Privacy Policy

TL;DR

We collect only the data necessary to deliver the service. We never sell your data. We never share it with advertising networks. We never use your data to train AI agents without your explicit consent. You have full rights to view, export, and delete everything we hold about you.

1. Who we are

Data Controller:

UAB Rūpestėlis Holding
Company code: 307514683
Registered office: J. Savickio g. 4, LT-01108 Vilnius, Lithuania
Email: tomas@rupestelis.com
Website: rupestelis.com

Supervisory Authority: State Data Protection Inspectorate of Lithuania (VDAI), L. Sapiegos g. 17, 10312 Vilnius, vdai.lrv.lt.

2. Our principles

Minimalism. We collect only what's needed for the service.
Transparency. You can always see what we hold (in-app and via data export request).
Non-transferable ownership. Your data stays yours. We are custodians, not owners.
No advertising tracking. We don't use Google Analytics, Facebook Pixel, or similar systems.
No AI training. Your data does not enter model training without your explicit, separate consent.

3. What we collect

3.1. Sigillum Unicum (key order)

Data	Purpose	Legal basis
Name, surname	Order personalization, shipping	Contract (GDPR 6.1.b)
Email	Order confirmation, status, production updates	Contract (GDPR 6.1.b)
Shipping address (28 EU/EEA countries)	Physical DHL shipping	Contract (GDPR 6.1.b)
Payment information	Processed via Stripe — we don't see card details	Contract (GDPR 6.1.b)
Sigillum hash (SHA-256)	Key authenticity verification via QR code	Contract (GDPR 6.1.b)

3.2. Founding 50 application (Akademija)

Data	Purpose	Legal basis
Name, organization, role	Cohort fit assessment	Consent (GDPR 6.1.a)
Email	Response on eligibility, cohort updates	Consent (GDPR 6.1.a)
Motivation paragraph	Human evaluation of applicant's perspective	Consent (GDPR 6.1.a)

3.3. Waitlist

Data	Purpose	Legal basis
Email	Notification when product becomes available	Consent (GDPR 6.1.a)
Product category	Knowing which product you signed up for	Consent (GDPR 6.1.a)

3.4. Heart Members club (Rūpestėlis ID)

Data	Purpose	Legal basis
Email, name	Club membership administration	Contract (GDPR 6.1.b)
Heart ID (cryptographic)	Identity verification across Rūpestėlis services	Contract (GDPR 6.1.b)

3.5. Technical data

When you use our websites, our servers automatically log limited technical info: request time, IP address (kept for hours — security purposes), browser type, response code. Used solely for security monitoring and deleted after 30 days.

4. What we DO NOT do

We don't use Google Analytics, Facebook Pixel, TikTok pixel, or other ad tracking systems.
We don't share your data with advertisers.
We don't sell data to third parties.
We don't use your data to train AI models without your separate consent.
We don't use cookies for behavioral tracking (only essential session cookies if logged in).

5. Who we share data with (necessary processors)

Party	Purpose	What data
Stripe (Ireland)	Payment processing	Order info, payer email, card data (to Stripe, not us)
DHL Express	Sigillum shipping	Name, address, phone (if provided)
Jewelry partners LT/PL	Sigillum production	Order SKU + Sigillum hash only — NO personal data
Hosting (DigitalOcean, EU region)	Server infrastructure	All data stored on our server
Email delivery service	Notifications	Email + message content

All our subprocessors have signed GDPR-compliant Data Processing Agreements (DPA).

6. Retention periods

Category	Retention
Order info (Sigillum, payments)	10 years (Lithuanian tax law)
Founding 50 applications	2 years after cohort end or upon deletion request
Waitlist emails	Until product launch or your unsubscribe
Heart Members info	Active membership + 6 months after departure
Technical logs (IP, etc.)	30 days

7. Your rights (GDPR Articles 15-22)

You have the right to:

Know what data we hold about you (Art. 15) — we respond within 30 days
Export your data in structured format — JSON or CSV (Art. 20)
Correct inaccurate data (Art. 16)
Delete your data ("right to be forgotten", Art. 17) — with limited exceptions (tax law, ongoing legal cases)
Restrict processing (Art. 18)
Withdraw consent at any time (Art. 7.3) — does not apply to contractual basis
Lodge a complaint with VDAI if you believe we violated your rights

To exercise — write to tomas@rupestelis.com. Response within 30 days (typically within 7).

8. International data transfers

Primary data is stored in the European Union (DigitalOcean Frankfurt region). Stripe (Ireland) and DHL (Germany) — also EU-based. We do not use US-only services where an EU alternative exists.

9. Security

HTTPS everywhere (TLS 1.3)
Passwords stored with bcrypt (where login is used)
DB on restricted network (internal servers only)
Payment info doesn't reach our servers (PCI-compliant Stripe Checkout)
Regular security audits
Encrypted backups

10. Children

Our services are intended for individuals aged 18+. We don't knowingly collect children's data. If you learn that a minor (under 18) has submitted data — let us know, and we'll delete it immediately.

11. We don't use data for AI training

Per our ethical code (NOVA Charter), your data does not enter AI model training without your explicit, separate consent. Even when chatting with our agents (CaaS, Akademija, etc.), your conversations are used only to answer you, not to train the model for other users.

12. Cookies

We use only essential technical cookies for session maintenance (when logged in). We do not use advertising, analytics, or tracking cookies. Therefore no cookie banner is required under the ePrivacy Directive.

13. Changes

We may update this policy. Material changes will be announced on the website + by email (if you're a Heart Member or order holder). Earlier versions available on request.

14. Questions

All privacy-related questions — directly to me:

Tomas Margelis (CEO, de facto Data Protection Officer)
Email: tomas@rupestelis.com

I'll respond within 7 business days. Personally.

A note on honesty. This document is v1.0 — the first public version. It will be updated as services evolve. Our principle: if we're not sure something is OK to do with your data — we ask you first.