Privacy Policy

Last updated: February 21, 2026

This Privacy Policy explains how Ernesta NT collects, uses, and protects personal data when you use this website and related services.

We process personal data in line with Regulation (EU) 2016/679 (GDPR), the Republic of Lithuania Law on Legal Protection of Personal Data, and other applicable legal requirements.

1. Data Controller

  • Controller: Ernesta Garmienė
  • Address: Filaretu g., Vilnius, Lithuania
  • Email: [email protected]
  • Phone: +37069871509

A Data Protection Officer is not appointed for the current scope of processing.

2. Scope

This Policy applies to:

  • Visitors of public website pages.
  • People submitting reviews through the public review form.

3. Personal Data We Process

3.1 Data you provide

  • Review form data: name, email address, and review text.
  • Contact data and message details when you contact us by phone or email.

3.2 Data collected automatically

  • Technical and usage data such as browser or device metadata, visited pages, and timestamps.
  • IP address: collected during CAPTCHA verification and forwarded to Cloudflare Turnstile for bot prevention. Your IP address is not permanently stored by us.
  • Functional cookie sidebar_state used to store sidebar open or collapsed state for up to 7 days.

4. Purposes and Legal Bases

  • Website operation and service functionality: GDPR Article 6(1)(f) (legitimate interest in providing a functional website).
  • Review handling, moderation, and publication: GDPR Article 6(1)(a) (consent, as reviews are submitted voluntarily) and Article 6(1)(f) (legitimate interest in publishing authentic reviews).
  • Security and abuse prevention, including Turnstile verification: GDPR Article 6(1)(f), and where required, Article 6(1)(c).
  • Compliance with legal obligations and legal claims handling: GDPR Article 6(1)(c) and Article 6(1)(f).

Where consent is the legal basis (for example, review submissions), you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. Cookies and Similar Technologies

We currently use:

  • Necessary functional cookie: sidebar_state (up to 7 days).
  • Third-party security cookies set by Cloudflare as part of bot protection (for example, cf_clearance and __cf_bm). These are strictly necessary for security purposes and are governed by Cloudflare's privacy policy.

You can control cookies in browser settings. If additional non-essential cookies are introduced in the future, we will request consent before activation.

6. Data Recipients and Processors

Personal data may be shared with processors only when required for service delivery and security, including:

  • Cloudflare Turnstile for bot and abuse prevention.
  • BunnyCDN for image delivery and content distribution.
  • Axiom for logging and monitoring.

We may also disclose personal data where required by law or lawful public authority request.

7. International Transfers

Some providers may process data outside Lithuania or the EEA. In such cases we apply GDPR transfer safeguards, such as adequacy decisions or Standard Contractual Clauses.

8. Retention

Data is retained only as long as needed for the purposes in this Policy, or as required by law. Review submissions are kept for moderation and publication management. Technical and security logs are kept for limited periods needed for security and troubleshooting.

9. Data Sources

  • Directly from you (for example, review form entries).
  • From your browser, device, and network metadata.
  • From technical providers used for security and authentication.

10. If You Do Not Provide Data

Providing some data is optional, but some data is required for specific features. For example, if the required review form data or the verification token is not provided, the review cannot be submitted.

11. Your GDPR Rights

  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restriction of processing.
  • Right to object to processing based on legitimate interests.
  • Right to data portability where applicable.
  • Right to withdraw consent where consent is the legal basis.
  • Right to lodge a complaint with a supervisory authority.

To exercise these rights, contact [email protected]. We may request additional information to verify your identity.

12. Children

This website is not intended for children. For consent-based information society services in Lithuania, the age threshold is 14. If we learn that data has been processed without required authorization, we will delete it.

13. Automated Decision-Making

We do not use automated decision-making, including profiling, that has legal or similarly significant effects.

14. Third-Party Links

Our website may contain links to third-party websites. Their privacy practices are governed by their own notices.

15. Updates

We may update this Policy from time to time. Changes are posted on this page with a new "Last updated" date.

16. Contact and Complaints

For privacy questions or complaints, contact [email protected]. You also have the right to contact the State Data Protection Inspectorate of the Republic of Lithuania.

© 2026 Ernesta Garmienė