PRIVACY POLICY

This Privacy Policy sets out the principles governing the processing of personal data by UAB SUPERBOX (legal entity code 303012459), registered at Parko g. 11, LT-54434 Lapės, Kaunas district (hereinafter – Company).

The provisions of this Privacy Policy apply to natural persons whose data is processed by the Company, including:

  • clients who use, have used, have expressed an intention to use, or are otherwise connected to the goods and/or services offered by the Company (hereinafter – Clients);
  • individuals who contact the Company by providing information, suggestions, requests, or demands, either directly or via remote communication means, including but not limited to phone or email;
  • individuals who visit the Company’s websites and use the services provided through those websites.

Definitions

The terms and abbreviations used in this Privacy Policy have the following meanings:

  • Personal data – any information related to a natural person that can directly or indirectly identify that person (e.g., name, surname, contact details, etc.).
  • Data subject / Individual – a natural person whose data is being processed (e.g., the Company’s clients, suppliers, individuals who contact the Company by submitting inquiries, information, suggestions, requests, demands, as well as users of the Company’s website, self-service portals, and other websites/mobile applications managed by the Company).
  • Data processing – any operation performed on Personal data (e.g., collection, recording, storage, granting access, transfer, etc.).
  • Goods – all products offered or sold by the Company.
  • Services – any services provided by the Company.
  • Company client – any person who has purchased the Company’s goods or services, placed an order, or has an active account on the Company’s website.

Other terms used in this Privacy Policy shall be understood as defined in the legal acts regulating the protection of personal data, including the General Data Protection Regulation (EU) 2016/679 (hereinafter – the Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other applicable legislation.

Purposes and Legal Grounds for Personal Data Processing

The Company processes Personal Data only for specific purposes, based on the legal grounds established by applicable legislation:

  • when data processing is necessary to conclude and/or perform a contract with the individual, fulfill an order, sell Goods, provide Services, or offer consultations;
  • when the individual has given consent for their data to be processed for one or more specific purposes;
  • when the Company is required to process Personal Data in order to comply with legal obligations;
  • when Personal Data must be processed to pursue the Company’s legitimate interests.

Main Purposes for Processing Personal Data by the Company:

