get our data from - directly from Data Subjects.

‍

6.2.1.5 We provide or transfer data - for data processors: marketing, sales service providers; communication system providers; server service providers.

‍

6.2.2. For the purpose of registering on the Mobile App and using the services provided by the Mobile App:

‍

6.2.2.1. Data categories - user name; surname; phone number; email. Service Provider online booking function (status - enabled/disabled); Facebook booking function (status - enabled/disabled); Instagram booking function (status - enabled/disabled); profile name and type; services and categories; address (street, house number, city) and facilities; opening hours; profile picture; gallery of work; description; social media profiles and links to social media site profiles; bookings; past bookings; customer contact details (name, surname, phone number,e-mail, photos, date of birthday (optional)); payment methods (electronic payments; on-site payments); disbursements; past disbursements; receipts; messages; testimonials; subscription invoices, device information and settings (e.g. language and time zone), operating system, Mobile App version

‍

6.2.2.2. Legal basis for processing - contract formation, performance, modification, administration (Article 6(1)(b) GDPR). The data subject's consent to the processing of personal data (Article 6(1)(a) GDPR).

‍

6.2.2.3. Time limit for data processing - if the Service Contract has been terminated without the use of the Company's Services, for the entire duration of the Service Contract and up to a maximum of 3 months thereafter. In all other cases, during the term of the Service Contract and for a maximum period of 5 years thereafter.

‍

6.2.2.4. We get our data from - Directly from Data Subjects. Information, such as Service Provider customer contacts (name, surname, phone number) or photos for work gallery or customer profile, We receive from Service Provider device. The Mobile App only receives this information if Service Provider actively agree to upload it to the Mobile App and chooses the contacts and photos they want to upload. 

‍

6.2.2.5 We provide or transfer data - For data processors: marketing and sales service providers; communication system service providers; server service providers; payment processing service providers.

‍

6.2.3. For the purpose of updating your personal profile created on the Website:

‍

6.2.3.1. Data categories - Registered visitor's city; country; list of favourite professionals; payments made (date, ID, amount, information, status, actions); payment history; payment card details (name, card number, card expiry date, CVV number); reviews left, password, device information and settings (e.g. language and time zone), operating system, browser type and version.

‍

6.2.3.2. Legal basis for processing - The data subject's consent to the processing of personal data (Article 6(1)(a) GDPR).

‍

6.2.3.3. Time limit for data processing - Data processed on the legal basis of consent shall be processed for as long as the Data Subject's consent is valid, but not longer than 2 (two) years.

‍

6.2.3.4. We get our data from - directly from Data Subjects.

‍

6.2.3.5 We provide or transfer data - for data processors: marketing and sales service providers; communication system service providers; server service providers; payment processing service providers.

‍

6.2.4. For the purpose of updating your personal profile created on the Mobile Application: 

‍

6.2.4.1. Data categories - Registered visitor's city; country; list of favourite professionals; payments made (date, ID, amount, information, status, actions); payment history; payment card details (name, card number, card expiry date, CVV number); reviews left, password, device information and settings (e.g. language and time zone), operating system, Mobile App version.

‍

6.2.4.2. Legal basis for processing - the data subject's consent to the processing of personal data (Article 6(1)(a) GDPR).

‍

6.2.4.3. Time limit for data processing - data processed on the legal basis of consent shall be processed for as long as the Data Subject's consent is valid, but not longer than 2 (two) years.

‍

6.2.4.4. We get our data from - directly from Data Subjects.

‍

6.2.4.5 We provide or transfer data - for data processors: marketing and sales service providers; communication system service providers; server service providers; payment processing service providers.

‍

6.2.5. For the purpose of sending notifications, offers and information by email, SMS, push notifications:

‍

6.2.5.1. Data categories - name; surname; email address; telephone number; user ID; city; country; category of service provided.

‍

6.2.5.2. Legal basis for processing - the data subject's consent to the processing of personal data (Article 6(1)(a) GDPR). The legitimate interest of the company (Article 6(1)(f) of the GDPR, Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 69(2) of the Law on electronic communications): send general and personalised offers and information; send active messages in the Mobile app.

