Privacy Policy
This page sets out what personal data Livonia Data Lab SIA collects on livoniadatalab.lv and in the course of working with clients, why and on what legal basis we process it, and how you can control it.
Version dated 16 July 2026 · applies to livoniadatalab.lv01 Who we are and the scope of this policy
The controller of personal data (pārzinis within the meaning of Article 4(7) of the General Data Protection Regulation, Regulation (EU) 2016/679, hereinafter the GDPR) is:
- Livonia Data Lab SIA, Reg. Nr. 40000000000
- Registered address: Rīga, Latvia
- Email: privacy@livoniadatalab.lv
- Phone: +371 20 000 000
This policy applies to the processing of personal data when you visit livoniadatalab.lv, when you send us enquiries and messages, and when development contracts are concluded and performed. It does not apply to third-party sites that our materials may link to — such resources have their own policies.
We have not appointed a data protection officer (DPO), as we do not meet the criteria of Article 37 of the GDPR: our core activity does not involve systematic monitoring of data subjects on a large scale or the processing of special categories of data. For any data protection matter, write to privacy@livoniadatalab.lv.
If, as part of a project, we process the data of your site's or application's users on your instructions, then in relation to that data we act as a processor (Article 28 of the GDPR) and you remain the controller. Such processing is governed by a separate data processing agreement (DPA), not by this policy.
02 What data we collect
We follow the principle of data minimisation: we collect only what we cannot do without in order to answer an enquiry, carry out the work or keep the site running.
Data you provide yourself
- Contact forms and enquiries: your name, email address, phone number (if you provide one), company name and the text of your enquiry describing the task.
- Correspondence: the content of emails, messenger messages and attachments you send us, including technical project materials.
- Client data under a contract: company details, registration and VAT number, registered address, contact persons on the client's side, and bank details for invoicing.
Technical data
- IP address (in hosting logs it is stored in truncated or full form depending on the provider's settings), together with the date and time of the request.
- Browser type and version, operating system, interface language, device type and screen resolution.
- Requested URLs, referrer (the page you came from), server response codes and the volume of data transferred.
Analytics
If you have consented to analytics cookies, we collect anonymised visit statistics: pages viewed, scroll depth, referral source, approximate location at city or country level, and session duration. We do not use this data for profiling and do not take decisions on the basis of it that produce legal effects for you. For details, see the Cookies Policy.
We do not collect special categories of data (health, origin, beliefs, biometrics) and do not request payment details through the site — invoices are issued and paid outside it.
In plain words. We do not sell your data or pass it to advertising brokers, we do not buy contact databases, we do not email people who never wrote to us, and we do not use the contact details from an enquiry for anything other than replying to it and working on the project.
03 Legal bases for processing
Each type of processing relies on one of the grounds in Article 6(1) of the GDPR.
- Consent — Article 6(1)(a). This applies to analytics and marketing cookies, and to the newsletter if you have subscribed to it. Consent is voluntary and you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before it.
- Performance of a contract or steps taken prior to entering into one — Article 6(1)(b). On this basis we process data when preparing an estimate at your request, when concluding a contract and during the work itself: project correspondence, delivery of designs, access credentials, acceptance.
- Compliance with a legal obligation — Article 6(1)(c). Retention of accounting and tax documents in accordance with the law of the Republic of Latvia, including the Accounting Law (Grāmatvedības likums) and tax rules.
- Legitimate interest — Article 6(1)(f). Maintaining the technical security of the site and protecting it against abuse, keeping server logs, anti-spam filtering of forms, replying to enquiries that reach us outside a contract, and establishing and defending legal claims. We have carried out a balancing test and consider that such processing does not override your rights and reasonable expectations; you have the right to object to it (see section 08).
04 Purposes of processing
We process data only for purposes defined in advance and for purposes compatible with them:
- to answer an enquiry and prepare an assessment and estimate for your task;
- to conclude a contract, carry out the work, agree the result and hand it over;
- to issue invoices, accept payment and meet accounting and tax requirements;
- to provide warranty support and maintenance after launch;
- to keep the site working, available and secure, and to detect failures and attacks;
- to understand which pages are useful to visitors and improve the structure of the site (only where consent to analytics has been given);
- to conduct business correspondence and retain evidence of what was agreed in case of a dispute.
If we need to process your data for a new purpose that is incompatible with the original one, we will tell you in advance and, where required, ask for your consent.
05 Disclosure to third parties and processors
We do not sell personal data and do not pass it to third parties for marketing purposes. Access to data is given only to those service providers without whom our work would be impossible. Such providers act as processors on our documented instructions, under contracts that meet the requirements of Article 28 of the GDPR.
- Hosting provider and CDN — hosting of the site, server logs, backups, DDoS protection.
- Email provider — receipt and storage of business correspondence, delivery of notifications from site forms.
- Web analytics service — collection of anonymised visit statistics where you have given consent.
- Accounting services — preparation of invoices and reports; access is limited to company details and payment data.
- Payment institutions and banks — execution of transfers against issued invoices; such organisations act as independent controllers.
In addition, we may disclose data to public authorities — courts, the police, the tax administration, the data protection supervisory authority — where this is required by law or necessary to establish, exercise or defend legal claims. In such cases we verify that the request is lawful and disclose the minimum amount of information necessary.
In the event of a reorganisation or a sale of the business, data may pass to the successor; we will notify you of this and ensure that the level of protection provided for in this policy is maintained.
06 Transfers outside the EEA
We seek to keep data within the European Economic Area and choose providers with infrastructure in the EU by default.
