Privacy Policy – Royal Key

Last Updated: 05 January 2025

WHEREAS this Privacy Policy (“Policy”) is issued by SIA ROYAL KEY BALTIC GROUP, a company duly incorporated under the laws of the Republic of Latvia with registration number 40203004100, having its registered office at Rīga, Vaidavas iela 6 k-2 – 26, LV-1084, Latvia (“Company”, “we”, “us”, or “our”).

WHEREAS this Policy sets forth the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Personal Data Processing Law of the Republic of Latvia and other applicable data protection legislation (collectively, “Applicable Data Protection Law”).

NOW THEREFORE, the Company hereby establishes and implements this Policy as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 In this Policy, the following terms shall have the meanings assigned to them below:

“Applicable Data Protection Law” means collectively:
(a) the GDPR;
(b) the Personal Data Processing Law of the Republic of Latvia;
(c) the Law On Information Society Services of the Republic of Latvia;
(d) the Electronic Communications Law of the Republic of Latvia; and
(e) any other applicable data protection or privacy laws and regulations.

“Controller” shall have the meaning assigned to it in Article 4(7) of the GDPR.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Personal Data” shall have the meaning assigned to it in Article 4(1) of the GDPR.

“Processing” shall have the meaning assigned to it in Article 4(2) of the GDPR.

“Processor” shall have the meaning assigned to it in Article 4(8) of the GDPR.

“Special Categories of Personal Data” shall have the meaning assigned to it in Article 9(1) of the GDPR.

1.2 Any reference to any statute or statutory provision shall be construed as including a reference to any statutory modification, consolidation or re-enactment thereof for the time being in force.

2. SCOPE AND APPLICATION

2.1 This Policy applies to:
(a) all Personal Data collected and Processed through our website royalkey.com (“Website”);
(b) any associated applications, services, or tools where reference is made to this Policy; and
(c) any Personal Data collected and Processed by us in the course of our business operations.

2.2 This Policy does not apply to third-party websites, products, or services, even if they link to our Website or services.

3. DATA CONTROLLER AND DATA PROTECTION OFFICER

3.1 For the purposes of Applicable Data Protection Law, we act as a Controller in relation to the Personal Data we Process.

3.2 We have appointed a Data Protection Officer (“DPO”) who may be contacted at:
Email: dpo@royalkey.com
Address: Rīga, Vaidavas iela 6 k-2 – 26, LV-1084, Latvia
SEPA Identifier: LV65ZZZ40203004100

4. CATEGORIES OF PERSONAL DATA

4.1 We may collect and Process the following categories of Personal Data:

4.1.1 Identity Data:
(a) first name;
(b) last name;
(c) username or similar identifier;
(d) title; and
(e) date of birth.

4.1.2 Contact Data:
(a) billing address;
(b) delivery address;
(c) email address; and
(d) telephone numbers.

4.1.3 Financial Data:
(a) bank account details;
(b) payment card details; and
(c) transaction history.

4.1.4 Technical Data:
(a) internet protocol (IP) address;
(b) browser type and version;
(c) time zone setting and location;
(d) browser plug-in types and versions;
(e) operating system and platform; and
(f) other technology on the devices used to access the Website.

4.1.5 Profile Data:
(a) username and password;
(b) purchases or orders;
(c) interests;
(d) preferences;
(e) feedback; and
(f) survey responses.

4.1.6 Usage Data:
(a) information about how you use the Website;
(b) products and services; and
(c) customer service interactions.

5. LAWFUL BASIS FOR PROCESSING

5.1 We shall only Process Personal Data where we have a lawful basis for such Processing, namely:

5.1.1 Contractual Necessity (Article 6(1)(b) GDPR):
Processing is necessary for:
(a) the performance of a contract to which the Data Subject is party; or
(b) in order to take steps at the request of the Data Subject prior to entering into a contract.

5.1.2 Legal Obligation (Article 6(1)(c) GDPR):
Processing is necessary for compliance with a legal obligation to which we are subject under EU or Member State law.

5.1.3 Legitimate Interests (Article 6(1)(f) GDPR):
Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

5.1.4 Consent (Article 6(1)(a) GDPR):
The Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes.

6. PURPOSES OF PROCESSING

6.1 We Process Personal Data for the following purposes:

6.1.1 Service Provision:
(a) to provide and maintain our services;
(b) to manage user accounts;
(c) to process transactions;
(d) to provide customer support; and
(e) to send service-related communications.

6.1.2 Legal and Regulatory Compliance:
(a) to comply with legal obligations;
(b) to maintain appropriate business records;
(c) to enforce our terms and conditions; and
(d) to handle legal claims or disputes.

6.1.3 Business Operations:
(a) to improve our services;
(b) to analyse service usage;
(c) to develop new products and services;
(d) to protect our legitimate business interests; and
(e) to maintain the security of our systems.

