Privacy Policy

Last updated:

Identity Lab, UAB ("Company," "we," "us," or "our"), a company registered in the Republic of Lithuania under company code 306161668, with its registered office at Mileišiškių g. 66, Vilnius, Lithuania, is the data controller responsible for the processing of your personal data collected through the website soverio.id ("Website").

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Lithuanian Law on Legal Protection of Personal Data (Asmens duomenų teisinės apsaugos įstatymas), and other applicable data protection legislation.

This Privacy Policy explains what personal data we collect, why we collect it, how we process it, and what rights you have in relation to your data.

1. Data Controller

Identity Lab, UAB
Mileišiškių g. 66, Vilnius, Lithuania
Company code: 306161668

For data protection inquiries, contact us at:
Email: contact at soverio dot com

2. Personal Data We Collect

We collect personal data only when it is necessary for the purposes described in this policy. The categories of data we collect depend on how you interact with our Website.

2.1 Data You Provide Directly

When you submit our contact or demo request form, we collect:

  • Full name
  • Email address
  • Company name
  • Job title (if provided)
  • Phone number (if provided)
  • Message content and the nature of your inquiry
  • Product or service interest

2.2 Data Collected Automatically

When you visit our Website, certain data is collected automatically through cookies and similar technologies:

  • IP address (anonymized where technically feasible)
  • Browser type and version
  • Operating system
  • Referring URL (the page that linked you to our Website)
  • Pages visited on our Website and time spent on each page
  • Date and time of your visit
  • Screen resolution and device type
  • Language preference

This data is collected through Google Analytics 4 (GA4) only after you provide cookie consent. See Section 7 and our Cookie Policy for more details.

2.3 Data We Do Not Collect

We do not knowingly collect special categories of personal data (also known as sensitive data), such as data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or data concerning sex life or sexual orientation.

We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child without verified parental consent, we will take steps to delete that data promptly.

3. Purposes and Legal Bases for Processing

Under the GDPR, we must have a lawful basis for processing your personal data. The table below describes each purpose and its corresponding legal basis.

Purpose Data Processed Legal Basis (GDPR Article)
Responding to your contact or demo request Name, email, company, job title, phone, message content Article 6(1)(b) — necessary to take steps at your request prior to entering a contract
Managing customer relationships via CRM Contact form data transferred to Salesforce Article 6(1)(f) — legitimate interest in managing prospective client communications
Website analytics and performance improvement Anonymized browsing data via GA4 Article 6(1)(a) — your consent, given through the cookie consent banner
Ensuring Website security and preventing abuse IP address, access logs Article 6(1)(f) — legitimate interest in maintaining Website security and integrity
Complying with legal obligations Any data required by law Article 6(1)(c) — necessary for compliance with a legal obligation

Legitimate Interest Assessment

Where we rely on legitimate interest (Article 6(1)(f)), we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 9).

Obligation to Provide Data

The provision of personal data through the contact or demo request form is neither a statutory nor a contractual obligation. You are not required to provide your data. However, if you choose not to provide the requested information, we may be unable to respond to your inquiry or provide the requested service demonstration.

4. Data Recipients and Third-Party Processors

We share your personal data with the following categories of recipients, who process data on our behalf or for their own purposes:

4.1 Salesforce (CRM)

  • Provider: Salesforce, Inc.
  • Purpose: Processing and managing contact form submissions, customer relationship management
  • Data transferred: Name, email, company, job title, phone, message content, lead source
  • Location: Data processed within the EU/EEA under Salesforce's EU data processing arrangements
  • Legal safeguard: EU Standard Contractual Clauses (SCCs) and Salesforce's Data Processing Addendum
  • More information: Salesforce Privacy Policy

4.2 Google Analytics 4

  • Provider: Google Ireland Limited (for EEA users)
  • Purpose: Website analytics, understanding how visitors interact with the Website
  • Data transferred: Anonymized browsing data, device information, pages visited
  • Data processing: Google processes analytics data on servers that may be located outside the EEA
  • Legal safeguard: EU-US Data Privacy Framework (where applicable), Standard Contractual Clauses, Google's Data Processing Amendment
  • IP anonymization: GA4 does not log or store full IP addresses for EEA users
  • Consent: GA4 is loaded only after you provide explicit cookie consent
  • More information: Google Privacy Policy

