PRIVACY POLICY OF TRILEMMA ACADEMY (UAB MASDENGA)
- UAB Masdenga, entity number 305940976, registered address at Jankiskiu g. str. 43A-302, LT-02300 Vilnius (the Company) respects your privacy and personal data and commits to protecting your right to the lawful processing and protection of your personal data. This Privacy Policy (the Policy) provides comprehensive information on processing of the personal data or any other data concerning you that we may collect.
- Your personal data is processed in accordance with the GDPR, the Law of the Republic of Lithuania on the Legal Protection of Personal Data, the Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing, other legal acts and documents governing protection of personal data.
- Personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data subject shall mean a person whose personal data the Company processes or intends to process for the established purposes and by established means (‘you’).
- Customer shall mean a person who contacted the Company to obtain the Company’s services.
- Other concepts used in this Policy are understood as they are defined in the legal acts of the Republic of Lithuania and the European Union.
- PURPOSES AND LEGAL BASES OF PERSONAL DATA PROCESSING, CATEGORIES AND RETENTION PERIODS OF PERSONAL DATA
- Your personal data is processed by the Company for these purposes:
- For the purpose of identification of a person (including fraud prevention), the following personal data shall be processed: name, surname, personal ID number, mobile signature, a copy of a personal ID document, the date and method of identification of the person.
Legal basis: compliance with the requirements set forth in legal acts (Art. 6(1)(c) of GDPR), and consent (Art. 6(1)(a) of GDPR).
Personal data retention period: 8 years after termination of the relationship.
Recipients of personal data: law enforcement authorities (on receipt of their request), supervisory authorities.
Personal data sources: the data subject.
- For the purpose of direct marketing and surveys, the following personal data of customers shall be processed: the name, surname, date of birth, job position, profession, education, data on the customer’s behavior on the website of UAB Masdenga (Trilemma Academy), and the information on the website use (which includes monitoring of the person’s behavior on the website, and the use of the services provided by the Company).
The Company may send direct marketing messages or invitations to take a survey to the existing customers of the Company without a separate consent for marketing of similar services and surveys when the customers are provided with a clear, free and easily manageable opportunity to disagree or deny such use of their contact details, and on the condition that they did not object to such use of their data from the beginning, when sending each message.
Legal basis: the data controller’s legitimate interest to improve its service quality (Art. 6(1)(f) of GDPR).
Personal data retention period: as long as bound by contractual relations.
Sources of personal data: data subject.
- For the purpose of securing performance of the service agreement, the following personal data of customers shall be processed: contact data (the phone number, declared and (or) actual place of residence (address), e-mail address), payment-related data (numbers of bank accounts and/or payment cards, unique text of remittance information, payment type, payment date, payment document number, unique number of the transaction archive, customer’s number in the beneficiary’s information system, currency denomination).
Legal basis: compliance with the requirements set forth in legal acts (Art. 6(1)(c) of GDPR), contract performance (Art. 6(1)(b) of GDPR).
Personal data retention period: unless a service agreement is concluded, the data is stored for 24 months. If a service agreement is concluded, i.e., in the event of contractual relations, the data is stored for 10 years from the moment of termination of contractual relations.
Recipients of personal data: supervisory authorities, law enforcement authorities (on receipt of their request), debt collection companies.
Sources of personal data: data subject.
- For the purpose of ensuring compliance with the requirements related to the prevention of money laundering and terrorist financing, and other requirements of legal acts, as well as verification whether any sanctions apply, the following personal data shall be processed: the source of funds, nationality, data indicating whether a person is a politically exposed person (PEP), and other data to the extent necessary for this purpose.
Legal basis: compliance with the requirements set forth in legal acts (Art. 6(1)(c) of GDPR).
Personal data retention period: 8 years after termination of the relationship.
Recipients of personal data: the Financial Crime Investigation service, the State Tax Inspectorate, the Bank of Lithuania.
Sources of personal data: the data subject, financial institutions, the Population Register managed by the state enterprise Centre of Registers, other public databases.
- For the purpose of arrears management, the following personal data shall be processed: the name, surname, personal ID number, job position, contact data (the phone number, e-mail address, declared and actual place of residence), data relating to assessment of creditworthiness (income, financial obligations to financial institutions or other persons, credit rating, information about delays to perform financial obligations, history of performance of financial obligations, information about the current and previous employers, hirings and dismissals, engaging in economic activity or individual activity (self-employed), any received and allocated permanent or one-off social benefits, circumstances that may affect your economic or financial situation or ability to repay the debt or pay its cost, other significant circumstances related to the customer’s financial situation or ability to perform financial obligations properly). This data is collected only if the customer breaches the service agreement by not fulfilling or improperly fulfilling its financial obligations to the Company.
