Privacy Policy


Personal Data Protection Policy: Pastatysiu.lt

1. Purpose of the Policy; Key Definitions
This Personal Data Protection Policy (hereinafter – “Policy”) of Construction Invest Group (hereinafter – “Company”) acknowledges that the protection of personal data is important to you—our clients and other data subjects—and commits to respecting and safeguarding the privacy of every data subject. Data subjects entrust us with their personal information, and we are responsible for justifying that trust in our daily operations.

Accordingly, this Policy:

  • Defines the Company’s commitments and responsibilities to protect and respect personal privacy;

  • Explains how the Company collects, uses, and stores (processes) personal data;

  • Informs data subjects about how their personal data are processed and about each data subject’s rights.

When processing data subjects’ personal data, we comply with the EU General Data Protection Regulation (GDPR), the Lithuanian Law on Legal Protection of Personal Data, the Lithuanian Electronic Communications Law, and other directly applicable legal acts governing personal data protection, as well as the instructions of competent supervisory authorities.

This Policy applies to Construction Invest Group. The Policy governs processing of personal data when a data subject uses the Company’s services, participates in the loyalty program, gives consent to receive marketing messages, or visits our website www.cigroup.lt. The Policy does not apply to other companies’ websites or services, even if accessed via links on the Company’s site.

If you have any questions, observations, or comments about this Policy, you may contact us by e-mail at [email protected] or by telephone at +370 633 44531.

1.1. Key Definitions Used in This Policy
1.1.1. Data Subject – a natural person whose personal data the Company processes.
1.1.2. Personal Data – any information relating to an identified or identifiable natural person (data subject), identified directly or indirectly, e.g., by reference to an identification number or to one or more characteristics specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
1.1.3. Processing of Personal Data – any operation or set of operations performed on personal data, such as collection, recording, storage, organization, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, erasure, or destruction.
1.1.4. Consent of the Data Subject – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1.1.5. Data Controller – the natural or legal person that determines the purposes and means of processing personal data. In this Policy, the Company is the Data Controller.
1.1.6. Data Processor – a natural or legal person (not an employee of the Controller), authorized by the Controller to process personal data on its behalf.
1.1.7. Employee – a person who has concluded an employment or similar contract with the Company.
1.1.8. Supervisory Authority – the State Data Protection Inspectorate.
1.1.9. Direct Marketing – offering goods or services to individuals by mail, telephone, or other direct means, and/or seeking their opinions about such offerings.
1.1.10. Company’s Websitewww.cigroup.lt.
1.1.11. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.1.12. Other terms used in this Policy correspond to those defined in the GDPR and in the Lithuanian Law on Legal Protection of Personal Data.

1.2. This Policy aims to facilitate data subjects’ exercise of their rights.
1.3. It also applies to other data subjects (i.e., not just clients or employees) whose personal data the Company processes or will process in the future.
1.4. The Company ensures that personal data it processes are accurate, adequate, and limited to what is necessary. Personal data are kept up to date as needed.
1.5. On the Company’s website, personal data may be collected for:

  • 1.5.1. Provision of Company services (processing and administration of orders; loyalty discounts; customer identification in the Company’s information systems; account login; invoicing and other financial documentation);

  • 1.5.2. With the data subject’s consent, for direct marketing purposes.
    1.6. For the purposes in 1.5, the Company processes personal data such as name, surname, e-mail address, postal address, and telephone number.
    1.7. The legal basis for processing personal data under 1.5.1 is the performance of a contract or the taking of pre-contractual measures at the data subject’s request.
    1.8. The legal basis for processing personal data under 1.5.2 is the data subject’s consent.
    1.9. When data are processed for direct marketing, the data subject may object at any time, free of charge, by withdrawing consent.

2. Processing of Personal Data

2.1. Only employees are authorized to process clients’ personal data within the Company, including transferring data to third parties as specified in 2.2. Each employee must keep client personal data confidential and comply with applicable data protection laws and this Policy.
2.2. In performing contracts for service provision, clients’ personal data may be transferred only to the Company’s partners acting as data processors on behalf of the Company (e.g., delivery and other service providers), and only to the extent necessary for service provision. Transfers may occur only when a data-processing agreement is in place and when the processor guarantees compliance with GDPR requirements. In all other cases, personal data may be disclosed to third parties only in accordance with Lithuanian law.
2.3. The Company adheres to the principle of confidentiality and treats all information related to personal data as confidential, unless disclosure is required by law.
2.4. Retention Periods

  • 2.4.1. Personal data processed for service-provision purposes (1.5.1) are retained for no more than 10 years from the date of the last order.

  • 2.4.2. Personal data processed for direct marketing (1.5.2) are retained until consent is withdrawn.
    2.5. When personal data are no longer needed, they are destroyed—except those required by law to be transferred to state archives.
    2.6. An authorized employee oversees, ensures, and implements personal data protection.

