Privacy Policy
Revised 12.05.2022

What is this policy about?
• We strive to provide you with the most accessible and at the same time fully inform you about the information that we collect and what we will do with it.
• We will use the information you provide for the purposes described in our Privacy Policy, including to provide you with the services you have requested, the products ordered, and to enhance your experience with us. We process only the required minimum of information.
• We will also use this information to help us better understand you and your needs, so that the products we offer are best suited to your interests.
• If you tell us that you do not want to receive promotional messages, we will not send them to you. It goes without saying that refusal to receive promotional/advertising messages does not deprive you of the opportunity to receive important messages about the ordered product or the services provided, you will continue to receive such messages.
• The information you provide needs to be protected and we will take measures to ensure it. But if something happens, and because of an intruder, our protection is violated, we will definitely let you know.
• If some information about you is not accurate – you can write to us, we will clarify it.
• If you no longer want us to process the information you provide and let us know, we will stop doing this. But if the law obliges us to continue processing, we will act in accordance with the law. But we will definitely inform you about this.
• We respect your rights to exercise control over your own information.

Below is the full text of the Privacy Policy. In it we explain in more detail the types of personal information (personal data) we collect, how we collect it, what we can use it for and with whom we can share it, how you can influence it, and other important issues.
We tried to make the text of the Policy as clear as possible, but we could not avoid some legal phrases, without them a simple explanation would not be accurate, and we want to tell you the most accurate information.
If you still have questions, you can write to us at the e-mail address: support@openface.io.

1. Who processes your personal data.
This Personal Data Privacy Policy (hereinafter – the Privacy Policy) in accordance with the General Data Protection Regulation (GDPR), as well as the Law on the Legal Protection of Personal Data of the Republic of Lithuania I-1374 of 11.06.1996 (as amended) is established for regulation of personal data processing and provides measures to ensure the security of personal data about individuals that can be received by ATVIRAS VEIDAS, UAB (registration number 305620652, address V. Nagevičiaus g. 3, LT-08237 Vilnius). For the purposes of the definition of duties under the GDPR, the aforementioned person is considered the “data controller”.

2. What do we mean by personal data?
Personal data – data that identifies you or can be used to identify you, for example, your name and contact information. There may also be other information about how you use our Site.
We do not verify the accuracy of the data you provide, we trust you and assume that you are telling the truth about yourself.

3. When and how does this Privacy Policy apply?
3.1. This Privacy Policy applies to personal data about you that we collect, use and otherwise process, not only when you are our client (Buyer), but also when you are exploring our site (as a User).
Let's explain that:
Site – a set of graphic and information materials, as well as computer programs and databases, ensuring their availability on the site on the Internet at the address: https://openface.io/ and on all subdomains created on its basis.
User – a person to whom the relevant personal data relates, viewing the content of the Site and / or using the functionality of the Site.
Buyer – any capable person who has accepted the offer. The content and conditions of the public offer are available at openface.io.
3.2. The current version of the Privacy Policy is posted on the Site at: https://openface.io/privacypolicy. Before using our Site, you should read the Privacy Policy, and if its conditions are unacceptable to you, refrain from transferring personal data to us.
If you transfer your personal data, it means unconditional acceptance of the terms of this Privacy Policy and the conditions for processing personal data and the purposes of processing specified in it. But you have the right to withdraw consent, more on that below.
3.3. The privacy policy (including any of its parts) can be changed by the Controller, and we will immediately publish it on the Site for public review. The new edition of the Privacy Policy comes into force from the moment it is posted on the Site. If you do not agree with the new terms of the Privacy Policy, refrain from transferring personal data.
3.4. We are committed to protecting and respecting your privacy and will continue to do so with any changes we make to this Privacy Policy.
3.5. Using the Site and its services, applying a web browser that accepts data from cookies means your consent to the fact that the Controller can collect and process data from cookies in order to improve the Site, its content, and its functionality. Disabling and / or blocking your web browser option for receiving data from cookies means that your use of the Site may be limited, in particular, in terms of some of its functions.
Let's explain that:
Cookies are a small piece of data sent by a web service and stored on your computer, which the browser sends to the web server each time in an HTTP request when trying to open the page of the corresponding site.