Legal basis: the data controller’s legitimate interest to ensure the debt recovery (Art. 6(1)(f) of GDPR).
Personal data retention period: 10 years after completing performance of obligations or after termination of the relationship.
Recipients of personal data: third parties having taken over the customer’s obligations from the Company, debt collection agencies.
Sources of personal data: the data subject, financial institutions, the Population Register managed by the state enterprise Centre of Registers, the Real Estate Register, the State Social Insurance Fund Board under the Ministry of Finance, UAB Creditinfo Lietuva.
- For the purpose of creating, developing of services, and improving the quality of services, the following personal data of customers shall be processed: data concerning a person (the name, surname, date of birth, job position, profession, education), data concerning the customer’s behavior on the data controller’s website, and the information on the website use (which includes monitoring of the person’s behavior on the website, and the use of the Company’s services).
Legal basis: the data controller’s legitimate interest to create and develop services, improve their quality (Art. 6(1)(f) of GDPR).
Personal data retention period: personal data is stored only for a period necessary for the purpose.
- For the purpose of confirming the content of calls and ensuring the quality of services (call recording), audio recordings of phone calls between employees and other call participants shall be processed.
Call recordings may also be used for detection of suspected criminal acts, offenses under administrative law, proving or detecting the damage inflicted on the Company or third parties, and may be transmitted only to the persons entitled to receive such data in the manner prescribed by the laws.
Legal basis: consent (Art. 6(1)(a) of GDPR), the data controller’s legitimate interest to ensure adequate provision of services (Art. 6(1)(f) of GDPR).
Personal data retention period: 1 year from the day of making an audio recording of the call.
Recipients of personal data: the Company, supervisory authorities, law enforcement authorities.
- For the purpose of administration of enquiries, complaints and requests, the following personal data of the persons making enquiries, complaints and requests shall be processed: the name, e-mail address, phone number.
Legal basis: the data controllers’ legitimate interests related to handling of enquiries, requests or complaints (Art. 6(1)(f) of GDPR).
Personal data retention period: 1 year after the day the enquiry, request or complaint was examined.
Sources of personal data: the data subject, supervisory authorities.
- For the purpose of statistics and ensuring the quality of services (by means of cookies), the data of visitors of the data controller’s website available by means of cookies shall be processed. Aggregated data relating to consumer behavior may be seen, the consumers can be classified by the consumer’s age, place of residence (city, country), interests, devices used, the source through which the website is accessed.
Legal basis: as for necessary cookies required for functioning of the website, the legal basis is the data controller’s legitimate interests related to functioning of the website (Art. 6(1)(f) of GDPR), and in other cases, it is the website visitor’s consent (Art. 6(1)(a) of GDPR).
Personal data retention period: depending on settings of cookies.
- For the purpose of maintaining business relationships, the following personal data shall be processed: name, surname, job position, e-mail, phone number.
Legal basis: the data controllers’ legitimate interests to pursue its activities (Art. 6(1)(f) of GDPR).
Personal data retention period: 10 years after termination of the relationship.
- For the purpose of financial accounting, the following personal data of the customers and employees shall be processed: the name, surname, personal ID number, the number of an account at the bank or another financial institution.
Legal basis: the data controllers’ legitimate interests to maintain its financial accounting properly (Art. 6(1)(f) of GDPR), and compliance with the requirements set forth in legal acts (Art. 6(1)(c) of GDPR).
Personal data retention period: 10 years after the day of entering into a contract. The period of 10 years starts running at the end of the year following the calendar year in which the financial year to which the information pertains ends.
Recipients of personal data: the State Tax Inspectorate, the State Social Insurance Fund Board under the Ministry of Social Security and Labour, supervisory authorities.
- For the purpose of online meetings, the following personal data shall be processed: Information about the participants: first name, last name, phone number (optional), e-mail address (optional), password (if single sign-on is not used), profile picture (optional), department (optional). Meeting metadata: subject, description (optional), participant IP addresses, device/hardware information, start and end time of the videoconference. Recordings (optional): Files with all video, audio, and presentation information of the online meeting. If we would like to record an online meeting, we will inform you beforehand in a transparent way and ask for your consent, if necessary. When dialing in with a phone: information about the incoming and outgoing telephone number, country name, start and end time. Text data: You may have the option to use chat, question, and survey functions in an online meeting. The texts you have entered will be processed in order to display them during the online meeting and, in exceptional cases, also to log them for further processing of the online meeting. If we would like to store text data for further processing, we will inform you beforehand with all transparency required and ask for your consent, if necessary.
If you participate in online meetings, the provider of service will store the related data (meeting metadata; data for phone dial-in; questions and answers in webinars, if any; survey function in webinars).
Legal basis: the data controller’s legitimate interests to organize online meetings (Art. 6(1)(f) of GDPR); the data subject’s consent (Art. 6(1)(a) of GDPR).
