EvoEX
LEGAL INFORMATION

Privacy Policy

Effective from: July 3, 2026

This is an English-language translation of the original Latvian document provided for the convenience of non-Latvian-speaking users. In the event of any discrepancy or inconsistency between this translation and the Latvian-language original, the Latvian version shall prevail and is the sole legally binding version.

1. General Provisions

1.1. This privacy policy establishes the manner in which SIA SAM MARTIN GROYP, registration No. 40203520646, legal address: Matīsa iela 16-2, Rīga, Latvija, LV-1001 (hereinafter – the Controller), processes the personal data of natural persons in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, or GDPR), the Law on the Processing of Personal Data of Natural Persons, and other applicable legal acts in the field of personal data protection.

1.2. The purpose of this privacy policy is to provide data subjects with clear, transparent, and legally accurate information about the purposes of personal data processing, the legal bases, the categories of personal data, the retention periods, the recipients of personal data, the transfer of data outside the European Union or the European Economic Area, the rights of data subjects, and the procedure for communicating with the Controller.

1.3. The Controller operates in the information technology sector and, within the scope of its economic activity, may develop, maintain, and administer websites, software solutions, servers, hosting environments, backup solutions, e-mail infrastructure, technical support systems, and other digital services for clients.

1.4. Depending on the nature of the specific service, the Controller may act either as the controller of personal data or as a processor of personal data on behalf of a client, where the client determines the purposes and means of personal data processing.

1.5. Where the Controller provides a client with server maintenance, hosting, systems administration, backup, incident analysis, e-mail infrastructure, cloud services, user support, or other technical services, the Controller may process personal data to the extent necessary for the provision of the service, security, continuity, and the performance of contractual obligations.

1.6. The Controller's services, websites, and the associated information society services are intended only for adults (persons 18 years of age or older). The Controller does not knowingly collect or process children's personal data where a service is directly offered to children, and takes reasonable measures to restrict the use of the services by minors acting without a lawful basis.

1.7. If the Controller establishes that a service is in fact being used by a person under 18 years of age and there is no lawful basis for the processing of data (for example, the consent of a legal representative), the Controller may delete such data or convert it into anonymised form, as well as restrict such person's further access to the services.

2. The Controller and Contact Information

2.1. The controller of personal data processing is SIA SAM MARTIN GROYP, registration No. 40203520646, legal address: Matīsa iela 16-2, Rīga, Latvija, LV-1001.

2.2. E-mail for communication on matters relating to personal data processing: [email protected].

2.3. On matters relating to this privacy policy, the processing of personal data, the exercise of data subject rights, the handling of requests, or other matters related to the protection of personal data, the data subject may contact the Controller by writing to [email protected].

3. The Controller's Role in Data Processing

3.1. The Controller processes personal data as an independent controller in cases where the Controller itself determines the purposes and means of personal data processing, for example, in relation to the processing of data of business partners, client contact persons, suppliers, prospective clients, website visitors, accounting documents, and communications.

3.2. The Controller may also act as a processor of personal data within the meaning of Article 28 GDPR, where the client is the controller of personal data and the Controller, on the client's instructions, provides IT infrastructure, website hosting, database maintenance, server administration, technical monitoring, data storage, backup, systems maintenance, or other related technical services.

3.3. In cases where the Controller acts as a processor, the processing of personal data is carried out in accordance with the agreement concluded with the client, the client's documented instructions, and applicable legal requirements.

3.4. If, under the particular cooperation model, the Controller and the client jointly determine the purposes or essential means of personal data processing, the relationship between the parties may be structured as a joint controllership in accordance with the requirements of the GDPR.