  • Sale of Goods and Provision of Services; Fulfillment of Client Orders to Produce and Sell Goods, and Provide Services; Conclusion and Execution of Contracts for the Production and Sale of Goods or Provision of Services. The Company processes personal data to ensure the proper sale of Goods, provision of Services, and the conclusion and execution of contracts with Clients, including relevant communication with the Client concerning the Goods, Services, and the contract. The legal basis for processing is the performance of a contract or legal obligations.
  • Preparation of Commercial Offers. The Company processes personal data to provide the Client with a commercial offer for the Goods or Services they wish to purchase, including offers generated via the Company’s website.
  • Payment Administration. The Company processes personal data related to payments for the Goods and Services provided, based on the requirements of the contract and applicable legislation.
  • Debt Management. In the event of debt, the Company processes personal data related to the outstanding balance and undertakes debt recovery actions, based on the contract, legal requirements, and the Company’s legitimate interest.
  • Consultation and Inquiry Handling. The Company processes personal data in the course of providing consultations and handling submitted inquiries or complaints, based on the e-shop terms of purchase, contract, consent, or legal requirements.
  • Consultation and Inquiry Handling via the Company’s Facebook Page. For the purpose of managing inquiries, the Company may collect the following personal data of the person contacting it: the name of the individual’s social media profile, profile photo, first name, last name, phone number, email address, other information necessary for processing the inquiry, and the subject and content of the inquiries. This personal data will be processed based on the individual’s request for a response (consent) and/or for the purpose of contacting the person. The submitted data will be stored for the duration of the contract and for 5 years after the contract ends. If there is no contractual relationship, the data will be stored as long as the Company actively uses its social media account, unless the individual deletes the data themselves (or requests the Company to delete it) earlier. When a person submits personal data through an inquiry, that data becomes accessible to Facebook (Meta Platforms Ireland Limited). Information on how Facebook processes such data can be found in Facebook’s privacy policy.
  • Direct Marketing and Customer Experience Evaluation. The Company may process personal data (first name, last name, email address, email interaction data) to provide profiled offers and news about its Goods and Services, information about ongoing events, and to inquire about the quality of Goods and Services. This data is processed and communications are sent to the individual only if the individual has given consent for direct marketing and profiling. For profiling purposes, in order to identify whether the information sent is relevant to the Client and to offer content tailored to the Client’s needs, the Company may process information about the interaction with sent marketing emails (e.g., whether the message was opened, when, and how many times). For the purpose of direct marketing, personal data will be processed as long as the individual remains a Client of the Company or until the consent is withdrawn, whichever comes first. You can withdraw your consent or change your settings at any time by logging into your self-service account at superbox.lt, superbox.lv, superbox.ee, superbox.fi, superbox.dk, superboxfactory.de, by emailing privacy@superbox.lt, or by calling +370 666 21299 (English). You may also express your preferences by visiting the Company’s office or by clicking the “Unsubscribe” link in a marketing email.
  • Protection of the Company’s Legitimate Interests in Case of Disputes. The Company may process Personal Data in order to defend or safeguard its legitimate interests or claims in the event of a dispute, and to retain evidence, for example, as evidence of granted or withdrawn consent.
  • Credit and Risk Assessment. With the Client’s consent, the Company may process Personal Data to assess credit risk and determine which Goods and Services, and under what conditions, the Company can offer to the Client.
  • Safety of Individuals and Property. In order to ensure the safety of its employees, Clients, other individuals appearing in video surveillance, and its assets and premises, the Company may carry out video surveillance based on legal requirements or its legitimate interest.
  • Aggregate Statistics. The Company processes non-personalized aggregate statistics on interactions with marketing emails sent to Clients, in order to manage Client traffic in customer service channels and to evaluate the effectiveness of email communication. For this purpose, the Company does not process any Personal Data or other information that could identify a Client as a specific individual. Aggregate statistical data has no legal or similarly significant impact on Clients.
  • Other Purposes. The Company may also process Personal Data for other purposes, if it has received the individual’s consent, is required to do so by law, or has the right to do so based on a legitimate interest.

In all the cases mentioned above, the Company processes Personal Data only to the extent necessary to achieve the specific and lawful purposes, in compliance with personal data protection requirements.

Scope (Categories) of Processed Personal Data

The main categories of Personal Data processed by the Company for the above-mentioned purposes and legal grounds include:

  • Identity data – name, surname.
  • Contact details – address, phone number, email address.
  • Data related to the provision of Goods and Services, contract conclusion and performance – contract details, order information, files required to fulfill the order, which the Company receives through direct communication with individuals, via self-service platforms, or remote communication tools (phone, email, mobile applications), etc.
  • The Company may process individuals’ phone numbers to deliver verification codes (e.g., for registration, login, order confirmation, or other authentication needs). In such cases, data is processed for contract performance or based on the Company’s legitimate interest – to ensure identity verification and data security.
  • Data related to the use of the Company’s self-service website or mobile application – information provided when creating an account and using the Company’s self-service website or app (such as IP address and device type, as well as usage data).
  • Payment data – amounts payable to the Company, outstanding debts, payment history, etc.
  • Financial data – information about third-party obligations and debts, where the Company evaluates a Customer’s creditworthiness before offering Goods and Services.
  • Audio and video recordings – video footage recorded at the Company’s premises, call recordings, etc.
  • Cookie data – information about the individual’s approximate location (at city level), preferences, behavior on the Company’s website or self-service portal, interests, etc. (for more details, see the Company’s Cookie Policy).
  • Other data processed by the Company in accordance with the legal grounds established by applicable laws.  