‍

6.2.5.3. Time limit for data processing - data processed on the legal basis of consent shall be processed for as long as the Data Subject's consent is valid, but not longer than 2 (two) years.

‍

6.2.5.4. We get our data from - directly from Data Subjects.

‍

6.2.5.5 We provide or transfer data - for data processors: marketing, sales service providers; communication system providers; server service providers. Social network managers (Facebook, Instagram); search engine managers (Google).

‍

6.2.6. For the purpose of managing and administering the company's social media accounts (Facebook, Instagram, LinkedIn):

‍

6.2.6.1. Data categories - the name of the person's social network account; the person's photo; the person's reactions to the content generated by the Company (likes, comments, shares).

‍

6.2.6.2. Legal basis for processing - the data subject's consent to the processing of personal data (Article 6(1)(a) GDPR). The legitimate interest of the company in managing its social media profiles (Article 6(1)(f) GDPR).

‍

6.2.6.3. Time limit for data processing - personal data shall be processed for as long as the Company's or the Data Subject's social network account is valid, unless the Data Subject expresses their wish to delete their data contained in the Company's social network accounts earlier.

‍

6.2.6.4. We get our data from - directly from Data Subjects.

‍

6.2.6.5 We provide or transfer data - social network managers (Facebook, Instagram); search engine managers (Google).

‍

6.2.7. For the purpose of customer service (for the purpose of managing requests, enquiries, complaints or other communications from stakeholders with the Company):

‍

6.2.7.1. Data categories - name; surname; email address; telephone number; content of the request, enquiry, complaint or other communication; date and time of contact with the Company.

‍

6.2.7.2. Legal basis for processing - the data subject's consent to the processing of personal data (Article 6(1)(a) GDPR).

‍

6.2.7.3. Time limit for data processing - personal data shall be processed for as long as the Data Subject's consent is valid, but no longer than 2 (two) years.

‍

6.2.7.4. We get our data from - directly from Data Subjects.

‍

6.2.7.5 We provide or transfer data - for data processors: providers of communication systems; providers of server services.

‍

6.2.8. Ensuring the functionalities of the Website and the Mobile Application, administration of the Website and the Mobile Application and diagnosing possible malfunctions of the Website and the Mobile Application, statistical analysis to find out the needs of the Data Subjects in relation to certain functions and to analyse how and where to use the available resources most efficiently:

‍

6.2.8.1. Data categories - data generated through the use of the means of communication and the Services of the Website and the Mobile Application, including, but not limited to, traffic data such as the start date, time, duration, Internet Protocol (IP) address used by the Internet user at the time of connection, server log files, etc. Service usage data, including, but not limited to, data collected through the use of Web Browsers, such as Media Access Control (MAC), computer or mobile device type, screen resolution, operating systems, Mobile App version, etc.; and data collected through the use of Cookies, Pixel Tags, Web Beacons, and similar technologies in connection with your browsing experience.

‍

6.2.8.2. Legal basis for processing - the data subject's consent to the processing of personal data (Article 6(1)(a) GDPR). The legitimate interest of the Company in analysing data for the purposes of administering, improving the operation of the Website and improving the Company's business (Article 6(1)(f) of GDPR).

‍

6.2.8.3. Time limit for data processing - personal data shall be processed for as long as the Data Subject's consent is valid, but no longer than 2 (two) years.

‍

6.2.8.4. We get our data from - directly from Data Subjects.

‍

6.2.8.5 We provide or transfer data - for data processors: providers of communication systems; providers of server services; providers of IT services.

‍

6.2.9. Recording of telephone conversations in and out of the Company for the purpose of ensuring the objectivity of the quality of service, requests and complaints handling:

‍

6.2.9.1. Data categories - recording of the telephone call; content of the telephone call; start time of the telephone call; duration of the call; call waiting time; caller's telephone number; telephone number of the person who answered.

‍

6.2.9.2. Legal basis for processing - legitimate Companies (Article 6(1)(f) GDPR).

‍

6.2.9.3. Time limit for data processing - personal data is stored for a maximum of 1 year. After the expiry of the retention period, the chat recordings will be automatically deleted.

