PRIVACY POLICY

Scope. All websites, iOS applications and related services published by ML Consulting MB, including current and future Apple App Store applications.

Version. 1.0.

Effective from. 6 May 2026.

Last updated. 6 May 2026.

1. How to read this Policy

ML Consulting MB ("ML Consulting", "we", "us", or "our") is the publisher of the websites and iOS applications to which this Privacy Policy applies. This Policy is a single, portfolio-level notice. It is intentionally application-neutral so that it can serve as the privacy notice for every website and iOS application we operate today and for those we may launch in the future, provided each one fits within the categories of personal data and the purposes described below.

Where an individual application has features or processing characteristics that materially go beyond this Policy - for example, a feature that would process new categories of data, transfer data to a new sub-processor, or activate a new lawful basis - we will publish an application-specific supplement, update this Policy and, where the change is material to your rights, give you advance notice as set out in section 23.

This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 - the General Data Protection Regulation (the "GDPR") - and the Lithuanian Law on Legal Protection of Personal Data of the Republic of Lithuania, which implements the GDPR in Lithuania. We have organised the sections so they map onto those articles and so they read in plain language for any user, while keeping the precision a regulator, an auditor, or counsel will expect to find.

2. Who we are (controller identity)

We are the data controller for the processing described in this Policy. Our identification details are as follows.

Legal form. Mažoji bendrija (small partnership / limited-liability legal form) governed by the law of the Republic of Lithuania

Legal entity code. 306991112 (Centre of Registers of the Republic of Lithuania)

Website. https://mlconsulting.lt

Privacy contact. mantvydas@mlconsulting.lt - recommended for all data-protection enquiries and data-subject requests

ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) of the GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.

Our lead supervisory authority for the purposes of the GDPR's one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate - Valstybinė duomenų apsaugos inspekcija ("VDAI") - at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.

3. Scope of this Policy

This Policy applies to:

- the website at mlconsulting.lt;

- every iOS application published by ML Consulting MB on the Apple App Store, both consumer and professional, present and future, unless that application carries its own application-specific privacy notice expressly displacing this Policy;

- user accounts, subscriptions, trials, pilots, beta programmes, demo requests, support channels, billing operations and authentication services that we operate;

- email, in-application and other communications you exchange with us; and

- marketing communications, newsletters and event registrations where we operate them.

Where Apple Inc. or its subsidiaries, Google LLC or its subsidiaries, or any other independent third party processes personal data on its own account in connection with our applications - for example, the Apple App Store, Sign in with Apple, iCloud, Sign in with Google, or a payment card network - that party acts as a separate controller and its own privacy policy applies in addition to this Policy.

4. Our two privacy roles - controller and processor

4.1 We act as controller

We determine the purposes and means of processing for the following categories, which is why this Policy applies to them:

- account and authentication data we collect to identify you and operate your user account;

- device, technical, telemetry and security-event data the applications generate during normal use;

- communications and support correspondence;

- billing and payment data we collect from direct customers (where direct invoicing applies);

- subscription state and entitlement data we receive through the Apple App Store for in-application purchases;

- newsletter, marketing-list and event-registration data, where applicable.

4.2 We act as processor

For business applications that operate on a workspace model - where a business customer (the "workspace owner") uses our application to manage information about its own employees, contractors, drivers, customers, counterparties, suppliers, or other individuals - the workspace owner is the controller of that customer data and ML Consulting acts as a processor under a written Data Processing Addendum that meets the requirements of Article 28 GDPR.

In that role we process customer data only on the documented instructions of the workspace owner, except where we are required to act otherwise by EU or Lithuanian law. Where you are a worker, contractor, customer, supplier or other individual whose personal data has been uploaded to one of our applications by your employer, principal or commercial counterparty, that organisation is the controller and you should approach it first with any data-protection request. We will redirect any request we receive on its behalf without undue delay (see section 17.5).

5. Apple App Store and iOS platform context

Because every application we publish is delivered through the Apple App Store and runs on Apple's iOS platform, several aspects of how your personal data is handled are inherited from Apple's platform. This section makes the most relevant ones explicit.

