Privacy policy

PRIVACY POLICY 

Effective date: 4 November 2025

1. DATA CONTROLLER

The controller of the website https://zoddiak.com and of the personal data processed therein is:

• Legal entity name: Association Zoddiak
 • Legal entity code: 307189478
 • Registered office address: Gabijos g. 63-19, LT-06102 Vilnius
 • Email address for data protection matters: [email protected]

In this Privacy Policy, the legal entity is referred to as “Association Zoddiak”, “Zoddiak”, “we” or “the controller”, and the natural person whose data we process is referred to as “you”, “the user” or “the data subject”.

We ensure that your personal data is processed in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), the Republic of Lithuania Law on Legal Protection of Personal Data and other applicable legal acts.

At present, we do not appoint a data protection officer, as there is no legal obligation to do so under Article 37 GDPR. Should we appoint such an officer, we will update this information in this Privacy Policy.

2. WHAT PERSONAL DATA DO WE PROCESS AND FOR WHAT PURPOSES?

2.1. General provisions

Personal data means any information relating to an identified or identifiable natural person, such as name, surname, email address, telephone number, IP address and other information.

We process only the personal data that is necessary to achieve explicitly defined purposes and only for as long as is necessary for those purposes (principles of data minimisation and storage limitation).

2.2. Purposes of processing, categories of data, legal bases and retention periods

For the sake of transparency, the main purposes and conditions of personal data processing are set out below:

Registration for and participation in events:

  • Data collected: name, surname, email address, telephone number (if provided), information about the selected event/programme, number of participants, fact of participation.
  • Legal basis: conclusion and performance of a contract (Art. 6(1)(b) GDPR) – without these data we are unable to register you and ensure your participation.
  • Retention period: until the end of the event + 3 months (for organisational purposes and prevention of disputes).

Conclusion and performance of contracts with partners, sponsors, volunteers and other service providers:

  • Data collected: contact details (name, surname, email address, telephone number), position, represented organisation, contract details.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR) – our interest in properly managing cooperation relationships.
  • Retention period: for the duration of the contract and up to 10 years after its termination (in order to defend legal claims).

Direct marketing (newsletters, information about events and programmes, etc.):

  • Data collected: email address, name, surname (if provided), your preferences regarding areas of interest.
  • Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time by clicking the link at the bottom of the email or by contacting us.
  • Retention period: 10 years from the granting of consent or until you withdraw consent (whichever occurs earlier).

Accounting:

  • Data collected: name, surname, personal/company details, payment information, invoice data.
  • Legal basis: legal obligation (Art. 6(1)(c) GDPR) and applicable Lithuanian legislation (e.g. Law on Accounting, Law on Tax Administration).
  • Retention period: at least 10 years in accordance with the requirements of Lithuanian law.

Administration of enquiries:

  • Data collected: your name, surname (if provided), email address, telephone number, content of the enquiry and related correspondence.
  • Legal basis: legitimate interests (Art. 6(1)(f) GDPR) – our interest in responding to your questions, ensuring communication and improving our services.
  • Retention period: up to 1 year after the last communication, unless a longer period is necessary to defend legal claims.

Website functionality (essential cookies):

  • Data collected: IP address, browser type, session ID, date and time of visit, selected language, privacy/cookie settings.
  • Legal basis: legitimate interests (Art. 6(1)(f) GDPR) – our interest in ensuring the technical operation, security and provision of services of the website. No consent is required for such cookies.
  • Retention period: until the end of the session or a short reasonable period necessary for website functionality and security.

Website statistics, analysis and improvement (e.g. Google Analytics, if used):

  • Data collected: IP address (in truncated form, where applicable), device type, browsing history on the website, actions on pages.
  • Legal basis: your consent to analytical cookies (Art. 6(1)(a) GDPR) – consent is given via the cookie settings window (banner).
  • Retention period: up to 2 years from the granting of consent or shorter, depending on the duration of specific cookies.

Compliance with legal requirements and dispute resolution:

  • Data collected: any of the above data that are necessary for a specific dispute or claim.
  • Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interests (Art. 6(1)(f) GDPR) – our interest in defending our rights and interests.
  • Retention period: until the expiry of the statutory limitation period for claims.

Legitimate interests. Whenever we process data on the basis of legitimate interests, we always carry out a balancing test to ensure that our interests do not override your legitimate rights and freedoms. Upon request, you may obtain more information about a specific legitimate-interest assessment.