4. Categories of Personal Data

4.1. Depending on the service provided, the type of cooperation, and the purpose of processing, the Controller may process the following categories of personal data:

4.1.1. identification data, such as first name, surname, job position, or a person's representation status;

4.1.2. contact information, such as e-mail address, telephone number, correspondence address, company name, and other contact details;

4.1.3. contract and settlement data, such as the content of contracts, order information, invoices, payment information, cooperation history, and other information related to the provision of the service;

4.1.4. communication data, such as e-mail correspondence, support requests, inquiries, incident reports, chat correspondence, call notes, and other communication records;

4.1.5. technical data, such as IP address, device identifiers, browser parameters, authentication information, access times, session information, system event logs, error records, and security event information;

4.1.6. website and service usage data, such as user actions within the technical environment, login records, administrative actions, configuration changes, changes to access rights, system audit records, and other usage data;

4.1.7. server, hosting, and infrastructure operation data, such as log files, resource usage information, backup information, monitoring and availability data, incident diagnostic data, and service continuity data;

4.1.8. data of the client's end users, to the extent such data comes into the Controller's possession while providing hosting, systems administration, e-mail, backup, database maintenance, website maintenance, or other technical services in the client's interests and in accordance with the client's instructions;

4.1.9. other personal data provided to the Controller by the data subject or the client in the context of cooperation, a request, the performance of a contract, or the provision of a service.

4.2. The Controller processes only such personal data as are relevant, adequate, and necessary for achieving the specific purpose, observing the principles of data minimisation and accountability.

5. Sources of Personal Data

5.1. Personal data is obtained primarily directly from the data subject, the client, the business partner, or their authorised representatives, for example, upon concluding a contract, completing application forms, submitting requests, sending e-mails, or using the services provided by the Controller.

5.2. Personal data may also be obtained from publicly available registers, information systems used by the client, technical infrastructure, server logs, monitoring solutions, backup systems, authentication systems, and other technical sources necessary for the provision of the service, to the extent that this is lawful and necessary.

5.3. Where the Controller acts as a processor of personal data, personal data may be obtained from the client or from the systems, infrastructure, and services used by the client that the Controller technically maintains or administers on the client's instructions.

6. Purposes of Personal Data Processing

6.1. The Controller may process personal data for the following purposes:

6.1.1. identifying clients, suppliers, and business partners, and establishing cooperation;

6.1.2. preparing, concluding, performing, administering, and terminating contracts;

6.1.3. handling client requests, consultations, applications, and technical support matters;

6.1.4. maintaining and administering websites, applications, servers, hosting services, databases, e-mail solutions, APIs, integrations, and other IT infrastructure;

6.1.5. granting access rights, authentication, authorisation, and managing user accounts;

6.1.6. monitoring system operation, troubleshooting, performance analysis, security monitoring, incident investigation, and ensuring the stability of the technical environment;

6.1.7. creating backups, restoring systems, recovering data, and ensuring business continuity;

6.1.8. managing information and cybersecurity risks, preventing unauthorised access, conducting security audits, and protecting services;

6.1.9. ensuring accounting, tax compliance, legal obligations, claims, evidence, and internal administration;

6.1.10. carrying out statistics, quality control, service improvement, system optimisation, and usage analysis;

6.1.11. performing obligations established by legal acts, including cooperation with state and municipal authorities, law enforcement institutions, and supervisory authorities;

6.1.12. ensuring commercial communication, to the extent permitted under applicable legal acts and, where necessary, upon obtaining appropriate consent.

6.2. The Controller may send commercial communications about its services to existing clients on the basis of legitimate interest, in compliance with the requirements of the Law on Information Society Services and providing a simple means of opting out of each communication (for example, an "unsubscribe" link or contact with [email protected]).

6.3. Where commercial communication is based on the data subject's consent, the data subject has the right to withdraw consent at any time, using the opt-out mechanism indicated in the communication received.

7. Legal Bases for the Processing of Personal Data

7.1. Depending on the specific situation, the legal basis for the processing of personal data may be:

7.1.1. the conclusion and performance of a contract, or the taking of steps at the request of the data subject prior to entering into a contract, in accordance with Article 6(1)(b) GDPR;

7.1.2. compliance with a legal obligation to which the Controller is subject, in accordance with Article 6(1)(c) GDPR;

7.1.3. the legitimate interests pursued by the Controller or a third party, in accordance with Article 6(1)(f) GDPR, for example, in connection with network and information security, the protection of legal claims, ensuring the quality of services, technical stability, fraud prevention, system audits, and the organisation of business operations;

7.1.4. the consent of the data subject, in accordance with Article 6(1)(a) GDPR, where, in the specific case, processing is based on consent, for example, for sending certain marketing communications or using non-essential cookies.