‍

6.2.9.4. We get our data from - directly from Data Subjects.

‍

6.2.9.5 We provide or transfer data - for data processors: providers of communication systems.

‍

6.2.10. For the purpose of the Company's Partners' communication with Data Subjects, for the purpose of sending gifts to Data Subjects:

‍

6.2.10.1. Data categories - name; work address; telephone number; email address; primary category of service provided.

‍

6.2.10.2. Legal basis for processing - The legitimate interest of the Company to ensure the quality of the services provided (Article 6(1)(f) GDPR).

‍

6.2.10.3. Time limit for data processing - personal data shall be processed for as long as the Data Subject's consent is valid, but no longer than 2 (two) years.

‍

6.2.10.4. We get our data from - directly from Data Subjects.

‍

6.2.10.5 We provide or transfer data - for Partners of the Company. . For data processors: server service providers.

‍

6.2.11 For the purpose of the Company's Partners' communication with Data Subjects, for the purpose of sending gifts to Data Subjects:

‍

6.2.11.1 Data categories - Name; work address; telephone number; email address; primary category of provided services.

‍

6.2.11.2 Legal basis for processing - The data subject's consent to the processing of personal data (Article 6(1)(a) GDPR).‍

‍

6.2.11.3 Time limit for data processing - Personal data shall be processed for as long as the Data Subject's consent is valid, but no longer than 2 (two) years. 

‍

6.2.11.4 We get our data from - Directly from Data Subjects.

‍

6.2.11.5. We provide or transfer data - For Partners of the Company. 

For data processors: server service providers.

‍

‍6.2.12. For the purpose of administering the Service Providers' revenues generated by the use of the Companies provided payment infrastructure via Website and Mobile Application and for the purpose of transmitting information to the State Tax Inspectorate. 

6.2.12.1 Categories of data - Service Provider's name, surname, date of birth/Individual Activity Certificate number or company name and code; address; tax and VAT identification number (if any); country of residence; bank account number to which the consideration for the service or goods provided has been paid or credited.

6.2.12.2 The legal basis for processing - performance of a legal obligation (Article 6(1)(c) GDPR).

6.2.12.3 Term of processing - Personal Data shall be processed for as long as the Service Provider uses the Website and Mobile Application services and for a period of 5 (five) years from the end of the calendar year in which the use of the services ceased. 

6.2.12.4 We receive Data from - Directly from Data Subjects.

6.2.12.5 We provide or transfer - to the State Tax Inspectorate. To data processors: server service providers and accounting service providers.

6.2.12.6 We would like to point out that if your personal data is transferred to the State Tax Inspectorate, we will inform you about it. In addition, this legal obligation does not apply to Service Providers who have received less than 30 payments through the Companies provided payment infrastructure via Website and the Mobile Application and whose remuneration for doing so has not exceeded 2,000 Euros per calendar year.

‍

‍

6.3. The Company shall collect, store and otherwise process the Personal Data of the Data Subject, which the Data Subject provides and/or the Company receives in the cases provided for in Clause 6.2 of this Privacy Policy, to the extent and for the purposes provided for in this Privacy Policy.

‍

6.4. Personal data may be retained for longer periods than set out in Section 6.2 of this Privacy Policy at the Company's discretion if there are reasonable grounds to believe that the Personal data may be needed for the investigation of a criminal offence or other incident, or other event that has caused damage to the Company. In such a case, the Personal Data shall be retained until such time as an appropriate decision or conclusion is made by law enforcement authorities or a court in relation to the criminal offence, or any other decision or conclusion by the persons investigating the incident or by other persons investigating the event that has caused damage to the Company.

‍

‍

7. TRANSFER OF PERSONAL DATA

‍

7.1. The Company informs that it does not transfer, either for consideration or without consideration, or otherwise disclose the Personal Data of the Data Subject to third parties, except in the cases specified below:

‍

7.1.1. At the request and/or consent of the Data Subject;

‍

7.1.2. Partners of the Company or other authorized third parties (data processors) who process Personal Data of Data Subjects on behalf of the Company and for the purposes set out by the Company and specified in this Privacy Policy, i.e., server service providers, Website or Mobile Application Administrators, mail delivery companies, etc.

