Privacy policy

Privacy Policy

Introduction: This Privacy Policy explains how TOLMETS SIA (“we” or “us”), as the operator of the website tolmetsgroup.com, collects, uses, and protects personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws. We provide this information in accordance with GDPR Articles 12-14, which require transparency about the identity of the data controller, the purposes and legal bases of processing, data recipients, international transfers, data retention, individuals’ rights, and other relevant details. By using our website or providing personal information, you consent to the practices described in this Privacy Policy.

Data Controller: The data controller (organization determining the purposes and means of processing your personal data) is TOLMETS SIA, located at Hika iela 5, Liepāja, LV-3401, Latvia (Reg. No. 42103022610). You can contact us using the details in the “How to Contact Us” section below with any questions about your personal data.

Personal Data We Collect

Information You Provide Directly: We collect personal identification information that you provide through our website forms, such as your name, email address, telephone number, company name, and any other information you choose to submit (for example, when you fill out a contact/feedback form or sign up for our email newsletter). This may include messages or inquiries you send to us. For instance, if you fill out our contact form, you will be asked for your name, contact information, and the message you wish to send. We only collect what you voluntarily provide and what is necessary for the intended purpose.
Information Collected Automatically: When you visit our site, we may collect certain data automatically via cookies and similar technologies (see our Cookie Policy for details). This can include your IP address, browser type, device information, pages visited, date/time of visit, and referring website. In particular, we use Google Analytics cookies to gather standard internet log information and visitor behavior information in an anonymized or pseudonymized form. This information helps us understand how visitors use our site (e.g. which pages are most popular) and improve the website’s functionality.
No Special Categories: We do not intentionally collect any sensitive personal data (such as information about health, political opinions, etc.) through the website. We ask that you do not provide this type of information in any free-text fields.

How We Collect Data

We collect personal data in the following ways:

Direct Interaction: You directly provide most data when you interact with our site. For example, you may provide personal details when you:

Submit an inquiry or feedback via our contact form.

Subscribe to our email newsletter or marketing communications.

Communicate with us via email or other contact methods provided on the site.

In these cases, you actively send us information, and we process it to fulfill your request or respond to you.

Automated Technologies: As you navigate through our site, we use cookies and analytics tools to automatically collect technical data about your browsing actions and usage patterns. For instance, our server logs and Google Analytics will record how you arrived at the site, what pages you viewed, and how long you stayed, via cookies placed on your browser. (For more details, see the Cookie Policy section below and our separate Cookie Policy page.)
Third-Party Sources: Generally, we do not obtain personal data about you from third parties when you use the website. The information is collected directly from you or your device. If in the future we receive personal data about you from another source (for example, if you engage with us via social media or if a partner provides your details with your consent), we will inform you separately as required by GDPR.

Purposes and Legal Bases for Processing

We process your personal data only for specified and legitimate purposes, and we ensure we have a lawful basis under Article 6 of GDPR for each processing activity. The purposes and legal bases for our processing include:

Responding to Inquiries and Providing Services: When you contact us through the website (e.g. submitting a question or request), we use your contact information and message to respond to you and provide the information or service requested. The legal basis is our legitimate interest in effectively communicating with prospective customers or site users and answering your questions, or it may be pre-contractual necessity if your inquiry is related to potentially entering into a contract with us. We have assessed that our legitimate interest in responding to you is not overridden by your rights, especially since you initiated contact and expect a reply.
Email Newsletter and Marketing: If you sign up for our newsletter or agree to receive promotional emails, we will use your name and email to send you news, updates, or marketing communications about our products and services. The legal basis for this is your consent. You will only receive marketing emails if you have actively opted in. You have the right to withdraw consent at any time, as described below, and every marketing email will include an unsubscribe link.
Website Analytics: We use Google Analytics and similar tools to collect data about how visitors use our site (as described above) in order to analyze trends, improve the site’s functionality, and enhance user experience. The use of analytics cookies is based on your consent. We will not set analytics cookies without your prior consent, obtained via the cookie banner/pop-up when you first visit the site. You can refuse or revoke your consent for analytics at any time (see Cookie Policy and Managing Cookies below). The data collected via analytics cookies is processed in aggregate form (e.g., overall visitor numbers, page popularity) and does not directly identify individuals.
Site Functionality and Preferences: We use certain cookies that are necessary for the operation of the website (for example, to enable core features, remember cookie consent choices, or keep the site secure). For any non-essential cookies (such as remembering your language preference or other preferences), we will also rely on consent. Essential cookies are used under a legitimate interest (i.e., our interest in providing a functioning website that you explicitly access). See the Cookie Policy for more on cookie categories.
Legal Compliance and Protection: We may process personal data as required to comply with legal obligations (e.g. accounting rules, court orders) or to establish, exercise, or defend legal claims. For instance, we might retain contact form data if needed for legal dispute resolution. The legal basis in such cases would be compliance with a legal obligation or legitimate interests (our interest in legal protection of our business).

We do not use your personal data for any purposes that are incompatible with those above, and we do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (such as credit scoring or automated marketing profiles) without your explicit consent. If this changes in the future, we will update this policy and, if required, obtain your consent.

Cookies and Tracking Technologies

Cookies are small text files placed on your device to collect standard internet log information and visitor behavior information. Our website uses cookies and similar technologies to enhance user experience (e.g., remembering your preferences) and to collect analytics information about how visitors use the site. Some cookies are placed by third-party providers (for example, Google Analytics cookies are set by Google, a third party, not directly by our website).

For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy. In summary:

Necessary Cookies: These are essential for the website’s core functionality (such as security, network management, and accessibility). They do not require consent, but we still want to inform you about them. Without these, the site may not function properly.
Preference/Functional Cookies: If used, these cookies remember choices you make (e.g., language selection) to provide a more personalized experience. These may be first-party or third-party cookies. We will obtain consent before setting these, unless they are strictly necessary for a service you requested.
Analytics/Statistics Cookies: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. For example, they may track which pages are visited, in what order, and how long users spend on the site. The data collected is aggregated and not used to identify you personally. We currently use Google Analytics for this purpose; Google may set cookies (_ga, _gid, etc.) to gather information about website usage on our behalf. These cookies are only deployed with your consent.
Marketing Cookies: Our website does not currently use advertising or targeting cookies that profile you for advertising purposes. We do not show third-party ads on our site. If this changes, we will update our Cookie Policy and request your consent for any marketing cookies.

When you first visit our site, you will see a cookie consent banner. Except for strictly necessary cookies, cookies will not be set unless you choose to allow them. We store your cookie preferences, and you can change your consent choices at any time by using the cookie settings link on our website or adjusting your browser settings. You can also delete cookies from your browser. Note that refusing or deleting cookies may impact your user experience (for example, some features or preferences might not be remembered), but you will still be able to access our website even if you decline all optional cookies. We make it as easy to withdraw your consent as it was to give it – for instance, you can revisit your cookie settings via the banner or a link on our site at any time to adjust preferences.

For more information, please read our Cookie Policy below, which is incorporated into this Privacy Policy by reference.

How We Use and Share Your Data

We use the collected personal data solely for the purposes listed above. We treat your personal information with care and confidentiality. We do not sell your personal data to third parties. We only share data in the following circumstances:

Within Our Company Group: If TOLMETS SIA is part of a group of related companies (e.g., subsidiaries or affiliates), your data may be shared with other entities in our group as needed to provide services or respond to you. (Currently, our primary operations are under TOLMETS SIA in Latvia.)
Service Providers (Processors): We use trusted third-party service providers to help operate our website and deliver services. For example:

Our website may be hosted on servers provided by a third-party hosting company. This means any data you submit (e.g., form entries) is stored on their servers. We ensure that such hosting providers implement appropriate security measures and, if they are outside the European Economic Area (EEA), that adequate safeguards are in place for data transfers (see “International Data Transfers” below).

