PRIVACY POLICY
PRIVACY AND COOKIES POLICY
1. General Information
1.1. This Privacy and Cookies Policy explains how personal data are collected, processed, and stored by Orheja, Ltd, registration number 40003901805 (hereinafter Controller), when operating the online store available at https://mattilde.lv.
1.2. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), the Personal Data Processing Law of the Republic of Latvia, and other applicable legal acts of the European Union and the Republic of Latvia.
1.3. A data subject is any natural person whose personal data are processed by the Controller.
---
2. Purposes and Legal Basis for Processing
The Controller processes personal data only for specific, explicit, and legitimate purposes, including:
– processing and delivery of orders (GDPR Article 6(1)(b));
– customer communication and support (GDPR Article 6(1)(b) and (f));
– accounting, invoicing, tax compliance, and fulfillment of legal obligations (GDPR Article 6(1)(c));
– ensuring website security, functionality, fraud prevention, and system integrity (GDPR Article 6(1)(f));
– marketing communications and newsletters, where the data subject has given explicit consent (GDPR Article 6(1)(a));
– website analytics, conversion tracking, and performance optimization, subject to consent where required.
---
3. Categories of Personal Data
The Controller may process the following categories of personal data:
– first name and last name;
– e-mail address;
– telephone number;
– delivery and billing address;
– order and transaction details;
– payment-related information (payment card data are not stored by the Controller);
– correspondence and customer support communication;
– technical data such as IP address, device identifiers, browser type, operating system, and cookies.
The Controller does not store full payment card details.
---
4. Recipients of Personal Data
Personal data may be disclosed, only to the extent necessary, to the following categories of recipients:
– payment service providers;
– accounting, tax, and financial service providers;
– courier, postal, and delivery service providers;
– IT infrastructure, hosting, website maintenance, analytics, and marketing service providers;
– public authorities, where required by applicable law.
---
5. International Data Transfers
Due to the use of international service providers (including the e-commerce platform, payment processors, analytics, and advertising partners), personal data may be transferred outside the European Economic Area, including to countries such as the United States.
In such cases, the Controller ensures appropriate safeguards in accordance with GDPR, including the use of Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.
---
6. Data Retention Period
Personal data are stored only for as long as necessary for the purposes of processing or as required by applicable law, including:
– order and transaction data – up to 5 years in accordance with accounting and legal requirements;
– marketing data – until consent is withdrawn;
– customer account data – until the account is deleted;
– technical and analytical data – up to 12 months, unless a longer retention period is legally required.
---
7. Rights of the Data Subject
The data subject has the right to:
– access their personal data;
– request rectification of inaccurate or incomplete data;
– request erasure of personal data (“right to be forgotten”);
– request restriction of processing;
– object to the processing of personal data;
– receive personal data in a structured, commonly used, and machine-readable format (data portability);
– withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
Requests may be submitted by contacting the Controller at: [e-mail address].
---
8. Automated Decision-Making and Profiling
The Controller does not carry out fully automated decision-making, including profiling, that produces legal effects concerning the data subject or similarly significantly affects the data subject.
---
9. Minors
The website and services are not intended for individuals under the age of 18. The Controller does not knowingly collect personal data from children. If such data are identified, they will be deleted without undue delay.
---
10. Complaints and Supervisory Authority
The data subject has the right to lodge a complaint with a supervisory authority and to seek judicial remedy without prejudice to any other administrative or judicial remedies.
In Latvia, the supervisory authority is:
Data State Inspectorate of the Republic of Latvia
https://www.dvi.gov.lv
---
11. Data Security
The Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction.
---
12. Cookies Policy
The website uses cookies and similar technologies to ensure proper website operation, improve user experience, analyze website traffic, measure conversions, and provide personalized advertising.
Types of cookies used:
– strictly necessary cookies required for website functionality;
– analytical cookies (e.g. Google Analytics) used to collect statistical information;
– marketing cookies (e.g. Meta Pixel, Google Ads) used for personalized advertising and remarketing, subject to the user’s consent.
Users can manage or withdraw their cookie preferences at any time through their browser settings or via the cookie consent banner displayed on the website. If marketing or analytical cookies are declined, no such tracking will be performed.
---
13. Final Provisions
The Controller reserves the right to amend this Privacy and Cookies Policy at any time. The current version is always available on the website https://[domain].