Personal data retention period: The data mentioned above will be processed for as long as it is necessary to perform the online meetings and related services. Communication-related metadata will be deleted as soon as storage is no longer required in order to provide or maintain the service.
In case of a recording, the data of the audio and video transmission as well as optionally the messages in the chat, question, or survey function, are stored and remain stored beyond the duration of the meeting. The recordings stored on the provider’s cloud servers are automatically deleted after thirty (30) days at the latest. Data stored on local systems of the Company will only be stored in order to and as long as it is necessary to fulfill the respective purpose. Data in reports and on the dashboard of the provider will be deleted after twelve (12) months.
Recipients of personal data: The providers of Zoom, Google Meet or Teams receive the information stated above as far as necessary and as outlined in the data processing agreement.
- For the purpose of ensuring proper governance of the Company (implementation of requirements of legal acts), the following personal data of shareholders, Board members of the Company shall be processed: the name, surname, personal ID number, date of birth, residential address, bank account data, disbursement-related data, passport / ID card data, phone number, e-mail address.
Legal basis: compliance with the requirements set forth in legal acts (Art. 6(1)(c) of GDPR).
Personal data retention period: the personal data shall be retained for the period specified in the legal acts.
Recipients of personal data: the State Tax Inspectorate and all the other interested parties having justified grounds to obtain, request personal ID documents in cases stipulated by laws for performance of their functions.
- For the purpose of external and internal audits, the data concerning all the employees, customers, representatives of business partners contained in the information systems and paper documents shall be processed.
Legal basis: the data controller’s legitimate interest to conduct an audit (Art. 6(1)(f) of GDPR).
Personal data retention period: personal data is stored only for a period necessary for the purpose.
Recipients of personal data: entities providing audit services.
- For the purpose of making a record of personal data breaches, the following personal data of the persons recording and reporting the breach shall be processed: the name, surname, and the following personal data of the persons having committed a data breach shall be processed: the name, surname, and the breach-related information.
Legal basis: the data controller’s legitimate interest to manage personal data breaches (Art. 6(1)(f) of GDPR).
Personal data retention period: 10 years from the report on the data breach.
Recipients of personal data: the State Data Protection Inspectorate.
- For the purpose of employment at the Company, the following personal data shall be processed: the CV, name, surname, education, qualification, contact details, etc.
Legal basis: entering into contract (Art. 6(1)(b) of GDPR), the consent (Art. 6(1)(a) of GDPR).
Personal data retention period: If you apply for a specific position but are not offered a job, the personal data you have provided are destroyed after completion of the candidate selection to the vacancy advertised by the Company.
The personal data concerning you as a potential candidate may be stored for the purpose of future selections of Company’s employees only if your consent is obtained.
- Personal data may be obtained directly from the data subject. A data subject contacts the Company, uses the services provided by the Company, or contacts the Company requesting information, etc.
Personal data may be obtained from the third parties, e.g., legal entities which provide personal data of their representatives natural persons or their employees, also from credit and payment institutions, the Population Register, the State Social Insurance Fund Board under the Ministry of Social Security and Labour, the database of UAB Creditinfo Lietuva, supervisory authorities, other information systems and registers when it is necessary to comply with requirements of legal acts.
Personal data may be obtained when a data subject visits the website when cookies used on the website are saved on the data subject’s terminal equipment.
- TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
- Your personal data is not transferred outside the European Economic Area. Such data transfers may be carried out only given a legal basis and in compliance with the requirements provided for in Chapter V of GDPR.
- In the manner set forth in this Policy, you have the right to:
- know (be informed) about processing of your personal data;
- access your personal data being processed, and receive information on the manner of their processing;
- request rectification or erasure of your personal data (the right to be forgotten), or restriction of processing of your personal data;
- receive your personal data being processed in a structured, easily machine-readable and interoperable format, and to transmit it to another controller (the right to data portability);
- object to the processing of your personal data;
- The Company cannot provide you the data concerning you or any related information without identifying you first.
- You have the right to obtain a confirmation from the Company whether the personal data concerning you are processed. If such personal data are processed, you have the right to access the personal data.
- You have the right to request that the Company rectify inaccurate personal data concerning you without delay. In view of the purposes for which the data were processed, you have the right to request supplementing any incomplete personal data.
- You have the right to request that the Company erase the personal data concerning you without delay where:
- the personal data are no longer necessary for achievement of the purposes for which the data were collected or processed otherwise;
- you have withdrawn the consent which served as the basis for processing of your personal data, and there is no other legal basis for data processing;
- you object to the data processing when the processing is carried out on the basis of consent, and there are no overriding reasons to process such data;
- you do not consent to the data processing for the purposes of direct marketing;
- your personal data have been processed unlawfully.
