Legal
GDPR & Data Protection
This GDPR & Data Protection Notice explains how MB Libranet ("Libranet", "we", "us", "our") processes personal data in connection with the website https://libranet.pro. This is our complete notice on how we process personal data through this website. Last updated: 20 June 2026.
We are the data controller for the personal data described below. This notice is provided to satisfy our transparency duties under Article 13 of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), which governs information to be provided where personal data is collected directly from the data subject, read together with the Lithuanian Law on Legal Protection of Personal Data and the Law on Electronic Communications.
1. Who we are — controller identity and contact
The controller responsible for your personal data is:
- Legal name: MB Libranet (a Lithuanian mažoji bendrija / small partnership)
- Company / registration code: 306214658
- Registered office: V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania
- Email: [email protected]
- Phone: +370 660 22 189
- Website: https://libranet.pro
Our business is the provision of IT services — cloud platforms, custom software development and AI systems — to business clients (B2B) across the European Union. This website is a corporate and marketing site with a contact form. It does not sell products or take payments online.
Data Protection Officer
We have not appointed a Data Protection Officer (DPO). Our processing does not meet the conditions in Article 37(1) GDPR that would make appointment mandatory: our core activities do not consist of large-scale systematic monitoring of individuals, nor of large-scale processing of special categories of data. All data-protection enquiries and requests should be sent to [email protected].
2. The personal data we process, and why
We process only the limited categories of personal data set out below. We do not operate analytics, advertising, newsletters, user accounts, online payments or social logins on this site, and we do not collect special categories of data (Article 9 GDPR).
2.1 Contact form
When you use the contact form, we process your full name (required), email address (required), company name (optional), phone number (optional) and the content of your message (required). Submissions are stored in the site's database and emailed internally to [email protected]. The form is protected by IP-based rate limiting and a hidden honeypot field to prevent automated abuse. We do not request special-category data; please do not include sensitive personal information in your message.
2.2 Technical and security logs
To operate the website securely we process technical data including your IP address, browser user-agent, and request metadata and timestamps. This data is used to keep the service running, to maintain network and information security, and to detect and prevent abuse.
2.3 Browser localStorage (theme preference)
We store a single "theme" value in your browser's localStorage to remember your dark or light display preference. This value stays in your browser, is not transmitted to our server, and is not used to track or profile you.
2.4 Cookies
We use strictly-necessary cookies only — see Section 7 for the full item-by-item detail. We do not use analytics, advertising or cross-site tracking cookies.
3. Legal-basis summary (Articles 6 and 13(1)(c)–(d) GDPR)
The table below sets out, for each processing activity, the personal data involved, our lawful basis under Article 6(1) GDPR, and the applicable retention period. Where we rely on legitimate interests (Article 6(1)(f)), the specific interest pursued is stated, as required by Article 13(1)(d). The recipients of this data are set out in Section 4.
| Processing activity | Personal data | Lawful basis (Art. 6(1) GDPR) | Retention |
|---|---|---|---|
| Handling contact-form enquiries and any resulting business relationship | Full name, email, company name (optional), phone (optional), message content | Art. 6(1)(b) — taking steps prior to a contract at your request; and/or Art. 6(1)(f) — our legitimate interest in responding to and managing enquiries | Kept only as long as needed to handle the enquiry and any resulting relationship, and in any case deleted within approximately 24 months of the last contact, unless a contract or law requires longer. |
| Operating the website securely; preventing and detecting abuse | IP address, browser user-agent, request metadata, timestamps | Art. 6(1)(f) — our legitimate interest in the security of our network and information systems and in preventing abuse and fraud | Kept for a short period only, then deleted or overwritten in the ordinary course. |
| Providing essential website functionality (sessions, form security, theme preference) | Session cookie, CSRF token, Cloudflare security cookies; "theme" localStorage value | Strictly necessary to provide the service you requested — exempt from consent under Article 5(3) of the ePrivacy Directive 2002/58/EC (as transposed into Lithuanian law); to the extent any personal data is involved, Art. 6(1)(f) (functionality and security) | See Section 7 for the duration of each item. |
Is providing your data required?
You are not under any statutory or contractual obligation to use the contact form. However, the fields marked required (name, email and message) are necessary for us to identify you and reply; if you do not provide them, we cannot respond to your enquiry. The optional fields (company name, phone) help us respond more effectively but may be left blank.
4. Recipients and processors
We share personal data only with the recipients listed below, and only as far as necessary. We never sell or rent personal data, and we use no advertising networks.
- Cloudflare, Inc. — content delivery network, DNS, DDoS protection and bot mitigation. Cloudflare proxies all traffic to the site and processes IP addresses in that capacity, acting as our processor. Cloudflare may process data outside the EEA (in the United States); see Section 5 on international transfers.
- Hosting and email infrastructure — the site runs on a dedicated server, and email is self-hosted, both operated for MB Libranet.
Server-side SEO tooling that we use (such as Google Search Console, Bing Webmaster Tools and DataForSEO) processes only aggregate site and search statistics. It does not receive or process contact-form data or other personal data described in this notice.