Collection of Personal Data

The Company processes Personal Data provided directly by individuals. Data is collected when customers purchase Goods from the Company or use the Services provided by the Company (e.g., use the online packaging configurator, place an order via the electronic platform), or when the Company receives data from other sources (e.g., public or private registries) or third parties, to the extent necessary and based on a contract, consent, legal obligation, or the Company’s legitimate interest.

Disclosure of Personal Data

The Company may disclose processed Personal Data to the following categories of recipients in accordance with applicable legal requirements:

  • Service Providers. The Company may transfer processed Personal Data to third parties acting on behalf of and/or under the instructions of the Company, providing services such as parcel delivery, freight transport, customer service, software maintenance, design, construction, accounting, payment administration, correspondence delivery, and other services necessary for the proper production, sale, management, and development of the Company’s Goods and Services. In such cases, the Company takes necessary measures to ensure that the engaged service providers (data processors) process the provided Personal Data only for the purposes for which they were shared, applying appropriate technical and organizational security measures, and in accordance with the Company’s instructions and applicable legal requirements.
  • Public Authorities, Law Enforcement, and Supervisory Institutions. The Company may provide processed Personal Data to public or law enforcement authorities (e.g., the police) and supervisory institutions (e.g., the State Tax Inspectorate), where required by applicable legal acts or to protect the Company’s or third parties’ legitimate interests.
  • Debt Collection Entities and Shared Databases. If the Client fails to fulfill payment obligations under the Agreement in a timely and proper manner, and the Company has informed the Client at least 30 calendar days in advance, the Company has the right to provide the Client’s Personal Data to controllers of joint debtor databases, debt collection companies, courts, notaries, and bailiffs.
  • Other Third Parties. The Company may transfer Personal Data to other data recipients based on legitimate grounds defined in legal acts.

As a rule, the Company stores Client data within the territory of the European Union or the European Economic Area (EU/EEA). If there are cases where Client data must be transferred outside the EU/EEA, such transfers are made only if at least one of the following conditions is met:

  • The European Commission has recognized that the country to which the data is transferred ensures an adequate level of Personal Data protection;
  • A data processing agreement has been concluded under the European Commission’s standard contractual clauses;
  • Codes of conduct are followed, and other safeguards under the Regulation are applied.

Data Retention

Purpose of Personal Data Processing – Retention Period

  • Processing of callers’ Personal Data for consultation and inquiry resolution purposes – 2 months from the date of the call recording. Note: if the inquiry relates to the performance of a contract, the information is retained for the full duration of the contract and an additional 5 years after its termination.
  • Processing of Clients’ Personal Data for direct marketing and for the purpose of defending the Company’s legitimate interests in case of disputes (e.g., as proof of consent or withdrawal of consent) – Until the consent expires and for 3 years after consent expiration for the purpose of defending the Company’s legitimate interests in case of disputes (e.g., as proof of consent or withdrawal of consent).
  • Processing of Clients’ Personal Data for the purpose of contract execution – Throughout the validity of the contract and for 5 years after its termination.

The Company processes Personal Data for no longer than is required to achieve the specified purposes of data processing or as provided by applicable legislation if a longer retention period is prescribed.

To determine data retention periods, the Company applies criteria that comply with legal obligations and takes into account the rights of the individual—for example, it sets a data retention period during which claims related to contract execution could potentially be made, if any arise.

Applied Security Measures

The Company ensures the confidentiality of Personal Data in accordance with applicable legal requirements and implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, accidental loss, alteration, destruction, or other unlawful processing.

Automated Decision-Making and Profiling

The Company does not process Personal Data through automated individual decision-making as defined in Article 22 of the Regulation. The Company only performs profiling (i.e., automated processing of personal data used to evaluate certain personal aspects related to a natural person); however, such profiling does not produce legal effects or similarly significant consequences for the individuals.

Profiling is used to manage the distribution of irrelevant marketing offers by categorizing Clients based on the types of Products purchased, Services used, payment methods, and similar criteria.

