Privacy policy
1. General Provisions
This Privacy Policy explains how UAB Karibus (company code: 303341682, registered address: Algirdo g. 85-34, Vilnius, Lithuania) processes personal data that you provide to us or that we collect when you visit or place orders for goods/services in the online store www.belamu.com make purchases at Belamu physical stores, or participate in beauty trainings or courses organized by Belamu. When processing data, we comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other applicable legal acts.
Data Controller: UAB Karibus, company code 303341682, registered address: Algirdo g. 85-34, Vilnius, Lithuania.
Email for data protection inquiries: [email protected] Phone: +370 677 62262
2. Purposes of Personal Data Collection and Processing
2.1. For the execution of purchases and order management
We process personal data in order to accept, handle, and deliver orders placed in the online store belamu.lt. For this purpose, we collect and process the following order-related data: first name and surname, phone number, address, email address, order information (prices of ordered goods or services, product codes, quantities), payment information, and delivery details. If goods or services are ordered on behalf of another person or a company, we collect their delivery and contact information. When a purchase is made on behalf of a company, we also collect: company name, company code, VAT payer number (if applicable), company address, and representative details.
The collected data is used solely for order fulfillment, i.e., receiving and processing orders, issuing invoices, administering payments, organizing delivery, fulfilling warranty obligations, processing returns or exchanges, and handling potential disputes or claims. We process this data on the legal basis of contract performance, and where required by law—on the basis of legal obligations (e.g., accounting, taxation, consumer protection requirements).
During order processing, we may contact customers using any contact information they have provided—email, SMS, or phone. Such communication is necessary to confirm the order, inform about its status, delivery progress or changes, and resolve issues related to payment, delivery, returns, or other order-related matters. These messages are considered part of essential contract performance and are not classified as direct marketing.
Data related to order administration may be shared with third parties only to the extent necessary for order fulfillment—for example, delivery service providers, payment processors, or IT infrastructure service providers. All such service providers process personal data only according to UAB Karibus instructions and ensure confidentiality and security.
Order-related data is stored for as long as necessary to perform the contract and protect the legitimate interests of the company. Core order information (name, contact data, order details) is stored for 10 years from the date of transaction, in accordance with Lithuanian laws governing the retention of accounting documents.
2.2. To ensure website functionality and analytics
To ensure the smooth operation, performance, and user experience of www.belamu.com as well as to analyse traffic and optimize content, we use various internet analytics and marketing tools such as cookies, tags, and tracking codes. These technologies collect information about user behavior on the website, such as which pages are visited, time spent on them, device or browser type, and approximate geographic location. The data is used to analyze visitor flows, understand user needs, improve website structure, content, and functionality, assess marketing campaign performance, and ensure technical stability and security.
The main tools used include:
• Google Analytics (Google LLC), which collects anonymised data about browsing patterns and interactions with the site;
• Meta Pixel (Meta Platforms Ireland Ltd.), which evaluates user behavior after clicking on ads and helps optimize ad delivery;
• Magento content management system, which records technical data necessary for website operation, such as session ID, login status, language preference, or shopping cart status;
• Hotjar (Hotjar Ltd.), which analyzes user behavior on the site, including navigation patterns, page views, clicks, and scrolling intensity, helping improve usability and interface design.
These tools may place cookies on the user’s device, but the collected information does not allow direct personal identification—it is used solely for statistical and analytical purposes.
Analytical data is stored for limited periods: Google Analytics data for up to 26 months from the last visit, Meta Pixel data for up to 24 months, Magento system cookies for up to 12 months or until the user deletes them, Hotjar data for up to 12 months. After this period, the data is automatically deleted or anonymised. Users can modify or withdraw consent for non-essential cookies at any time and delete cookies through their browser settings.
2.3. For direct marketing
We process personal data to maintain communication with customers, inform them about new products, promotions, offers, and news, and provide personalized recommendations matching their interests. For this purpose, we process data such as name, surname, email address, website browsing behavior, purchase history, and information about newsletter opens or link clicks. This helps us identify which offers are most relevant and ensures effective communication.