4.3 Web Hosting Provider

  • Provider: UAB Progresyvūs sprendimai (company code: 125641196, VAT: LT256411917)
  • Address: J. Savickio g. 4, Vilnius, Lithuania
  • Purpose: Hosting and serving the Website
  • Data processed: Server access logs (IP address, date/time, pages requested, HTTP status codes)
  • Location: EU/EEA (Lithuania)
  • Retention: Access logs are retained for 30 days for security and diagnostic purposes
  • Legal safeguard: Data Processing Agreement in place with the hosting provider

We do not sell, rent, or trade your personal data to third parties.

5. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically in connection with the third-party services listed in Section 4.

When such transfers occur, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Transfers to countries with an EU adequacy decision (Article 45 GDPR)
  • Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR)
  • Binding Corporate Rules where applicable (Article 47 GDPR)

You may request a copy of the safeguards in place by contacting us at contact at soverio dot com .

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law.

Data Category Retention Period Justification
Contact form submissions 24 months from last interaction Necessary for customer relationship management and follow-up
CRM records (Salesforce) Duration of business relationship + 24 months Legitimate interest in maintaining client history
Website analytics data (GA4) 14 months (GA4 default) Analytics retention setting configured in GA4
Server access logs 30 days Website security and diagnostic purposes
Cookie consent records 12 months Compliance with ePrivacy Directive — demonstrating valid consent

After the retention period expires, personal data is securely deleted or anonymized so that it can no longer be associated with you.

7. Cookies and Tracking Technologies

Our Website uses cookies — small text files placed on your device — to ensure the Website functions properly and to analyze Website usage.

We categorize cookies as follows:

  • Strictly necessary cookies: Required for the Website to function. These do not require consent.
  • Analytics cookies: Used to understand how visitors interact with the Website (Google Analytics 4). Loaded only after you provide consent.

You can manage your cookie preferences at any time through the cookie consent banner on our Website or by adjusting your browser settings.

For a complete list of cookies, their purposes, and retention periods, please refer to our Cookie Policy.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in compliance with Article 32 of the GDPR. These measures include:

  • HTTPS/TLS encryption for all data transmitted between your browser and our Website
  • Content Security Policy (CSP) headers to mitigate cross-site scripting attacks
  • Rate limiting and bot protection on form submissions to prevent abuse
  • Access controls and authentication for our internal systems and CRM
  • Regular security reviews of our Website and hosting infrastructure

We maintain Records of Processing Activities (ROPA) in accordance with Article 30 of the GDPR, documenting all categories of processing carried out under our responsibility.

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 of the GDPR before commencing such processing.

While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to:

  • Notifying the relevant supervisory authority of any personal data breach within 72 hours of becoming aware of it, as required by Article 33 of the GDPR
  • Notifying affected data subjects without undue delay where a breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR

9. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at contact at soverio dot com .

Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about how it is processed.

Right to rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (Article 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, you withdraw consent, or the data has been unlawfully processed.

Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.

Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to object (Article 21): You have the right to object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can withdraw cookie consent by using the cookie settings on our Website.

Right not to be subject to automated decision-making (Article 22): We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

Response Timeframe

We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any extension within one month of receipt.

No Fee Required

Exercising your rights is free of charge. However, we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, particularly if they are repetitive.

Identity Verification

To protect your personal data, we may ask you to verify your identity before processing your request.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority.

The supervisory authority for Lithuania is:

State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
L. Sapiegos g. 17, 10312 Vilnius, Lithuania
Phone: +370 5 271 2804
Email: ada@ada.lt
Website: https://vdai.lrv.lt

You also have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated policy on this page with a revised "Last updated" date.

For material changes that significantly affect how we process your personal data, we will provide notice through a prominent announcement on the Website or, where appropriate, by direct communication.

We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how we handle your personal data, please contact us:

Identity Lab, UAB
Mileišiškių g. 66, Vilnius, Lithuania

Email: contact at soverio dot com
Website: soverio.id