Privacy Policy
This is the data protection privacy policy of SIA Mitigate, unified registration No. 50103381201, legal address: Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia, hereinafter referred to as "the Company". This policy is applicable in cases where the Company, or the Company together with its Cooperation Partners, processes the data of natural persons.
1. Definitions
- Controller means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller;
- Third Party means a natural or legal person, public authority, agency, or body other than the Data Subject, the Controller, the Processor, and persons who, under the direct authority of the Controller or the Processor, are authorised to process personal data;
- Personal Data means any information relating to an identified or identifiable natural person (Data Subject);
- Data Subject means an identifiable natural person who can be directly or indirectly identified, in particular by reference to an identifier such as the person's name, surname, identification number, telephone number, email address, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- Client means any natural or legal person who uses, has used, or has expressed a desire to use any services provided by SIA Mitigate, or is in any other way connected thereto;
- Cooperation Partner means any natural or legal person with whom the Company works on joint projects or with whom the Company has shared objectives;
- Prospective Employee means any natural person who has submitted an application to the Company for an advertised or potential vacancy, or whom the Company has approached based on contacts available on social networks, or whom the Company has approached and the Prospective Employee (you) has responded to the Company's approach, or who has provided their data to a recruitment agency.
2. General Provisions
- 2.1. This privacy policy, hereinafter referred to as the Policy, describes the procedure by which the Company handles the personal data that come into its possession. Depending on the legal basis for data processing, the Company may act as a Controller, Processor, or Third Party;
- 2.2. The Company ensures the confidentiality of personal data within the framework of applicable regulatory enactments and has implemented appropriate technical and organisational measures to protect personal data against unauthorised access, unlawful processing or disclosure, accidental loss, alteration, or destruction;
- 2.3. In cases where the Company acts as the Controller of personal data, it determines the purposes and means of the processing of personal data;
- 2.4. In cases where the Company acts as the Processor of personal data, the Company processes personal data on behalf of the Controller;
- 2.5. In cases where the Company acts as a Third Party, the Company is authorised to process personal data under the direct authority of the Controller or the Processor;
- 2.6. In cases where the Company carries out data processing, the Company may use approved personal data Processors for the processing of personal data. In such cases, the Company takes the necessary measures to ensure that such personal data Processors carry out the processing of personal data in accordance with the Company's instructions and in compliance with applicable regulatory enactments, and requires the implementation of appropriate security measures;
- 2.7. If the Company updates this Policy, the current version of the Policy will be published on the Company's website www.mitigate.dev in the privacy policy section, while you may acquaint yourself with previous versions of this Policy by contacting the Company in advance by writing to the email address datuapstrade@mitigate.dev.
3. How the Company obtains natural persons' (your) data
- 3.1. The Data Subject (you) personally submits their data to the Company;
- 3.2. The Company receives personal data from its Clients or Cooperation Partners;
- 3.3. The Company receives personal data from third parties;
- 3.4. The Company records your data that is available in the public domain (media, social networks, your employer's website, etc.);
- 3.5. You visit our website (see Cookie Policy);
- 3.6. You participate in corporate events organised by us, during which photography or video recording may take place;
- 3.7. You participate in our surveys, competitions, register your participation, or take part in our training, innovation projects, etc.;
- 3.8. You participate in business forums, business networking, your contacts are on social networks designed for the exchange of mutual contacts, such as LinkedIn, you follow us on social networks, contact us, etc.;
- 3.9. You visit our office premises;
- 3.10. You personally add your data to the Company's systems;
- 3.11. You use the registration forms placed on our website to sign up for our services.
In cases where the Company obtains data from the Controller, any responsibility for informing the Data Subject is borne by the respective Controller.
The Company does not conduct video surveillance on its premises. The manager of the building in which the Company is located conducts video surveillance of common areas and is responsible for it.
