PRIVACY POLICY
1. GENERAL
1.1. Bepco Group (we, the Data Controller or the Group) value and protect the privacy and security of personal data, therefore in this Privacy Policy (the Privacy Policy), we explain how we handle the data of representatives of the customers or other persons related to the customers whose data is disclosed to us (when the customer is a legal person) (hereinafter, depending on the context collectively referred to as the Customers) and personal data of other data subjects' (hereinafter collectively referred to as you or Data Subject) when they use (a) the Group's website / platform www.bepco.online (the Platform) and (b) when they communicate with the Group by phone, e-mail, and/or in other ways.
1.2. For the purposes of this Privacy Policy, the term "Bepco Group" refers to the legal entities that jointly operate the Platform and related services: Bepco Pooling UAB (Republic of Lithuania), SIA Bepco (Republic of Latvia), and OÜ Bepco (Republic of Estonia). These entities jointly determine the purposes and means of personal data processing and therefore act as joint controllers.
1.3. All personal data processing activities described in this Privacy Policy are carried out under a joint controllership arrangement between the Group companies. This agreement defines the respective roles and responsibilities of each entity, in particular with regard to the protection of your rights, the provision of information, and handling of data subject requests.
1.4. You may exercise your data protection rights in respect of and against any of the joint controllers. However, for practical purposes, we recommend directing your request to admin@bepco.ee. Full details of each Bepco Group entity are provided in Section 14 of this Privacy Policy.
1.5. When processing personal data, we comply with the 2016 April 27 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation or the GDPR), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, Personal Data Processing Law of the Republic of Latvia, Personal Data Protection Act of Republic of Estonia, and other applicable legal acts regulating personal data protection, and the provisions of this Privacy Policy.
1.6. In this Privacy Policy, we present the most important structured information about the protection of the processed personal data: i.e., what personal data we collect, how and why we use it, on what legal basis we process it, how long we store it, to whom we transfer it, as well as our duties in processing your personal data, your rights, and the methods of their implementation.
1.7. This Privacy Policy is intended to inform you about how we process your personal data. Please review it carefully. If you have any questions, you are welcome to contact us using the contact details provided in Section 14.
1.8. This Privacy Policy may be updated or amended from time to time to reflect changes in our data processing practices, legal requirements, or other relevant factors. The latest version will always be available on the Platform. If we make material changes to this Privacy Policy (such as changes to the purposes of processing, categories of recipients, or data subject rights), we will inform you in advance by email or via a clear notice on the Platform.
1.9. All terms used in the Privacy Policy shall be understood as defined in the GDPR and the Law on the Legal Protection of Personal Data of the Republic of Lithuania, Personal Data Processing Law of the Republic of Latvia, Personal Data Protection Act of the Republic of Estonia and other Applicable laws.
2. PRINCIPLES OF PERSONAL DATA PROCESSING
2.1. When processing any personal data, the Group complies with the following principles:
- (a) lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner;
- (b) purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- (c) data minimisation – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- (d) accuracy – personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay;
- (e) storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary;
- (f) integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- (g) accountability – the Group, as the data controller, is responsible for and must be able to demonstrate compliance with these principles.
3. HOW WE USE YOUR PERSONAL DATA?
3.1. In this section you will find the information regarding:
- (a) the purposes for which we process personal data of the Data Subjects;
- (b) how we use personal data of the Data Subjects;
- (c) the categories of data we process;
- (d) the legal basis for processing; and
- (e) the data retention period.
3.2. We process the data of the Data Subjects specified in this Privacy Policy on these legal grounds:
- (a) for conclusion, performance, amendment and administration of a contract with us or for our necessity to take action at your request before concluding a contract (Article 6(1)(b) of the GDPR);
- (b) for fulfilment of legal obligations and requirements of legal acts applicable to us (Article 6(1)(c) of the GDPR);
- (c) for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
- (d) for acting in accordance with your consent (Article 6(1)(a) of the GDPR).