6.1.4 Marketing and Communications:
(a) to send marketing communications (subject to consent);
(b) to conduct market research;
(c) to measure marketing effectiveness; and
(d) to personalise user experience.

7. DATA RETENTION

7.1 We shall retain Personal Data only for as long as necessary to fulfil the purposes for which it is Processed, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

7.2 Specific retention periods:

7.2.1 Account Data:
Retained for the duration of the account plus 2 years following account closure.

7.2.2 Transaction Data:
Retained for 7 years as required by applicable tax and accounting laws.

7.2.3 Marketing Data:
Retained until consent withdrawal or opt-out.

7.2.4 Technical Data:
Retained for 12 months from collection.

7.2.5 Legal Claims:
Retained for the applicable statute of limitations period.

8. DATA SECURITY

8.1 We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

8.1.1 Technical Measures:
(a) encryption of Personal Data in transit and at rest;
(b) access controls and authentication systems;
(c) firewalls and intrusion detection systems;
(d) regular security assessments and penetration testing;
(e) secure backup systems; and
(f) disaster recovery procedures.

8.1.2 Organisational Measures:
(a) information security policies and procedures;
(b) staff training on data protection;
(c) access restriction protocols;
(d) data protection impact assessments;
(e) incident response procedures; and
(f) regular compliance audits.

9. INTERNATIONAL TRANSFERS

9.1 We may transfer Personal Data to countries outside the European Economic Area (“International Transfer”) only where:

9.1.1 the European Commission has issued an adequacy decision pursuant to Article 45 GDPR;

9.1.2 appropriate safeguards are in place pursuant to Article 46 GDPR, including:
(a) Standard Contractual Clauses;
(b) Binding Corporate Rules; or
(c) approved Codes of Conduct or certification mechanisms;

9.1.3 specific derogations under Article 49 GDPR apply.

10. DATA SUBJECT RIGHTS

10.1 Data Subjects have the following rights under Applicable Data Protection Law:

10.1.1 Right of Access (Article 15 GDPR):
The right to obtain confirmation of Processing and access to Personal Data.

10.1.2 Right to Rectification (Article 16 GDPR):
The right to rectification of inaccurate Personal Data.

10.1.3 Right to Erasure (Article 17 GDPR):
The right to erasure of Personal Data in certain circumstances.

10.1.4 Right to Restriction (Article 18 GDPR):
The right to restrict Processing in certain circumstances.

10.1.5 Right to Data Portability (Article 20 GDPR):
The right to receive Personal Data in a structured format and transmit it to another controller.

10.1.6 Right to Object (Article 21 GDPR):
The right to object to Processing based on legitimate interests or direct marketing.

10.1.7 Rights Related to Automated Decision Making (Article 22 GDPR):
The right not to be subject to automated decision-making, including profiling, producing legal effects.

10.2 Exercise of Rights:

10.2.1 Data Subjects may exercise their rights by:
(a) emailing our DPO at dpo@royalkey.com;
(b) writing to us at our registered address; or
(c) using any specific tools we provide for this purpose.

10.2.2 We shall respond to requests without undue delay and within one month of receipt, extendable by two further months where necessary.

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 We use cookies and similar tracking technologies in accordance with our Cookie Policy.

11.2 Users may control cookies through their browser settings.

12. CHILDREN’S PRIVACY

12.1 Our services are not directed to children under 16 years of age.

12.2 We do not knowingly collect Personal Data from children under 16.

12.3 Parental consent is required for Processing children’s Personal Data where applicable.

13. CHANGES TO THIS POLICY

13.1 We reserve the right to update this Policy at any time.

13.2 Material changes will be notified to Data Subjects through appropriate channels.

13.3 Continued use of our services following such changes constitutes acceptance of the updated Policy.

14. COMPLAINTS AND SUPERVISORY AUTHORITY

14.1 Data Subjects have the right to lodge a complaint with a supervisory authority.

14.2 The lead supervisory authority for the Company is:

Data State Inspectorate (Datu valsts inspekcija)
Elijas Street 17
Riga, LV-1050
Latvia
Phone: +371 67223131
Email: pasts@dvi.gov.lv
Website: www.dvi.gov.lv

15. GOVERNING LAW AND JURISDICTION

15.1 This Policy shall be governed by and construed in accordance with the laws of the Republic of Latvia.

15.2 Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of Latvia.

16. CONTACT INFORMATION

16.1 Questions, comments and requests regarding this Policy should be addressed to:

Data Protection Officer
SIA ROYAL KEY BALTIC GROUP
Email: dpo@royalkey.com
Address: Rīga, Vaidavas iela 6 k-2 – 26, LV-1084, Latvia

IN WITNESS WHEREOF, this Policy has been duly implemented and published by the Company on the date first written above.

For and on behalf of
SIA ROYAL KEY BALTIC GROUP