Privacy policy

This privacy policy explains how M company SIA (hereinafter - the Company or the Controller) collects, processes and protects your personal data when you visit the online shop rigasriepas.lv (hereinafter - the Website), place an order, register as a user or contact us.

Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, hereinafter - the GDPR), the Latvian Personal Data Processing Law and other applicable legislation.

1. Data controller

Name M company SIA
Registration number 40103250586
Legal address Piekalnes iela 32, Ogre, Ogres nov., LV-5001
Phone 20110016
Email address
Website rigasriepas.lv

For any questions about the processing of personal data, please contact us by email at or by writing to the legal address stated above.

2. What personal data we process

Depending on how you interact with the Website, we process the following categories of personal data:

Payment card data is not collected or stored on the Website. Payments are processed by an external payment service provider, Montonio Finance UAB, acting as an independent data controller (see section 6).

3. Purposes and legal basis of personal data processing

Each processing activity has a specific purpose and a legal basis under Article 6 of the GDPR:

Purpose of processing Data processed Legal basis
Receiving, processing and fulfilling orders First name, surname, email, phone, delivery address, order data Performance of a contract - GDPR Article 6(1)(b)
Communication about your order (confirmation, status, delivery) Name, email, phone Performance of a contract - GDPR Article 6(1)(b)
Creating and managing a user account First name, surname, email, phone, delivery address Performance of a contract - GDPR Article 6(1)(b)
Responding to contact form enquiries Name, email, content of the enquiry Legitimate interests - GDPR Article 6(1)(f) (responding to customer questions)
Accounting records and tax reporting First name, surname, address, order and invoice data Legal obligation - GDPR Article 6(1)(c) (Law on Accounting)
Website usability analysis (Google Analytics) Anonymised IP address, browser data, page visits Consent - GDPR Article 6(1)(a)

Where the legal basis is legitimate interests, we have assessed that the processing is necessary and does not disproportionately intrude on your privacy. You have the right to object to such processing (see section 8).

4. Personal data retention periods

Data category Retention period Justification
Order and invoice data 5 years from the end of the tax year in which the transaction took place Law on Accounting and VAT legislation
User account data While the account is active + 5 years after the account is closed or after the last activity Limitation period for legal claims under the Latvian Civil Procedure Law
Contact form enquiries Up to 12 months after the enquiry has been handled Legitimate interests - handling possible claims
Google Analytics data 14 months (configured in Google Analytics) Consent; deleted automatically after this period
Session cookies For the duration of the browser session; deleted when the browser is closed Cookies necessary for the operation of the website

Once the retention period has expired, personal data is securely deleted or fully anonymised.

5. Recipients of personal data

We share your personal data only with those recipients who need it to achieve the purposes stated above. We do not pass personal data to third parties for marketing purposes without your consent.

ABCD, SIA - order processing partner (data processor)

Orders are processed and fulfilled by ABCD, SIA (reg. no. 40103922235, legal address: Piekalnes iela 32, Ogre, Ogres nov., LV-5001) as our data processor. ABCD, SIA processes your first name, surname, email, phone number, delivery address and order data solely on our behalf, on the basis of a data processing agreement concluded in accordance with Article 28 of the GDPR. The data is processed in Latvia.

Montonio Finance UAB - payment processing (independent data controller)

Payments are processed by Montonio Finance UAB (a Lithuanian company, reg. code 305205122, address: Konstitucijos pr. 7, Vilnius, Lithuania), a licensed payment institution supervised by the Bank of Lithuania (licence no. LB002007). Montonio is an independent data controller for the processing of payment data - it independently determines the purposes and means of the processing. Rigasriepas.lv does not receive or store your payment card data. Montonio's privacy policy is available at: montonio.com/legal/privacy-policy.

Google LLC - website analytics (data processor)

To analyse Website statistics we use the Google Analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics processes data only with your prior consent. Google LLC is certified under the EU-US Data Privacy Framework, which the European Commission has recognised as an adequate safeguard for transferring data to the USA. Further information on how Google uses data submitted by its partners: policies.google.com/technologies/partner-sites.

