Privacy Policy

Last updated: 2026-06-19.

This is the current version of this privacy policy. The date of the latest update is always shown at the top of this policy so that you can see when the document was last reviewed.

The controller of your personal data is the seller operating the ProDesk online shop. Under Article 13 of the GDPR we are required to disclose the controller's identity in this policy: it is the legal entity whose name, legal entity (company) code, registered office address and other particulars are set out below and on the Contacts page.

Controller particulars (to be finalised before publication): name – [seller's name]; individual-activity certificate number – [number]; registered address – [address]. The seller completes these fields with real, verified particulars before publication; until then, the exact identifying details are provided on the Contacts page.

For any matter concerning the processing of personal data, you can reach us through our dedicated privacy channel at privacy@prodesk.lt. For general matters you may also write to info@prodesk.lt; the seller's phone number and business hours are listed on the Contacts page.

Having assessed the nature and scale of its activities, the seller has not appointed a Data Protection Officer (DPO) under Article 37 of the GDPR, as this obligation does not apply to it.

Nevertheless, we have designated a responsible point of contact for all privacy matters – the email address privacy@prodesk.lt. You can use this address to submit requests to exercise your rights and any data-protection questions.

Order data: your name, surname, delivery and billing address, phone number, email address, the products ordered, order total and order history.

Account data: if you create an account, we process your login details, a hashed version of your password, purchase history and preferences. ProDesk does not store passwords in plain text.

Contact data: messages, questions and other information you provide when you contact us by email, phone or via our contact form.

Payment data: you pay through a payment service provider, so your payment card details never reach our server. We only receive confirmation of payment and information related to the transaction.

Browsing and cookie data: IP address, device and browser information, the date and time of your visit, pages viewed and other data collected through cookies and similar technologies. See our Cookie policy for details.

Business (B2B) data: if you request a quote for your business, we process the details of your company and contact person needed to prepare the quote and issue an invoice.

Most personal data is obtained directly from you – when you create an account, place an order, contact us or request a business quote.

Some data may come from third parties: from payment service providers we receive payment confirmation and transaction-related information; from delivery partners (couriers, parcel-locker operators) we receive shipment status and delivery data. In these cases the data processed concerns the transaction and the delivery linked to your order.

In a B2B context, the contact person's details are often provided by the company they represent rather than by the individual. In that case the source of the data is the company concerned, and the data processed includes the name, position and business contact details needed to prepare an offer and perform the contract.

Performance of a contract: we process data to accept and fulfil your order, deliver your goods, manage your account, handle warranty and returns, and communicate with you about your order. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).

Consent: marketing messages, newsletters and non-essential cookies are used only with your consent, which you may withdraw at any time (Art. 6(1)(a) GDPR).

Legal obligation: accounting, tax and consumer-protection laws require us to keep certain records, such as invoices and order data (Art. 6(1)(c) GDPR).

Legitimate interest: we process browsing, IP address and device data, together with security and anti-fraud logs, on the basis of legitimate interest (Art. 6(1)(f) GDPR). The specific legitimate interests pursued are: ensuring network and information security, preventing unauthorised access and fraud, protecting the integrity of payments and orders, improving the quality of our services, and establishing and defending our legal claims. In each case we weigh these interests against your rights and freedoms.

Some personal data is a precondition for entering into and performing a contract, or is required by law. For example, without your name, delivery address and contact details we could not accept and fulfil your order, and without accounting data we could not issue and retain an invoice.

If you do not provide this data, we will correspondingly be unable to conclude or perform the contract – that is, to accept your order, deliver the goods or provide the related services.

Other data is provided voluntarily. For example, consent to receive the newsletter and non-essential cookies are not necessary for a purchase – you may decline them, and this will not affect your order.

We do not sell your personal data. We disclose it only to the extent necessary for a specific purpose – to fulfil your order, process a payment, deliver an item or comply with a legal obligation.

Payment service providers (purpose – payment processing; transaction-related data shared): Paysera, Montonio, Stripe (card payments) and the banks that process bank transfers. These providers act as separate controllers or as processors under their own privacy terms.

Delivery partners (purpose – delivery of goods; recipient name, address and contact details shared): Omniva, LP Express, DPD and Venipak. Bulky goods (desks and frames) cannot be sent to parcel lockers, so in such cases delivery is by courier or pickup in Vilnius.

IT and hosting providers (purpose – operation and security of the website; technical and account data may be accessible).

