Privacy Policy

Effective date: 11 December 2025
Website: https://lab99.eu
Controller: LAB99, Ventspils iela 60-68, Rīga, LV-1046, Latvia
Email: [email protected]

This Privacy Policy explains how we collect, use and protect your personal data when you visit and shop on lab99.eu (the “Website”), contact us, subscribe to our newsletter, or otherwise interact with us.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Latvian data protection law. GDPR requires us to tell you who we are, what we do with your data, the legal basis for processing, who we share it with, how long we keep it and what rights you have.

By using the Website, you agree to this Privacy Policy.


1. Who is responsible for your data?

The data controller for processing personal data on this Website is:

LAB99
Ventspils iela 60-68
Rīga, LV-1046
Latvia

Email (privacy / data protection): [email protected]

We operate the VitalNest / lab99.eu online store for natural cosmetics and skincare products.

If you have any questions about this Privacy Policy or how we process your personal data, you can contact us at the email above.

Supervisory authority

You also have the right to lodge a complaint with the Latvian data protection authority:

Data State Inspectorate (Datu valsts inspekcija)
Elijas iela 17
Rīga, LV-1050
Latvia
Email: [email protected]
Phone: +371 67223131


2. Who does this policy apply to?

This Privacy Policy applies to:

  • Visitors to our Website
  • Customers placing orders through the online shop
  • People who create an account with us
  • Newsletter subscribers and people who take part in promotions
  • People who contact us (e.g. via email, contact form or WhatsApp)

The Website is intended for adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.


3. What data do we collect?

3.1 Data you provide directly

When you place an order or create an account:

  • Name, surname
  • Billing and delivery address
  • Contact details (email, phone)
  • Account login details (if you create an account – username, password)
  • Order details (products purchased, amounts, dates, payment status)

When you contact us (e.g. form, email, WhatsApp):

  • Name and contact details
  • Content of your message and our correspondence
  • Any other information you choose to share (for example about your skin type or preferences)

When you subscribe to our newsletter or marketing:

  • Email address
  • Name (if you choose to provide it)
  • Your marketing preferences (e.g. consent, unsubscribe status)

When you leave reviews or participate in promotions:

  • Name or nickname
  • Review content, rating, comments
  • Information required for promotions (e.g. contact details, prize delivery address)

3.2 Data we receive from payment and delivery partners

When you pay for an order, payments are processed by third-party payment service providers (for example, card processors or other online payment providers). We do not receive or store your full card number or CVV. We typically receive from them:

  • Payment status (paid / failed / refunded)
  • Limited payment details (e.g. last 4 digits of card, payment method, transaction ID)

Logistics and courier partners may share with us:

  • Delivery status and tracking information
  • Proof of delivery

3.3 Data collected automatically (cookies, analytics, logs)

When you visit the Website, we automatically collect certain information via cookies and similar technologies, such as:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referrer URL and pages visited
  • Dates and times of access
  • Interactions with the Website (clicks, scrolls, time on page, cart events)

This may include data collected via third-party analytics tools and advertising technologies. GDPR and related guidance require transparency about such tracking and, where it is not strictly necessary for providing the service, your prior consent.

For details, please see our Cookie Policy.


4. For what purposes and on what legal bases do we use your data?

Under GDPR we must have a legal basis for each purpose of processing.

4.1 To operate the Website and online shop

Data: account data, order data, contact details, device and log data
Purpose:

  • Manage browsing, shopping cart, checkout and payment
  • Process orders and returns
  • Provide customer service and support
  • Prevent misuse and ensure security of the Website

Legal basis:

  • Performance of a contract or steps prior to entering a contract (Art. 6(1)(b) GDPR) – e.g. when you place an order or ask us to take pre-contractual steps.
  • Our legitimate interest in operating a secure and functional e-commerce Website (Art. 6(1)(f) GDPR).

4.2 Customer support and communication

Data: contact details, message content, order details
Purpose:

  • Answer questions and handle complaints
  • Provide product and usage information
  • Manage your requests regarding privacy and data protection

Legal basis:

  • Performance of a contract or steps prior to entering a contract (Art. 6(1)(b) GDPR)
  • Our legitimate interest in responding to enquiries and improving services (Art. 6(1)(f) GDPR)

4.3 Newsletter and marketing communications

Data: email address, name, marketing preferences, purchase history (for segmentation)
Purpose:

  • Send you news, offers, promotions and product recommendations
  • Analyze and improve our marketing campaigns

Legal basis:

  • Your consent (Art. 6(1)(a) GDPR), which you grant when subscribing or accepting marketing in the checkout.
  • In some cases, our legitimate interest to promote similar products to existing customers, with an easy opt-out (Art. 6(1)(f) GDPR), where permitted by law.

You can unsubscribe at any time by clicking the “unsubscribe” link in any newsletter or contacting us.

4.4 Reviews, surveys, promotions

Data: contact details, content of reviews or survey answers, promotion participation data
Purpose:

  • Publish product reviews (possibly with your first name or nickname)
  • Run surveys and promotions
  • Improve our products and services

Legal basis:

  • Your consent (Art. 6(1)(a) GDPR) for publishing identifiable reviews or using certain content in marketing
  • Our legitimate interest in improving products and Website (Art. 6(1)(f) GDPR)

4.5 Analytics and Website improvement

Data: device and usage data, aggregated statistics
Purpose:

  • Understand how visitors use the Website
  • Improve navigation, product selection and user experience
  • Detect technical problems and optimize performance

Legal basis:

  • Your consent for non-essential cookies and analytics tools (Art. 6(1)(a) GDPR)
  • Our legitimate interest in a user-friendly, efficient Website (Art. 6(1)(f) GDPR), limited to strictly necessary analytics or logs.