3. COOKIES AND OTHER TRACKING TECHNOLOGIES

Our website uses cookies and similar technologies (e.g. local storage, etc.):

Essential cookies – necessary for the website to function, to ensure security and to implement your chosen functions (e.g. language selection, login session). They cannot be disabled and no consent is required.
 • Analytical and marketing cookies – help us understand how the website is used, improve content and, where applicable, display relevant information or advertisements. These cookies are used only with your prior consent.

On your first visit to our website, a cookie settings window (banner) is displayed, where you can:

  1. select “Accept all”;
  2. select “Reject all” non-essential cookies (or “Essential only”);
  3. open “Settings”, where you can individually select the categories of cookies to which you consent.

Your consent is not pre-ticked. Pre-checked boxes are prohibited by the case-law of the Court of Justice of the European Union; therefore, no analytical or marketing technologies will be activated without your active choice.

You can change your choices at any time by clicking the “Cookie settings” link at the bottom of the website.

More detailed technical information about specific cookies (name, provider, duration and category) may be provided in a separate Cookie Policy, which you can find on a dedicated page, if available.

4. SOURCES OF YOUR PERSONAL DATA

We usually obtain personal data:

Directly from you, when you:

  • visit our website;
  • fill in registration or contact forms;
  • write to us by email or other communication channels;
  • enter into a contract or cooperation agreement with us.

In certain cases, we may obtain data:

• from the organisation you represent (e.g. if your employer provides your contact details as a contact person);
• from publicly accessible sources (e.g. websites of organisations, public registers), where permitted by law.

5. DISCLOSURE OF DATA TO THIRD PARTIES

We do not sell your personal data and do not disclose it to third parties for the purpose of enabling them to independently offer their goods or services.

Personal data may be disclosed to:

• our IT and server service providers (website hosting, email and other IT solutions);
• email sending platforms (e.g. newsletter systems), if used;
• event/programme partners, to the extent necessary for registration for and access to the event/programme;
• auditors, lawyers, consultants, where necessary for legal or financial obligations;
• public authorities (e.g. State Tax Inspectorate, law enforcement authorities, courts), where required by law.

In all cases, we conclude data processing agreements with service providers that oblige them to protect the data and to use it only for the specified purposes.

6. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA

Certain service providers (e.g. cloud, email or analytics providers) may be established in countries outside the European Economic Area (EEA), such as the United States.

In such cases, we ensure an adequate level of data protection by relying on:

• adequacy decisions of the European Commission, or
• Standard Contractual Clauses (SCC) approved by the European Commission, supplemented, where necessary, by additional safeguards.

You may obtain information about specific transfers and the safeguards applied by contacting us using the contact details indicated in section 14 of this Policy.

7. THIRD-PARTY PERSONAL DATA

If, when completing a registration form or otherwise communicating with us, you provide personal data of other persons (e.g. colleagues, family members, “plus one”), you:

• confirm that you have informed those persons about this Privacy Policy;
• have obtained their consent to the transfer of their data to us (where consent is the legal basis).

We will assume that you are entitled to provide third-party data. If it turns out that you do not have such entitlement, please inform us without delay and we will assist you in rectifying the situation.

8. PROCESSING OF SPECIAL CATEGORIES (SENSITIVE) PERSONAL DATA

We do not seek to collect or process special categories of personal data, such as:

• data revealing racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• health data, genetic or biometric data;
• data concerning sex life or sexual orientation.

Please do not provide us with such information via the website or other channels.

If such information is nevertheless provided inadvertently, we will:

• not use it for any additional purposes;
• delete it as soon as reasonably possible, except where legal acts clearly permit or require its retention.

9. PROCESSING OF CHILDREN’S PERSONAL DATA

Minors may participate in our activities (e.g. youth events, educational programmes, etc.).

Where information society services are offered directly to a child, the processing of the child’s personal data based on consent is lawful under the Republic of Lithuania Law on Legal Protection of Personal Data if the child is at least 14 years old.

Accordingly:

• if the child is 14 years of age or older, he/she may independently give consent to the processing of his/her data for information society services;
 • if the child is under 14 years of age, we generally require the consent of a parent or guardian where processing is based on consent.

