Last updated: 22 December, 2023
Under applicable data protection laws, we are obligated to inform individuals about their personal data processing and we fulfil this obligation within this Privacy Policy which explains how we collect, use and protect personal data in accordance with the General Data Protection Regulation No. 2016/679 (“GDPR”) and/or other applicable statutory regulations.
This Privacy Policy covers the information UAB 1stopVAT („we” or “1stopVAT”) collect about you when you use our services, or otherwise interact with us (for example, by attending our premises or events or by communicating with us), unless a different policy is displayed. We offer a range of services and we refer to all of our services and website as „Services” in this policy.
Please note, that we have a dedicated Privacy Notice for UAB 1stopVAT use of Amazon Services API which explains how UAB 1stopVAT processes and protects personal data of clients and end-users collected using Amazon Services API. This Privacy Notice is available here.
DEFINITIONS
Agreement – Service agreement, Terms of Service and all schedules, order forms and addenda specifically referenced therein, concluded by UAB 1stopVAT and Client.
Client – a contracting entity identified in the Agreement.
Data Controller – natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data – any information relating to an identified or identifiable natural person. For the avoidance of doubt, it is clarified that, within the context of this Privacy Notice, the term „Personal data” is used synonymously with „PII” (Personal Identifiable Information).
Services – any and all services provided by UAB 1stopVAT in accordance with, and as defined in the Agreement.
DATA CONTROLLER
UAB 1stopVAT is the Data Controller in respect of personal data described in this Privacy Policy unless specified otherwise. Our contact details:
UAB 1stopVAT
Registration code: 305405450
Address: Ozo str. 12A-1, 08200 Vilnius, Lithuania
Contact details: [email protected]
WHAT PERSONAL DATA DO WE COLLECT AND WHY?
Purpose | Type of Data | Legal Basis | Retention Period |
Provision of 1stopVAT services. UAB 1stopVAT acts as a Data Processor. | We collect the following data: Client data: sales data for the respective period; product name, quantities, codes, amounts, categories, etc. place of storage of goods (city and country only);VAT codes available to the client; sales invoice numbers; place of delivery of goods (city and country only);names and contact details of representatives of the client (e.g., employees);other personal data required in terms of the specific legal regulations stated in the local legislation. End-user data: For B2B: name and VAT code of the organization, city and ZIP code for the delivery location of goods.For B2C: city and ZIP code for the delivery location of goods. Data collected through Amazon API. For more details, please refer here. | The processing of this data is necessary to fulfil our contractual obligations while providing our services (Article 6(1)(b) of the GDPR) Processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR) Legitimate interest (Article 6(1)(f) of the GDPR) | We retain this data as long as it is necessary for the proper and complete provision of services in accordance with the Agreement. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims). |
Compliance with AML (anti-money laundering) regulatory requirements (KYC procedure). UAB 1stopVAT acts as a Data Controller. | We collect the following UBO (Ultimate Beneficial Owner) and company’s director data: Name, Surname, Gender;Date of birth; Personal code or other identification number; Country, date of issuance and validity of the document, type and number of personal document; Citizenship (if indicated); Picture of a person and picture of personal document; IP address; Address (if indicated); Processing of biometric data: a photograph of a person’s face and a photograph contained in an identity document are compared using automated means and it is established, if it is the same person. Biometric data is not recorded and stored. The result of the comparison between the photo of the person and the photo of the person in the identity document (expressed in points of coincidence) is stored;Utility bill or another document, which includes the address of a person;Information, if sanctions to the person are applied, if person is politically exposed person, if there is negative media information about the person, if a person is listed by financial and other regulatory authorities, disciplinary bodies and anti-corruption agencies. Please note, that personal data listed above may be collected from a variety of sources. Sometimes directly from you, but also through the company or organization for who you are working or affiliated with, for example as an UBO. If your company or organization transfers your personal data to us, we expect your business or organization to inform you about this. | Public interest (Article 6(1)(e) of the GDPR) to implement measures for money laundering and terrorist financing prevention (Law on the Prevention of Money Laundering and Terrorist Financing of Republic of Lithuania) | We retain this data for 8 years from the date of termination of transactions or business relationships with the client. Data retention period may be extended for up to 2 years upon a reasoned instruction of a competent authority (Art. 9(1), 19(10) and (14) of the Law on the Prevention of Money Laundering and Terrorist Financing of Republic of Lithuania) |