- Personal data must be deleted (erased) in compliance with the requirements of the Republic of Lithuania and the European Union.
- Your request for erasure of the personal data, including the obligation of the Company to instruct data controllers to erase such data, shall not apply where processing is necessary at least in one of the following cases:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by legal acts of the European Union or the Republic of Lithuania to which the data controller is subject;
- for the statistical purposes in compliance with Art. 89(1) of the GDPR, if your right (to be forgotten) may render it impossible or seriously aggravate achievement of the purposes of that processing;
- for the establishment, exercise or defence of legal claims.
- You have the right to request that the Company restrict processing of your data when at least one of the following applies:
- you are contesting accuracy of the data for the period during which the Company may verify accuracy of the personal data;
- processing of your personal data is unlawful, but you do not consent to erasure of such data and request restriction of their use instead;
- the Company no longer needs the personal data for the purposes of processing, but the data subject needs the data for the establishment, exercise or defence of legal claims;
- you do not consent to the data processing until it is verified whether the legitimate reasons of the Company override your reasons.
- Where personal data are processed for the purposes of direct marketing, you have the right to object (without specifying any reasons or motives) to the processing of the personal data concerning you for such marketing purposes, including profiling, related to such direct marketing.
- Requests for exercising the above-mentioned rights may be submitted by contacting Eugenijus Kriksciunas, the data protection officer of the Company, in writing or by e-mail at support@trilemma.academy.
- The Company has the right to refuse to examine your application to enter into a service agreement or refuse entering into a service agreement, if your personal data necessary for entering into the service agreement are not provided.
- The Company and other entities of the same group of companies as well as their business partners have the right to use and disclose your personal data if to do so is permitted or prescribed by the legal acts of the Republic of Lithuania and the European Union.
- PERSONAL DATA PROCESSING ON SOCIAL MEDIA
- For the purpose of increasing the Company’s visibility on social media and on the legal basis of the legitimate interest to increase the Company’s visibility on social media (Art. 6(1)(f) of GDPR), the personal data of social media visitors shall also be processed: profiles of social media visitors, pressing of “Like” and “Follow” buttons, comments. The information about personal data retention period is provided in privacy policies of Facebook, Instagram, YouTube, LinkedIn social media.
As the administrator of the social media account, the Company selects the appropriate settings, takes into account its target audience, and the objectives of its business management and promotion. When granting the Company an opportunity to create and manage accounts on the social media, the providers of the social media may restrict a possibility to change certain essential settings. As a result the Company will not be able to have any influence on the data concerning you which the social media providers will be collecting when the Company sets up social media accounts. Any of such settings may affect personal data processing when you are using social media, visit the Company’s accounts or read the Company’s posts on the social media. The providers of social media usually process your personal data (even the data collected when the Company selects additional settings for the account) for the purposes defined by the providers of the social media relying on their privacy policies. Nevertheless, when you use social media, communicate with the Company via social media, visit the Company’s accounts on social media, watch videos on such accounts, the Company receives information about you. The scope of the received data depends on the settings of the accounts selected by the Company, agreements with the providers of social media for extra services, and the cookies set up by the providers of social media.
- The Company may provide personal data of data subjects to data processors that render services to the Company and process personal data on behalf of the Company, e.g., providers of IT support, financial accounting, legal, other consultancy and marketing services. Data processors have the right to process personal data only as instructed by the Company and only to the extent necessary for proper performance of the obligations stipulated in agreements. When engaging the data processors, the Company shall take all the necessary measures to ensure that the data processors have implemented all the appropriate organizational and technical measures ensuring security, and that they maintain secrecy of personal data.
- The Company collects, processes and analyzes the information related to your use of its website.
- The Company uses cookies and similar technologies to provide you with high-quality services, ensure cybersecurity, carry out marketing, conduct an analysis of the website use, and offer you the most interesting content on the website.
- You may choose whether to consent to the use of cookies, or not. If you do not consent to the use of cookies, you may still continue using the website.
- More information about cookies is provided in the Cookie Policy.
- Should you have any questions concerning processing of your personal data, you may contact the Company via email: support@trilemma.academy, phone +447389060427.
- Performance and interpretation of provisions of this Policy shall be governed by the law of the Republic of Lithuania.
- This Policy does not constitute an agreement between you and the Company on processing of the consumer’s personal data. By this Policy, the Company informs you about the principles of your personal data processing at the Company, and the Company has the right to unilaterally amend and/or supplement this Policy any time.
- Any amendments and/or supplements to this Policy shall come into effect as of the moment they are published on the Company’s website at www.trilemma.academy.
- If any provision of this Policy becomes or is declared invalid, the remaining provisions shall continue to be effective.
- This Policy was approved on 10.07.2024.