Privacy Policy
In effect from:
Data Controller
Personal data controller: SIA "Taču būda", registration no. 40103692102, registered address: "Taču būda", Gaujas Ciems, Carnikava, Ādažu Novads, LV-2163. Data protection contact: privacy@grabeklis.lv.
Data Protection Officer
We have not appointed a Data Protection Officer under Article 37 of the General Data Protection Regulation (GDPR), as our processing does not meet the appointment criteria set out therein. All questions and requests are handled by the controller directly: privacy@grabeklis.lv.
Data we process
We process the following categories of personal data:
- first and last name (for orders, vendor applications)
- email address (order confirmations, replies to inquiries)
- phone number (delivery coordination, application processing)
- delivery address (for shipping goods)
- payment information (handled only by Stripe — we do not store card data)
- IP address and session data (for security, fraud prevention)
Lawful basis for processing
We rely on the following GDPR Article 6 bases:
- Performance of a contract (Art. 6(1)(b)) — order processing, delivery, customer service
- Compliance with a legal obligation (Art. 6(1)(c)) — accounting records (5 years under the Latvian Accounting Law)
- Our legitimate interests (Art. 6(1)(f)) — security and fraud prevention
Purposes of processing
We use data for the following purposes:
- order processing and fulfillment
- payment processing and traceability
- customer service and communication
- processing vendor applications for Lietu Tirgotava markets
- accounting records and tax reporting
- site security and fraud prevention
Data recipients
The following processors handle data on our behalf:
- Stripe (USA) — payment processing; certified under the EU-US Data Privacy Framework (DPF)
- Resend (USA) — transactional email delivery; DPA in place
- Supabase (EU, Frankfurt) — database, authentication, file storage; within the EEA
- Vercel (EU, Frankfurt fra1) — frontend hosting; primarily EEA, DPF for any US fallback
- Fly.io (EU, Frankfurt fra) — API hosting; primarily EEA
International data transfers
Some processors (Stripe, Resend) are located in the USA. The legal basis for transfer is the European Commission-approved EU-US Data Privacy Framework (DPF) — both named providers are certified DPF participants. Certification status can be verified at: dataprivacyframework.gov.
Data retention periods
We retain data only as long as necessary:
- Accounting records: 5 years (Latvian Accounting Law)
- Order history: 2 years after last activity
- Vendor applications: 2 years after the market event
- Cart and session data: 30 days
- Security logs: 90 days
Statutory requirement to provide data
Providing data is necessary for entering into and performing the contract. If you do not provide the data, we cannot process your order or application.
Your rights
Under GDPR you have the following rights:
- Right to access your data (Art. 15)
- Right to rectify inaccurate data (Art. 16)
- Right to erasure — "right to be forgotten" (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right not to be subject to automated decisions (Art. 22)
- Right to withdraw consent where processing is based on consent (Art. 7(3))
To exercise your rights, write to privacy@grabeklis.lv. We will respond within 1 month.
Filing a complaint
If you believe your data is being processed in breach of GDPR, you have the right to file a complaint with the Latvian Data State Inspectorate (DVI). Complaint form: dvi.gov.lv/lv/pakalpojumi/sudziba-par-personas-datu-apstradi
Children's data
The site is not intended for persons under 16 years of age. We do not knowingly collect children's data.
Automated decisions and profiling
Payment processing through Stripe Radar performs automatic fraud risk assessment (GDPR Art. 13(2)(f) disclosure obligation). This processing is not automated decision-making within the meaning of GDPR Article 22 — all decisions about order processing are made by a human. More on Stripe Radar: stripe.com/radar.
Source of data
All personal data is received directly from you (when placing an order, submitting an application, or contacting us). We do not obtain data from third parties.
Changes to the policy
We may amend this policy. We will give at least 14 days' notice on the site of any material changes. The effective date of the current version is shown at the top of the document.