3.3. In the scope and under the conditions set by applicable legal acts, one or several of the abovementioned legal grounds may apply to processing of the same of your personal data.
3.4. We collect and process only your personal data that are sufficient and necessary to achieve the purposes for which they are processed.
3.5. We may combine personal data we have received from the Data Subjects (when they are using the Platform) with the personal data we have collected from other public or accessible sources (e.g., with data obtained using Platform cookies, or with data legally obtained from third parties, etc.).
More detailed information is provided below:
A. Registration on the Platform and Account administration
3.6. In order to access and purchase products via our Platform, you must have a business Account. This Account is created by us after entering your company information (company's identification and contact details) into our internal systems, as sale and purchase agreements are only concluded with the Customers who have an active Account.
3.7. Based on the data provided during the onboarding process (such as company name, registration number, VAT number, and the contact person's name, email address, and phone number) we create a unique Account on the Platform, according to which we will identify the Customer as a registered user and which will allow them to use the products and services provided to registered users.
3.8. This registration data also allows us to recognize you when you log in to manage your information, contact us regarding your data, or exercise your rights related to personal data processing.
3.9. We also use the contact data provided during the Account setup to communicate with the Customer, including responding to their requests and comments, providing them with important information about our products and services, their provision and/or changes to this Privacy Policy, to contact them for other purposes and so on.
3.10. By completing the registration process and logging into the Account, the Customer explicitly consents to the use of the Account under the terms of the Platform use agreement and acknowledges entering into a legally binding agreement with us.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
|
• Identification data: Company name, legal entity code • Contact details: contact email address for orders and invoices, telephone number, registration address • Account security data: account creation date, password, authentication logs |
Performance of a contract (Article 6(1)(b) GDPR) | For the entire period while Customer Account is active and for a period of 10 years after its expiry. |
3.11. The data provided by the Customer must be accurate, complete, and kept up to date. If inaccurate, outdated, or incomplete data is submitted, it may be difficult for us to ensure the provision of services or guarantee the exercise of the data subject's rights. In no case shall we be liable for any damages caused by provision of incorrect or incomplete personal data provided by the Customer. The Customer must promptly inform us immediately by changing the relevant data in the registration form on the Platform whenever their personal data changes.
B. Concluding and executing agreement with Customers (Order processing, tracking and monitoring)
3.12. Creating an Account on the Platform does not by itself constitute an agreement for the purchase of products or provision of services. To purchase products or receive services from us, the Customer must place a separate order through the Platform, explicitly accept applicable terms and conditions, and thereby conclude a binding purchase or service agreement with us.
3.13. We process your personal data to enter into and perform contracts with you, including handling your orders, delivering products and services, processing payments, issuing invoices, managing refunds or returns. To ensure secure product delivery and accurate transfer of products, we perform manual and automatic tracking of order status and delivery progress. For this purpose, we process data provided by the Customer directly, which is accessed only by authorized customer support personnel and administrators strictly for the purposes of order processing, invoicing, customer support, and internal efficiency reporting.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
|
• Customer (company) name, user ID • Email address, phone number • Order pick up details (items/services, dates, times, amounts, destination details) • Customer factory name • Ordered products • Communication related to the order (e.g. support inquiries, confirmations) |
Performance of a contract (Article 6(1)(b) GDPR) | We store the purchase data for 10 years (in Lithuania and Latvia) and 3 years (in Estonia, unless the obligations were violated intentionally in which case – 10 years) from the date of the purchase order transaction. After the applicable retention period expires the data is either securely deleted or irreversibly anonymised, meaning that it is permanently disassociated from any personal identifiers or links to the Customer's profile, making re-identification impossible. |
C. Business analytics, efficiency tracking
3.14. We may further process the product movement and transaction-related data, collected manually and automatically from our Customers for internal business analytics and operational efficiency tracking purposes. These purposes include evaluating delivery performance, optimizing logistics processes, and generating aggregated or non-personalized statistical reports that do not identify individual Customers.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
|
• Product movement and delivery data (e.g., timestamps, delivery status) • Order history and frequency • Customer location (general – for logistics analysis) • Customer segment/category |
Legitimate Interest (Article 6(1)(f) of the GDPR) – to improve service quality, optimize operations, and support internal decision-making | We retain this data only for 10 years after data collection (or longer if anonymised for statistical purposes) |
D. Use of the Platform
3.15. When you use the Platform, we automatically record information about your actions on the Platform and within your Account. We do so to ensure the smooth operation, integrity, and security of the Platform and our IT infrastructure.