3. Data Subject Rights and Procedures

3.1. Data Subject Rights:
3.1.1. To be informed about the processing of their personal data.
3.1.2. To access their personal data and understand how it is processed.
3.1.3. To object to the processing of their personal data.
3.1.4. To request correction, completion, or deletion of inaccurate or incomplete data, or to suspend processing (except storage).
3.1.5. To request erasure of data (“right to be forgotten”) when one of the following applies:

  • Data are no longer necessary for their original purpose;

  • The data subject withdraws consent and no other legal basis exists;

  • Data were processed unlawfully;

  • Erasure is required by EU or national law.
    3.1.6. The right to data portability: to receive data provided to the Controller in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and is automated.

3.2. The data subject has the right to lodge a complaint with the supervisory authority (State Data Protection Inspectorate) about unlawful processing.
3.3. The data subject may authorize a non-profit body or association to lodge a complaint on their behalf and exercise GDPR-provided rights.

3.4. Procedures to Exercise Rights:
3.4.1. Submit a written request (in person, by mail, through a representative, or electronically) specifying name, contact details, and the right to be exercised.
3.4.2. Verify identity by presenting a valid ID (original or certified copy) or by electronic signature for electronic requests.
3.4.3. To object to direct marketing, inform the Company by e-mail and identify all Company accounts.
3.4.4. Through the Company’s online account, data subjects can view, edit, or object to processing of their data for direct marketing.
3.5. The authorized employee reviews requests under 3.4.1 and responds within 30 days of receipt.
3.6. The data subject must not abuse their rights (e.g., by requesting information more than once every six months); the Company may charge administrative fees.
3.7. Objections to direct marketing are processed immediately, and in any case within 72 hours.

4. Cookies and Their Use

Information about cookies on the Company’s website is provided in a separate document.

5. Data Security

5.1. The Company implements organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, or other unlawful processing.
5.2. Any data security breaches are addressed without delay.
5.3. Employees adhere to confidentiality principles (see 2.3).
5.4. Antivirus software is kept up to date on all Company computers.
5.5. If a security breach occurs, the Company notifies the supervisory authority without undue delay and, where feasible, within 72 hours—unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If notification is delayed, reasons for the delay are provided.
5.6. If a breach poses a high risk to individuals, the Company also notifies the data subjects without undue delay.

6. Liability

6.1. Data subjects must provide complete and accurate personal data and inform the Company of any changes.
6.2. The Company does not guarantee uninterrupted, error-free operation of its website or protection from viruses. The Company is not liable for direct or indirect losses arising from the use of any materials, documents, or information from its website; use of such materials is at the data subject’s own risk.
6.3. Unless stated otherwise, intellectual property rights (including copyrights) in website content belong to the Company. Reproduction, translation, adaptation, or other use of any part of the website requires prior written consent. Any acts infringing the Company’s IP rights or fair competition are prohibited.

7. Final Provisions

7.1. This Policy is reviewed and updated at least every two years or upon changes in data protection laws.
7.2. The Policy is published on the Company’s website and communicated to clients electronically.
7.3. Data subjects with any questions regarding this Policy may contact the Company’s staff using the contact details provided on the website.

Cookie Policy


I. General Provisions

  1. This Cookie Policy (hereinafter – “Policy”) defines the rules for processing cookies used on the websites https://www.pastatysiu.lt/ (hereinafter collectively – “Sites”).

  2. The data controller, owner, and content manager of the Sites is UAB Construction Invest Group. Registered address: Pušyno g. 16-6, Šilgalių k., LT-95238 Pagėgiai, Lithuania. Company code 306621789. VAT number LT100016759217. Email: [email protected], Tel.: +370 669 27701 (hereinafter – “Company”).

  3. This Policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Lithuanian Electronic Communications Law, the European Data Protection Board’s Guidelines 05/2020 on consent under GDPR, and recommendations published by the State Data Protection Inspectorate.

II. Overview of Cookies

  1. Cookies are small text files stored by the user’s browser (e.g. Chrome, Firefox) on their device (PC, phone, tablet) when they browse the Sites; they collect information about the user’s activity on the Sites.

  2. On first visit, cookies are placed on the user’s device to recognize it on subsequent visits. This common practice facilitates navigation and access to previously viewed content. Cookies do not generally store personally identifying information, but they can be linked to the device or browser and to other data gathered via cookies.

  3. Any information collected via cookies is kept until the cookie expires and is used only for the purposes set out in this Policy.

  4. The Sites may contain links to third-party websites. The Company is not responsible for the content or privacy practices of those sites. Visitors who follow links to external sites should review those sites’ own cookie and privacy policies.

  5. Cookies on the Sites are used in a transparent and responsible manner. Visitors can always review which cookies have been set in their browser and may withdraw consent (except for strictly necessary cookies) at any time by changing their settings and deleting cookies.

