KOMODA LLC PRIVACY POLICY

1. Data Controller

KOMODA LLC (UAB KOMODA), company code 302411633, address Mainų g. 6-13, Klaipėda, Lithuania, is the controller of your personal data when you use the website www.komoda.lt, place an order, create an account, purchase as a guest, subscribe to our newsletter, or contact us.

For questions regarding personal data processing, privacy, or security, you may contact us by email at: info@komoda.lt.

This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, the provisions of the Law on Electronic Communications of the Republic of Lithuania concerning cookies, as well as the Cyber Security Law of the Republic of Lithuania and the requirements of the Network and Information Systems Security Directive (NIS2), where applicable to the Company.

2. What Personal Data We Process

Depending on how you use our website and services, we may process the following categories of personal data:

• Identification data: first name, last name.

• Contact data: email address, telephone number.

• Delivery data: delivery address, postal code, city, country.

• Order data: ordered products, order number, order status, payment status, delivery method, return and complaint information.

• Account data: account login details, account settings, purchase history, wishlist information.

• Technical data: IP address, device and browser information, operating system, login and security event information, cookie identifiers.

• Marketing data: newsletter subscription status, consent information, marketing message opening and click data, where such data is collected through the tools we use.

• Communication data: your inquiries, correspondence, complaints, return requests, or warranty-related information.

We do not collect special categories of personal data, such as health information, political opinions, religious beliefs, or other sensitive data, unless such information is voluntarily provided by the individual during communication. In such cases, we kindly ask you not to provide excessive information.

3. Purposes and Legal Bases for Processing Personal Data

We process personal data only when we have a lawful basis for doing so. Below we explain the main purposes of data processing in plain language and indicate the corresponding legal basis under the GDPR. When we refer to Article 6(1)(b) GDPR, in the context of an online store this means that we process data in order to accept and fulfil your order, deliver products, administer payment, returns, or other matters related to your purchase. No physical written contract is required – by placing an order in the online store, a distance sales contract is formed.

• Order acceptance and fulfilment. We process your name, contact details, delivery details, order information, and payment status in order to accept, confirm, fulfil, and deliver your order. Legal basis – Article 6(1)(b) GDPR, i.e., processing is necessary for the performance of a contract resulting from your order in the online store or to take steps at your request before entering into such a contract.

• Guest purchases. If you make a purchase without creating an account, we process only the data necessary for order fulfilment, accounting, returns, warranty matters, and customer service. Legal basis – Article 6(1)(b) GDPR and Article 6(1)(c) GDPR, where we are required to retain data under accounting, tax, or other legal obligations.

• Administration of registered accounts. We process account information, purchase history, login information, and account settings so that you can conveniently use the online store, view order history, and access account functions. Legal basis – Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, i.e., our legitimate interest in ensuring account functionality and security.

• Wishlist functionality. We process information about products you add to your wishlist in order to provide this website feature. Legal basis – Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on how you use your account. If this information is used for direct marketing or personalized advertising, your consent under Article 6(1)(a) GDPR will be required where applicable.

• Payment administration. We use Neopay to process payments. We receive payment confirmations and payment-related technical information necessary for order fulfilment and accounting. Legal basis – Article 6(1)(b) GDPR and Article 6(1)(c) GDPR.

• Product delivery. We transfer delivery information to the selected delivery partner – Omniva, DPD, LP Express, or Venipak – in order to deliver your products. Legal basis – Article 6(1)(b) GDPR.

• Customer service, returns, and dispute resolution. We process information you provide, correspondence, order details, complaints, and return information in order to respond to inquiries, manage returns, handle complaints, and defend our legal interests. Legal basis – Article 6(1)(b), Article 6(1)(c), and Article 6(1)(f) GDPR.

• Accounting and compliance with legal obligations. We process data necessary for invoicing, accounting, tax administration, and compliance with legal requirements. Legal basis – Article 6(1)(c) GDPR.

• Newsletters and direct marketing. If you subscribe to our newsletter or agree to receive marketing communications, we may process your email address, consent information, and marketing interaction data in order to send newsletters and offers. We use Omnisend. Legal basis – Article 6(1)(a) GDPR, i.e., your consent. You may withdraw your consent at any time using the unsubscribe link contained in the newsletter or by contacting us.

• Analytics and website improvement. We use Google Analytics 4 (GA4) to understand how visitors use the website and to improve its performance. Non-essential analytics cookies are used only with your consent where required by law.

• Advertising and remarketing. We use Google Ads and Meta/Facebook Pixel to measure advertising effectiveness, display more relevant advertising, and perform remarketing activities. These technologies are used only with your consent where such consent is required.

• Login via Google or Facebook. If you choose to log in using Google Login or Facebook Login, we receive from the relevant provider the information necessary to create or connect your account, such as your name, email address, and technical identifier. Legal basis – Article 6(1)(b) GDPR and your choice to use this feature.

• Website security and fraud prevention. We process technical information, IP addresses, login information, and security event data, and use Cloudflare and Google reCAPTCHA to protect the website, user accounts, orders, and our systems against abuse, automated attacks, spam, and fraud. Legal basis – Article 6(1)(f) GDPR, i.e., our legitimate interest in ensuring the security of our website and services.