7.2. Where the Controller acts as a processor of personal data on behalf of a client, the processing of personal data is carried out on the basis of the client's documented instructions and the contract, in compliance with the requirements of Article 28 GDPR and upon conclusion of an appropriate data processing agreement (DPA).

8. Special Provisions for IT Services and the Hosting Environment

8.1. When providing website hosting, virtual or physical servers, database maintenance, e-mail infrastructure, systems administration, cloud services, or other IT services, the Controller may process technical and usage-related personal data arising during the operation of the service, including access data, system logs, and security event records.

8.2. In order to ensure the security, availability, integrity, and stability of systems, the Controller may carry out network traffic monitoring, server load monitoring, error diagnostics, backup, disaster recovery, vulnerability assessment, configuration review, and other reasonable technical security measures.

8.3. In the event of a technical incident, a cybersecurity threat, an unauthorised access attempt, a service disruption, or a system error, the Controller may access the relevant technical information and, to a limited extent, also personal data, to the extent objectively necessary to detect, analyse, prevent, and document the incident.

8.4. Where the service ordered by the client includes the maintenance of the client's websites, databases, e-mail accounts, user accounts, or other systems, the Controller may technically process the personal data contained therein only to the extent necessary to ensure the functioning, security, backup, transfer, migration, restoration, or troubleshooting of the service.

8.5. The Controller does not determine the purposes of processing the client's end users' data unless otherwise follows from the nature of the specific cooperation or from legal acts; in such cases, the client is generally to be regarded as the controller, and the Controller as the processor.

8.6. The Controller may engage sub-processors, such as providers of data centre, hosting, cloud, e-mail, monitoring, backup, cybersecurity, or infrastructure services, where necessary for the provision of the service and provided that the appropriate data protection requirements are observed.

9. Cookies and Similar Technologies

9.1. Where cookies or similar technologies are used on the Controller's website or in solutions provided to clients, they may be used to ensure the website's basic functionality, security, session management, user authentication, retention of language preferences, analytics, performance improvement, or other technically necessary functions.

9.2. The user must be given clear and comprehensive information about the purposes for which cookies are used, and, where required by applicable legal acts, must be provided with the opportunity to give or refuse consent to the use of the relevant cookies.

9.3. The use of non-essential cookies may be based on the data subject's consent, while technically necessary cookies may be used to ensure the operation and security of electronic services in accordance with applicable regulation.

10. Personal Data Retention Periods

10.1. The Controller retains personal data for no longer than is necessary to achieve the relevant purpose of personal data processing, to perform contractual obligations, to protect legal rights, or to comply with obligations established by legal acts.

10.2. Retention periods may vary depending on the category of data and the purpose; for example, contract data, accounting documents, technical logs, backups, access records, support requests, and security incident data may be retained for different periods, taking into account the legal basis, technical necessity, security considerations, and the requirements of legal acts.

10.3. Personal data contained in backups may be retained until the next backup cycles or longer, where necessary for system restoration, incident investigation, business continuity, or compliance with regulatory requirements.

10.4. When personal data is no longer necessary to achieve the relevant purpose, it is deleted, anonymised, overwritten, or archived in accordance with applicable legal provisions and technical capabilities.

11. Recipients of Personal Data

11.1. Personal data may be disclosed to the Controller's employees, authorised persons, and business partners only to the extent necessary for the performance of work duties or contractual obligations, in compliance with the principle of confidentiality and appropriate security measures.

11.2. Personal data may be transferred to processors or sub-processors of personal data, such as providers of hosting, data centre, cloud, backup, e-mail, cybersecurity, accounting, legal, customer support, monitoring, document management, or other related services, to the extent necessary for the provision of the services.