To handle questions, requests and complaints submitted by you. UAB 1stopVAT acts as a Data Controller. | We collect all data along with any communication and messages you send to us (including the time they were received / submitted). | We have a legitimate interest to answer to submitted questions and requests in accordance with the Article 6(1)(f) of the GDPR | If Personal Data is part of your query, this data is deleted once your query is closed. Other data (not Personal Data) is retained for 5 years after your query is closed. We may continue to retain some information, even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims). |
Direct marketing communication. UAB 1stopVAT acts as a Data Controller. | We collect your email address. | For Clients: the processing of this data is based on Client’s consent (Article 6(1)(a) of the GDPR) or Opt-Out as per Art. 81(2) of the Law on Electronic Communications of the Republic of Lithuania For others: the processing of this data is based on your consent (Article 6(1)(a) of the GDPR) | We retain this data for as long as your consent is valid but not longer than for 5 years. |
To improve our website, ensure its performance, increase its security and adapt both its content and form to the needs of our users. UAB 1stopVAT acts as a Data Controller. | When you visit our website, we collect the following data from you automatically: IP address, operating system, user ID and other information about your activities on our and other websites. We collect and store this information as part of log entries or through the use of cookies. Please refer to our Cookie Policy for more details about cookies. | Personal data collected via cookies is processed on the basis of our legitimate interest (Article 6(1)(f) of the GDPR) whilewe set up cookies on your device only with your consent (Article 6(1)(a) of the GDPR) | Please refer to our Cookie Policy for more details about retention periods for cookies. |
To manage our social media network accounts (Facebook, etc.). UAB 1stopVAT acts as a joint Data Controller with the respective social media platform. | We collect your name, contact information (if you provide it), comments you leave under our posts, post shares, information about “like” and “follow” clicks on our profile, post reactions (including information about when you started following or liked our social network account), your photo, any feedback you left and your messages to us (including the time they were received / submitted). Please note! When you communicate with us via social networks, you should inquire about their applicable data protection terms and conditions and read their privacy policy. All personal information you provide to us via social networks is controlled and managed by that particular social network (e.g., Facebook (Meta Platforms Ireland Limited)). | Your consent, which you have given when connecting to a particular social network (Article 6(1)(a) of the GDPR) | 10 years |
To select a suitable candidate for an open job vacancy. UAB 1stopVAT acts as a Data Controller. | We collect Candidate’s first name, last name, email address and (or) telephone number, information about the Candidate’s work experience (job title, duration of work, job positions, responsibilities and/or achievements), information about the Candidate’s education and qualifications, information on proficiency on languages and other competences required for an open job vacancy, a summary of the interview with the Candidate (including the results, feedback and insights from the interviewer), other information provided by the Candidate voluntarily in his/her CV, cover letter or other application documents (e. g. recommendations, references, etc.) which will be processed in the same manner as personal data of the candidate that has been collected by us. Special categories of personal data (e.g., health-related information, information about criminal records) may only be collected if necessary for a specific job position and only to the extent necessary and permitted by the applicable law. We may also collect personal data relating to the Candidate’s qualifications, professional abilities and personal qualities from one’s former employer, after informing the Candidate in advance, and from one’s current employer only with the consent of the Candidate. | We have a legitimate interest to select the best possible Candidate for a particular job vacancy (Article 6(1)(f) of the GDPR). | We retain this personal data for a period of 6 months after the end of the selection process. |
To reach out to the Candidate with future job opportunities (Administration of the Candidate Database). UAB 1stopVAT acts as a Data Controller. | We collect Candidate’s CV along with a summary of the interview with the Candidate (including the results, feedback and insights from the interviewer). | The processing of this data is based on the Candidate’s consent (Article 6(1)(a) of the GDPR) | We retain this personal data for a period of 3 years from the moment of giving the consent. |
Dispute resolution, including the filing and defense of claims or lawsuits, and cooperation with law enforcement and regulatory authorities in accordance with the applicable law. UAB 1stopVAT acts as a Data Controller. | All the aforementioned information, as well as documents and their attachments sent to you or provided by you, court rulings, decisions and similar data;Information about criminal activities and criminal convictions. | We process this data on the basis of our legitimate interest to defend our rights in legal proceedings (Article 6(1)(f) of the GDPR). We also process this data so we could assert, exercise, or defend legal claims (Article 9(2)(f) of the GDPR). | This processing continues during respective legal proceedings and up to 10 years after their conclusion. |
WHO DO WE DISCLOSE YOUR PERSONAL DATA TO WITHIN AND OUTSIDE THE EEA?
