PRIVACY POLICY (SweetDropCBD.com)
Last updated: 2026-01-21

1. Who we are (Data Controller)

Data Controller: MB “EBIGUS”
Address: Rusnės g. 31, Šakių k., 47412 Kauno r. sav., Lithuania
Email: info@sweetdropcbd.com
Website: SweetDropCBD.com

For any questions about the processing of personal data or the exercise of your rights, please contact us by email at info@sweetdropcbd.com.

2. What this policy is about

This Privacy Policy explains how we process personal data when you use our website, purchase products, contact us, subscribe to a newsletter, or consent to cookies/marketing technologies.

3. What data we process

Depending on the situation, we may process:

1. Identity and contact data: first name, last name, email address, phone number, delivery/billing address.
   B. Order data: ordered products, quantities, price, discounts, order history, invoice/receipt details, returns.
   C. Payment data: payment status confirmation, transaction identifiers (card data is usually processed by the payment provider).
   D. Account data (if you create an account): login details (encrypted/hashed), settings, addresses, history.
   E. Correspondence data: enquiries and responses, attachments, customer service history.
   F. Technical and usage data: IP address, device/browser data, cookies, page views, traffic source, timestamps, events (e.g., add-to-cart).
   G. Marketing preferences: consent records, newsletter status, email opens/clicks (if enabled).

Please do not submit excessive sensitive information (e.g., health data) in contact forms or public reviews.

4. Purposes and legal bases for processing

We process personal data only where we have a legal basis under the GDPR.

4.1. Order fulfilment and customer service (GDPR Art. 6(1)(b))

• accepting orders, confirming payment, delivery, returns;
• transactional emails (order confirmation, shipment information).

4.2. Legal obligations (GDPR Art. 6(1)(c))

• accounting, taxes, financial documents and mandatory document retention.

4.3. Website security and fraud prevention (GDPR Art. 6(1)(f))

• logs, incident prevention, system stability, abuse prevention.

4.4. Cookies, analytics (GA4) and advertising measurement (Meta Pixel) (GDPR Art. 6(1)(a) – consent)

• cookies/technologies for analytics and marketing are used only with your consent, and refusing consent must be as easy as giving consent.

4.5. Direct marketing (newsletter) (GDPR Art. 6(1)(a) + Art. 81 of the Lithuanian Law on Electronic Communications)

We send newsletters and offers only with prior consent. You can withdraw your consent at any time (via the unsubscribe link in the email or by contacting us by email).

5. Cookies and similar technologies

We use:

• necessary cookies (for website operation),
• preference cookies (for settings),
• statistics/analytics cookies (GA4),
• marketing cookies (Meta Pixel).

Non-essential cookies/technologies are activated only after consent. The “ACCEPT” and “REJECT” options must be equally easy to access, and it must be easy to withdraw consent.

You can change your choices via the cookie banner and (if implemented) the “Cookie settings” link on the website.

6. Who we share data with (recipients / processors)

We share data only to the extent necessary:

• Payments: Stripe and/or Montonio (payment collection, confirmations).
• Email marketing: Mailchimp and/or MailerLite (newsletters, consent records).
• Analytics / advertising: Google (GA4), Meta (Pixel) – based on your consent (where applicable).
• Delivery: the chosen carrier/courier/parcel locker provider (name, address, phone number, email, shipment details).
• IT/hosting/security: hosting, maintenance, security and backup providers.
• Public authorities: where required by law.

We enter into data processing agreements (DPAs) with processors where required by the GDPR.

7. Transfers outside the EEA

Some providers may process data outside the EEA (e.g., in the USA). In such cases, we apply GDPR-compliant safeguards: an adequacy decision by the European Commission (e.g., the EU–US Data Privacy Framework) or Standard Contractual Clauses (SCCs) and supplementary measures.

8. How long we keep data

We retain data as long as necessary for the purposes and/or as required by law:

• Orders, invoices, accounting data: retained in accordance with accounting/tax requirements.
• Account: while active; afterwards deleted/anonymised within a reasonable period unless retention is legally required.
• Correspondence: until the request is resolved and (if necessary) for the defence of legal claims.
• Cookies / analytics / advertising: according to your consents and providers’ settings; you can withdraw consent at any time.

9. Do you have to provide data?

• To fulfil an order, you must provide necessary data (contact details, address, etc.). If you do not provide it, we will not be able to fulfil the order.
• For newsletters and non-essential cookies, providing data is voluntary (based on consent).

10. Your rights

You have GDPR rights: access, rectification, erasure (where applicable), restriction, data portability, objection (especially to direct marketing), and the right to withdraw consent at any time (this does not affect processing carried out before withdrawal).

To exercise your rights, contact us by email at info@sweetdropcbd.com.

11. Complaints

If you believe your rights have been violated, you may contact the State Data Protection Inspectorate (VDAI):
Address: L. Sapiegos g. 17, 10312 Vilnius, Lithuania
Email: ada@ada.lt

12. Security

We implement technical and organisational measures (access control, backups, secure connections, updates, etc.) to protect data against unauthorised access, loss, or disclosure.

13. Changes to this Privacy Policy

We may update this Privacy Policy. The latest version is always published on the website, with the update date shown at the top.