4. What personal data of yours the Company may process
Depending on the nature of data processing, the Company may process the following personal data:
- Personal identification data — name, surname, personal identification code/ID, date of birth, and occasionally identity document data;
- Personal contact information data — address, telephone number, email address;
- Personal workplace data — place of employment, position held;
- Professional data — experience, education, professional skills, references, and other data that allow the assessment of you as a professional;
- Internet activity data — IP address, actions performed, date and time;
- Public profile data — data that the person has published on social networks;
- Survey and competition data — name of the survey or competition, date, response submission date, questions/tasks and answers provided;
- Event data — data generated during competitions and training, including works created by you, their evaluation and analysis, photo and video materials;
- Photographs — photographs from corporate events, date and location of the photograph, as well as photographs that you add to the Company's systems;
- Social network contacts — your contacts on social networks designed for the exchange of mutual contacts, such as LinkedIn;
- Communication data — in cases where communication has taken place between us;
- Project data — data of various categories, including, in exceptional cases, special category data, which the Company processes within the framework of various projects as a Controller, Processor, or as a Third Party based on the Controller's authorisation.
Depending on the service provided, the product delivered, and the specifics of mutual cooperation, your above-mentioned data may be processed to varying extents, in various combinations, for various purposes, and on various legal bases, as set out in this Privacy Policy.
5. Legal basis for data processing
- 5.1. Conclusion and performance of a contract — in order for the Company to conclude and perform a contract entered into with the Client or Cooperation Partner, providing quality services, it must collect and process certain personal data. (GDPR Article 6(1)(b));
- 5.2. Legitimate interests of the Company — in order to observe the Company's interests, which are based on compliance with the requirements of applicable legislation, the provision of quality services and timely support to the Client and/or Cooperation Partner, the Company has the right to process the personal data of the Client or Cooperation Partner to the extent that is objectively necessary and sufficient for that purpose. Additionally, legitimate interests include the processing of personal data for the purpose of informing about developments in the field in which the Company operates, about new development opportunities, including through direct marketing, as a result of which the Company may individually approach various persons to inform them about industry developments, educational and development opportunities, and opportunities to offer new and/or individually prepared Company products and services. However, the Company respects the wishes of the Data Subject and provides the option to opt out of receiving the above-mentioned information. (GDPR Article 6(1)(f));
- 5.3. Fulfilment of legal obligations — the Company is entitled to process personal data in order to fulfil the requirements of regulatory enactments, as well as to respond to lawful requests from state and municipal authorities. (GDPR Article 6(1)(c));
- 5.4. Consent of the Data Subject — the Data Subject personally gives consent to the collection and processing of personal data for specific purposes. Consent is their free will and independent decision, which may be given at any time, thereby permitting the Company to process personal data for the specified purposes. The Data Subject has the right at any time to withdraw their previously given consent by using the designated communication channels with the Company. The submitted changes will take effect within three business days. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. (GDPR Article 6(1)(a));
- 5.5. If the Company carries out data processing as a Processor, based on a duly concluded agreement with the Data Controller, the Company complies with the Controller's instructions;
- 5.6. If the Company carries out operations with the data of natural persons as a Third Party, based on a duly concluded agreement with the Data Controller, the Company complies with the authorisation granted by the Controller.
6. Purposes of data processing
The following purposes of data processing are distinguished:
- 6.1. Service provision and contract management — to conclude and perform a contract with the Client or Cooperation Partner; to deliver the purchased service or product; to ensure the availability and quality of the service or product;
- 6.2. Fulfilment of legal and tax obligations — to fulfil obligations imposed by law, to provide reports and declarations, to calculate and pay taxes;
- 6.3. Client relationship management — to ensure quality, timely service and cooperation during the term of the contractual relationship; to ensure the relevance and accuracy of data by verifying and supplementing it;
- 6.4. Email marketing — the Company processes personal data for email marketing purposes and client relationship management, using third-party services such as Mailchimp (provided by The Rocket Science Group LLC), to manage email subscriber lists and send emails to our Clients and Cooperation Partners;
- 6.5. Community and engagement — to build a corporate connection between the Company, Clients, Cooperation Partners, and other persons who wish to participate in the Company's activities;
- 6.6. Feedback and improvements — to learn the opinions of Clients, Cooperation Partners, and other persons about the Company's work and necessary improvements;
- 6.7. Legal protection — to defend the rights of the Company as established by law;
- 6.8. Personnel recruitment — to evaluate Prospective Employees for vacancies, to manage the recruitment process, and to communicate with Prospective Employees about employment opportunities.