3.16. Also, data is collected and processed to detect and prevent potential threats, misuse of the Platform, fraud, or other illegal activities. This includes protecting the Platform, IT infrastructure, and data against unauthorized changes, cyber-attacks, unauthorized access, manipulation, and other related security risks.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
|
• IP address • Login and logout timestamps • Session ID • Error messages and crash reports • Security event data (e.g., failed login attempts, access logs) • User ID or account identifier |
Legitimate interest (Art. 6(1)(f) GDPR) – to ensure the secure and reliable operation of the Platform and protect against misuse. | 2 years from the date of data collection, unless longer retention is required for investigation of security incidents or legal claims. |
E. For business correspondence, administration of inquiries, requests, complaints, and other communications with the Customer
3.17. We process your personal data to communicate with you, including answering your requests, informing you about the products, its prices, specifics, changes in the contracts concluded with you, or to contact you if we have identified any problems.
3.18. If you contact us by phone and/or in writing (e-mail, phone or otherwise), we will retain the content of your message, along with any personal data you provide, in order to properly review and respond to your inquiry, request, or complaint.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
|
• Name and surname • Contact details (email address, phone number) • Date and time of communication • Communication content (message, request, complaint) • Related order or service information (if applicable) • Internal notes regarding resolution or follow-up actions |
Legitimate interest (Art. 6(1)(f) GDPR) – to ensure effective communication and customer support. Performance of a contract (Art. 6(1)(b) GDPR) – where the inquiry relates to a service or agreement |
3 years from the date of the last communication or closure of the inquiry/request |
F. Execution of tax, accounting, and other obligations provided by law
3.19. To ensure the proper implementation of tax, accounting, and other legal obligations (i.e., correct writing and declaration of accounting documents to state institutions, etc.), we create various accounting documents with your personal data and administer them.
| DATA CATEGORIES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|
| Company name, VAT number, contact details of representatives (e.g., position, business email, phone number), data about the purchases (description of the purchase; price/amount paid), issued accounting documents and their requisites, and other accounting and tax data that we must collect, process and store following laws and other legal acts. | Legal obligation (Article 6(1)(c) of the GDPR) | In most cases, the storage and deletion period are calculated from the date of creation of the accounting document – 10 years (in Lithuania and Latvia), 7 years (in Estonia) after the creation of the document (e.g., VAT invoice). |
4. ABOUT PLATFORM COOKIES
4.1. Cookies are small textual files containing identifier that is sent by a web server to your web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
4.2. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
4.3. Cookies that we use in our Platform:
- (a) necessary cookies – help to make our Platform usable by enabling basic functions like page navigation and access to secure areas of the Platform. The Platform cannot function properly without these cookies;
- (b) functional (preference) cookies – these cookies remember choices you make (such as language or region) and provide enhanced, personalized features. If disabled, some Platform features may not work as intended.
- (c) statistics cookies – these cookies allow us to monitor and analyse visits from a variety of traffic sources, this helps us to improve the overall site's performance. This type of cookie also provides data on the most and least visited pages as well as the visitor's navigation path around the Platform. The entirety of data collected by statistic cookies is aggregated and therefore completely anonymous. If these cookies are disabled, we can no longer follow your visits.