5.1 App Privacy details on the App Store

Apple requires every application on the App Store to publish a structured summary of the data the application collects (the "App Privacy details", commonly described as the App Store privacy "nutrition label"). The App Privacy details for each ML Consulting application are kept consistent with this Policy and you can review them on the application's App Store listing before installing it.

5.2 App Tracking Transparency

Our applications do not track you across other companies' applications and websites within the meaning of Apple's App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). Where applicable, our App Store declaration is set to "Data Not Used to Track You".

5.3 Privacy Manifest

Each of our applications ships an Apple-required Privacy Manifest (the PrivacyInfo.xcprivacy file) declaring the data categories the application collects, the reasons for any use of "required reason" iOS APIs and the third-party SDKs the application depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.

5.4 iOS sandbox and Data Protection

On-device application data is held inside the iOS application sandbox and benefits from Apple's default Data Protection (typically the "Complete Until First User Authentication" class), which encrypts that data at rest using a key derived from your device passcode. Where the application needs to retain a small secret value (for example, a session token), we use Apple's Keychain Services rather than handling secrets ourselves.

5.5 Sign in with Apple

Where an application offers third-party sign-in options, Sign in with Apple is offered in line with Apple's App Store Review Guidelines §4.8. When you choose this option, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (the "Hide My Email" feature). We never receive your Apple Account password and we never see your full Apple Account.

5.6 In-application purchases via StoreKit

Where an application offers paid features through in-application purchases or subscriptions, the purchase is sold and billed by Apple through the App Store using StoreKit. The seller of record for users in the European Economic Area, the United Kingdom and Switzerland is Apple Distribution International Limited (Hollyhill Industrial Estate, Hollyhill, Cork T23 YK84, Ireland); for users in other regions, the seller of record is the Apple legal entity designated by Apple for that region. We never receive your payment-card data. We receive only the outcome of the purchase - your subscription tier, the entitlement state and the renewal events - through StoreKit.

5.7 iCloud, CloudKit and on-device frameworks

Some applications offer optional iCloud / CloudKit synchronisation across the user's own Apple devices. iCloud is opt-in at the operating-system level and is governed by Apple's own iCloud terms and privacy policy in addition to this Policy. Each application uses only the Apple frameworks needed for its features (for example, AVFoundation for camera input, Apple Vision for on-device text recognition, AuthenticationServices for sign-in, UNUserNotificationCenter for local notifications, SwiftData for local persistence). Application-specific privacy notices, where issued, identify the frameworks used by the application in question.

5.8 App Privacy Report

iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect, for any installed application, the sensors, data categories and network domains the application has accessed. Our applications are designed so that this report shows minimal activity - primarily Apple iCloud and Apple App Store domains and any explicit feature you have invoked.

6. Key terms used in this Policy

- Personal data - any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

- Processing - any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.

- Controller - the person who determines the purposes and means of processing.

- Processor - a person who processes personal data on behalf of a controller.

- Workspace owner - a business customer that uses one of our business applications to manage information about its own employees, contractors, customers, suppliers, counterparties or other individuals.

- Sub-processor - a third-party service provider that processes personal data on our behalf or that supports a feature of our applications.

- On-device - data stored or processed locally on the user's iPhone or iPad inside the iOS application sandbox; it does not leave the device unless this Policy says otherwise.

- EEA - the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.

- VDAI - Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.

7. Personal data we process

We collect only the data we reasonably need to operate, secure, support and improve our websites and applications. The categories below are portfolio-wide; not every application processes every category, and an application may process less than the full set described here.

Account and authentication data. Name, email address, account identifier, authentication method (Sign in with Apple, Sign in with Google, or email and password), Apple-issued relay address where you used "Hide My Email", organisation or workspace membership, role and permissions. Where password authentication is used, we store salted password hashes only - never plaintext passwords.

Device, technical and telemetry data. IP address (typically truncated for analytics), device model and operating-system version, application version, language and timezone, pseudonymised interaction events (screens viewed, features used, retention metrics), crash reports, performance traces and security-relevant events such as failed log-ins.

Communications and support data. The content and metadata of any email, support ticket, in-application help message, demo request, onboarding call note or other correspondence with us, including any attachments you choose to send.