11.3. In cases provided for by legal acts, personal data may be transferred to state and municipal authorities, courts, law enforcement institutions, supervisory authorities, or other persons, where such an obligation follows from legal acts or is necessary to protect the Controller's rights, legitimate interests, or security.

12. Transfer of Data Outside the European Union or the EEA

12.1. Where, in the course of providing services, personal data is transferred outside the European Union or the European Economic Area, the Controller ensures that such a transfer takes place only in accordance with the applicable requirements of the GDPR and that appropriate data protection mechanisms are applied.

12.2. Such mechanisms may include a European Commission adequacy decision, standard contractual clauses, binding corporate rules, or other personal data protection instruments recognised under the GDPR.

13. Security of Personal Data

13.1. The Controller implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, disclosure, or unauthorised access.

13.2. Depending on the nature of the specific service, such measures may include access control, user authentication, management of access rights, network segmentation, data encryption, firewalls, backup, event logging, vulnerability management, software updates, incident management, employee confidentiality obligations, and other reasonable security measures.

13.3. The Controller, having assessed the risks to the rights and freedoms of natural persons, implements security measures in accordance with the level of security set out in Article 32 GDPR.

13.4. If the Controller identifies a personal data breach, it acts in accordance with the applicable regulatory framework, including assessing its obligation to notify the supervisory authority and, where necessary, also the affected data subjects.

14. Rights of the Data Subject

14.1. The data subject has the right to request access to their personal data, its rectification, erasure, and restriction of processing, to object to processing, and to exercise the right to data portability, to the extent that such rights arise under applicable legal acts.

14.2. Where the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

14.3. To exercise their rights, the data subject may submit a request by writing to [email protected].

14.4. The Controller examines the request without undue delay and responds within the period established by legal acts, generally no later than one month from receipt of the request, unless the particular situation justifies an extension of that period in accordance with the GDPR.

14.5. The Controller has the right to request additional information to verify the identity of the person, in order to ensure that information is not disclosed to an unauthorised person.

14.6. Where, in the specific data processing relationship, the Controller acts only as a processor on behalf of a client, the Controller may forward the data subject's request to the relevant client or examine it in cooperation with the client, taking into account the parties' respective roles and obligations under the GDPR.

15. Filing Complaints

15.1. Where the data subject considers that the processing of their personal data infringes the requirements of applicable legal acts, they have the right first to contact the Controller by writing to [email protected].

15.2. The data subject also has the right to lodge a complaint with the Data State Inspectorate (Datu valsts inspekcija, Latvia's data protection supervisory authority), which is the personal data protection supervisory authority in Latvia.

15.3. Contact information of the Data State Inspectorate: Elijas iela 17, Rīga, LV-1050, Latvija; e-mail: [email protected]; telephone: +371 67223131.

15.4. The Data State Inspectorate recommends that, prior to filing a complaint, the data subject first contact the controller carrying out the processing of the personal data concerned.

16. Recordings of Conversations and Alternative Means of Communication

16.1. In providing customer support and communication, the Controller may make recordings of telephone conversations, internet calls, voice messages, or other electronic communications, where necessary for the provision of services, quality control, dispute resolution, ensuring security, and protecting the Controller's legitimate interests, in compliance with the GDPR and other applicable legal acts.

16.2. Recordings of conversations are generally retained for up to 90 days from the date the recording was made, unless, in a particular case, dispute resolution, quality control, protection of the Controller's rights, or limitation periods established by legal acts justify a longer retention period.

16.3. Before a conversation is recorded, the data subject is informed that a recording will be made, and recordings are retained only for as long as necessary to achieve the relevant purpose, resolve disputes, carry out quality control, or comply with regulatory requirements.

16.4. Where a data subject does not wish a particular conversation to be recorded, they may choose an alternative means of communication, by writing to [email protected] or, for example, using the WhatsApp number +371 28 706 247.

16.5. Recordings of conversations and voice messages are considered personal data, and the data subject's rights under the GDPR apply to them in full, including the rights of access, rectification, erasure, restriction of processing, and objection, to the extent compatible with the purpose of the recording and applicable legal acts.