4. When do we collect your personal data?
We collect personal data about you whenever you use our services in any form. Most often these cases are: when you make an order, when you are undergoing testing, when you contact our specialists and when you use our Site.

5. When and why do we collect “sensitive personal data”?
Some types of personal data, for example, about race, ethnicity, health, are special categories of data that require additional protection in accordance with the legislation of the European Union. We try not to process these types of data. But, for example, providing information about the state of pregnancy / breastfeeding is such a type of personal data. We process this information only when you have provided it and only for the purpose of selecting the optimal skin care product.

6. Purposes of processing and types of personal data about Users that the Controller receives and processes.
6.1. Types of personal data:
6.1.1. Personal data posted by Users. These may include, in particular:
- last name, first name, patronymic, gender, photographs of the User, age, medications taken by User, information about the state of pregnancy / breastfeeding, information about the condition of the skin at different periods of life, information about the User's identity document;
- contact information (phone number, e-mail address, zip code, delivery address, city of residence).
It is forbidden for the User to provide personal data of third parties without the consent received from them for such a transfer, or if such personal data of third parties were not obtained by the User himself from publicly available sources of information.
6.1.2. Data automatically transmitted to the Site in the process of this data using the software installed on the User's device, incl. IP-address, individual network number of the device (MAC-address, device ID), electronic serial number (IMEI, MEID), data from cookies, information about the browser, operating system, access time, search requests of the User.
Let's explain that:
IP-address is a unique network address of a node in a computer network through which you get access to the Site.
6.2. We collect and process only that information about Users, incl. their personal data, which is related to the achievement of the following goals:
- sending a promotional code for a discount;
- sending of advertising and newsletters;
- providing services for the selection of the most suitable cosmetics from the range, depending on the information that the User has provided about himself;
- to administer and protect the Site, including troubleshooting, data analysis, testing, system maintenance, support, reporting and data placement.
If it is necessary to use personal information about Users for purposes not provided for by the Privacy Policy, we request the User's consent to such actions.

7. Purposes of processing and personal data about the Buyer, which is received and processed by the Controller
7.1. Types of personal data:
7.1.1. Personal data posted by Buyers. These may include, in particular:
- last name, first name, patronymic, gender, photographs of the Buyer, age, medications taken by Buyer, information about the state of pregnancy / breastfeeding, information about the condition of the skin at different periods of life, the Buyer's phototype;
- contact information (phone number, e-mail address, zip code, delivery address, city of residence).
It is forbidden for the Buyer to provide data of third parties without the consent received from them for such a transfer, or if such personal data of third parties were not obtained by the User himself from publicly available sources of information.
7.1.2. Data automatically transmitted to the Site in the process of this data using the software installed on the Buyer's device, incl. IP address, individual network number of the device (MAC-address, device ID), electronic serial number (IMEI, MEID), data from cookies, information about the browser, system, access time, search at the request of the Buyer.
7.1.3. Data also provided by Buyers at the request of the Controller in order to fulfill the Controller's obligations to the Buyers in relation to the Site using.
7.2. We collect and process only information about Buyers, incl. their personal data, which is related to the achievement of the following goals:
- providing services for the selection of the most suitable cosmetics from the range, depending on the information that the Buyer has provided about himself;
- fulfillment of obligations that have arisen or may arise for the Seller in the course of the execution of the Contract concluded on the terms of the Offer, including contacts with the Buyer by the Seller and / or his authorized representatives;
- sending a promotional code for a discount;
- sending of advertising and newsletters;
- to administer and protect the Site, including troubleshooting, data analysis, testing, system maintenance, support, reporting and data placement.
If it is necessary to use personal information about the Buyers for purposes not provided for by the Privacy Policy, we request the Buyers' consent to such actions.

8. When do we send you promotional (advertising) messages?
If you give your consent, we will occasionally send you promotional messages about our products and services.
We respect your right to opt out of receiving promotional messages. You can inform us about this in the following way: by sending a letter to our email address support@openface.io or by clicking the "unsubscribe" button under our advertising message that came to your email.