  6. On a user’s first visit, a notice appears explaining the use of cookies, identifying strictly necessary cookies, and requesting the user’s consent for other types of cookies.

  7. Cookies will not be used for profiling or other automated decision-making unless expressly stated prior to such processing.

  8. The Company retains records of users’ cookie consents to demonstrate compliance with legal requirements.

III. Types of Cookies and Their Purposes

  1. By duration:

  • Persistent cookies remain on the device until they expire or are deleted;

  • Session cookies are erased when the browser is closed.

  1. Cookies help ensure the technical operation, usability, personalization, and security of the Sites, simplify navigation, gather analytics, and improve our services.

  2. By purpose, the Sites use four categories of cookies:

14.1 Strictly Necessary Cookies
Essential for the Sites to function. Without these, certain services cannot be provided. They uniquely identify logged-in users and remain on the device for a limited time, enabling core functionality. No consent is required for these cookies (legal basis: legitimate interest under GDPR Art. 6(1)(f)).

14.2 Functional (Preferences) Cookies
Remember user settings (e.g. language, time zone) to avoid resetting on each visit. They enable personalized features (e.g. commenting, repeating an order). Consent is required and can be withdrawn.

14.3 Analytical (Statistics) Cookies
Gather anonymous data on visitor numbers, traffic sources, popular pages, and browsing patterns to improve the Sites. No personally identifying information is collected. Consent is required and can be withdrawn.

14.4 Marketing (Advertising) Cookies
Deliver relevant content and ads based on browsing behavior, enabling targeted marketing. Consent is required and can be withdrawn.

14.5 By origin:

  • First-party cookies are set by the Sites themselves.

  • Third-party cookies are set by external domains (e.g. YouTube, Google Analytics) and used for analytics or ads. Third parties manage their own cookies under their own policies.

14.6 Trackers are a variation of cookies that send browsing data along with the user’s IP to a third-party database for analysis, typically for marketing.

14.7 Collected cookie data are used to:

  • Ensure site functionality and convenience;

  • Develop and optimize services;

  • Analyze usage and marketing campaign effectiveness;

  • Enable targeted advertising.

IV. Legal Basis for Cookie Use

  1. Strictly necessary cookies: Legitimate interest (GDPR Art. 6(1)(f)). No consent required; users are informed about their use.

  2. All other cookies (functional, analytical, marketing): Consent (GDPR Art. 6(1)(a)). They are activated only after the user gives explicit consent via the cookie banner.

  3. Consent requirements:
    17.1 Separate consent is requested for each category of cookie via checkboxes and a “Confirm selected cookies” button; a “Confirm all cookies” button implies agreement to all.
    17.2 If only essential cookies are selected, no other cookies are set.
    17.3 Users may withdraw consent at any time by changing browser settings and deleting cookies.
    17.4 If no choice is made, only essential cookies are set, and the cookie banner reappears on each visit.
    17.5 Before setting third-party cookies, users should review the third party’s cookie policy.

V. Refusing or Blocking Cookies

  1. Users can modify settings to limit or block cookies in their browser, deleting them individually or all at once. Instruction links vary by browser; typically found in Settings or Options under Privacy.

  2. For guidance on managing cookies, visit www.aboutcookies.org or www.allaboutcookies.org. To opt out of Google Analytics, visit http://tools.google.com/dlpage/gaoptout.

  3. In most browsers, you can:
    20.1 View and delete individual cookies;
    20.2 Block third-party cookies;
    20.3 Block cookies from specific sites;
    20.4 Block all cookies;
    20.5 Delete all cookies on browser exit.

  4. For more information or assistance, contact the data controller at [email protected] or +370 633 44531.

VI. Third-Party Cookies and Content

  1. The Sites may set cookies by third parties (e.g. Google, Facebook) when embedding external content or using third-party analytics and marketing services. The Company cannot control these cookies; users should consult each third party’s policy for details and data transfer practices.

VII. Data Subject Rights

  1. Data subjects have the right to:
    23.1 Be informed about data processing;
    23.2 Access their personal data;
    23.3 Request correction;
    23.4 Request deletion;
    23.5 Restrict processing;
    23.6 Object to processing;
    23.7 Data portability;
    23.8 Lodge a complaint with the State Data Protection Inspectorate.

  2. To exercise rights, contact the Company using the details in Section II. Detailed procedures and deadlines are in the Privacy Policy.

  3. If you believe your rights have been violated, you may contact the Company or file a complaint with the State Data Protection Inspectorate (L. Sapiegos g. 17, LT-10312 Vilnius; email [email protected]).

VIII. Final Provisions

  1. For more information on cookies or data processing, contact [email protected] or +370 633 44531.

  2. If new non-essential cookies are introduced, fresh consent will be sought. For new essential cookies, an updated notice will be displayed.

  3. The Company reserves the right to amend this Policy at any time. All changes will be published on the Sites.

  4. Last updated: 30 April 2025.

If you have any further questions, please contact us at the details provided above.