Where necessary, we may transfer and/or otherwise disclose your personal data to the law enforcement authorities, regulatory bodies, courts and other authorised governmental bodies.
To the extent necessary to ensure the proper provision of our services, we also may transfer and/or otherwise disclose personal data to third parties involved in the processing activities:
- KYC compliance platform service provider UAB Ondato;
- Workplace collaboration and productivity tools provider Google, Inc.;
- Customer service software provider HubSpot, Inc.;
- Ecommerce, email marketing and SMS platform provider UAB Omnisend, Omnisend, LLC., Omnisend, Ltd. (“Omnisend”);
- Accounting service providers;
- Other partners and external service providers (e.g., software, IT infrastructure maintenance, cloud service providers, web hosting and web support, servers rent and maintenance, electronic communications, accounting, archiving, etc.).
For all of these service providers, we will only provide as much data as it is necessary to perform a particular service.
We may transfer your personal data outside the EEA but only based on appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the EEA. That is, we may transfer your personal data based on an adequacy decision by the European Commission, EU Commission’s approved Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework or using other possible safeguards and derogations where it is allowed by the applicable laws. Please reach out to us via [email protected] for detailed information about your personal data transfers outside of the EEA.
Please note! When you communicate with us via social networks, you should inquire about their applicable data protection terms and conditions and read their privacy policy. All personal information you provide to us via social networks is controlled and managed by that particular social network (e.g., Facebook (Meta Platforms Ireland Limited)).
Sale or merger. We may also disclose your personal data to third parties in the event that we sell or buy any business or assets (due to liquidation, bankruptcy or otherwise), or merge with another company or business. In this case we may transfer your data to a prospective seller or buyer of such business or assets as client’s information may be among the transferred assets in said transactions.
HOW DO WE PROTECT YOUR PERSONAL DATA?
When processing and storing your personal data, we implement organisational and technical measures to ensure that personal data is protected against accidental or unlawful destruction (e.g., backups on a regular schedule), alteration, disclosure, and any other unlawful processing. Technical and organisational measures implemented by 1stopVAT are described in Annex A of this Privacy Policy.
YOUR RIGHTS
Under the GDPR you have the following rights:
- Know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR);
- Access your personal data that is being processed (Article 15 of the GDPR);
- Request the correction of inaccurate personal data relating to you (Article 16 of the GDPR);
- Request the deletion of personal data relating to you (“the right to be forgotten”) (Article 17 of the GDPR). Please note! You have the right to be forgotten only if it can be justified by one of the following reasons: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you do not consent to the processing under Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
- Restrict data processing (Article 18 of the GDPR). Please note! You have the right to restrict the processing of your data only if: (i) personal data is inaccurate; (ii) the processing of personal data is unlawful, but you do not consent to the erasure of the data; (iii) we no longer need your personal data to fulfil our purpose, but it is necessary for you to assert, enforce or defend legal requirements; (iv) you object to the processing under Article 21 (1) of the GDPR unless the legitimate reasons of 1stopVAT override your own.