4. With Whom We May Share Your Data

Your data is shared only to the extent necessary to provide a specific service, fulfil an order, comply with a legal obligation, or ensure the security of our systems.

• Payment service provider: Neopay.

• Delivery partners: Omniva, DPD, LP Express, Venipak.

• E-commerce and technical infrastructure service providers: providers of Prestashop solutions, modules, hosting, technical maintenance, and IT security services.

• Analytics and advertising partners: Google Analytics 4, Google Ads, Meta/Facebook Pixel.

• Marketing platform: Omnisend.

• Security and availability service providers: Cloudflare, Google reCAPTCHA.

• Login service providers: Google Login and Facebook Login, if you choose to use these login methods.

5. Transfer of Data Outside the European Economic Area

Some of the service providers we use, such as Google, Meta, Cloudflare, or Omnisend, may process data outside the European Economic Area. In such cases, we verify the legal basis used by the relevant provider for international data transfers and use such services only where the transfer mechanisms required by the GDPR are in place, such as adequacy decisions adopted by the European Commission, Standard Contractual Clauses, or other lawful safeguards.

6. Cookies and Similar Technologies

Our website uses necessary, analytics, functional, security, marketing, advertising, and remarketing cookies.

Necessary cookies are used for website functionality, shopping cart operation, checkout, security, and session management. They may be used without separate consent because the website would not function properly without them.

Analytics cookies, such as Google Analytics 4, are used only with your consent.

Marketing, advertising, remarketing, and tracking technologies, such as Google Ads, Meta/Facebook Pixel, and Omnisend, are used only with your consent.

Security technologies, such as Cloudflare and Google reCAPTCHA, help protect the website from automated attacks, spam, and abuse.

In the cookie management banner, you can choose “Accept All”, “Reject Non-Essential Cookies”, or manage cookies by category. The actual list of cookies, their providers, purposes, and retention periods is provided below.

| Cookie name | Category | Provider | Purpose | Retention period |
|---|---|---|---|---|
| PHPSESSID | Necessary cookies | komoda.lt | Necessary session cookie used to ensure website functionality. It allows the website to recognize the user’s browsing session, store temporary session information, and provide core functions such as the shopping cart, account login, and order placement. | During the session |
| PrestaShop-# | Necessary cookies | komoda.lt | Necessary cookie used to ensure the operation of the online store. It helps maintain the user session, shopping cart information, login status, language or currency preferences, and other technical data required for proper website functionality, product selection, and order placement. | 480 hours |
| _cf_bm | Necessary cookies | Cloudflare / forms.soundestlink.com | Cloudflare security cookie used to protect forms on forms.soundestlink.com. It helps distinguish real users from automated traffic and protect forms from abuse, spam, and bot activity. | 30 minutes |
| _gid | Analytics cookies | Google | Google Analytics cookie used to distinguish visitors and generate short-term website usage statistics. It helps understand how visitors use the website, which pages they visit, and how website performance can be improved. | 1 day |
| _ga | Analytics cookies | Google | Google Analytics cookie used to distinguish visitors and generate website usage statistics. It helps understand how many visitors access the website, how they browse, which pages they view, and how website performance can be improved. | 1 year 1 month |
| _ga_* | Analytics cookies | Google | Google Analytics 4 cookie used to generate website usage statistics and maintain session state. It helps understand how visitors use the website, which pages they view, and how website performance can be improved. | 1 year 1 month |
| _gcl_au | Advertising and remarketing cookies | Google | Google Ads cookie used to measure advertising effectiveness and conversions. It helps evaluate how visitors interact with the website after viewing or clicking on an advertisement. | 3 months |
| IDE | Advertising and remarketing cookies | Google / DoubleClick | Google DoubleClick cookie used to display advertisements, measure advertising effectiveness, and perform remarketing. It helps display more relevant ads and evaluate how visitors interact with advertisements. | 1 year 24 days |
| _fbp | Advertising and remarketing cookies | Meta / Facebook | Meta / Facebook Pixel cookie used to measure advertising effectiveness, create audiences, and perform remarketing on Meta platforms such as Facebook and Instagram. It helps evaluate how visitors interact with the website after viewing or clicking on an advertisement. | 3 months |
| test_cookie | Advertising and remarketing cookies | Google / DoubleClick | Google DoubleClick cookie used to check whether the user’s browser supports cookies required for Google advertising services. | 15 minutes |
| soundestID | Marketing and communication cookies | Omnisend / komoda.lt | Omnisend cookie used to recognize the visitor session, support newsletter forms, marketing automation, and evaluate communication effectiveness. | During the session |
| omnisendSessionID | Marketing and communication cookies | Omnisend / komoda.lt | Omnisend cookie used to recognize the visitor session, support newsletter forms, marketing automation, and evaluate communication effectiveness. | 1 hour |
| page-views | Marketing and communication cookies | Omnisend / komoda.lt | Cookie used to record the number of pages viewed during a session and to manage the display of marketing communication elements, such as newsletter forms. | During the session |
| session_id | Functional and review cookies | evertink.lt | evertink.lt cookie used to maintain the review system session when the user enters the evertink.lt environment or uses the review functionality. The cookie helps associate the rating session with the review submission and ensures the proper functioning of the review system. This cookie is not necessary for the purchase process, but it is required for the review functionality to operate. | 3 months |

7. How Long We Retain Your Data

We retain personal data no longer than necessary for the purposes for which it was collected or for the period required by applicable laws.