Personal data for direct marketing is processed only with explicit user consent, provided by checking the appropriate box during registration or ordering, or on other legal bases when the customer has purchased goods or services and marketing relates to similar products under legitimate interest. Users may opt out at any time by clicking the unsubscribe link at the bottom of any email or contacting [email protected]
Marketing communication is delivered using email and automation platforms that allow sending newsletters, promotional messages, and personalized recommendations. These systems also record delivery, open rates, clicks, and interaction metrics to evaluate campaign effectiveness.
Data used for direct marketing is stored as long as the individual's consent is valid or until withdrawn. Upon withdrawal, data is deleted immediately and aggregated statistical data is anonymised. The maximum retention period for direct marketing data is 36 months from the last user interaction (e.g., opening or clicking an email), unless longer retention is required due to legal obligations or dispute resolution.
2.4. For responding to inquiries and providing consultations
We process personal data to respond to inquiries submitted via email, phone, website contact forms, or social media, and to provide consultations regarding products, services, orders, delivery, or returns. Data processed may include name, surname, email address, phone number, inquiry date, content, and any voluntarily provided information necessary to address the request.
The data is processed based on the individual's consent, given by submitting the inquiry, or based on the company’s legitimate interest to ensure effective communication. Inquiry handling tools may include email systems, the Magento CMS, CRM tools, call recording tools, or social media messaging platforms.
Data is used solely to identify the person making the inquiry, contact them, provide requested information, or resolve the issue. It may also be used to analyse service quality and improve internal processes, but never for marketing purposes without explicit consent.
Inquiry data is stored only as long as necessary to address the request, typically no longer than 12 months from the last communication, unless related to an order, warranty, legal dispute, or complaint—then it may be stored longer until obligations are fulfilled or disputes resolved. After the retention period, data is deleted or anonymised.
2.5. For account creation and management
We process data to create and manage customer accounts on www.belamu.com Creating an account allows users to shop more efficiently, track order status, view purchase history, save delivery addresses, manage wishlists, personal data, and marketing consents, and participate in our customer loyalty program.
We process data such as name, surname, email address, phone number, password (encrypted), delivery addresses, order history, account creation date, activity logs, and loyalty program information (points accumulation and use).
Data is used to identify the user, provide account access, fulfil orders, issue invoices, manage delivery, maintain user settings, ensure system security, detect unauthorized access, prevent fraud, and support technical stability.
Account data is stored as long as the account exists and is actively used. Users may delete their account at any time through the website or by emailing [email protected]
When an account is deleted, related personal data is deleted or anonymised, except where retention is required for legal obligations. Inactive accounts are stored for up to 5 years from the last login or loyalty action, after which they are deleted or anonymised.
2.6. To provide training and course services
We process data necessary for course registration, contract formation, service provision, administration, and quality evaluation. Participants provide name, surname, email, phone number, address (if an invoice is needed), payment details, and date of birth (to confirm age and tailor course content).
Service contracts may include participant identity details, contract terms, payments, training dates and locations, and consent forms regarding participation in public materials. During training, photos or videos may be taken; these may be used for marketing (e.g., on social networks, website, or promotional materials) only with explicit participant consent.
After the training, participants may be invited to fill out non-anonymous evaluation forms to ensure service quality. These evaluations may be linked to a participant to address individual issues.
Training registration and contract data is processed based on contract performance and legal obligations (e.g., accounting or tax purposes). Marketing-related images or videos are processed only with consent, which may be withdrawn at any time.
Contract and payment data is stored for 10 years, evaluation forms for up to 3 years, and marketing materials (photos/videos) for up to 5 years or until consent is withdrawn.
2.7. For accounting purposes
We process data required for financial and tax accounting, compliance with legal obligations, and reporting. This includes name, surname, address, payment information, purchase or service documentation, invoices, contracts, and other financial data. Where required by law, invoices issued to individuals conducting business activities may include personal identification number or business certificate number. Data is processed based on legal obligations and stored for 10 years unless a longer period is required by law.
2.8. For video surveillance
We implement video surveillance to ensure the safety of company premises, employees, customers, course participants, and assets, as well as to prevent unlawful actions and investigate incidents. Surveillance is carried out in UAB Karibus-owned or managed facilities, including physical stores and training rooms, where video and audio may be recorded.