- Transfer your personal data when the processing is based on consent or contract and the data is processed by automated means (Article 20 of the GDPR);
- Object to the processing of personal data for reasons specific to your case where the processing is in the legitimate interests of 1stopVAT or of a third party, unless we prove that the processing is for compelling legitimate reasons overriding your interests, rights and freedoms, or for the purpose of asserting, enforcing or defending legal requirements (Article 21 of the GDPR).
If you believe that 1stopVAT is unlawfully processing your personal data or is not implementing your rights, you have the right to file a complaint with the competent Data Protection Authority or to make a claim against 1stopVAT with a competent court (either in the country where you live, the country where you work or the country where you deem that data protection law has been infringed).
Contact details for State Data Protection Inspectorate, the supervisory data protection authority in Lithuania: L. Sapiegos street 17, 10312 Vilnius, (8 5) 271 2804, 279 1445, [email protected]. You can find contact details of other competent authorities within the EU, here.
You can exercise rights over your data by reaching out to: [email protected].
CONTACT US
If you have any questions about this Privacy Policy or about your personal data processing, please contact us by email: [email protected].
WHO DO WE DISCLOSE YOUR PERSONAL DATA TO WITHIN AND OUTSIDE THE EEA?
Where necessary, we may transfer and/or otherwise disclose your personal data to the law enforcement authorities, regulatory bodies, courts and other authorised governmental bodies.
To the extent necessary to ensure the proper provision of our services, we also may transfer and/or otherwise disclose personal data to third parties involved in the processing activities:
- KYC compliance platform service provider UAB Ondato;
- Workplace collaboration and productivity tools provider Google, Inc.;
- Customer service software provider HubSpot, Inc.;
- Ecommerce, email marketing and SMS platform provider UAB Omnisend, Omnisend, LLC., Omnisend, Ltd. (“Omnisend”);
- Accounting service providers;
- Other partners and external service providers (e.g., software, IT infrastructure maintenance, cloud service providers, web hosting and web support, servers rent and maintenance, electronic communications, accounting, archiving, etc.).
For all of these service providers, we will only provide as much data as it is necessary to perform a particular service.
We may transfer your personal data outside the EEA but only based on appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the EEA. That is, we may transfer your personal data based on an adequacy decision by the European Commission, EU Commission’s approved Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework or using other possible safeguards and derogations where it is allowed by the applicable laws. Please reach out to us via [email protected] for detailed information about your personal data transfers outside of the EEA.
Please note! When you communicate with us via social networks, you should inquire about their applicable data protection terms and conditions and read their privacy policy. All personal information you provide to us via social networks is controlled and managed by that particular social network (e.g., Facebook (Meta Platforms Ireland Limited)).
Sale or merger. We may also disclose your personal data to third parties in the event that we sell or buy any business or assets (due to liquidation, bankruptcy or otherwise), or merge with another company or business. In this case we may transfer your data to a prospective seller or buyer of such business or assets as client’s information may be among the transferred assets in said transactions.
HOW DO WE PROTECT YOUR PERSONAL DATA?
When processing and storing your personal data, we implement organisational and technical measures to ensure that personal data is protected against accidental or unlawful destruction (e.g., backups on a regular schedule), alteration, disclosure, and any other unlawful processing. Technical and organisational measures implemented by 1stopVAT are described in Annex A of this Privacy Policy.