- (d) marketing cookies – these cookies are used to track visitors' choices on Platforms. They are used to tailor the Platform and the information displayed on it to the specific user. Marketing cookies are also used to link you to social networks, which may then use your visit information for targeted advertising on other Platforms.
More detailed information about the cookies we use is provided below:
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY |
|---|---|---|---|---|
| XSRF-TOKEN | Group | This cookie enhances visitor browsing security by preventing cross-site request forgery. | Necessary | 2 hours |
| bepco_session | Group | Necessary | 2 hours |
5. WHAT SOURCES WE USE TO COLLECT PERSONAL DATA?
5.1. We collect personal data directly from you – the Customer – when you register on the Platform, use it, submit inquiries, or otherwise communicate with us.
5.2. We also receive personal data when you contact us via email, phone, written requests, or any other communication method. To properly assess your inquiry, we may need to gather additional information and connect it with data we already have or collect during the investigation of your request (e.g., transaction history, Platform usage records). This is done based on our legitimate interest or to fulfil a contractual obligation.
5.3. Certain personal data is collected automatically when you use the Platform – for example, IP address, device type, browser type, and activity logs – through cookies and similar technologies. More information is provided in our Cookie Policy.
5.4. We may also receive your personal data from third-party service providers, such as payment processors, logistics partners, or identity verification providers (if applicable), in order to deliver our services or comply with legal obligations.
6. CAN YOU REFUSE TO PROVIDE YOUR PERSONAL DATA AND/OR REFUSE CONSENT FOR ITS PROCESSING?
6.1. Your personal data is collected and processed to conclude or fulfil our contractual obligations to you and/or enable us to provide the services and respond to your requests and complaints promptly and adequately or to fulfil our obligations stipulated by law applicable to us. Suppose you do not provide your data, provide it with errors, or refuse to provide it further. In that case, we will not be able to conclude and/or execute our contractual obligations, provide the services, and adequately respond to your requests, complaints, and/or other requirements that require our action. Accordingly, failure to provide personal data or refusal to continue to provide certain personal data will mean that the contract with you will not be concluded or will be terminated.
6.2. If we process your personal data based on legitimate interest, we have weighed the opposing interests and have decided that considering the purpose for processing personal data and the measures that we have taken, our (or the relevant third party's) interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms which require protection of personal data. In this case, you have the right to receive more information regarding this processing and/or the right to object to the processing of your personal data based on legitimate interest.
6.3. In cases where we process personal data based on your consent, you have the right to withdraw your consent at any time, and data processing based on your consent will be terminated, but this will not affect the lawfulness of processing carried out prior to the withdrawal.
6.4. Section 10 of the Privacy Policy outlines more information about your rights.
7. WHO RECEIVES YOUR INFORMATION?
7.1. The activities of the Group may include the disclosure of all or part of personal data to the following data recipients: service providers, such as internal CRM software providers, competent authorities, vendors and suppliers of the Group and other data controllers who have the right to information under applicable laws and/or our legitimate interests. Also, upon receipt of your consent, your personal data may be disclosed to persons indicated by the Data Subject.
7.2. Disclosure required by law. Under certain circumstances, the Group may be required to disclose personal data if required to do so by applicable law or in response to valid requests by public authorities (for example, law enforcement authorities, tax administration).
7.3. Business Transaction. If we or our subsidiaries are involved in a merger, acquisition, reorganization or asset sale, your personal data may be transferred or deemed transferred to our new owner(s).
7.4. Legitimate Interests. We may share your personal data when it is necessary for the purposes of our legitimate interests, such as protecting legal rights, ensuring security, or managing business operations — provided such interests are not overridden by your data protection rights.
7.5. We may use third parties - service providers (data processors) to process your personal data on our behalf. Such data processors are, for example, companies that provide data centre services, companies that provide information technology infrastructure services, companies that create, provide, support and develop software, companies that provide advertising and marketing services, companies that perform analysis of Internet browsing or Internet activity and provide services, companies providing call and communication services, market research or other service providers.
