Privacy Notice

PRIVACY NOTICE 1. TERMS AND DEFINITIONS 1.1. Notice – this Privacy Notice of the Company. 1.2. Data subject (also "you") – the natural person whose personal data the Company processes. 1.3. EU/EEA – the European Union and/or the European Economic Area. 1.4. Application (also "App") – the Company's point-of-sale application ZalaPay used by the Data subject. 1.5. Website – the Company's website www.amro.lv 1.6. Company (also "we") – SIA AMRO BALTIC, registration number: 40103627507, registered address: Lacplesais iela 87i, Riga, LV-1011. 1.7. GDPR – the General Data Protection Regulation. 1.8. Other terms used in this Notice that are defined in Article 4 of the GDPR – e.g., "personal data", "processing", "controller", "processor", "recipient", "profiling", etc. – have the same meaning as defined in that article. 2. PURPOSE AND SCOPE OF THE NOTICE The purpose of this Notice is to inform the Data subject about the processing of personal data carried out by the Company. The Notice applies in all cases where the Company processes the personal data of the Data subject (e.g., when the Data subject uses the App, visits the Website, communicates with the Company, etc.). 3. CONTROLLER INFORMATION The Company is considered the controller of personal data, meaning that it determines the purposes (i.e., "why" personal data are processed) and means (i.e., "how" personal data are processed) of processing. Company contact details: (a) email address: info@amro.lv; (b) phone number: +371 20445455 4. SOURCES OF PERSONAL DATA Where lawfully justified in each individual case, the Company may obtain personal data about the Data subject in two ways: 4.1. By receiving them directly from the Data subject, mainly when he/she: (a) uses the App or visits the Website; (b) communicates with the Company (e.g., by phone, through the App, email, regular mail, social media and other means of communication); (c) otherwise provides personal data to the Company. 4.2. From third-party sources (e.g., public authorities, commercial registers, etc.). 5. CATEGORIES OF PERSONAL DATA PROCESSED The Company mainly processes the following categories of data: (a) Basic data (e.g., first name, last name, personal identification number, date of birth, age, email address, position in a specific company); (b) Contact information (e.g., email address, phone number, declared residential address); (c) Device-related data (e.g., device identifier, device model, operating system version, location during use of the app, transaction data); (d) Location data; (e) Network data (source IP address); (f) Communication data (by phone (NB! All telephone conversations with the Company are recorded) or in writing); (g) Other personal data provided by the data subject to the Company or obtained by the Company. 6. PURPOSES OF PERSONAL DATA PROCESSING 6.1. The Company processes personal data mainly for the following purposes: (a) Ensuring the functionality of the App or Website; (b) Communicating with the Data subject in connection with the use of the App, Website or services provided by the Company; (c) Providing the requested service; (d) Creating and using a user account; (e) Administering a user account; (f) Responding to applications, complaints, requests or questions from the Data subject; (g) Ascertaining the opinion of the Data subject; (h) Exercising and protecting the rights and interests of the Company; (i) Market research and trend analysis; (j) Prevention of unlawful activities (e.g., fraud prevention, protection of property, etc.); (k) Improving the Company's App, Website and related processes; (l) For direct marketing purposes, such as: (1) sending commercial messages; (2) organising customer loyalty activities; (3) using targeting strategies, cookies and similar technologies; (4) evaluating and researching customer groups; (5) reaching out to potential customers and/or offering services; (m) Creating a user database and other administrative purposes; (n) Fulfilling obligations set out in applicable law; (o) Responding to requests from competent public authorities; (p) Filing, maintaining and enforcing claims; (q) Research, analytics and statistics; (r) Improving the quality/efficiency of the Company's service delivery; (s) Resolving service issues and disruptions; (t) Assessing customer satisfaction; (u) Handling Data subject complaints; Creating a complaints register; (v) Ensuring security, protecting property, preventing and detecting criminal offences; (w) Quality control of call content, service quality control; Preserving evidence. 6.2. The Company is entitled to process personal data for other purposes not mentioned in the previous paragraph if a relevant legal basis exists. 7. LEGAL BASES FOR PROCESSING 7.1. The legal basis on which we process your personal data depends on the type of personal data being processed and the purposes for which they are processed. 7.2. We will mainly process your personal data on the following legal bases: (a) your consent; (b) necessity for the performance of a contract; (c) compliance with our legal obligation; (d) processing is necessary to protect the vital interests of a person; (e) processing is necessary for the purposes of the legitimate interests pursued by us or a third party. 8. CATEGORIES OF RECIPIENTS AND TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA 8.1. Where lawfully justified in each individual case, personal data may be transferred to the following categories of recipients: (a) Employees and officials of the Company; (b) Service providers of the Company (processors and other controllers); (c) Public authorities, e.g., the Consumer Rights Protection Centre, the State Revenue Service, the Data State Inspectorate, the State Police, etc.; (d) Other recipients who are entitled to receive personal data. 8.2. We mainly process personal data within the EU/EEA. However, during the processing, personal data may be transferred to a recipient outside the EU/EEA. In this case, the Company ensures compliance with the GDPR requirements for transfers of personal data outside the EU/EEA. 9. RETENTION OF PERSONAL DATA We will retain personal data in accordance with our data retention policy. The retention period mainly depends on the relevant category of personal data and the purpose of processing. At the end of the retention period, personal data will be deleted or irreversibly anonymised. 10. DATA SUBJECT RIGHTS 10.1. The GDPR grants the Data subject several rights with regard to their personal data, namely: (a) Right of access to personal data; (b) Right to rectify personal data; (c) Right to erasure of personal data; (d) Right to request restriction of processing; (e) Right to object to processing; (f) Right to data portability; (g) Right to withdraw consent at any time. 10.2. Please note that the rights listed above are not absolute. 10.3. To exercise the above rights, the Data subject must contact the Company by: (a) Sending a personally signed application to the Company's registered address; or (b) Sending an application signed with a secure electronic signature to the Company's email address. 10.4. If the Company has reasonable doubts about the identity of the natural person, the Company may request additional information to confirm identity. 11. DISPUTE RESOLUTION AND COMPLAINTS The Company hopes to resolve any dispute amicably. However, the Data subject is entitled to lodge a complaint with the Data State Inspectorate if they consider that the processing carried out by the Company is contrary to the GDPR and/or other applicable personal data protection legislation. 12. OBLIGATION TO PROVIDE PERSONAL DATA Whether the Data subject has the right or obligation to provide personal data depends mainly on the purpose of processing. Providing personal data may be mandatory to use the services offered through the App and/or Website. Subscription to newsletters is always voluntary. 13. AUTOMATED DECISION-MAKING AND PROFILING The Company does not make automated decisions that produce legal effects concerning the Data subject or similarly significantly affect the Data subject. The Company may carry out profiling for marketing purposes or to personalise offers. 14. PASSWORD AND ACCOUNT ACCESS 14.1. When creating a user account in the App or on the Website, the Data subject is obliged to create a secure password. The Data subject is not permitted to disclose this password to any third party. 14.2. The said user account may only be used by the Data subject themselves for their own purposes. 15. CHANGES The Company is entitled to unilaterally make changes to this Notice. Changes take effect on the day the updated Notice is published in the App or on the Website. In the case of significant changes, the Data subject will be informed of them using the contact information available to the Company.