Data controller: Nordstate, MB, company code 307664149, VAT LT100020182417, Laisvės al. 85E-5, LT-44297 Kaunas. Contact: info@nordstate.lt.
2. Data we process
Identity & contact data (name, email, phone, company, VAT ID)
Delivery and billing addresses
Order, invoice and payment records (bank transfer reference, amounts, IBAN we receive to)
Account credentials (hashed password, session tokens) for registered users
Technical data: IP address, browser, device, cookies, log files
Communications you send us (support requests, quotations)
3. Purposes and legal bases (GDPR Art. 6)
Performance of a contract — processing orders, delivery, invoicing, warranty (Art. 6(1)(b))
Legal obligation — accounting, tax, consumer protection records (Art. 6(1)(c))
Legitimate interest — fraud prevention, site security, service improvement (Art. 6(1)(f))
Consent — marketing emails, non-essential cookies (Art. 6(1)(a)) — you can withdraw at any time
4. Recipients
We share the minimum necessary data with: payment providers (e.g. Paysera), delivery carriers, hosting & cloud infrastructure providers, accounting and email service providers, and public authorities when required by law. All processors act under written data-processing agreements.
5. International transfers
Data is processed within the EU/EEA. Where a processor is located outside the EEA, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision.
6. Retention
Order and invoice data: 10 years (Lithuanian accounting law)
Account data: until you delete your account + 3 years for claims
Marketing consent: until you withdraw
Server logs: up to 12 months
7. Your rights (GDPR Arts. 15–22)
You have the right to access, rectify, erase, restrict or object to processing, data portability, and to withdraw consent at any time. Write to info@nordstate.lt. You may lodge a complaint with the State Data Protection Inspectorate of Lithuania (VDAI, vdai.lrv.lt) or your local EU supervisory authority.
8. Security
We use TLS encryption in transit, encrypted storage, role-based access control, and audit logging. We never store full card details — payments are processed by regulated PSPs.
9. Children
The platform is not directed to children under 16. We do not knowingly collect data from minors.
10. Changes
We may update this Policy. Material changes will be announced on the site.