17. Completion of Forms and Data Processing

17.1. Various electronic forms (for example, contact forms, application forms, service request forms, support request forms) may be available on the Controller's websites, applications, or solutions provided to clients, when completing which the data subject provides personal data so that the Controller can provide the requested service, communication, or fulfil another specific purpose.

17.2. When completing a form, the data subject generally provides identification and contact information, as well as other data related to the request, which the Controller processes in order to respond to the request, provide the service, examine the submission, prepare an offer, or take other steps initiated by the data subject.

17.3. The legal bases for the processing of personal data submitted through forms may be the conclusion or performance of a contract, compliance with a legal obligation to which the Controller is subject, the Controller's legitimate interests (for example, ensuring communication, protecting legal claims, improving the quality of services), or the consent of the data subject, where the relevant form provides corresponding information to that effect.

17.4. Personal data received as a result of completing forms is retained only for as long as necessary to achieve the relevant purpose, ensure communication, perform contractual obligations, protect the Controller's rights, or comply with obligations established by legal acts, after which it is deleted, anonymised, or archived in accordance with the procedure set out in this privacy policy.

17.5. The data subject is entitled at any time to contact the Controller to find out what data has been obtained about them, for what purposes it is used, and what the retention period for such data is, as well as to exercise other rights provided for under the GDPR with respect to personal data submitted through forms.

18. Cybersecurity and Systems Maintenance

18.1. The Controller ensures that the information and communication technology systems it maintains are protected in accordance with the regulatory framework in force in the Republic of Latvia in the field of cybersecurity, including the requirements of the National Cybersecurity Law and related Cabinet of Ministers regulations, to the extent that such legal acts are applicable to the Controller.

18.2. The Controller maintains servers, the hosting environment, databases, e-mail infrastructure, and other IT systems to a reasonable extent, taking into account technical capabilities, the level of risk, and minimum cybersecurity requirements, as well as the obligations and limits of liability established under contracts with clients.

18.3. The Controller implements technical and organisational measures to mitigate cybersecurity risks, such as access control, authentication, security updates, backup, incident management, monitoring, and other reasonable protective measures, to the extent objectively possible, taking into account the level of risk and the significance of the relevant system.

18.4. The Controller is not liable for cybersecurity incidents or system malfunctions arising from circumstances that the Controller cannot objectively control (for example, the actions of third parties, the configuration of the client's own infrastructure, the actions of the client's users, global cyberattacks); nevertheless, the Controller takes reasonable measures to mitigate the consequences and restore the provision of services, insofar as practically possible.

18.5. Where the Controller meets the status of a subject under the National Cybersecurity Law (for example, a provider of an important or essential service), it fulfils, in addition to this privacy policy, the obligations established by law, including the appointment of a cybersecurity manager, the submission of self-assessment reports, the reporting of incidents to the supervisory authority, and compliance with other statutory requirements.

19. Automated Decision-Making and Profiling

19.1. The Controller does not carry out automated decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them within the meaning of Article 22 GDPR.

19.2. The Controller may carry out limited analytics and analysis of service usage data (for example, analysis of system performance, use of functionality, and access statistics), which is not to be regarded as profiling with a significant effect on the data subject.

20. Final Provisions

20.1. The Controller is entitled to unilaterally amend or supplement this privacy policy at any time by publishing the current version on its website, client portal, or another communication channel determined by the Controller.

20.2. The current version of the privacy policy takes effect from the date of its publication, unless a different effective date is specified therein.

20.3. If any part of this privacy policy becomes invalid, contradictory, or unenforceable, this shall not affect the validity of the remaining provisions; in such a case, the Controller shall replace the relevant provision with one that corresponds as closely as possible to the original purpose and the applicable regulatory framework.

20.4. This privacy policy applies for as long as the Controller processes personal data within the scope of its economic activity; specific data processing terms may be developed for individual services, contracts, or projects, to be applied together with this policy, to the extent that they do not conflict with the GDPR and the legal acts of the Republic of Latvia.

Questions regarding the processing of personal data: [email protected].