Advisors – accountants and lawyers (purpose – accounting and the defence of legal claims). With all of these providers acting as data processors we enter into data-processing agreements obliging them to process data only on our instructions and to ensure adequate protection.

Public authorities and courts – we disclose data to them not under a processing agreement but only where, and to the extent that, the law or legitimate legal process requires.

We keep personal data no longer than necessary for the purposes for which it was collected, or for as long as the law requires. The following periods or criteria apply to each category of data.

Order and customer-account data: kept for as long as you have an active account and, as a rule, for up to 5 years after your last order, so that we can administer warranties, returns and potential claims under the general limitation period for contractual claims.

Accounting and tax records (such as invoices): kept for the period prescribed by law, generally 10 years.

Marketing and newsletter consent data: kept for as long as your consent is valid and for up to 2 years after consent is withdrawn or after your last interaction – solely as evidence that consent was given and withdrawn.

Communication and inquiry records: kept for up to 2 years after the inquiry is closed, so that we can evidence and continue to provide support; correspondence relating to a specific order is kept together with that order's data.

B2B offer data: if an offer does not become a contract, kept for up to 1 year; if it becomes a contract, kept together with the relevant order and accounting records.

Cookie, analytics and log data: kept for the periods set out in the Cookie policy or, for security and analytics purposes, for no longer than 14 months, unless longer retention is necessary to investigate an incident.

Once the retention period ends, data is securely deleted or irreversibly anonymised.

You have the right to access your personal data, to request its rectification or erasure, to restrict its processing and to data portability.

You have the right to object to processing based on legitimate interest on grounds relating to your particular situation.

You have an unconditional right to object at any time to the processing of your data for direct-marketing purposes (Art. 21(2)-(3) GDPR). This is separate from withdrawing consent: even if marketing were based on another ground, we will stop such processing immediately upon receiving your objection.

You have the right to withdraw any consent you have given at any time, without affecting processing carried out before the withdrawal.

You have the right to lodge a complaint with the supervisory authority (see the section 'Complaint to the Supervisory Authority').

To exercise these rights, contact us at privacy@prodesk.lt. We will respond free of charge and, as a rule, within one month of receiving the request (Art. 12(3) and (5) GDPR); where necessary this period may be extended by a further two months, in which case we will inform you.

Where requests are manifestly unfounded or excessive, in the cases provided by law we may charge a reasonable fee or refuse to act on them.

We do not make decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 of the GDPR.

Certain content or offers may be tailored to your choices or purchase history, but such personalisation has no legal or similarly significant effect, and any decision concerning you can always be reviewed by a human.

Our website uses cookies and similar technologies to make the site work properly, remember your preferences and, with your consent, help us analyse traffic and present relevant content.

Essential cookies are set without separate consent, as the site would not function without them. Non-essential (analytics, marketing) cookies are set only after you actively choose to accept them in the consent banner – they are not set before consent is given.

You can change or withdraw your choice at any time in the consent settings on the website or by deleting cookies in your browser. For detailed information about the cookies we use and how to manage them, please see our Cookie policy.

We aim to process personal data within the European Economic Area (EEA). Most of the service providers we use operate in Lithuania or the EU.

Some service providers may process data outside the EEA. For example, the payment service provider Stripe is established in the United States, so payment-related data may be transferred outside the EEA.

In such cases we rely on the safeguards provided by the GDPR – the European Commission's standard contractual clauses (SCC) and/or applicable adequacy decisions or certification mechanisms. You can obtain a copy of the safeguards applied by contacting us at privacy@prodesk.lt.

If you believe your personal data is being processed improperly, you have the right to lodge a complaint with the supervisory authority. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI).

Contact details: address – L. Sapiegos g. 17, 10312 Vilnius; phone +370 5 271 2804, +370 5 279 1445; consultations +370 5 212 7532; email ada@ada.lt; website vdai.lrv.lt.

We encourage you to contact us first at privacy@prodesk.lt – we will do our best to resolve the matter promptly.

For any question or request relating to privacy and the processing of your personal data, use our dedicated channel at privacy@prodesk.lt.

Further contact information and the seller's exact company particulars can be found on the Contacts page.

We may update this privacy policy from time to time to reflect changes in the law or in our operations.

The current version is always published on this page, together with the date of the latest update shown in the 'Last Updated' section. We recommend reviewing the policy periodically.

This policy is a draft; it must be reviewed by the seller's lawyer before final approval, and the placeholders (particulars, contacts) must be completed with real, verified details.