7. Data recipients
The Company may transfer personal data to the following categories of recipients:
- 7.1. IT service providers and hosting providers that ensure the operation of the Company's systems and infrastructure;
- 7.2. Email marketing service providers (Mailchimp / The Rocket Science Group LLC) for sending marketing communications;
- 7.3. Website analytics service providers (Google Analytics) for the purpose of analysing website usage;
- 7.4. Accounting and financial service providers for the fulfilment of tax and accounting obligations;
- 7.5. Legal advisors and auditors, if necessary for the protection of the Company's legitimate interests or the fulfilment of legal obligations;
- 7.6. State and municipal authorities, if required by applicable regulatory enactments;
- 7.7. Cooperation Partners, if necessary for the performance of joint projects, based on a data processing agreement;
- 7.8. Recruitment platforms and agencies for the management of the recruitment process.
The Company ensures that all data recipients apply appropriate data protection measures in accordance with applicable regulatory enactments.
8. Rights of the Data Subject
The Data Subject has the following rights with respect to the processing of their data:
- 8.1. Right to information — When the Company obtains personal data from the Data Subject, it provides the following information:
  - The Company's registration number and legal address, contact information;
  - Contact information of the data protection officer, if one has been appointed;
  - The purposes of processing and the legal basis;
  - Legitimate interests, if processing is based on GDPR Article 6(1)(f);
  - The recipients or categories of recipients of personal data;
  - Whether data will be transferred to a third country or an international organisation.
- 8.2. Right of access — You have the right to request confirmation as to whether your personal data are being processed and, if so, to receive a copy of such data;
- 8.3. Right to rectification — You have the right to request the rectification of inaccurate personal data;
- 8.4. Right to erasure — You have the right to request the erasure of your personal data if there is no legal basis for further processing;
- 8.5. Right to restriction of processing — You have the right to request the restriction of processing in certain circumstances;
- 8.6. Right to data portability — You have the right to request a copy of your personal data in a usable format, insofar as this is technically feasible and complies with the conditions of GDPR Article 20;
- 8.7. Right to object — You have the right to object to the processing of your personal data, including for the purposes of direct marketing;
- 8.8. Right to withdraw consent — If processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out prior to the withdrawal;
- 8.9. Right to lodge a complaint — You have the right to lodge a complaint with the Data State Inspectorate (www.dvi.gov.lv);
- 8.10. Right regarding automated decisions — You have the right to know whether automated decision-making, including profiling, is applied with respect to your data.
How to exercise your rights: Contact us by email at datuapstrade@mitigate.dev. We will respond to your request within 30 days. If additional time is required, we will inform you within the initial 30-day period.
In cases where the Company acts as a Processor or Third Party, the Company acts in accordance with the Controller's instructions or authorisation; in the event of a Data Subject's request, the Company shall promptly inform the Controller of the received request.