Billing and payment data (direct customers). For customers invoiced directly by ML Consulting MB: invoicing entity name, registered address, VAT identifier, signatory contact, order-form record (plan, term, price, limits), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used. We do not store full payment-card numbers.

Apple App Store transaction metadata. For in-application purchases and subscriptions: the Apple-issued purchase identifier, the subscription tier, the entitlement state and renewal events. The contract for the purchase is concluded between you and Apple; we do not receive your Apple Account password, your full payment card details or any other Apple-side billing information.

User content and operational records. Information you enter, upload, import, generate or export through an application - including notes, attachments, photographs, PDFs, CSV files, reports, evidence packs, audit histories and project or workspace data. Where the application operates on a workspace model, this content is governed by the Data Processing Addendum with the workspace owner (see section 4.2).

Camera, photo and on-device file data. Where an application offers camera-based features (label or document OCR, barcode scanning, evidence capture), captured frames are processed in memory by Apple Vision and AVFoundation on your device. Stills are saved only when you explicitly capture them. Camera and photo-library access are controlled by the iOS permission prompt and may be revoked at any time in iOS Settings.

Location-related data. Where an application offers an event-based location feature, location is captured only at the moment of an evidentiary action you initiate. We do not perform continuous background tracking. If we ever introduce continuous tracking, we will disclose it clearly, request the appropriate iOS permission and document a separate lawful basis.

Notification preferences and tokens. Cadence toggles for any local or push notifications offered by an application; iOS notification permission state. Where push notifications are used, the device-level push token is processed by Apple Push Notification service.

Application-generated data. Outputs of computational features (recommendations, calculations, classifications, summaries, scores, alerts, archives), model-version markers and computed-at timestamps, where the application generates such data.

AI helper inputs and outputs. Where an application offers an opt-in AI-assisted feature, the prompts, selected records and generated text or structured notes associated with the feature. See section 14 for how AI features are governed.

Marketing data. Newsletter subscription status, communication preferences, campaign source where applicable, email engagement and opt-in or opt-out records.

7.1 Special categories of personal data

Our applications are not designed to collect special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). You must not upload special-category data to any of our applications unless it is strictly necessary for your lawful use of the application and you have a valid lawful basis under Article 9(2) GDPR. Where the application operates on a workspace model, the workspace owner is responsible for that lawful basis.

7.2 What we do not collect

To remove ambiguity, we do not collect, in our iOS applications:

- the contents of your contacts, calendar or photo library, beyond the images or audio records you actively capture;

- behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;

- analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the application's App Privacy details.

8. How we collect personal data

We collect personal data in three ways:

- Directly from you - when you create an account, complete a form, install or use one of our applications, upload a file, capture a photograph, generate an export, contact support or subscribe to a communication.

- Automatically through your use of our websites and applications - when our software generates technical, telemetry, security or computational data necessary to deliver, secure or improve the service.

- From third parties - when Apple supplies us with the result of Sign in with Apple or with App Store transaction metadata, when Google supplies us with the result of Sign in with Google, when a workspace administrator invites you to one of our business applications, when a payment provider confirms a payment, or when an authority lawfully provides information in connection with a regulatory matter.

9. Why we process personal data and our legal bases

For each processing activity we rely on a lawful basis under Article 6(1) GDPR. The table below sets them out for the categories of processing covered by this Policy.

Provide and operate the websites and applications, including authentication, accounts, workspaces, features and exports. Data categories: Account and authentication data; device, technical and telemetry data; user content and operational records. Legal basis: Performance of a contract with you (or pre-contractual steps at your request) (Art. 6(1)(b))

Process payments and manage billing for directly invoiced customers; comply with statutory accounting and tax retention. Data categories: Billing and payment data; account data. Legal basis: Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law (Art. 6(1)(b); Art. 6(1)(c))

Operate Apple App Store subscriptions and entitlements via StoreKit. Data categories: Apple App Store transaction metadata; account data. Legal basis: Performance of a contract (Art. 6(1)(b))

Camera, photo, OCR and barcode features (where offered). Data categories: Camera input (in memory); captured stills (only when you save them). Legal basis: Performance of a contract; consent for camera and photo-library access via the iOS prompt (Art. 6(1)(b); Art. 6(1)(a))