We use email service providers to send out our newsletters or to communicate with you. If you subscribed to our newsletter, your name and email might be stored with that email service provider (for instance, Mailchimp, SendinBlue, or a similar platform – we will disclose the specific provider in the email subscription process).

We use Google Analytics, as mentioned, which is a service provided by Google LLC. Google acts as a data processor for us in analyzing website usage. Google may process some data on servers located outside the EU (notably in the USA), so we have measures in place as described under international transfers.

These service providers are only allowed to process your data on our behalf and according to our instructions, for the purposes stated in this policy. We have or will have appropriate data processing agreements in place with them as required by GDPR (Article 28). They are not permitted to use your data for their own purposes.

Legal Requirements: We may disclose personal data to third parties if required to do so by law or lawful order (for example, to law enforcement or government authorities in response to a valid request), or to establish, exercise, or defend our legal rights.
Business Transfers: In the unlikely event that our company is involved in a merger, acquisition, or sale of business/assets, personal data may be transferred to the new owner/third party as part of that transaction. If that happens, we will ensure the confidentiality of the personal data is maintained and provide notice before it becomes subject to a different privacy policy.

We will always strive to minimize the personal data we share and will anonymize or aggregate data wherever feasible (for example, sharing website traffic statistics that cannot identify individuals).

International Data Transfers

By default, we aim to store and process personal data within the European Union/European Economic Area. However, some of our service providers may be located or may store data in other countries. For example, Google Analytics may process data in the United States, and if we use an email newsletter service or cloud provider outside the EU, your data might be transferred to those locations.

Whenever we transfer personal data out of the EEA, we will ensure that adequate safeguards are in place as required by GDPR Chapter V. These might include:

Relying on a European Commission adequacy decision (if the country is deemed to provide an adequate level of data protection).
Using standard contractual clauses (SCCs) approved by the European Commission, which legally oblige the recipient to protect your data according to EU standards.
Implementing additional technical and organizational measures as needed (such as encryption in transit and at rest, pseudonymization, etc.).

You can contact us if you have questions about our international data transfer safeguards or want more information about where your data may be stored or accessed.

Data Retention

We will not keep your personal data for longer than necessary for the purposes for which it is processed, unless a longer retention period is required or permitted by law. In general:

Contact Form Inquiries: If you submit an inquiry, we will retain your data for as long as needed to respond and follow up, and for a short period thereafter in case of further communication. Typically, basic inquiry data will be deleted or anonymized within 1–2 years of the inquiry resolution, unless ongoing business relations or legal obligations justify retaining it longer.
Newsletter Subscription: We retain your email and related info for as long as you remain subscribed to our mailing list. If you unsubscribe or withdraw consent, we will remove you from the list promptly and will not continue to send you communications. However, we may keep a record of your request to unsubscribe (email address and opt-out date) to ensure we honor your no-contact request in the future.
Analytics Data: Data collected via Google Analytics is stored according to the settings we have configured with Google. We have set our Google Analytics data retention period to the industry standard (e.g., 14 months or a similar timeframe), after which Google automatically deletes the stored analytics data. We only view aggregate analytics reports, and do not maintain personal-level analytics information. You can also clear your cookies at any time to remove analytics identifiers from your browser.
Legal Retention: We may need to retain certain information for longer if required by law or for legal proceedings. For instance, transaction records or communications might be kept for a statutory limitation period (e.g., to comply with accounting rules or to have evidence in case of legal claims).

When we no longer have a legitimate need to retain your personal data, we will securely delete or anonymize it. If deletion is not possible (for example, because the data is stored in backup archives), we will securely store the data and isolate it from further processing until deletion is feasible.

