Privacy policy

This Privacy Policy applies to current and prospective clients of Torena (“Company”) who use our services or visit our websites during the service ordering process. It applies to all situations in which personal data is processed within the scope of the Company’s activities – including through self-service systems, service orders, and direct or remote communication with the Company.

The purpose of this Privacy Policy is to clearly and transparently explain how the Company processes personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable legal requirements. This document is intended to ensure transparency, fairness, and accountability in personal data processing and to provide data subjects with relevant information about their rights and how personal data is handled within the Company.

The Company processes personal data in accordance with Article 6 of the General Data Protection Regulation (GDPR). Your personal data is processed based on at least one of the following legal grounds:

• where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (e.g., service ordering, account management).
• where processing is necessary for compliance with a legal obligation applicable to the Company (e.g., accounting, tax compliance).
• where processing is based on your consent (e.g., the use of non-essential cookies or submission of contact forms via the website).
• where processing is necessary for the purposes of the Company’s legitimate interests, provided such interests are not overridden by your fundamental rights and freedoms (e.g., service quality assurance, system and physical premises security, service analytics).

Depending on the nature of the services provided, the Company may collect and process the following categories of personal data:

• Identification data
  • first name, last name
  • company name
  • client ID
• Contact details
  • email address
  • phone number
  • physical address
• Login information
  • username
  • password hash
  • IP address
  • login timestamps
• Client account and service data
  • selected plans
  • usage records
  • invoices
• Payment information
  • invoice numbers
  • payment status
  • date
• Audit log data
  • client ID
  • timestamps
  • account used
  • performed changes
• Technical browsing data
  • IP address
  • cookie ID
  • browser type
  • device information
• Any other information you provide via our self-service systems or direct communication with the Company.

The listed types of data are considered personal data only to the extent that they relate directly or indirectly to an identifiable natural person.

The Company processes personal data only for clearly defined and lawful purposes. Depending on the specific context, your data may be processed for the following purposes:

• to provide and administer services (e.g., user account setup, service ordering, self-service functionality).
• to fulfill contractual obligations and maintain communication with clients (e.g., invoicing, service updates, notifications).
• to comply with legal obligations (e.g., accounting documentation, access log retention).
• to manage client inquiries and provide technical support.
• to ensure service quality, system maintenance (e.g., system logs).
• to ensure the security of information systems, datacenters, and physical premises (e.g., access logs, video surveillance).
• for statistical and analytical purposes (e.g., using Google Analytics on www.torena.lt and www.torena.eu).
• for other purposes where a clear legal basis exists and appropriate information is provided separately.

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws. The retention period depends on the data category and the legal basis for processing.

• client account and service data is retained during the service period and for 1 year after the termination of the contractual relationship.
• invoicing and payment records are retained for 10 years in accordance with accounting regulations.
• login logs and technical records (audit logs) are retained for 18 months in line with NIS2 directive requirements and information system security needs.
• when data is collected based on consent, it is retained until consent is withdrawn.

After the retention period ends, data is securely deleted, anonymized, or archived, if required by law.

Your personal data may be shared with third parties only to the extent necessary for service provision, legal compliance, or based on a clearly established legal basis. Recipients of data may include:

• IT service providers and infrastructure maintenance partners.
• Payment system operators.
• Accounting, legal, and auditing service providers.
• Government authorities where required by law (e.g., tax, law enforcement, supervisory agencies).
• Cookie and analytics service providers (e.g., Google Analytics – applicable only to www.torena.lt and www.torena.eu).

When data is transferred outside the European Economic Area (EEA), it is done only using safeguards as required by the GDPR, such as Standard Contractual Clauses (SCC) approved by the European Commission.

The Company does not transfer or sell personal data to any parties for marketing or unauthorized purposes.

Video surveillance is carried out in the data centers, including their internal premises and surrounding areas, in order to ensure the physical security of infrastructure, information systems, and provided services. The processing is based on the Company’s legitimate interest in accordance with Article 6(1)(f) of the GDPR.

• Purpose
  • to ensure the security of datacenter facilities, equipment, personnel, and authorized visitors.
• Legal basis
  • the Company’s legitimate interest to protect its assets, ensure service continuity, and prevent incidents.
• Data processed
  • video footage, timestamps, and physical location.
• Retention period
  • up to 14 calendar days unless a security incident is recorded – in such cases, footage is retained until the investigation or legal process is complete.
• Sharing and transfers
  • only competent law enforcement or supervisory authorities, as required by law.
• Monitored areas
  • only necessary data center zones such as entrances, server rooms, equipment areas, and technical access points. Private or unrelated areas are not monitored.

Clear signage is displayed prior to entering any monitored areas.

You have the following rights regarding your personal data:

• Right to access the personal data we process about you.
• Right to rectify inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) where data is no longer needed or processed unlawfully.
• Right to restrict processing, for example when data accuracy is contested or you object to processing.
• Right to object to data processing where it is based on legitimate interest.
• Right to withdraw consent at any time, where processing is based on your consent (this does not affect prior lawful processing).
• Right to data portability, where processing is based on consent or contract and carried out by automated means.
• Right to lodge a complaint with the State Data Protection Inspectorate (www.vdai.lrv.lt) if you believe your rights are violated.

You may exercise your rights by contacting us at privacy@torena.lt. We will respond within 30 calendar days, with the possibility of extending the deadline to 60 days if necessary.

The Company reserves the right to update or modify this Privacy Policy at any time. Updates may be made to reflect changes in legal requirements, internal processes, or service development. The latest version of this policy is always published on the Company’s websites.

By ordering new services or extending existing ones, you confirm that you have read and agree to the contents of this policy and its future amendments.