YOUR RIGHTS
Under the GDPR you have the following rights:
- Know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR);
- Access your personal data that is being processed (Article 15 of the GDPR);
- Request the correction of inaccurate personal data relating to you (Article 16 of the GDPR);
- Request the deletion of personal data relating to you (“the right to be forgotten”) (Article 17 of the GDPR). Please note! You have the right to be forgotten only if it can be justified by one of the following reasons: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you do not consent to the processing under Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
- Restrict data processing (Article 18 of the GDPR). Please note! You have the right to restrict the processing of your data only if: (i) personal data is inaccurate; (ii) the processing of personal data is unlawful, but you do not consent to the erasure of the data; (iii) we no longer need your personal data to fulfil our purpose, but it is necessary for you to assert, enforce or defend legal requirements; (iv) you object to the processing under Article 21 (1) of the GDPR unless the legitimate reasons of 1stopVAT override your own.
- Transfer your personal data when the processing is based on consent or contract and the data is processed by automated means (Article 20 of the GDPR);
- Object to the processing of personal data for reasons specific to your case where the processing is in the legitimate interests of 1stopVAT or of a third party, unless we prove that the processing is for compelling legitimate reasons overriding your interests, rights and freedoms, or for the purpose of asserting, enforcing or defending legal requirements (Article 21 of the GDPR).
If you believe that 1stopVAT is unlawfully processing your personal data or is not implementing your rights, you have the right to file a complaint with the competent Data Protection Authority or to make a claim against 1stopVAT with a competent court (either in the country where you live, the country where you work or the country where you deem that data protection law has been infringed).
Contact details for State Data Protection Inspectorate, the supervisory data protection authority in Lithuania: L. Sapiegos street 17, 10312 Vilnius, (8 5) 271 2804, 279 1445, [email protected]. You can find contact details of other competent authorities within the EU, here.
You can exercise rights over your data by reaching out to: [email protected].
CONTACT US
If you have any questions about this Privacy Policy or about your personal data processing, please contact us by email: [email protected].
ANNEX A
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The following sections define 1stopVAT current technical and organizational security measures. 1stopVAT may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting personal data.
Network Security and Sensitive Information | |
1.1. | 1stopVAT ensures that no database, web servers, or application servers containing sensitive information (personal data, financial records, and confidential business information) are located within 1stopVAT network itself. |
Zero-Trust Network | |
2.1. | 1stopVAT office network is maintained as a „zero-trust” network, meaning that Clients have internet access only and should not assume any inherent trust within the network. |
2.2. | 1stopVAT takes measures to adequately protect the office network from unauthorized use and intrusion attempts to maintain its integrity. |
Guest Access | |
3.1. | Guest access to 1stopVAT network is password-protected and is kept separate and isolated from the „native” network. Clients accessing the network as guests are subject to specific access limitations. |
Limited Access to Sensitive Information | |
4.1. | Clients who are part of the „native” network do not automatically gain access to sensitive information solely based on their connection to the network. |
Access Authorization | |
5.1. | While 1stopVAT office network is protected from intrusion and employs threat monitoring measures, it is considered a public network. |
5.2. | Access to 1stopVAT information systems, including sensitive information, requires additional authorization each time such information is accessed. Clients must adhere to 1stopVAT access control policies and procedures. |
General Terms and Responsibilities | |
6.1. | Clients are contractually obligated to comply with all applicable laws and regulations while accessing 1stopVAT network and information systems. |
6.2. | Clients are contractually responsible for maintaining the confidentiality of their login credentials, passwords, and any other authentication information used to access 1stopVAT network. |
6.3. | Clients are contractually prohibited to engage in any activities that may disrupt, damage, or compromise the integrity of 1stopVAT network, information systems, or the data contained therein. |
6.4. | 1stopVAT contractually reserves the right to monitor network traffic, access, and usage for security and compliance purposes. Clients contractually consent to such monitoring. |
Password Management Policy | |