Rights of Individuals

An individual may contact the Company to exercise the following rights:

  1. To access their Personal Data processed by the Company.
  2. To request the correction of inaccurate, incomplete, or incorrect Personal Data.
  3. To request the deletion of Personal Data or the suspension of processing (except for storage) if such processing violates applicable legal requirements or if the data is no longer necessary for the purposes for which it was collected or otherwise processed.
  4. To receive their Personal Data, which they have provided to the Company themselves, in a structured, commonly used, and machine-readable format.
  5. To request the deletion of Personal Data when it is processed in violation of applicable laws or is no longer necessary to achieve the purposes for which it was collected or otherwise processed.
  6. To restrict the processing of their Personal Data in accordance with applicable laws, for example, during the period in which the Company assesses whether the individual has the right to request data deletion.
  7. To object to the processing of their Personal Data and/or, where processing is based on consent, to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Consent for direct marketing may be withdrawn by emailing privacy@superbox.lt, calling customer service at +370 666 21299 (in English), via the self-service portal, or by clicking “unsubscribe” in the received newsletter.

Exercising Individual Rights

Individuals may contact the Company regarding the processing of their Personal Data at Raudondvario pl. 150, LT-47174, Kaunas, by phone: +370 666 21299 (in English), or by email at: privacy@superbox.lt.

The contact details of the Company’s Data Protection Officer: privacy@superbox.lt.

To exercise their rights under the Regulation, an individual must submit a request using the form approved by the Company. The request may be submitted in person, by post, through a representative, or by electronic means.

When submitting a request, the individual must confirm their identity:

  • If submitted in person: the individual must present a valid identity document to an employee of the Company responsible for customer service.
  • If submitted by post: a notarized copy of an identity document must be enclosed with the request.
  • If submitted through a representative: the representative must provide their full name, address, and contact details, as well as the full name and personal ID number of the represented individual. A notarized copy of the representative’s identity document and a document proving representation (or a copy certified in accordance with applicable laws) must also be submitted.
  • If submitted electronically: the request must be signed with a qualified electronic signature or submitted through electronic means ensuring data integrity and authenticity.

The Company may refuse to act on a request if it is clearly unfounded or excessive.

The Company will respond to the request no later than within one month from the date of receipt, providing information about the actions taken in accordance with Articles 15–22 of the Regulation. If necessary, this period may be extended by an additional two months, considering the complexity and number of requests. The Company will notify the individual within one month if the period is extended, stating the reasons for the extension.

The Company has the right to refuse to provide the requested information if:

  • The Personal Data was collected directly from the individual and this information has already been provided.
  • The Personal Data was not collected directly from the individual.
  • Providing the requested information is impossible or would require disproportionate effort.
  • The Personal Data must remain confidential due to professional secrecy obligations regulated by European Union or Lithuanian law.

If an individual is unable to resolve issues related to the Company’s processing of their Personal Data and/or their rights, they have the right to lodge a complaint with the State Data Protection Inspectorate.

Obligations of Individuals

By submitting their personal data to the Company, individuals confirm that they have properly read and understood the terms and conditions of personal data processing outlined in this Privacy Policy, do not object to the Company processing the personal data provided, and that the data and information submitted are accurate and truthful. The Company is not liable for the submission or processing of excessive data if such data is provided due to the individual’s own carelessness.

The individual undertakes to inform the Company of any changes to the submitted data or other related information.

Validity and Amendments of the Privacy Policy

This Privacy Policy outlines the main provisions for the processing of personal data. Additional information on how the Company processes personal data may be provided in the Company’s contracts, other documents, on the websites superbox.lt, superbox.lv, superbox.ee, superbox.fi, superbox.dk, superboxfactory.de, or via remote customer service channels (e.g. phone, email).

In the event of changes to legal requirements and/or the Company’s processes, services, etc., the Company reserves the right to unilaterally amend and/or supplement this Privacy Policy. The Company will inform about such changes by publishing an announcement on its website. In certain cases, the Company may also notify individuals of changes by email or other means.

This Privacy Policy was last reviewed and updated on 29 July 2025.