The recordings capture individuals’ images, movements, behavior, and conversations, but are used solely for security purposes. Recordings are not used for marketing or communication and are not shared with third parties except law enforcement or supervisory authorities when required.
The legal basis is the company’s legitimate interest to ensure security. Areas under surveillance are marked with informational signs.
Recordings are stored for no longer than 30 calendar days unless needed for an investigation or dispute, in which case they are stored until the matter is resolved. Afterward, data is automatically deleted securely.
3. Disclosure of Data to Third Parties
UAB Karibus may disclose your personal data to third parties only as necessary to achieve the purposes set out in this Privacy Policy and only in accordance with applicable laws. Data may be shared with companies providing IT hosting, email services, payment processing, delivery, marketing, analytics, customer support, or other services related to company operations. Such service providers process data only according to our instructions and must ensure confidentiality and adequate protection.
In certain cases, data may be provided to law enforcement, tax authorities, or supervisory institutions when necessary to fulfil legal obligations, protect company rights, or prevent violations.
Some service providers may process or store data outside the European Economic Area (EEA). In such cases, UAB Karibus ensures that data transfer is carried out only in compliance with GDPR requirements—e.g., based on European Commission Standard Contractual Clauses or other appropriate safeguards. In all cases, data is shared only to the extent necessary and is never sold or otherwise transferred for commercial gain.
4. Data Retention Period
UAB Karibus stores personal data only for the period necessary to fulfil the purposes specified in this Privacy Policy or as required by applicable laws. Specific retention periods are provided in the relevant sections above. Once the retention period expires or data is no longer needed, it is securely deleted or destroyed so that it can no longer be recovered or used.
5. How Can You Access Your Data? What Rights Do You Have?
You have the right to contact UAB Karibus at any time by email at [email protected] and obtain information about what personal data of yours is being processed, for what purposes, and on what legal basis it is used. You also have the right to request the rectification of inaccurate or incomplete data, as well as to request the deletion of your data if it is no longer necessary for the purposes for which it was collected. Upon receiving your request to access your data or exercise any of your rights, we will be required to verify (identify) your identity. For this purpose, we may ask you to provide your name, surname, email address, or phone number. Information about your processed data is provided within 30 calendar days from the date of receipt of the written request.
You may request the restriction of processing of your data if you dispute its accuracy or the lawfulness of the processing. You also have the right to object to the processing of your personal data when such processing is based on the company’s legitimate interest. If your data is processed based on consent, you have the right to withdraw your consent at any time, and such withdrawal will not affect the lawfulness of processing carried out before the consent was withdrawn.
6. Protection of Minors’ Data
UAB Karibus does not knowingly collect or process personal data of minors under the age of 16 without the consent of their parents or legal guardians. If it becomes apparent that personal data of a minor of this age has been collected without proper consent, such data will be deleted immediately upon discovery. Parents or guardians who believe that their child has provided personal data without their consent have the right to contact us by email at [email protected]
7. Changes to the Privacy Policy
Additions or amendments to the Privacy Policy may be made at any time in response to changes in legislation regulating the processing of personal data, the use of information and communication technologies, or changes in the company’s personal data collection and usage practices. Updates to the Privacy Policy are published at www.belamu.com/privacy-policy and become effective upon publication. This Privacy Policy was last updated on 2025-11-12.
8. Where to Contact in Case of a Rights Violation?
If you believe that your personal data is being processed unlawfully or in violation of your rights under the General Data Protection Regulation (GDPR), we encourage you to first contact us directly — UAB Karibus — by email at [email protected] We will make every effort to promptly review your issue and provide a response; however, in some cases, reviewing your request may take up to 30 calendar days. If you believe that your rights and interests continue to be violated, you have the right to lodge a complaint with the Lithuanian Data Protection Agency, which is responsible for overseeing personal data protection in Lithuania. The Agency is located at L. Sapiegos g. 17, 10312 Vilnius, Lithuania. You may contact them by email at [email protected]
The information below is required for social login
My Account
Register