‍

7.1.3. To law enforcement and/or law enforcement authorities, bodies and/or other recipients of Personal Data to whom the data must be transferred in accordance with legal requirements.

‍

7.2. When the Data Subject makes a prepayment through the Website or Mobile Application, the Company transfers the payment data to a third party that provides a payment service to the Company - Stripe Payments Europe Limited. The transferred data are: name; surname; address; telephone number; email address; payment card details (card number, CVC, card expiry date. The Company only receives the following payment-related data from Stripe Payments Europe Limited: information about the payment received - identity of the person who made the payment; date of payment; link to the generated electronic invoice. The Company informs that the processing of data by Stripe Payments Europe Limited is subject to the Stripe Inc. Privacy Policy, which the Company recommends to read

‍

7.3. When the Data Subject makes a payment via the Company’s leased payment terminal (card reader) to the Service provider after the service was provided , the Company transfers the payment data to a third party that provides a payment service to the Company – Adyen N.V. The transferred data are: payment card details (card number, CVC, card expiry date). The Company only receives the following payment-related data from Adyen N.V.: date of payment; link to the generated electronic invoice. The Company informs that the processing of data by Adyen N.V. is subject to the Adyen N.V. Privacy Policy, which the Company recommends to read. 

‍

7.4. The Company informs that when linking the Service Provider's account to Facebook or Instagram, the processing of Personal Data is also subject to the Facebook Privacy Policy of Meta Platforms Ireland Limited and the Instagram Privacy Policy of Meta Platforms Ireland Limited, which describe in detail how the Personal Data of Data Subjects are processed.

‍

7.5. When transferring Personal Data in the case referred to in Clause 7.1.2. of this Privacy Policy, the Company shall require authorised third parties to process Personal Data of Data Subjects solely in accordance with the instructions given by the Company, for the purposes specified by the Company and in accordance with this Privacy Policy, the laws on legal protection of Personal Data and the data processing agreements entered into between the Company and the authorised third parties.

‍

7.6. In order to fulfil a legitimate purpose and on a lawful basis, the Company may transfer the Personal Data of Data Subjects to entities outside the European Economic Area (EEA) (e.g. if the Company's processors or recipients of Personal Data are established outside the EEA). In the event that Personal Data is transferred from the EEA to countries that are not recognised by the European Commission as providing an adequate level of protection for Personal Data, the Company shall take all appropriate measures to protect the Personal Data of the Data Subject (e.g., by basing the transfer of Personal Data on the standard contractual terms and conditions for data transfer agreements approved by the European Commission).

‍

8. RIGHTS OF DATA SUBJECTS AND THEIR IMPLEMENTATION

‍

8.1. Data subjects whose Personal Data is processed by the Company have the following rights:

‍

8.1.1. The right to be informed about the processing of Personal Data by the Company. The Data Subject shall have the right to obtain information about the Personal Data processed by the Company, the sources of the Personal Data, the purposes of the processing, the legal grounds, the retention period and the persons, data recipients or data processors, the rights of the Data Subject, etc.;

‍

8.1.2. The right of access to Personal Data processed by the Company. The data subject shall have the right to access and obtain a copy of his or her Personal Data processed;

‍

8.1.3. The right to request rectification of Personal Data processed by the Company. The Data Subject shall have the right to request the rectification of inaccurate Personal Data processed by the Company;

‍

8.1.4. The right to request erasure. The Data Subject shall have the right to request the erasure of his or her Personal Data if they are no longer necessary for the purpose for which they were collected, the Data Subject has withdrawn consent to the processing of his or her Personal Data, if the processing was based on the consent of the Data Subject, we are processing the Data Subject's Personal Data on the basis of legitimate interest and the Data Subject objects to such processing and there are no overriding legitimate reasons for processing the data, we are required to delete the Data Subject's Personal Data in order to comply with a legal obligation imposed on the Company, or the Data Subject's Personal Data has been processed unlawfully.