9. Legal basis for data processing.
9.1. We process your personal data only if we have a legal basis to do it. This basis will depend on the reasons for which we collect and process your personal data.
9.2. Most often, the basis for data processing will be:
- contracts concluded between us and you, that is, we will process your personal data in order to fulfill our obligations to you (for example, to deliver goods);
- consent to the processing of personal data that you have given us (implies a certain list of such data and certain purposes).
9.3. Also, the law allows us to process personal data in the following cases:
- if it is necessary to use your personal data in accordance with a legal obligation to which we are subject;
- to protect the vital interests of you or another person.
9.4. We process personal information, incl. personal data, only if:
- processing is necessary to fulfill our contractual obligations to you.
- processing is necessary to comply with statutory obligations.
- when provided by applicable law, processing is necessary to ensure our legitimate interests in the event that such processing does not significantly affect your interests, fundamental rights and freedoms. When processing personal information on this basis, we will always strive to maintain a balance between our legitimate interests and the protection of your privacy.

10. How long do we keep personal data?
We will keep your information for as long as we need it for the purpose for which it is processed. For example, we store your data to fulfill the obligations under the contract, and after fulfilling it, we store the data in order to be able to respond to any of your request, complaint or claim. Information may also be stored so that we can continue to improve our experience and to reward you for your loyalty.
We constantly check the relevance of the need to process personal data, and in the event that there is no legal, business or customer need for keeping this information, we will safely delete it.

11. Who has access to your personal data?
In most cases, personal data is processed automatically without employees having access to it. If such access is available, then it can be provided to those persons who need it to perform their tasks. For the security of internal data, all persons must comply with the rules and procedures regarding data processing. They must also follow all technical and organizational security measures in place to protect personal data.
Consent to this Privacy Policy implies consent that we may receive statistical anonymized (without reference to the Personal Data Subject) data on the actions of the Personal Data Subject when using the Site, social networks (Instagram, WhatsApp, Facebook, Vkontakte).

12. How do we protect your personal data?
We have implemented sufficient technical and organizational measures to protect personal data from unauthorized, accidental or illegal destruction, loss, alteration, unscrupulous use, disclosure or access, as well as other illegal forms of processing. These security measures were implemented taking into account the current state of the technics, the cost of implementation, the risks associated with the processing and the nature of personal data, including the following measures:
- anti-virus protection with updated databases;
- information backup;
- limiting the circle of persons with access to personal data.

13.Who do we share personal data with?
13.1. We may transfer your personal data to the following subjects:
SMS service – the phone number.
Delivery service – full name, delivery address, phone number.
13.2. We may transfer your personal data to other third parties in the case that you have submitted such actions or we are required by law (the transfer is provided by applicable law).
13.3. If our company takes part in a merger, acquisition or any other form of sale of part or all of its assets, then a data array is transferred along with them. In this case, all obligations to comply with the terms of the Privacy Policy are transferred to the acquirer of the assets.
13.4. We will also share your information in response to a valid request from law enforcement or other government agencies, or when contacting government agencies such as police and regulatory agencies to protect our rights, property or the safety of our customers, personnel and assets.
13.5. We may be forced to transfer your personal data because we must comply with legal or regulatory obligations in any jurisdiction, including when this obligation arises from our voluntary action or decision (for example, our decision to operate in a country or related to solutions).
13.6. We do not sell personal information, including personal data, to third parties.

14. Cross-border transfer
Your personal data may be sent and stored by us and / or third parties in countries outside the country in which you are located and outside the European Economic Area.
For example, we may transfer your data outside the country in which you are located in order to provide services to us.
This may involve sending your data to countries where, according to their local laws, you may have fewer legal rights.
If your personal information is transferred outside the European Economic Area because we are using a service provider in a third country, we will take precautions to ensure that your data is still protected in accordance with the standards set out in this Privacy Policy.

