Privacy Policy

Last updated: 24 March 2026

1. General Information
1.1. This Privacy Policy explains how SIA B2Y processes personal data in connection with the online store bio2you.lv, customer service, marketing activities and related services.
1.2. The controller of your personal data is SIA B2Y, registration No. 40103243404, VAT No. LV40103243404, registered address: “Vismaņi k-5”, Mārupe parish, Mārupe municipality, LV-2167, Latvia.
1.3. You can contact us regarding personal data processing at ecommerce@bio2you.eu or by phone at 20626606.

2. Scope of This Policy
2.1. This Policy applies to individuals who visit bio2you.lv, make purchases, create a customer account, subscribe to newsletters, submit product reviews, post blog comments, participate in contests or promotions, or otherwise contact us.
2.2. It covers personal data obtained directly from the data subject, collected automatically through website use, or received from service partners where necessary to provide our services.

3. Categories of Personal Data
3.1. Depending on the situation, we may process your name, surname, email address, phone number, delivery and billing address, company details where relevant, order and delivery details, payment status, order history, customer account data, information contained in reviews, comments, contests or correspondence, and technical or analytics-related data concerning website use.
3.2. If you use a customer account or wishlist function, we also process data necessary to provide those features.
3.3. If you submit a review or blog comment, your name or chosen username and the content you submit may be publicly visible, while your email address is not displayed publicly.

4. Sources of Personal Data
4.1. We obtain personal data directly from you when you place an order, create an account, subscribe to newsletters, submit a review, leave a comment or contact us.
4.2. We also collect certain data automatically through cookies and similar technologies.
4.3. In some cases, we receive data from payment and delivery partners where this is required for payment confirmation, order fulfilment or delivery arrangements.

5. Purposes of Processing and Legal Bases
5.1. We process personal data in order to accept and fulfil orders, process payments, arrange delivery, provide customer service and maintain customer accounts. The legal basis for this processing is the performance of a contract and, where applicable, compliance with legal obligations.
5.2. We process personal data in order to administer product reviews, blog comments, contests, campaigns and similar activities. Depending on the circumstances, the legal basis may be your consent, the performance of a contract or our legitimate interests.
5.3. We process personal data to ensure website functionality, security, analytics, advertising measurement and service improvement. The legal basis is our legitimate interests and, where required for analytics or marketing cookies, your consent.
5.4. Where you have given consent, we may use your contact information to send newsletters, marketing messages, offers and discount codes by email. If SMS marketing is introduced in the future, it will only be used where separate consent has been obtained.
5.5. We may also process personal data for accounting, compliance, dispute handling, protection of legal claims and safeguarding our legitimate business interests.
5.6. Articles 12, 13 and 14 GDPR require privacy information to be provided in a transparent, accessible and understandable manner, including the purposes of processing, legal bases, recipients, retention periods and the rights of the data subject, and this notice has been structured accordingly.

6. Whether Data Must Be Provided
6.1. Where you wish to place an order, certain data must be provided so that we can process payment, complete the order and arrange delivery.
6.2. If such data is not provided, we may be unable to fulfil the order.
6.3. Newsletter subscriptions, contests, reviews and similar activities are voluntary.
6.4. Orders may also be placed without creating a customer account.

7. Cookies and Similar Technologies
7.1. Our website uses necessary, analytics and marketing cookies and similar technologies.
7.2. Necessary cookies are used to ensure core website functionality, including cart, checkout and account functions.
7.3. Analytics and marketing cookies are used only where there is an appropriate legal basis, including consent where required.
7.4. We use a consent management tool that enables users to choose cookie categories and later change or withdraw their choice.
7.5. The Latvian Data State Inspectorate has emphasised that a privacy policy must remain separately accessible and not be hidden only within a cookie banner, and must reflect actual processing practices rather than generic templates.

8. Recipients of Personal Data
8.1. We may share personal data with service providers and business partners where necessary to provide relevant services.
8.2. Depending on the situation, this may include payment processors, delivery partners, IT and hosting providers, website development and maintenance partners, analytics and advertising platforms, accounting and legal advisers, and public authorities where disclosure is required by law.
8.3. Examples of tools and providers we may use include MakeCommerce, Klaviyo, Google Analytics, Google Tag Manager, Google Ads, Meta Pixel/CAPI and Microsoft Clarity.
8.4. Personal data is shared only to the extent necessary for the relevant purpose.

9. Transfers Outside the EEA
9.1. Some of our service providers or their sub-processors may be located outside the European Economic Area.
9.2. In such cases, we ensure that the transfer takes place in accordance with GDPR requirements, for example on the basis of an adequacy decision, standard contractual clauses or another lawful transfer mechanism.
9.3. The GDPR requires that such information be clearly provided to the data subject as part of the privacy notice.

10. Retention Periods
10.1. Personal data is retained only for as long as necessary for the relevant purpose and to the extent allowed or required by law.
10.2. Order, invoice, accounting and transaction-traceability data are retained in accordance with applicable legal retention rules, including in some cases up to 10 years.
10.3. Customer email correspondence is generally retained for up to 5 years.
10.4. Customer account data is retained while the account remains active and for a reasonable period afterwards where necessary for the defence of legal claims.
10.5. Marketing consent data is retained until consent is withdrawn or the user unsubscribes.
10.6. Review, comment and contest data is retained for as long as the relevant content remains published or necessary for the relevant activity.

11. Your Rights
11.1. You have the right to request information about the processing of your personal data, access your data, request correction or deletion, request restriction of processing, object to processing, exercise the right to data portability where applicable, and withdraw consent where processing is based on consent.
11.2. If you believe that your personal data is being processed unlawfully, you also have the right to lodge a complaint with the competent supervisory authority.
11.3. The EDPB’s transparency guidance specifically stresses that a privacy notice should enable the individual to understand both what happens to their data and how they can exercise their rights.

12. Withdrawal of Marketing Consent
12.1. You may unsubscribe from marketing emails by using the unsubscribe link in the email or by contacting us at ecommerce@bio2you.eu.
12.2. If SMS marketing is introduced in the future, opt-out instructions will be provided in the relevant SMS message or upon contacting us.

13. Data Security
13.1. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, loss, destruction or unlawful alteration.
13.2. Such measures are applied having regard to the nature, scope, context and risks of the processing.

14. Minors
14.1. Our online store is not intended exclusively for adults.
14.2. At the same time, we expect users placing orders or otherwise using our services to provide accurate and truthful information.
14.3. Where justified concerns arise regarding misuse or unauthorised activity, we may perform additional checks or restrict access to the service.

15. Amendments to This Policy
15.1. We may update this Privacy Policy from time to time to reflect changes in legal requirements, services or processing practices.
15.2. The current version is always published on bio2you.lv, and changes take effect on the date of publication unless stated otherwise.
15.3. The Latvian supervisory authority has expressly noted that privacy policies should reflect actual processing rather than copied generic text, which is why this Policy should also be updated whenever tools, recipients or marketing practices materially change.