7.6. Any data processors can process your personal data only according to our instructions. Besides, they must ensure security of your data in accordance with applicable legal acts and agreements concluded with us.
7.7. Data may also be provided to the competent government or law enforcement authorities, supervisory authorities, courts, insurance companies, bailiffs, tax inspectorates and other data recipients with the right to receive data, when required by applicable legislation or to ensure our rights, the safety of customers, employees and resources, to assert, provide and defend legal claims.
7.8. Except as provided in this Privacy Policy, we do not provide your personal data to any other third parties. The Group shall not disclose more personal data than is necessary for the purpose for which the personal data is provided and only in accordance with the requirements of the applicable laws and the legislation governing the protection of personal data.
8. GEOGRAPHICAL AREA OF PROCESSING OF PERSONAL DATA
8.1. Your personal data is primarily processed and stored within the European Economic Area (EEA). Most of our data processors and independent data controllers operate within the EEA or store data on servers located in EEA countries.
8.2. You may request more detailed information about the specific transfer mechanisms by contacting us using the contact details provided in Section 14 of this Privacy Policy.
9. DATA RETENTION
9.1. Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the periods specified in Section 3 of this Privacy Policy for each relevant data category and for no longer than necessary to achieve the purposes for which the data were collected.
9.2. In those cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.
9.3. After the expiry of the data retention periods specified in this Privacy Policy, we ensure that your personal data is either securely deleted or irreversibly anonymised no later than the last day of the defined retention period, unless otherwise required by law.
9.4. If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.
9.5. Your personal data can be stored for a period longer than indicated in this Privacy Policy only when:
- (a) your data is necessary for the proper administration of debt, damages (for example, you have not fulfilled your financial and/or property obligations or caused damage to us or other persons), examination and settlement of a dispute, complaint, the protection of our legitimate interests or those of third parties;
- (b) that is necessary so that we could defend ourselves from existing or threatening demands, claims or legal actions and exercise our rights;
- (c) there are reasonable suspicions of violations, illegal activities, which are or may be a subject to investigation;
- (d) this is necessary for ensuring the functioning, resilience, integrity of backup copies, information systems, traceability of operations, statistical and other similar purposes;
- (e) there are other grounds provided for in legal acts.
10. YOUR RIGHTS AS A DATA SUBJECT
10.1. Data protection legislation gives you many rights that you can freely exercise, and we must ensure that you do so. We provide information about your specific rights and their implementation methods in this Privacy Policy below, please read it carefully.
10.2. Your other principal rights under data protection law are the following: (i) the right to access data; (ii) the right to rectification (note that you may exercise most of this right by logging to the Platform); (iii) the right to erasure of your personal data; (iv) the right to restrict processing of your personal data; (v) the right to object to processing of your personal data; (vi) the right to data portability; (vii) the right to complain to a supervisory authority; and (viii) the right to withdraw consent.
10.3. The right to access data. You have the right to receive our confirmation as to whether we are processing your personal data, as well as the right to familiarize yourself with your personal data processed by us and information about the purposes of data processing, categories of processed data, categories of data recipients, data processing period, sources of data, automated decision making, including profiling, as well as its implications for you. We provide most of this information to you in this Privacy Policy and we hope it is useful to you. If you are a user of the Platform Account, you can access your personal data processed by us at any time in your Account (e.g.: check current profile information). If the information provided in this Privacy Policy, the Account on the Platform is not sufficient for you, you can always contact us in the ways specified in Section 14 of this Privacy Policy.
10.4. The right to rectification. If the data provided to us during the use of Platform has changed or you believe that the information we process about you is inaccurate or incorrect, you have the right to demand that this information be changed, clarified, or corrected.