Local and push notifications, cadence toggles and digests. Data categories: Notification preferences and tokens; application-generated alerts. Legal basis: Consent (granted via the iOS prompt and in-application toggles) (Art. 6(1)(a))

Optional iCloud / CloudKit sync of user data across the user's Apple devices. Data categories: On-device application data; user content (where applicable). Legal basis: Performance of a contract; consent - you control iCloud at the operating-system level (Art. 6(1)(b); Art. 6(1)(a))

Secure the platform; prevent fraud, abuse and unauthorised access. Data categories: Authentication data; device, technical and telemetry data; security-relevant events. Legal basis: Legitimate interests in protecting the integrity, availability and confidentiality of our services (Art. 6(1)(f))

Improve the websites and applications; conduct privacy-respecting product analytics. Data categories: Pseudonymised telemetry; aggregated usage statistics. Legal basis: Legitimate interests in understanding how our services are used. Where required, consent (Art. 6(1)(f); Art. 6(1)(a))

Provide customer support and respond to enquiries. Data categories: Communications and support data; account data. Legal basis: Performance of a contract; legitimate interests for general or pre-contractual enquiries (Art. 6(1)(b); Art. 6(1)(f))

Respond to data-subject requests and operate the GDPR rights workflow. Data categories: All categories relevant to the request. Legal basis: Compliance with a legal obligation under the GDPR (Art. 6(1)(c); Arts. 12 to 22)

Send service messages (security, billing, material change notices). Data categories: Account data; communications data. Legal basis: Performance of a contract (Art. 6(1)(b))

Send commercial marketing communications. Data categories: Account data; contact email; marketing data. Legal basis: Consent under the ePrivacy Directive, or the "soft opt-in" for our existing customers in respect of similar products and services (Art. 6(1)(a); Art. 6(1)(f))

Defend or pursue legal claims. Data categories: Data relevant to the claim. Legal basis: Legitimate interests in establishing, exercising or defending legal claims (Art. 6(1)(f))

Comply with legal, regulatory and tax obligations and respond to lawful requests. Data categories: Data required by law (typically account, billing, audit and security logs). Legal basis: Compliance with a legal obligation (Art. 6(1)(c); Art. 23)

Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal - through iOS Settings, the relevant in-application toggle, the unsubscribe link in any marketing email or by writing to us.

10. On-device processing, local storage and iCloud sync

Many of our iOS applications are designed to operate primarily on the user's device. Local data may include application records, captured images, notifications, drafts, cached files, diagnostics and preferences. If you delete an application without first using its in-application export or deletion tools, the operating system will remove the locally held data; cloud-synced or account-level records may persist where they exist for that application.

Where an application offers iCloud / CloudKit synchronisation across your own Apple devices, this is opt-in at the operating-system level and is governed by Apple's iCloud terms and privacy policy in addition to this Policy. ML Consulting does not receive your Apple Account password and does not access iCloud data outside the application's own private database.

11. Business customers, workspaces and invited users

Where one of our applications is offered to business customers under a workspace model, the workspace administrator may invite users, assign roles, view user activity inside the workspace, export records and configure retention. The administrator is responsible for ensuring that invited users receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing the personal data of its employees, contractors, customers, counterparties or consultants.

For these applications we act as processor of customer data on behalf of the workspace owner under a written Data Processing Addendum. Workspace owners must rely on their own privacy notice for the substantive obligation under Articles 13 to 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).

Worker monitoring under Article 88 GDPR - where a business application processes worker-related data - remains the responsibility of the workspace owner, including any required works-council or co-determination consultation under the law of the EU Member State where the worker normally works. None of our applications performs continuous GPS tracking of workers; any location capture is event-based, initiated by the user at the moment of an evidentiary action.

12. Recipients of personal data

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising as that term is defined under California law.