‍

8.1.5. The right to restrict processing. The Data Subject shall have the right to restrict the processing of Personal Data by the Company if the Data Subject disputes the accuracy of the data and the Company carries out a related check, if the Personal Data of the Data Subject have been unlawfully processed but the Data Subject does not consent to the erasure of the data, if the Personal Data of the Data Subject are no longer necessary for the purpose, for which it was collected, but is necessary for the establishment, exercise or defence of legal claims by the Data Subject, if the Data Subject has objected to the processing as described below, pending verification that the Company's legitimate reasons override those of the Data Subject.

‍

8.1.6. The right to object to processing. The Data Subject shall have the right to object to the processing of Personal Data of the Data Subject by the Company for direct marketing purposes, the right to object to the processing of Personal Data in the public interest or in the legitimate interests of the Company, unless these interests are overridden by the Data Subject's reasons.

‍

8.1.7. The right to portability of Personal Data. The Data Subject shall have the right to receive the Personal Data he or she has provided to the Company, or to request the transfer of such Personal Data to another controller in a structured, commonly used and computer-readable format, provided that the processing of the Personal Data of the Data Subject is based on the Data Subject's consent or on an agreement between the Data Subject and the Company and the processing of the Personal Data of the Data Subjects is carried out by automatic means.

‍

8.1.8. The right to lodge a complaint with the State Data Protection Inspectorate. In the event that the Data Subject considers that their rights have been violated, the Data Subject shall have the right to contact the State Data Protection Inspectorate.

‍

8.2. The data subject may contact the Company at the contact e-mail address hello@watalook.com to exercise their rights. Before exercising the Data Subject's right(s), the Company shall have the right to request the Data Subject to provide proof of identity.

‍

8.3. The Company hereby informs that the exercise of the above-mentioned rights may depend on the conditions for the exercise of the specific right set out in the legislation, and therefore, in the event of specific grounds set out in the legislation, the Company shall have the right to refuse to comply with the Data Subject's request to exercise the specific right on the grounds stated in the legislation.

‍

8.4. Responses to Data Subjects' requests for the exercise of their rights shall be provided promptly, but at the latest within 30 calendar days from the date of receipt of such request. This period may be extended by a further two months if necessary, depending on the complexity of the request and the number of requests. The Company shall inform the Data Subject of such extension within one month of receipt of the request, together with the reasons for the delay. Such Personal Data shall be provided to the Data Subject in writing at the request of the Data Subject. Personal Data shall be provided to the Data Subject free of charge. The Company shall have the right to request a reasonable fee if the Data Subject's requests are manifestly unfounded, repetitive or excessive.

‍

‍

9. DIRECT MARKETING MESSAGES

‍

9.1. The Company shall have the right to process the Personal Data of Data Subjects for the purpose of sending direct marketing communications with the free prior consent of the Data Subject to such processing of Personal Data. The Data Subject may always withdraw the consent given by contacting the Company by e-mail at hello@watalook.com and/or by using the instructions provided in each message.

‍

9.2. Withdrawal of consent shall not affect the lawfulness of processing based on consent carried out before the withdrawal of consent

‍

9.3. In addition, the Company may use the Data Subject's personal data for its own marketing of similar services on the basis of the Company's legitimate interest and the terms and conditions for sending such communications set out in law. The Data Subject may object to this in advance by contacting the Company at hello@watalook.com. The Data Subject may subsequently object to or opt-out of such use of Personal Data by contacting the Company at hello@watalook.com and/or by using the instructions provided in each message.

‍

‍

10. PROFILING

‍

10.1. The Company may use the Personal Data of the Data Subject for profiling only with the prior written consent of the Data Subject.

‍

10.2. The Company shall not use automated decision-making processes, including profiling, which may result in legal consequences for the Data Subject or have a similarly significant effect, when processing the Data Subject's Personal Data for the purposes set out in this Privacy Policy.

‍

10.3. The Company may, with the consent of the Data Subject, process the Personal Data of the Data Subject by automated means in order to classify the Data Subject as a relevant customer category and to provide tailored commercial offers that are relevant to the Data Subject's needs, and the Data Subject shall therefore have the right to request human intervention in order to express their opinion or to object to such classification.