10.5. In some circumstances you have the right to the erasure of your personal data. Those circumstances include when: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent to consent-based processing and there are no other legal basis to process data; (iii) you object to the processing under certain rules of applicable data protection laws; (iv) the processing is for direct marketing purposes; or (v) the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. Such exclusions include when processing is necessary: (i) for exercising the right of freedom of expression and information; (ii) for compliance with our legal obligation; or (iii) for the establishment, exercise or defence of legal claims.
10.6. In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are when: (i) you contest the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and (iv) you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data, however we will only further process such data in any other way: (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another person; or (iv) for reasons of important public interest.
10.7. You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
10.8. The right to data portability. To the extent that the legal basis for our processing of your personal data is: (i) consent; or (ii) performance of a contract or steps to be taken at your request prior to entering into a contract, necessary to enter into such, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. And if you request and if it is technically possible, we will transfer the data directly to another data processor specified by you. However, this right does not apply where it would adversely affect the rights and freedoms of others.
10.9. You have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects concerning you or similarly significantly affects you. This means you can request that decisions about you are not made solely by algorithms or automated systems, without any meaningful human involvement. Such decisions might include, for example: (i) automatic refusal of an online credit application; (ii) automated assessment of insurance risks; (iii) automated decisions about employment, access to services, or pricing. This right applies when all three of the following conditions are met: (i) the decision is made solely by automated means (i.e., no human intervention); (ii) the decision includes profiling or evaluation of personal characteristics (e.g., behavior, preferences, interests); (iii) the decision produces legal effects concerning the person (e.g., contract acceptance/rejection, legal status) or similarly significantly affects them (e.g., access to services, eligibility decisions).
10.10. If you believe that we process your data in violation of the requirements of data protection legislation, we always ask you to contact us directly first. We believe that with good faith efforts, we will be able to dispel all your doubts, satisfy your requests and correct any mistakes we have made. If you are not satisfied with our proposed method of solving the problem, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so by filling a complaint with the supervisory authority, which is the State Data Protection Inspectorate of the Republic of Lithuania (registered office at L. Sapiegos St. 17, LT-10312, https://vdai.lrv.lt/), Data State Inspectorate (registered office at Elijas 17, Riga, LV- 1050, https://www.dvi.gov.lv/en), Data Protection Inspectorate for the Republic of Estonia (registered office at Tatari 39, Tallinn 10134, https://www.aki.ee/).
10.11. To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
10.12. However, taking into account the objectives of the provision of the services and the balance of the legitimate interests of both parties (both you as the data subject and us as the data controller), your withdrawal may mean that we will not be able to continue to provide our services.
10.13. In order to protect your and other persons' data from unlawful disclosure, we will have to verify your identity upon your request to provide data or exercise your other rights. For this reason, we may ask you to indicate your name, surname, e-mail address, telephone number or other data and we will compare whether your provided data correspond to the respective data or sign your request with a qualified electronic signature.
10.14. Upon receipt of your request concerning the exercise of any of your rights and having successfully carried out the above verification procedure, we commit, without undue delay, yet in any case within one month from the date of receipt of your request and completion of the verification procedure at the latest to inform you about actions we took according to your request. Having regard to the complexity and number of requests, we have the right to extend the period of one month by two additional months, informing you thereof by the end of the first month and indicating the reasons for this extension.
10.15. If your request is submitted by electronic means, we will also give you an answer by electronic means, except for cases where this is impossible (e.g., due to a particularly large scope of information) or when you ask us to respond in another way.
10.16. We may refuse to fulfil your request if one of the exceptions provided for in applicable data protection legislation applies (for example, where the request is manifestly unfounded or excessive, or where the requested action would infringe the rights and freedoms of others). In such cases, we will provide you with a reasoned written explanation of the refusal.
10.17. The rights of Data Subjects are not absolute and may be limited in certain circumstances. In this regard, you will be provided with such information as the Group may provide to you to ensure that the exercise of the right of access to personal data does not adversely affect the rights and freedoms of others, including in relation to the protection of trade secrets, intellectual property and copyright protection for software. In cases where applicable laws provide, the Group may delay or restrict the provision of information to you or withhold it if it may hinder or impair the detection or investigation of unlawful acts or the enforcement of sanctions, infringe the rights and freedoms of other persons, endanger national security or public order, or hinder the investigation of the unlawful acts or the prosecution of the persons responsible for the acts.