• Order, payment, invoicing, and accounting data are retained for up to 10 years to the extent required for accounting, tax, and legal compliance purposes.

• If you purchase as a guest, your data is not used for account administration; however, data necessary for order fulfilment, delivery, payment, accounting, returns, warranty claims, and potential disputes is retained according to the periods specified in this Policy.

• General inquiries that are not related to a specific order are retained for up to 12 months from the date of the last communication.

• Communications relating to orders, deliveries, returns, complaints, or warranty matters are retained for up to 3 years following the final resolution of the matter, unless longer retention is necessary for handling a dispute, complaint, investigation, or legal claim.

• Registered account data is retained while the account remains active. If the account is deleted, data no longer required for account administration is removed; however, data necessary for order fulfilment, accounting, and legal compliance is retained for the periods specified in this section.

• Newsletter and direct marketing consents are retained while the consent remains valid and for a reasonable period after withdrawal so that we can demonstrate when consent was given or withdrawn.

• Data collected through cookies and similar technologies is retained according to the specific retention periods applicable to those cookies, as indicated in the cookie settings or cookie policy.

• Security logs, technical records, and incident management information are retained for as long as necessary to ensure website security, investigate incidents, prevent abuse, and comply with legal requirements.

Once the applicable retention period expires, the data is deleted, anonymized, or securely destroyed, unless laws permit or require a longer retention period.

8. Your Rights

You have the right to:

• receive information about the processing of your personal data;

• access your personal data that is being processed;

• request the correction of inaccurate or completion of incomplete data;

• request deletion of data where there is a legal basis for doing so;

• restrict the processing of personal data;

• object to processing where the data is processed on the basis of legitimate interests;

• withdraw your consent where processing is based on consent;

• receive your data in a structured, commonly used, and machine-readable format where the right to data portability applies;

• lodge a complaint with the State Data Protection Inspectorate.

Requests regarding your rights may be submitted by email to info@komoda.lt. Before fulfilling a request, we may ask you to verify your identity in order to protect your data against unauthorized disclosure.

9. Data Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction. Such measures are selected taking into account the nature of the data processed, associated risks, technological capabilities, and applicable legal requirements.

The following security measures are used or may be used:

• SSL/TLS encryption;

• access control and user permission management;

• protection of administrative accounts and, where applicable, multi-factor authentication;

• updates of servers, the online store, and installed modules;

• Cloudflare protection against malicious traffic and automated attacks;

• Google reCAPTCHA protection against spam and automated abuse;

• backup and recovery measures;

• monitoring of technical logs and security events;

• restriction of employee and service provider access based on the need-to-know principle;

• assessment of supplier and technical partner security requirements.

10. Cybersecurity, NIS2 and Cyber Security Law Requirements

In managing the information systems of our online store and related services, we comply with the applicable requirements of the Cyber Security Law of the Republic of Lithuania, the NIS2 Directive, and implementing legislation.

If a reportable cybersecurity incident occurs, we provide notifications to the National Cyber Security Centre and, where applicable, to other competent authorities in accordance with legal requirements. In the event of a major cybersecurity incident, the initial notification is generally submitted within the short deadlines established by law, while additional information and the final report are provided in accordance with the incident management procedures established by the competent authorities.

This section is intended to explain to customers how we ensure the security, continuity, and cyber resilience of our online store and services. Detailed internal cybersecurity procedures, risk assessments, response plans, supplier evaluations, and technical control measures are maintained in the Company’s internal documentation and are not publicly disclosed for security reasons.

11. Personal Data Breaches

A personal data breach may include, for example, unauthorized access to customer data, data loss, unauthorized disclosure, alteration, or destruction of personal data.

If we suspect or identify such a breach, we assess its nature, scope, potential consequences, and risks to the rights and freedoms of individuals. Where required by the GDPR, we notify the State Data Protection Inspectorate no later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we also inform the affected individuals.

12. Children's Data

Our online store is not intended for children. If it becomes apparent that personal data has been provided by a minor without the appropriate consent of a legal representative, we will take reasonable steps to remove such data or otherwise establish a lawful basis for processing it.

13. Changes to This Policy

We may update this Privacy Policy when our services, tools, data processing practices, or legal requirements change. The most recent version of the Privacy Policy is always published on the website www.komoda.lt.

14. Contact Information

If you have any questions regarding this Privacy Policy, cookies, personal data processing, security, or if you wish to exercise your rights, please contact us:

KOMODA LLC (UAB KOMODA)

Company Registration Number: 302411633

Address: Mainų g. 6-13, Klaipėda, Lithuania

Email: info@komoda.lt