4.6 Compliance with legal obligations

Data: order and payment information, invoicing details, communications related to legal matters
Purpose:

  • Comply with tax, accounting and consumer protection laws
  • Respond to lawful requests from authorities

Legal basis:

  • Legal obligation (Art. 6(1)(c) GDPR)

Latvian law requires companies to retain accounting records for at least several years (commonly at least 5 years) for tax and bookkeeping purposes.


5. Who do we share your data with?

We do not sell your personal data. We may share your data with:

  1. Service providers (processors) who help us operate the Website and our business, for example:
    • Website hosting and maintenance providers
    • E-commerce platform and plugins
    • Payment service providers
    • Logistics and courier companies (for order delivery)
    • Email and newsletter tools
    • Analytics and marketing service providers
    These providers process your data only on our instructions and under data processing agreements where required by GDPR.
  2. Independent controllers, such as:
    • Payment service providers processing your payment under their own terms
    • Social media platforms and messaging services (e.g. when you contact us via WhatsApp or interact with our social media pages)
    These parties have their own privacy policies, which we recommend you read.
  3. Public authorities where required by law or necessary to protect our rights, for example in case of suspected fraud or abuse.

In case of a corporate restructuring, merger, sale or similar event, your data may be transferred to the relevant successor entity as permitted by law.


6. International data transfers

Some of our service providers may be located outside the European Economic Area (EEA) or may process data in third countries.

When personal data is transferred outside the EEA, we ensure an adequate level of protection by using one or more of the following safeguards, as required by GDPR:

  • An adequacy decision by the European Commission for the destination country (for example, the EU-US Data Privacy Framework for certified US organizations);
  • Standard Contractual Clauses (SCCs) adopted by the European Commission with additional safeguards where appropriate;
  • Other permitted transfer mechanisms under GDPR.

You can contact us for more information about specific safeguards for a particular service provider.


7. How long do we keep your data?

We keep personal data only for as long as necessary for the purposes described in this policy, and to comply with legal obligations.

Approximate retention periods:

  • Customer accounts: for as long as your account is active. If you request deletion, we will delete or anonymize your account data, unless we need to keep certain information for legal reasons.
  • Order and invoicing data: typically kept for the period required by tax and accounting law (usually at least 5 years from the end of the financial year in which the transaction occurred).
  • Customer service communications: normally up to 3 years after resolution of your request, unless we must keep them longer in case of legal disputes.
  • Marketing data (newsletter subscriptions): kept until you withdraw consent or unsubscribe. We may keep a minimal suppression record to ensure we do not email you again.
  • Device and analytics data: kept for the period set in our cookies/analytics tools, usually from a few months up to 2 years, depending on the specific cookie. See our Cookie Policy for details.

We may keep data for longer if required by law or necessary to establish, exercise or defend legal claims.


8. Your rights under GDPR

Under GDPR you have several rights in relation to your personal data, including:

  1. Right to be informed
    To receive clear information about how we use your data – this Privacy Policy aims to provide that.
  2. Right of access
    To obtain confirmation whether we process your personal data and to receive a copy of those data.
  3. Right to rectification
    To have inaccurate or incomplete personal data corrected or completed.
  4. Right to erasure (“right to be forgotten”)
    To request deletion of your personal data in certain circumstances (for example where data are no longer necessary, or you withdraw consent and no other legal ground applies).
  5. Right to restriction of processing
    To request that we restrict processing of your data in certain cases (e.g. while we verify the accuracy of data or in case of an objection).
  6. Right to data portability
    To receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller where technically feasible.
  7. Right to object
    • To object at any time to processing based on our legitimate interests, for reasons related to your particular situation.
    • To object at any time to the processing of your data for direct marketing (including profiling for such marketing); in that case we will stop processing for marketing purposes.
  8. Rights related to automated decision-making
    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not use such profiling in connection with the Website at present.

These rights are not absolute; they can be subject to conditions and legal limitations.


9. How to exercise your rights

To exercise your rights or ask any privacy-related questions, please contact us at:

Email: [email protected]

To help us process your request, please:

  • State which right(s) you wish to exercise
  • Provide enough information for us to confirm your identity (we may ask for additional verification if necessary)
  • Specify the context (for example order number, account email, etc.)

If you believe that our processing of your personal data infringes GDPR, you also have the right to lodge a complaint with the Data State Inspectorate using the contact details above.


10. Security of your data

We use appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure. These may include, for example:

  • Use of secure, password-protected systems
  • Encryption in transit (HTTPS) and, where appropriate, at rest
  • Access controls and limited access based on role
  • Regular software updates and security reviews

No system can be completely secure, but we work continuously to reduce risks and follow best practices recommended for EU data protection.


11. Cookies and tracking technologies

Our use of cookies and similar technologies is described in more detail in our Cookie Policy, which forms part of this Privacy Policy.

You can manage your preferences through:

  • Our cookie banner or settings; and
  • Your browser settings, which allow you to block or delete cookies (note that some features of the Website might not work properly without certain cookies).

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example:

  • To reflect changes in how we process data
  • To comply with new legal or regulatory requirements
  • To reflect changes to our Website, services or business

We will publish the updated version on this page and update the “Effective date” at the top. If we make material changes that significantly affect your rights or how we use your data, we may also notify you by email or via a notice on the Website, where appropriate.