‍

‍

11. PERSONAL DATA PROTECTION

‍

11.1. In order to implement and ensure the protection of Personal Data, the Company shall implement appropriate organisational and technical measures to ensure the security of Personal Data to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, as well as any other unauthorised processing, including but not limited to:

‍

11.1.1. administrative (establishing procedures for the secure management of documents and computer data and their archives, as well as for the organisation of the work of the various activities, familiarising staff with the protection of personal data at the time of recruitment and at the end of the employment or similar relationship, etc);

‍

11.1.2. hardware and software security (administration of service stations, information systems and databases, maintenance of workstations, Company premises, protection of operating systems, protection against computer viruses, etc.);

‍

11.1.3. Protecting communications and computer networks (firewalling shared data, applications, unwanted data packets, etc.)

‍

11.2. The Company shall ensure that it makes every effort to protect the Personal Data of Data Subjects against loss, unauthorised use and alteration. The premises where the collected data is stored shall be physically protected against access by unauthorised persons. The database storing the Personal Data of Data Subjects shall be secured against unauthorised access through computer networks. The Company also uses software and other measures to protect the data of all Data Subjects.

‍

11.3. Notwithstanding the foregoing obligations of the Company to use its best efforts to protect the Personal Data collected and processed, the Data Subject unconditionally undertakes and agrees that he/she personally guarantees the confidentiality of their Personal Data and the proper observance of the other obligations relating to the security of such data as set out in the Website Rules, and further confirms that

‍

11.3.1. in all cases, the Registered Visitor and/or the Service Provider shall be personally liable for any damage caused to him/her and/or third parties as a result of the provision of incorrect and/or incomplete Personal Data or the failure to amend and supplement Personal Data after changes to the Personal Data have occurred. In no case shall the Company be liable for damages on this basis.

‍

11.3.2. undertakes to ensure the confidentiality of the Personal Data required to log in to the Personal Page created in accordance with the selected Registration Type or otherwise use the Services, and is personally responsible for ensuring the proper confidentiality of such data, and undertakes not to disclose the Personal Data to third parties and to ensure that no third parties use their Personal Data to access the Services.

‍

11.3.3. shall be liable for any acts of third parties, if any, committed through the use of the Registered Visitor's or Service Provider's Personal Data, and all obligations and liabilities arising from or in connection with the acts of third parties committed through the use of the Registered Visitor's or Service Provider's Personal Data shall be borne to the maximum extent by the Registered Visitor and/or Service Provider.

‍

‍

12. COOKIES

‍

The Company hereby informs you that the Website uses Cookies. More information about Cookies can be found in the Company's "Cookie Policy", which is an integral part of the Privacy Policy.

‍

‍

13. RIGHT TO COMPLAIN

‍

Data subjects who believe that their rights have been violated may always contact the Company by e-mail at hello@watalook.com and/or file a complaint with the State Data Protection Inspectorate (L. Sapiegos g. 17, LT-10312 Vilnius, by e-mail ada@ada.lt).

‍

‍

14. CONTACTS

‍

‍

14.1. The Data Controller that processes the Personal Data referred to in this Privacy Policy when you use the Company's Website and/or Services is:

‍

UAB "Telas"

Legal entity code 304139032

Address Mindaugo g. 14B, LT-03225 Vilnius

‍

14.2. For any questions and additional information related to this Privacy Policy, the Data Subject may contact the Company using the contact details provided below:

‍

hello@watalook.com

+3705214 4092

‍

‍

‍

15. VALIDITY AND CHANGES TO THE PRIVACY POLICY

‍

15.1. The Privacy Policy is a living, constantly changing document, and the Company has the right to update and change it at any time. Data Subjects will be informed of any changes to the Privacy Policy on the Website, and Registered Visitors and Service Providers will be informed of such changes by the Company's notice sent to the Registered Visitors' and Service Providers' email addresses provided during registration on the Website and/or the Mobile Application.

‍

15.2.Amendments or changes to the Privacy Policy shall come into force from the date of their publication, i.e. from the date they are posted on the Website.

‍

This Privacy Policy is effective from 18 August June 2023.

‍

‍