Courier services - delivery of goods

For the delivery of goods, your first name, surname, phone number and delivery address are passed to our partner courier companies. The specific courier service is stated in the order confirmation.

Public authorities

Where required by legislation or upon a justified request from competent public authorities (the State Revenue Service, courts, the police, etc.), we disclose personal data in order to comply with a legal obligation.

6. Transfer of personal data outside the EU/EEA

Your personal data is primarily processed in Latvia and the European Economic Area (EEA).

The only exception is Google Analytics - data is transferred to Google LLC servers in the USA. This transfer is lawful because Google LLC is certified under the EU-US Data Privacy Framework, approved by the European Commission's decision of 10 July 2023, which ensures an adequate level of protection. In addition, the European Commission's standard contractual clauses (SCC) are applied. This data transfer takes place only if you have given your consent to analytics cookies.

Processing by the other processors - ABCD, SIA and Montonio Finance UAB - takes place within the EEA.

7. Cookies

The Website uses two types of cookies:

Necessary session cookies

These cookies are technically necessary for the website to work properly - they keep your shopping cart, enable secure login to your user account and support other core functions. Session cookies are deleted automatically when you close your browser. The legal basis for their use is legitimate interests (GDPR Article 6(1)(f)) - the website cannot function without them. Consent is not required for these cookies.

Analytics cookies (Google Analytics)

These cookies are activated only if you have given your consent via the website's cookie consent notice. They collect anonymous data about how visitors use the Website (pages viewed, session duration, source of arrival) so that we can improve the usability of the website. IP addresses are anonymised automatically. You can withdraw your consent at any time by changing the cookie settings on the website or by using the Google Analytics opt-out browser add-on.

8. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  1. Right of access to your data (GDPR Article 15) - you may request information about which of your personal data we process, for what purposes and to what extent.
  2. Right to rectification (GDPR Article 16) - if your personal data is inaccurate or incomplete, you have the right to request that it be corrected.
  3. Right to erasure (GDPR Article 17) - you may request the deletion of your personal data if it is no longer needed for the purposes for which it was collected, or if you withdraw your consent and there is no other legal basis for the processing. This right does not apply to data we are legally required to retain.
  4. Right to restriction of processing (GDPR Article 18) - you may ask us to temporarily suspend the active use of your data, for example while your objection or rectification request is being reviewed.
  5. Right to data portability (GDPR Article 20) - you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means.
  6. Right to object to processing (GDPR Article 21) - you have the right to object to the processing of personal data based on legitimate interests. The right to object to direct marketing is absolute - processing stops immediately once your objection is received.
  7. Right to withdraw consent (GDPR Article 7(3)) - where processing is based on your consent, you may withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
  8. Rights relating to automated decision-making (GDPR Article 22) - we do not carry out automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you.

To exercise any of these rights, please contact us by email at or by writing to our legal address. Your request must include proof of your identity (a copy of an identity document or a letter signed with a secure electronic signature). We will respond to your request within one month. For complex requests, this period may be extended by a further two months, in which case you will be informed.

9. Right to lodge a complaint with the supervisory authority

If you believe that the processing of your personal data violates the GDPR or other applicable legislation, you have the right to lodge a complaint with the Latvian supervisory authority:

Authority Datu valsts inspekcija (Data State Inspectorate of Latvia)
Address Elijas iela 17, Rīga, LV-1050
Phone +371 67223131
Email
Website www.dvi.gov.lv

We encourage you to contact us directly first - we will do our best to resolve any issue promptly and out of court.

10. Data security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction or disclosure. These measures include:

Despite these measures, data transmission over the internet is never completely secure. In the event of data loss or unauthorised access, where this poses a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 of the GDPR.

11. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in legislation or in our business practices. The current version of the privacy policy is always available in the "Privacy policy" section of the Website. We will inform you of any material changes by publishing a notice on the Website or by sending a notification to the email address you have provided.

Privacy policy last updated: April 2026.

My account

or
Forgot your password?

Don't have an account yet?

Create an account