Apple Inc. and Apple Distribution International Limited. Purpose: App Store distribution, in-application purchases via StoreKit, Sign in with Apple, iCloud / CloudKit storage where used, App Privacy Report and related Apple platform services. Status: Independent controller for App Store-side processing; sub-processor for iCloud / CloudKit storage of application data

Google LLC and Google Ireland Limited. Purpose: Sign in with Google, where you choose that authentication method. Status: Independent controller for the authentication-side processing

Cloud hosting, database and object-storage providers. Purpose: Operate accounts, workspaces, files, backups, exports and service infrastructure where not held on-device. Status: Sub-processors under written terms

Email-delivery and support providers. Purpose: Send service messages, password resets, support replies and (where applicable) marketing communications. Status: Sub-processors under written terms

Analytics, monitoring and crash-reporting providers. Purpose: Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible. Status: Sub-processors under written terms; where required, used only after consent

Payment and invoicing providers (direct customers only). Purpose: Process card payments, invoices, refunds, taxes and reconciliation for directly-invoiced customers. Status: Independent controllers or sub-processors, depending on the provider

AI text-API or automation providers. Purpose: Provide optional AI-assisted features where the user has enabled them. Status: Sub-processors under written terms; inputs and outputs are not used to train any third-party model

Professional advisers (lawyers, accountants, auditors, insurers). Purpose: Legal, tax, audit, insurance and compliance advice on a need-to-know basis. Status: Independent controllers under their own duties of confidence

Authorities, courts and regulators. Purpose: Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI) and the Lithuanian State Tax Inspectorate (VMI) where applicable. Status: Independent controllers acting under their statutory powers

Successor entity. Purpose: In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy. Status: Independent controller after the transaction closes

A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards).

13. International data transfers

ML Consulting MB is established in Lithuania and aims to keep personal data within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc. and Google LLC may process data in the United States or other regions where they operate.

Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:

- European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;

- the European Commission's Standard Contractual Clauses (Module Two - controller to processor - and Module Three - processor to sub-processor - as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;

- additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk; and

- any other lawful transfer mechanism under Articles 46 to 49 GDPR.

14. Automated decision-making and AI features

14.1 No solely-automated decisions with legal or similarly significant effects

We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome.

14.2 AI-assisted features

Some of our applications offer optional AI-assisted features (for example, drafting, summarisation, structured-note help, classification suggestions, OCR helpers or recommendations). Across our portfolio these features are governed by four principles: they are off by default and opt-in, they are assistive only and never autonomous, they never auto-write legally significant or status-bearing values, and the user can review and override the output before it is used.

14.3 Third-party model providers

Where an AI feature relies on a third-party language-model provider, the provider acts as our sub-processor under a written agreement that prohibits the use of inputs or outputs to train any third-party model. We minimise the data we send, redact customer-identifying free text where the application supports redaction, and disclose the provider in our sub-processor list and, where applicable, in the application-specific notice.

14.4 EU AI Act readiness

We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.

15. How long we keep personal data

We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.

Account and authentication data. Retention period: Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies. Trigger for deletion or anonymisation: Account deletion, 24-month inactivity sweep or end of statutory retention

On-device application data. Retention period: Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on application deletion. Trigger for deletion or anonymisation: You delete the data, the application or your account

Telemetry and service-operation data. Retention period: Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely. Trigger for deletion or anonymisation: Time-based deletion or aggregation

Communications and support data. Retention period: Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, regulatory request or legal claim, until the matter is resolved plus the applicable limitation period. Trigger for deletion or anonymisation: Time-based deletion or matter closure

Billing, accounting and tax records. Retention period: Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration. Trigger for deletion or anonymisation: Expiry of the statutory retention period

Apple App Store transaction metadata. Retention period: For the lifetime of the entitlement plus the period required to handle refunds, disputes and statutory accounting; aligned with the billing-records period above. Trigger for deletion or anonymisation: Expiry of the statutory retention period

Customer data within business workspaces (where we are processor). Retention period: Governed by the Data Processing Addendum: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the workspace owner is required by law to retain. Trigger for deletion or anonymisation: Termination of the customer agreement, plus the period set in the Data Processing Addendum

Audit and security logs. Retention period: Up to 24 months, or longer where necessary for security, fraud-prevention or legal-claim purposes. Trigger for deletion or anonymisation: Time-based deletion

Backups. Retention period: Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle. Trigger for deletion or anonymisation: Backup-rotation cycle

Marketing data. Retention period: Until you withdraw consent or unsubscribe; in any case reviewed every 24 months for ongoing relevance. Trigger for deletion or anonymisation: Withdrawal of consent or unsubscribe

16. Security and personal-data breaches

16.1 Article 32 measures

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR).