9. Retention period
Personal data are processed only for as long as is necessary for the fulfilment of the processing purpose. The specific retention periods are as follows:
| Data category | Retention period | Legal basis |
|---|---|---|
| Contract and service data | 10 years after the end of the contractual relationship | Legal obligation (Commercial Law, tax legislation) |
| Accounting and financial data | 10 years after the end of the financial year | Legal obligation (tax legislation) |
| Email marketing data | Until withdrawal of consent or the Company's decision to discontinue data processing | Consent / Legitimate interests |
| Prospective employee / recruitment data | Recruitment data are retained for up to 12 months after the conclusion of the recruitment process. Detailed retention periods are set out in the Employee Privacy Policy. | Consent / Legitimate interests |
| Website usage data (cookies) | See Cookie Policy for specific retention periods | Consent |
| Communication records | Client communication data are retained during the term of the contract and for a reasonable period thereafter, insofar as necessary to safeguard the Company's legitimate interests. Data stored on third-party platforms are managed in accordance with the policies of those platforms. | Legitimate interests |
| Data processed as Processor | As determined by the Controller in the data processing agreement | Contractual obligations |
Upon expiry of the retention period, the Company shall erase or anonymise personal data, unless further retention is required in accordance with regulatory enactments.
10. Technical and organisational data protection requirements
- 10.1. The Company ensures, continuously reviews, and improves protection measures to protect the personal data of Data Subjects against unauthorised access, accidental loss, disclosure, or destruction. To ensure this, the Company employs modern technologies and technical and organisational requirements, including appropriate software, firewalls, intrusion detection, analytics software, and data encryption, as well as physical data protection (access code at exterior doors) and alarm systems;
- 10.2. The Company carefully verifies all service providers that process personal data on behalf of and at the instruction of the Company, and also evaluates whether cooperation partners (personal data Processors) apply appropriate security measures so that the processing of personal data is carried out in accordance with the Company's delegation and the requirements of regulatory enactments;
- 10.3. The Company regularly conducts employee training and maintains employee qualifications;
- 10.4. The Company shall not assume responsibility for any unauthorised access to personal data and/or loss of personal data if it is not attributable to the Company, for example, due to the fault and/or negligence of the Client, Cooperation Partner, or Data Subject;
- 10.5. With respect to certain processing operations of natural persons' data, projects, etc., specific technical and organisational data processing requirements may be established. Detailed information about each individual data processing operation, if your personal data are processed within its scope, may be obtained by contacting us by email at datuapstrade@mitigate.dev.
11. Processing territory
- 11.1. Personal data are primarily processed within the EU/EEA territory. For the purposes of email marketing, data may be transferred to Mailchimp servers located in the United States of America. The Company ensures that all data transfers to Mailchimp are protected by appropriate security measures that comply with the requirements of the GDPR, such as Standard Contractual Clauses (SCCs);
- 11.2. The transfer and processing of personal data outside the EU/EEA may occur if there is a legal basis for it, namely, to fulfil a legal obligation, to conclude or perform a contract, or in accordance with the Client's consent, and appropriate security measures have been taken. The European Commission has recognised which countries ensure a level of personal data protection that corresponds to the appropriate level of data protection in the European Union (GDPR Article 45 — adequacy decisions). If the Company transfers personal data to countries for which no adequacy decision has been adopted, the Company ensures appropriate safeguards in accordance with GDPR Article 46, such as Standard Contractual Clauses;
- 11.3. Upon request, the Client may receive more detailed information regarding the transfer of personal data to countries outside the EU/EEA.
12. Contact information
- 12.1. The Data Subject may contact the Company regarding any questions, withdrawal of consent, information requests, exercise of Data Subject rights, and complaints about the processing of personal data;
- 12.2. The Company's contact information is available at www.mitigate.dev in the contacts section;
- 12.3. Person responsible for data processing: datuapstrade@mitigate.dev;
- 12.4. For any questions regarding the management of your data in Mailchimp, or if you wish to opt out of email marketing communications, please contact us using the contact information provided above. You may also opt out directly by using the link provided in each marketing email;
- 12.5. Before submitting a complaint to the Data State Inspectorate, in the interest of saving time and resources of all parties involved, the Company recommends contacting us in advance.
Approved on 18.03.2026.
Reviewed on 18.03.2026.
Next review no later than 18.03.2027.