10.18. If the Group obtains personal data not directly from the Data Subject, it shall provide the Data Subject with all required information under Article 14 of the GDPR, including the source of the data, the purposes of processing, the legal basis, the categories of personal data concerned, the data retention period, and any intended recipients of the data. This information shall be provided within a reasonable period after obtaining the data, but no later than one month, or at the time of first communication with the Data Subject, or when the data is first disclosed to another recipient, whichever comes first. The Group is not obliged to provide such information if an exemption under Article 14(5) of the GDPR applies – for example, where the Data Subject already has the information, providing it is impossible or would involve a disproportionate effort, or where obtaining or disclosure is expressly laid down by Union or Member State law.
11. UPDATING YOUR DATA
11.1. Please inform us promptly if any of the personal data we hold about you is inaccurate, incomplete, or has changed. While you are responsible for providing accurate and up-to-date information, we also take reasonable steps to ensure the accuracy of the data we process.
11.2. You may update your personal data directly through your account on the Platform or by contacting us via email. Failure to provide accurate information or to inform us of changes may affect our ability to provide services properly.
11.3. To the extent permitted by law, we are not responsible for any adverse consequences resulting from your failure to provide accurate or updated personal data.
12. SECURITY OF PERSONAL DATA
12.1. We employ appropriate organizational and technical security measures, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage. Such measures have been selected taking into account the risks that may arise for your rights and freedoms as those of a data subject.
12.2. We strictly control access to your personal data, providing it only to those employees who need personal data for the performance of their work duties (such as customer service and administration units), and monitor how they use the access provided. Employees who have access to personal data shall be made aware of the personal data protection requirements and shall ensure the confidentiality of the personal data processed. The responsible IT management team members provides secured access to personal data with passwords of the required level and prepare agreements for the protection of confidential information with individuals or partners who are given access to your personal data.
12.3. We regularly monitor our systems for possible breaches or attacks, but it is not possible to guarantee full security of information transmitted online. With this in mind, you provide us with information by use of the internet connection or the unilateral disclosure of the login credentials of the Platform to any third parties at your sole discretion and assuming any associated risks.
12.4. In order to ensure the security of customers' data, we constantly assess and strengthen applicable security requirements.
13. VALIDITY AND CHANGES TO THIS PRIVACY POLICY
13.1. If we change this Privacy Policy, we will publish its updated version on our Platform, besides, you will be additionally informed about the most important changes via e-mail and/or another appropriate communication channel. This Privacy Policy was last updated on July 31st, 2025.
13.2. If any provision of the Privacy Policy is deemed invalid or unenforceable, this provision does not affect the legality and validity of the remaining provisions of the Privacy Policy, which shall remain in full force and effect.
14. CONTACT INFORMATION
14.1. The data controller that processes your personal data indicated in this Policy is:
14.2. Bepco Pooling UAB, legal entity code 304866658, address: Skaidiškių k., Sodų g. 10, LT-13270, Vilniaus r. sav., the Republic of Lithuania;
14.3. SIA "BEPCO", legal entity code 51203062701, address: Dzirnieku iela 26, Mārupe, Mārupes nov., LV-2167, the Republic of Latvia;
14.4. OÜ Bepco, legal entity code 11939016, address: Harju maakond, Tallinn, Nõmme linnaosa, Liivalao tn 11, 11216, the Republic of Estonia.
14.5. You can contact us on all issues concerning this Privacy Policy by e-mail: admin@bepco.ee, phone +372 5666 0844, or if necessary, by visiting our office at the address indicated above.
14.6. We will use all reasonable efforts to answer any questions or resolve any concerns regarding your privacy promptly.