16.2 Notification of personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a workspace owner, we will notify the workspace owner without undue delay in accordance with Article 33(2) GDPR and the Data Processing Addendum.

16.3 Reporting a suspected breach to us

If you suspect a security incident or unauthorised access affecting your account or any personal data we hold, please notify us at mantvydas@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email.

17. Your rights as a data subject

Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.

- Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.

- Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.

- Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. Many of our applications also offer an in-application "Delete account" control.

- Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.

- Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly used and machine-readable format and, where technically feasible, have it transmitted to another controller. Many of our applications already provide an in-application export.

- Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.

- Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14.

- Right to withdraw consent (Article 7(3)). Where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

- Right to lodge a complaint (Article 77). Complain to our lead supervisory authority - the VDAI in Vilnius - or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.

17.1 How to exercise your rights

You can exercise the rights above by sending an email to mantvydas@mlconsulting.lt with the words "Privacy request" in the subject line.

We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).

For data we process as processor on behalf of a business workspace owner, please direct your request to the workspace owner first; if you cannot identify the workspace owner, contact us at mantvydas@mlconsulting.lt and we will redirect your request without undue delay.

18. Regional rights notices

18.1 United Kingdom

If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner's Office (ICO).

18.2 Switzerland

If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to processing within its territorial scope. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where we transfer data to Switzerland, we apply the Swiss addendum to the Standard Contractual Clauses where required.

18.3 California, United States

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA / CPRA"), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information, and (v) opt out of any "sale" or "sharing" of personal information. We do not sell personal information and we do not "share" personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of these rights.

18.4 Other US states

Similar rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas and other US states with comprehensive privacy laws. To exercise any state-law right, write to mantvydas@mlconsulting.lt.

18.5 Global Privacy Control

On our websites, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any "sale" or "sharing" of personal information.

19. Children

Our applications are not directed at children. We do not knowingly collect personal data from children below the age of digital consent applicable in their jurisdiction (16 in Lithuania under the GDPR as implemented locally, lower in other Member States that have set a lower age, but in any case at least 13). Where the subject matter of an application requires, we may impose a higher minimum age (for example, 18 for applications related to alcohol). Apple's App Store age rating reflects the relevant minimum age for each application.

If we become aware that we have collected personal data from a child without the appropriate authorisation, we will delete it without undue delay. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at mantvydas@mlconsulting.lt. Apple's Family Sharing and Ask to Buy controls also allow guardians to restrict App Store downloads at the operating-system level.

20. Cookies and similar technologies

Our iOS applications and the website at mlconsulting.lt do not use analytics, advertising, profiling or marketing cookies. iOS applications use on-device storage (the iOS application sandbox, the Keychain, SwiftData, UserDefaults and - where the user enables it - a private iCloud / CloudKit container) to deliver their features. This on-device storage does not constitute "cookies" within the meaning of the ePrivacy Directive 2002/58/EC and is governed by this Policy and any application-specific notice rather than by this section.

21. Communications and direct marketing

21.1 Service messages

We send transactional service messages (security alerts, billing notices, password resets, support replies, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the relevant service.

21.2 Direct marketing

Where we send commercial marketing emails - newsletters, product updates, launch announcements, educational materials or event invitations - we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the "soft opt-in" under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message).

21.3 Opting out

You may opt out of marketing at any time by clicking the unsubscribe link in any marketing email, by emailing mantvydas@mlconsulting.lt or by updating your preferences in your account where applicable.

22. Changes to this Policy

22.1 Routine updates

We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published at mlconsulting.lt/privacy-policy.

22.2 Material changes

Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice - typically at least 30 days, unless a shorter period is required by law - by in-application notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.

22.3 Versioning

Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.

23. Application-specific notices and Apple App Store updates

Where an application has features or processing characteristics that go materially beyond this Policy, we publish an application-specific privacy notice that operates alongside this Policy. The application-specific notice describes the additional categories of personal data, sub-processors and lawful bases relevant to that application, and is linked from the application's App Store listing and from within the application itself. The App Privacy details on the App Store listing are kept consistent with this Policy and any application-specific notice.