5. International transfers (Chapter V GDPR)
Because our content-delivery and security provider, Cloudflare, Inc., operates global infrastructure, your personal data — in particular your IP address as proxied traffic — may be transferred to and processed on servers in the United States. We rely on the following safeguards under Chapter V GDPR:
- Standard Contractual Clauses (SCCs). The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) are incorporated into our data processing agreement with Cloudflare under Article 46(2)(c) GDPR. These apply to any transfer not covered by the Data Privacy Framework.
- EU–US Data Privacy Framework (DPF). Cloudflare, Inc. is self-certified under the EU–US Data Privacy Framework. Transfers to a DPF-certified recipient benefit from the European Commission's adequacy decision of 10 July 2023 under Article 45 GDPR.
You may request further information about these transfers, and a copy of the relevant safeguards, by contacting us at [email protected].
6. Data security (Article 32 GDPR)
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the risks involved. These measures include:
- Encryption in transit — all traffic is served over HTTPS using TLS; the Laravel session cookie is encrypted.
- Access controls — administrative access to the server, database and email is restricted to authorised personnel on a need-to-know basis.
- Network and application protection — Cloudflare provides DDoS protection and bot mitigation; the contact form is protected by IP-based rate limiting, a honeypot and CSRF protection.
- Data minimisation — we collect only the data each purpose requires, and delete it when no longer needed.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority and, where required, affected individuals, in accordance with Articles 33 and 34 GDPR.
7. Cookies and local storage
This website uses only strictly-necessary cookies and first-party browser storage. We do not use analytics, advertising, profiling or third-party tracking technologies. Because the items below are strictly necessary to provide the service you requested, they are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive 2002/58/EC as transposed into the Lithuanian Law on Electronic Communications. For this reason, no cookie consent banner is presented. Our information duty still applies, and is met by this section.
| Name / key | Type | Purpose | Duration | Party |
|---|---|---|---|---|
| Laravel session cookie | Cookie (encrypted) | Maintains your session and enables secure form handling | Session | First-party |
| CSRF token | Cookie | Protects forms against cross-site request forgery (security) | Session | First-party |
| __cf_bm (and similar Cloudflare security cookies) | Cookie | Bot mitigation and abuse prevention | Short-lived (typically up to ~30 minutes for __cf_bm) | Set by Cloudflare (our processor) |
| theme | localStorage | Remembers your dark / light display preference | Persists in your browser until you clear it | First-party |
All of these items are essential or functional and first-party in nature; none are used to build profiles or to track you across other sites. You can clear or block cookies and localStorage at any time through your browser settings. Disabling strictly-necessary items may prevent parts of the site, such as the contact form, from working correctly. There is no consent toggle because there is nothing non-essential to refuse.
8. Your rights as a data subject
Under the GDPR you have the rights set out below in respect of your personal data. Each right is explained together with how to exercise it. To exercise any right, contact us at [email protected] or by post to our registered office. We may ask you for information to confirm your identity before acting (Article 12(6)).
- Right of access (Article 15). You may ask us to confirm whether we process your personal data and, if so, to receive a copy of it together with information about how and why we process it.
- Right to rectification (Article 16). You may ask us to correct inaccurate personal data and to complete data that is incomplete.
- Right to erasure (Article 17). You may ask us to delete your personal data where, for example, it is no longer needed for the purpose for which it was collected, or where you have validly objected to processing and no overriding grounds remain.
- Right to restriction of processing (Article 18). You may ask us to limit how we use your personal data in certain circumstances, for instance while we verify its accuracy or consider an objection you have raised.
- Right to data portability (Article 20). Where we process your data by automated means on the basis of your consent or a contract, you may ask to receive it in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- Right to object (Article 21). You may object, on grounds relating to your particular situation, to processing we carry out on the basis of legitimate interests (Article 6(1)(f)). We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims.
- Right to withdraw consent (Article 7(3)). Where any processing is ever based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. (Note: we do not currently rely on consent for the processing described in this notice.)
Our response timeframe (Article 12)
We will respond to any request without undue delay and in any event within one month of receiving it. Where a request is particularly complex, or where you have made a number of requests, we may extend this period by up to a further two months, in which case we will inform you of the extension and the reasons within the first month. Acting on your requests is generally free of charge, though we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive (Article 12(5)).
9. No automated decision-making
We do not carry out any solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 GDPR. Replies to enquiries are handled by people.
10. Right to lodge a complaint
If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority (Article 77), in particular in the EU Member State of your habitual residence, place of work or the place of the alleged infringement. The competent supervisory authority in Lithuania is:
- State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI)
- Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
- Phone: +370 5 271 2804
- Email: [email protected]
- Website: https://vdai.lrv.lt/
You may also contact us directly at [email protected]; this does not affect your right to lodge a complaint.
11. Governing law and venue
This notice and our processing of personal data are governed by the law of the Republic of Lithuania and by directly applicable EU data-protection law. Any disputes that cannot be resolved with the supervisory authority fall within the jurisdiction of the competent courts of Vilnius, Lithuania, without prejudice to any mandatory rights you may have under EU consumer or data-protection law.
12. Changes to this notice
We may update this GDPR & Data Protection Notice to reflect changes in our processing or in the law. The current version is identified by the "Last updated" date at the top. Where changes are material, we will take reasonable steps to bring them to your attention.