7.1. | Minimum Password Age and Inactivity Lock Passwords for the employees’ computers must have a minimum age of 1 day. This means users cannot change their password again until at least one day has passed since their last password change. This prevents frequent password changes and encourages stronger, long-term password choices. Computers automatically lock after 5 minutes of inactivity. This ensures that unauthorized individuals cannot access an unattended computer, adding an extra layer of security. |
7.2. | Password Generation, Minimum Password Requirements, Monitoring for Old and Duplicate Passwords (NordPass) All Windows passwords is generated using NordPass program. NordPass offers a secure password generator that can create strong and complex passwords, helping to mitigate the risk of password-related security breaches. Passwords must adhere to NordPass’s minimum password requirements, as outlined on their website. These requirements typically include a combination of upper- and lower-case letters, numbers, and special characters. NordPass configured to monitor and alert users when they have old or duplicate passwords. This encourages users to update their passwords regularly and avoid using the same password for multiple accounts, enhancing security. |
7.3. | Regular Password Changes and Account Lockout Policies Users required to change their passwords periodically (e.g., every 90 days). Frequent password changes reduce the risk of compromised passwords over time. 1stopVAT has a multi-factor authentication for accessing sensitive systems and data. MFA adds an additional layer of security by requiring users to provide two or more forms of verification before granting access. 1stopVAT has account lockout policies that temporarily lock user accounts after a certain number of failed login attempts. This helps prevent brute force attacks. |
7.4. | User Education, Security Auditing and Compliance 1stopVAT regularly educates employees about security best practices, including password hygiene and the importance of data protection, regularly audits internal systems for compliance with these security rules, ensuring that employees are following the established security policies and make necessary adjustments based on audit findings. |
Baseline Standard Configuration | |
8.1. | The procedure for maintaining a baseline standard configuration of software for information systems used by 1stopVAT employees: The purpose of this procedure is to standardize systems, enhance security, and ensure compliance with 1stopVAT policies. This procedure applies to all company-owned workstations, including servers, applications, network devices, databases, and web servers. It covers both the baseline set of software and the extended set for specific duties as outlined below. Baseline Set of Workstation Software The baseline set of workstation software is deployed to all employees’ workstations and consists of the following components: Operating System: Windows 10/11 Professional. Office Suite: Microsoft Office 2016/2019/2021, including Word, Excel, PowerPoint, and Outlook. PDF Reader: Adobe Acrobat Reader. Web Browser: Google Chrome (set as default for greater compatibility with Google platforms). Media Player: VideoLAN media player. Antivirus Software: ESET Endpoint Security. Email Integration: Google Workspace Sync for Microsoft Outlook. File Sync and Backup: Google Drive for Desktop. Instant Messaging: Telegram Desktop messenger. Printer Software: Konica Minolta BizHub C250i Printer driver. Archiving Tool: WinRAR archiver. Extended Set for Specific Duties In addition to the baseline software, employees may require access to the extended set of software based on their specific job duties. Authorization for installing and using these applications must be obtained from 1stopVAT management. The extended set includes: VPN Software: NordVPN and Surfshark VPN software (for secure remote access). Password Management: NordPass password management utility. PDF Editing: Adobe Acrobat Professional (for PDF editing and creation). Screen Capture Tool: Screenpresso screen capture tool for Windows Procedure 3.1. Deployment of Baseline Software The System Administrator is responsible for preparing workstations with the baseline software configuration. Upon issuing a new computer to an employee, the System Administrator installs the baseline software. The employee is not authorized to install any additional software without prior approval from 1stopVAT management. 3.2. Requesting Extended Software Employees requiring access to the extended set of software for specific job duties must submit a request to their supervisor. The supervisor reviews the request and forwards it to the appropriate department head for approval. The department head approves or denies the request based on business needs and security considerations. Approved requests are then forwarded to the IT department for software installation. Compliance and Monitoring The IT department is responsible for monitoring compliance with this baseline configuration procedure. Regular audits may be conducted to ensure that employees are not using unauthorized software. Revision of Baseline Configuration The baseline configuration of software may be revised periodically to accommodate updates and changes in software requirements. Any changes to the baseline configuration will be documented and communicated to all relevant parties. |