15. What are your legal rights in relation to the personal data we process?
15.1. The personal data protection laws of the EU and Lithuania give you a number of rights. To implement them, most often you just need to contact us in writing (by mail or email), it's free. We will reply to you within 30 days, but we will do our best to make it much faster.
Sometimes we will have to deny your request (in whole or in part), because we are obliged to comply with the applicable law. But we will definitely explain in our answer to you why we cannot fulfill your request.
15.2. You have the following rights:
A) You can ask us to stop sending you promotional materials. How to do this – in the section "When we send you advertising messages". Refusal from advertising mailing will not deprive you of the opportunity to receive messages about the progress of the provision of services and our performance of the contract.
B) You can ask us to stop processing your personal information for marketing purposes, including analytics for targeted marketing purposes, including online advertising.
C) You can ask for information regarding the processing of your personal data, including confirmation of the fact of processing, place and purpose of processing, types of data, to which third parties this data is disclosed, storage period and source of receiving.
D) You can ask us to correct the personal data that you have provided to us if this information is inaccurate or out of date.
E) You can ask to delete your personal data.
But we must warn you that some of the data will be archived to meet our obligations to law enforcement, national authorities and legal proceedings. We will give you a full answer which information will remain saved. When the storage period expires in accordance with the applicable law that obliges us to store this data, we will delete the data.
F) Ask us to provide a free electronic copy of personal data to another company.

16. Request forms and what we will check upon receiving your request.
16.1. You can send your request in writing or electronically.
16.2. Written requests include any of your written requests sent to us, including requests sent through post offices.
16.3. Electronic requests include inquiries sent by email. In this case, the request should be signed with your electronic signature in accordance with applicable law. We do not process requests related to the transfer or disclosure of personal data received by phone or fax due to the inability to identify the person of the requestor.
16.4. The procedure for considering requests is as follows:
16.4.1. A written request is sent by us to you regardless of the form of the request (written or electronic) and the results of consideration of the request or appeal. The preparation of answers is carried out by our responsible specialist.
16.4.2. Requests and appeals are checked for the presence of:
- surname, name of the applicant;
- last name, first name of the person whose personal data are processed (Personal data subject);
- number of the main identity document of the Personal data subject or his legal representative, information about the date of issue of the specified document and the issuing authority.
16.5. If necessary, we will ask you for additional information.

17. What to refer to in the request?
17.1. Personal data subject has the right at any time to revoke the given consents and permissions to the processing of personal data, as well as to refuse to inform and send out, by sending a message to email support@openface.io.
17.2. Personal data subject has the right to demand to delete, correct, update personal data, demand to restrict the processing of personal data or object to the processing of personal data, when it is provided for by applicable law. The Controller responds to these requests in accordance with applicable law.
17.3. In case of confirmation of the fact of inaccuracy of personal data or the unlawfulness of personal data processing, the personal data must be updated by the Controller, and the processing of the illegally obtained data must be stopped.
17.4. Upon achievement of the goals of personal data processing, as well as in case of withdrawal of consent to personal data processing, personal data should be deleted if:
- otherwise is not provided for by the contract, the party to which, the beneficiary or the guarantor of which is the Personal data subject;
- The Controller is not entitled to carry out processing without the consent of the Personal data subject in accordance with applicable law;
- otherwise is not provided by another agreement between the Controller and the Personal data subject.

18. How to contact us (address) and your right to file a complaint with a supervisory authority.
You have the right to send us requests, suggestions or questions regarding this Privacy Policy by e-mail support@openface.io or V. Nagevičiaus g. 3, LT-08237 Vilnius.
We make every effort to handle your information responsibly. But if something is not clear to you or something worries you, please contact us at the indicated address.
We will try to help you, but we remind you that you have the right to contact the data protection supervisory authority:
State Inspectorate for Data Protection (Valstybinė duomenų apsaugos Inspekcija)
Website: https://vdai.lrv.lt/
You can ask preliminary questions to the Inspectorate by email ada@ada.lt or telephone +370 5 212 7532.
Inspection address: L. Sapiegos str. 17 (left entrance)
LT-10312 Vilnius