Privacy Policy
of SIA “LUUT”
Effective date: 26 February 2026
This Privacy Policy describes how SIA “LUUT”, unified registration No. 40203382432, VAT No. LV40203382432, legal address: Baznīcas iela 13-17, Rīga, LV-1002, Latvia (hereinafter — the “Company” or “we”) collects, uses, stores, and protects the personal data of its customers, business partners, their employees, website visitors, candidates, and other natural persons (hereinafter — “you” or “Data Subject”).
This Policy applies whenever the Company, either alone or jointly with its cooperation partners, processes personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Latvian data protection laws.
1. Definitions
Controller — a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor — a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Personal Data — any information relating to an identified or identifiable natural person (Data Subject).
Data Subject — an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, e-mail address, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing — any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
Customer — any natural or legal person who uses, has used, or has expressed a wish to use any services provided by the Company, or is in any other way related to them.
Cooperation Partner — any natural or legal person with whom the Company collaborates on joint projects or whose objectives are shared by the Company.
Candidate — any natural person who has applied for a position, who has been contacted by the Company via professional social media platforms, or who has provided personal information to a recruitment agency in connection with the Company.
2. General Provisions
2.1. This Policy describes the procedure by which the Company handles personal data that comes into its possession. Depending on the legal basis of data processing, the Company may act as a Controller, a Processor, or a Third Party.
2.2. The Company ensures the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing or disclosure, accidental loss, alteration, or destruction.
2.3. When the Company acts as a Controller of personal data, it determines the purposes and means of personal data processing.
2.4. When the Company acts as a Processor, it processes personal data on behalf of the Controller in accordance with the Controller’s instructions.
2.5. The Company may engage approved sub-processors for personal data processing. In such cases, the Company ensures that sub-processors process personal data in accordance with the Company’s instructions, applicable laws, and appropriate security measures.
2.6. If the Company updates this Policy, the current version will be published on the Company’s website at luut.design.
3. How We Obtain Your Personal Data
We may obtain your personal data in the following ways:
You provide your data to us directly (e.g., via contact forms, e-mail, or during meetings);
We receive your data from our Customers or Cooperation Partners;
We receive your data from third parties (e.g., recruitment agencies);
Your data is available in public sources (social media, professional networks, your workplace website, etc.);
You visit our website (see our Cookie Policy for details);
You participate in business networking, events, or contact us through professional social media platforms such as LinkedIn;
You apply for our services using registration or inquiry forms on our website.
Where the Company obtains data from another Controller, the responsibility for informing the Data Subject rests with that Controller.
4. Categories of Personal Data We May Process
Depending on the nature of our relationship and the data processing purpose, we may process the following categories of personal data:
Identification data — name, surname, personal identification number/ID, date of birth;
Contact information — address, e-mail address;
Professional data — workplace, position held, experience, education, professional skills, portfolio, and recommendations;
Website usage data — IP address, browser type, pages visited, date and time of access, device identifiers, and other diagnostic data;
Data from social media profiles that are publicly available or shared with us;
Communication data — content of correspondence between you and us;
Other data that the Company processes within the framework of various projects as Controller, Processor, or authorised Third Party.
The specific data processed depends on the services provided, the nature of our cooperation, and the applicable legal basis.
5. Legal Basis for Data Processing
We process personal data based on one or more of the following legal grounds under the GDPR:
5.1. Performance of a Contract (Art. 6(1)(b) GDPR)
Processing is necessary in order to conclude and perform an agreement with the Customer or Cooperation Partner, to deliver services, and to verify service quality.
5.2. Legitimate Interests (Art. 6(1)(f) GDPR)
Processing is necessary for the legitimate interests of the Company, including providing high-quality services and timely support, business development, direct marketing (informing about industry news, new services, and individually prepared offers), and defending the Company’s legal rights. You have the right to object to processing based on legitimate interests at any time.
5.3. Legal Obligations (Art. 6(1)(c) GDPR)
Processing is necessary to comply with applicable laws and regulations, including tax obligations, accounting requirements, and responses to lawful requests from state or local government authorities.
5.4. Consent (Art. 6(1)(a) GDPR)
Processing is based on your free and informed consent, where you have given it for specific processing purposes. You may withdraw your consent at any time by contacting us at info@luut.design. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Changes will take effect within three (3) working days.
5.5. Vital Interests (Art. 6(1)(d) GDPR)
In exceptional circumstances, processing may be necessary to protect the vital interests of a natural person.