Nevertheless, individual providers (for example, analytics or email infrastructure services) may process data in third countries, primarily the United States. Such a transfer takes place only where one of the safeguards in Chapter V of the GDPR is in place:
- an adequacy decision of the European Commission (Article 45) — for example, the recipient's participation in the EU—US Data Privacy Framework;
- the European Commission's standard contractual clauses (Article 46(2)(c)) combined with a transfer impact assessment and supplementary technical measures such as encryption and pseudonymisation;
- other safeguards provided for by the Regulation, or the explicit derogations in Article 49.
You have the right to ask us for information about the safeguards applied and to obtain a copy of the relevant documents by sending a request to privacy@livoniadatalab.lv.
07 Retention periods
We keep personal data no longer than is necessary for the purposes of processing, or for the period laid down by law.
| Data category | Retention period | Reason |
|---|---|---|
| Enquiries and messages that did not lead to a contract | Up to 12 months from the last contact | Legitimate interest: returning to the discussion, history of correspondence |
| Project correspondence and client materials | The term of the contract and 2 years after it ends | Warranty obligations, defence of legal claims |
| Contracts, invoices, acceptance certificates, accounting documents | 5 years (certain documents — 10 years) | Legal obligation under the law of Latvia |
| Web server logs | Up to 12 months | Legitimate interest: security and diagnosis of failures |
| Analytics data and cookies | For the lifetime of the cookie, but no more than 14 months | Consent; see the Cookies Policy |
Once the period expires, data is deleted or irreversibly anonymised. Where deletion is technically difficult (in backups, for example), we restrict the processing of such data until deletion becomes possible in the course of the regular backup rotation.
08 Your rights as a data subject
The GDPR gives you the following rights in relation to your personal data.
- Right of access (Article 15) — to find out whether we process your data and to obtain a copy of it together with information on the purposes, categories, recipients and retention periods.
- Right to rectification (Article 16) — to require inaccurate data to be corrected and incomplete data to be completed.
- Right to erasure, the "right to be forgotten" (Article 17) — to require data to be deleted where it is no longer needed for the purposes of processing, where you have withdrawn consent and there is no other basis, or where the processing was unlawful. The right does not apply to data we are obliged by law to keep.
- Right to restriction of processing (Article 18) — to require processing to be suspended temporarily, for example while the accuracy of the data is being verified or your objection is being considered.
- Right to data portability (Article 20) — to receive the data you provided on the basis of consent or a contract in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Article 21) — to object to processing based on legitimate interest. We will stop the processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing unconditionally and at any time.
- Right to withdraw consent (Article 7(3)) — at any time and as easily as it was given. Withdrawal does not affect the lawfulness of processing carried out before it.
- Right not to be subject to an automated decision (Article 22) — we do not take decisions based solely on automated processing, including profiling.
How to exercise your rights
Send a request to privacy@livoniadatalab.lv or to Rīga, Latvia. We reply within one month of receiving the request; for complex or numerous requests the period may be extended by a further two months, and we will notify you within the first month, stating the reasons. Exercising your rights is free of charge; where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse, giving reasons for the refusal.
So as not to disclose data to the wrong person, we may ask you to confirm your identity — for example, by sending the request from an email address you have given us before, or by providing additional information for identification.
Right to lodge a complaint
If you believe that we have infringed your rights, you may lodge a complaint with the supervisory authority in your place of residence, place of work or the place of the alleged infringement. In Latvia this is the State Data Inspectorate of Latvia — Datu valsts inspekcija, Rīga, Latvia. We would be grateful if you wrote to us before turning to the inspectorate: most questions can be settled directly and more quickly. You are also entitled to bring the matter before a court.
09 Data security
In accordance with Article 32 of the GDPR we take technical and organisational measures proportionate to the risks of processing:
- encryption of traffic over HTTPS (TLS) on all pages of the site;
- access control on the least-privilege principle: only staff who need data for their work have access to it;
- two-factor authentication in services where it is available, and a password manager instead of shared accounts;
- regular updates of server and application software, backups and restore testing;
- confidentiality undertakings for staff and contractors, and data processing agreements with providers;
- separate development and production environments; anonymised or synthetic data is used for testing.
No method of transmitting and storing data offers absolute protection. In the event of a personal data breach entailing a risk to your rights and freedoms, we will notify Datu valsts inspekcija within 72 hours and, where the risk is high, you as well, without undue delay.
10 Children's data
Our site and services are addressed to legal entities and to adult representatives of businesses. We do not knowingly collect the personal data of persons under 16 and do not address our materials to them.
If you are a parent or guardian and believe that a child has given us their data, write to privacy@livoniadatalab.lv — we will look into it and delete such data without undue delay, unless there is another legal basis for keeping it.
11 Changes to this policy and contacts
We may update this policy — for example, when the law changes, when our set of providers changes, or when the functionality of the site changes. The current version is always published on this page together with its date. The date of the version in force is 16 July 2026.
Changes take effect from the moment of publication. If amendments materially affect your rights or extend the purposes of processing, we will notify you in advance by an appropriate means and, where the law requires it, ask for fresh consent. We recommend reviewing this page from time to time.
For any questions about personal data and this policy:
- Data protection questions: privacy@livoniadatalab.lv
- General questions: hello@livoniadatalab.lv
- Phone: +371 20 000 000
- Postal address: Livonia Data Lab SIA, Reg. Nr. 40000000000, Rīga, Latvia
Related documents: Cookies Policy and Terms of Service. You can also write to us through the contact page.