If we become aware that we have received a child’s data without the required parental/guardian consent, we will take steps to delete such data or to suspend its processing, except where legal acts permit or require otherwise.

10. DATA SECURITY

When processing your personal data, we implement appropriate technical and organisational measures to protect the data against:

• accidental or unlawful destruction;
• loss or alteration;
• disclosure;
• unauthorised access or other unlawful processing.

Such measures include, inter alia:

• restriction of access to data on a “need-to-know” basis;
• protection of systems by passwords and other authentication measures;
• regular software updates and security patches;
• backups of data, where necessary;
• careful selection of processors and contractual obligations for them to protect the data.

Nevertheless, no method of transmission over the Internet or method of electronic storage is 100% secure, and therefore we cannot guarantee absolute security; however, we strive to minimise risks in line with current standards.

11. YOUR RIGHTS

As a data subject, you have the following rights:

  1. Right to be informed – to receive clear information about how your personal data are processed (this Privacy Policy and additional information, where necessary).
  2. Right of access to your personal data – you may request confirmation as to whether we process your data and, if so, obtain a copy of them.
  3. Right to rectification – to request the correction of inaccurate or incomplete data.
  4. Right to erasure (“right to be forgotten”), where:
    • the data are no longer necessary for the purposes for which they were collected;
    • you withdraw your consent and there is no other legal basis for processing;
    • the data are processed unlawfully;
    • in other cases provided for in the GDPR.
  5. Right to restriction of processing, for example where you contest the accuracy of the data or object to processing.
  6. Right to data portability, where:
    • we process the data on the basis of your consent or a contract, and
    • processing is carried out by automated means.
  7. Right to object to the processing of data where processing is based on our legitimate interests – in such a case we will stop processing, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or where processing is necessary for the establishment, exercise or defence of legal claims.
  8. Right to withdraw your consent at any time where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
  9. Right not to be subject to automated decision-making (including profiling), if such were applied.

We do not currently carry out automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you.

You may exercise your rights by:

• submitting a written request to us by email: [email protected];
• or via other channels indicated in our contact section.

We will respond no later than within 1 month from receipt of your request. This period may be extended by a further 2 months if the request is complex or if we have received a large number of requests; in such a case, we will inform you of any extension and the reasons for it.

Complaints to the supervisory authority

If you believe that your personal data are being processed in breach of legal requirements, you have the right to lodge a complaint with the State Data Protection Inspectorate (VDAI):

• Address: L. Sapiegos g. 17, 10312 Vilnius
• More information: on the VDAI website vdai.lrv.lt

Nevertheless, before contacting the VDAI, we encourage you to contact us first – we will seek to resolve the situation promptly and amicably.

12. IS PROVISION OF YOUR DATA MANDATORY?

Registration for events and/or programmes. If you do not wish to provide the information necessary for registration (e.g. name, surname, email address), we will be unable to register you and ensure your participation.
Accounting. If you do not provide the data that we are required to collect under legal acts (e.g. invoice details), we will be unable to issue an invoice or properly fulfil our legal and tax obligations.
Direct marketing. Receipt of newsletters and other direct marketing is entirely voluntary – you will not receive them if you do not provide your consent.
Enquiries and communication. If you do not provide contact details, we may simply be unable to respond to your enquiry.

In certain cases (e.g. financial accounting, taxes), the provision of data may be a legal requirement. In such cases, we will inform you separately if failure to provide the data will entail specific legal consequences.

13. SCOPE AND AMENDMENTS OF THIS PRIVACY POLICY

This Privacy Policy applies when:

• you visit the website https://zoddiak.com;
• you complete our forms or register for events or programmes;
• you communicate with us by email or other communication channels;
• you are our partner, supplier, sponsor, volunteer or otherwise related person.

We may periodically update this Privacy Policy, for example where legal acts change or the nature of our activities changes.

• The updated Policy will be published on our website, indicating the latest effective date at the top.
• In the event of material changes (e.g. new processing purposes, new categories of data), we will, where possible, inform you additionally (e.g. by email or website notifications).

We recommend that you periodically review this Privacy Policy and familiarise yourself with its latest version.

14. CONTACT DETAILS

If you have any questions regarding this Privacy Policy or wish to exercise your rights, please contact us:

• Email: [email protected]
• Address: Gabijos g. 63-19, LT-06102 Vilnius.

We will strive to respond and resolve your questions promptly and transparently.