5.6. Public Interest (Art. 6(1)(e) GDPR)
Processing is necessary for the performance of a task in the public interest or in the exercise of official authority, as provided by applicable laws.
6. Purposes of Data Processing
We process personal data for the following purposes:
Managing relationships with Customers and Cooperation Partners, including entering into and performing agreements, delivering services (UX/UI design, web design, brand identity, front-end development, and related digital design services), and ensuring service quality;
Fulfilling legal obligations, providing reports, calculating and paying taxes;
E-mail marketing and customer relationship management using third-party service providers;
Improving our services based on feedback and analysis;
Recruitment and evaluation of Candidates;
Ensuring the security and proper functioning of our website;
Defending the Company’s legal rights and interests.
7. Cookies and Website Usage Data
When you visit our website, we may use cookies and similar technologies to collect usage data. Cookies are small text files stored on your device that help us improve your browsing experience.
Types of cookies we may use:
Essential Cookies — necessary for the website to function properly. Without these cookies, certain services cannot be provided.
Preference Cookies — allow the website to remember your choices (such as language preferences) and provide enhanced functionality.
Analytics Cookies — help us understand how visitors interact with our website by collecting information such as pages visited, time spent on pages, and referral sources.
You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. For more details, please refer to our Cookie Policy published on our website.
8. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of Access — you have the right to obtain confirmation as to whether your personal data is being processed, and to access that data along with information about the processing purposes, categories of data, recipients, and retention periods.
Right to Rectification — you have the right to request the correction of inaccurate personal data or the completion of incomplete data.
Right to Erasure — you have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction of Processing — you have the right to request that the processing of your data be restricted under certain circumstances.
Right to Data Portability — you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to Object — you have the right to object to the processing of your personal data, particularly where processing is based on legitimate interests or is carried out for direct marketing purposes.
Right to Withdraw Consent — where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
Right to Lodge a Complaint — you have the right to submit a complaint to the Data State Inspectorate of Latvia (Datu valsts inspekcija, www.dvi.gov.lv) or to the supervisory authority of your country of residence.
To exercise any of these rights, please contact us at info@luut.design. We will respond to your request within one (1) month, unless an extension is justified under applicable law.
9. Data Retention
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected. The specific retention period depends on the nature of the data, the concluded agreements, the Company’s legitimate interests, and the requirements of applicable laws and regulations.
When personal data is no longer needed for its original purpose and there is no legal requirement to retain it, the data will be securely deleted or anonymised.
10. Technical and Organisational Data Protection Measures
10.1. The Company implements and regularly reviews appropriate technical and organisational measures to protect personal data from unauthorised access, accidental loss, disclosure, or destruction. These measures include the use of modern technologies, appropriate software, firewalls, data encryption, and physical access controls.
10.2. The Company carefully evaluates all third-party service providers who process personal data on its behalf and ensures that they apply adequate security measures in compliance with applicable laws and contractual obligations.
10.3. The Company shall not be liable for any unauthorised access to personal data or loss of personal data that is beyond the Company’s control, for example, due to the fault or negligence of the Data Subject, the Customer, or the Cooperation Partner.
11. International Data Transfers
11.1. Personal data is primarily processed within the European Union / European Economic Area (EU/EEA).
11.2. For certain purposes, such as e-mail marketing or the use of analytics and cloud-based services, personal data may be transferred to countries outside the EU/EEA. In such cases, the Company ensures that appropriate safeguards are in place in accordance with GDPR requirements, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
11.3. You may request more detailed information about the transfer of personal data to countries outside the EU/EEA by contacting us at info@luut.design.
12. Third-Party Services
We may use third-party service providers to facilitate our business operations, including but not limited to e-mail marketing platforms, analytics tools, cloud hosting providers, and project management tools. These service providers process personal data on our behalf and are contractually obligated to maintain the confidentiality and security of your data.
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites and encourage you to review their privacy policies before providing any personal data.
13. Changes to This Policy
The Company reserves the right to amend or update this Privacy Policy at any time. The most current version will always be available on our website at luut.design. We encourage you to review this Policy periodically.
14. Contact Information
If you have any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
SIA “LUUT”
Registration No.: 40203382432
VAT No.: LV40203382432
Legal address: Baznīcas iela 13-17, Rīga, LV-1002, Latvia
E-mail: info@luut.design
Responsible for data processing: info@luut.design