Your Data Protection Rights

We are committed to upholding your rights under the GDPR. You have the following data protection rights with respect to your personal data:

Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you. We will provide you with a copy of the data in a commonly used electronic format, unless you request otherwise. (For additional copies, we may charge a reasonable fee based on administrative costs, as permitted by law.)
Right to Rectification: If you believe that any personal data we have about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to contact us to keep your information up to date.
Right to Erasure: You have the right to request the deletion of your personal data under certain conditions. For example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and no other legal basis for processing applies, or if you object to processing and we have no overriding legitimate grounds, or if we have processed the data unlawfully. Please note that this right is not absolute – sometimes we may have legal obligations or compelling legitimate grounds to keep some data (we will inform you if that is the case).
Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances. This means we would mark the data to be limited in use while we consider your request (for example, if you contest the accuracy of the data or have objected to our processing, we would restrict use until the issue is resolved).
Right to Object: You have the right to object to our processing of your personal data at any time if we are processing it on the legal basis of legitimate interests. If you object, we will assess whether our compelling legitimate grounds override your privacy rights. You also have an absolute right to object to direct marketing – if you object, we will stop using your data for marketing purposes immediately.
Right to Data Portability: Where you have provided data to us and we process it by automated means on the basis of your consent or a contract, you have the right to request that we provide the data in a structured, commonly used, machine-readable format and, where feasible, to transmit it to another data controller (this is the “data portability” right).
Right to Withdraw Consent: If we rely on your consent for any processing (such as for sending marketing emails or setting non-essential cookies), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing we conducted based on consent before its withdrawal. For example, you can unsubscribe from our newsletter through the link in emails or change your cookie settings to withdraw consent for analytics. We have made the process for withdrawing consent as easy as giving it.
Right not to be Subject to Automated Decisions: As noted, we do not use your data for solely automated decision-making that has legal or similar significant effects. If that changes, you would have the right not to be subject to such decisions without human intervention.

To exercise any of your rights, please contact us using the contact information provided in the “How to Contact Us” section. We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose data to the wrong person). We will respond to your request as soon as possible, and in any case within one month as required by GDPR. Under certain circumstances, we can extend this period by two further months if necessary (for complex requests), but we will inform you of any extension within the first month.

If your request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request, as permitted by law. However, we will inform you of our reasoning in such cases.

Data Security

We take the security of your personal data seriously. We have implemented appropriate technical and organizational measures to protect the personal information we process from unauthorized access, alteration, disclosure, or destruction. These measures include, for example: using secure hosting with firewalls, data encryption in transit (HTTPS on our website), access controls to limit who within our organization can access personal data, and policies to handle data securely. We also ensure that any third-party processors we use have adequate security practices.

However, please note that no website or internet transmission is completely secure. We cannot guarantee absolute security of data, but we follow best practices and will notify you and relevant authorities of any data breaches as required by law.

Children’s Privacy

Our website and services are not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not provide any personal information on the site. If we learn that we have inadvertently received data from a child under 16, we will take steps to delete it. Parents or guardians who believe their child may have provided personal data to us should contact us, and we will promptly remove the information.

Links to Other Websites

Our site may contain links to third-party websites (for example, to partner companies or useful resources). Please note that this Privacy Policy does not apply to those external sites. We are not responsible for the content or privacy practices of other websites. If you follow a link to any other website, we encourage you to read their privacy policy. We provide those links for convenience, and a link does not imply endorsement of the linked site’s content or services. We have no responsibility for the privacy practices or content of linked websites.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in legal requirements or our data processing practices. When we make changes, we will post the updated policy on this page and update the “Last updated” date. If the changes are significant, we may also notify you by additional means (such as a notice on our homepage or an email notification, if appropriate). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

This Privacy Policy was last updated on [DATE]. (We will fill in the effective date when we publish the final version.)

How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us at:

Email: [email protected]
Postal Address: TOLMETS SIA, Hika iela 5, Liepāja, LV-3401, Latvia.
Telephone: 371 63 425 200

Please feel free to reach out with any questions about your privacy or to exercise your data protection rights.