Privacy Policy
Effective: 22 May 2026 · Version 3.0
Pending review by Lithuanian counsel.
Plain-language summary
We collect the minimum personal data needed to run our business and deliver our services. We never sell it, never share it with advertisers, and never use it to build profiles about you. We work from Lithuania and the broader Baltic-Nordic region, prefer EU-based infrastructure, and disclose every external provider we rely on below. You can ask to see, correct, port, restrict, or delete your data at any time by writing to ari@makplanet.com.
Some of our work uses artificial intelligence. Where AI is used to interact with you or to produce material delivered to you, we tell you. The full document below explains what we collect, why, where it lives, who processes it on our behalf, and the rights you have under EU law.
1. Who we are (Data Controller)
The data controller for personal data processed through makplanet.com, app.makplanet.com, and any service we deliver is:
ARK Team, UAB ("MAKplanet", "we", "us", "our"), represented by its director Ari Key.
Company code: 305788714
VAT ID: LT100014194811
Registered office: P. Vileišio g. 31-74, LT-10202 Vilnius, Lithuania
Email: ari@makplanet.com
Phone: +370 630 39591
We have not appointed a statutory Data Protection Officer because we are below the GDPR Article 37 thresholds. A dedicated dpo@makplanet.com alias is planned and will be added to this policy when active. Until then, all privacy correspondence reaches the controller directly at the address above.
Privacy of the controller's representative. Where Lithuanian or EU law requires us to identify a natural person as the controller's director or contact, we provide only the business contact details above. Information about the director's residence, household, family, or personal infrastructure beyond what is strictly required by law is not part of this policy and is not subject to disclosure under it.
2. Scope of this policy
This policy applies to personal data we process as a controller — that is, where we determine the purposes and means of processing. This includes data of website visitors, prospects who contact us, customers who buy a service, counterparties to our partnership and supplier relationships, and candidates or invitees to events we organize.
Where we process personal data on behalf of a client as part of a paid engagement (for example, customer data the client has us analyse, document, or build automation around), we act as a processor. That processing is governed by a separate Data Processing Agreement ("DPA") signed with the client under GDPR Article 28. The terms of that DPA, not this policy, determine how that data is handled.
3. Categories of personal data we collect
3.1 When you visit our websites
- IP address, truncated or pseudonymised by our analytics provider
- Pages visited, referring page, approximate visit duration
- Approximate location at country and city level
- Device type, operating system, browser type and version
- Standard server log information needed to operate the site securely
3.2 When you contact us by form or email
- Name and, where you provide it, organisation
- Email address and, optionally, phone number
- Subject and content of your message and any attachments
- Any business or personal information you choose to share so we can answer
3.3 When you book a consultation or buy a service
- Everything in section 3.2 above
- Calendar booking details: chosen date, time, time zone, any notes you provide
- Billing information: full name or company name, billing address, VAT number where applicable
- Payment confirmation reference issued by our payment processor — we do not see or store your card number, expiry, or security code; those are handled directly by the payment processor
3.4 When you become a client
- Engagement notes, meeting records, and correspondence relevant to the work
- Materials, documents, files, and data you choose to share with us during the engagement
- Records of services delivered, deliverables produced, and invoices issued
- Where applicable, technical telemetry from systems we deploy or operate for you, governed by your engagement contract and DPA
3.5 What we do not collect
- Special categories of data under GDPR Article 9 (health, religious, political, biometric, sexual orientation, etc.) — we do not solicit or process these
- Behavioural advertising profiles or data from third-party tracking networks
- Data purchased, rented, scraped, or enriched from third-party data brokers
- Browsing behaviour on other websites
If you nevertheless send us special-category data unsolicited (for example, by mentioning a health matter in an email), we will treat it under GDPR Article 9 protections and, where possible, ask you to confirm explicit consent or delete it.
4. Purposes and legal bases (GDPR Article 6)
We process personal data only for the specific purposes listed below, each tied to a lawful basis under GDPR Article 6:
| Purpose | Lawful basis |
|---|---|
| Operating our websites securely and showing them to you | Legitimate interest (Art. 6(1)(f)) in running a functional, secure website |
| Replying to your inquiry or quote request | Pre-contractual steps at your request (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) |
| Booking and delivering a paid consultation or service | Performance of the contract with you (Art. 6(1)(b)) |
| Invoicing, accounting, and tax records | Compliance with a legal obligation (Art. 6(1)(c)) under Lithuanian tax and accounting law |
| Sending optional newsletters or marketing | Consent (Art. 6(1)(a)), withdrawable at any time |
| Improving our own services and producing case-study material | Legitimate interest (Art. 6(1)(f)) using anonymised or aggregated information; identifiable material only with your written permission |
| Establishing, exercising, or defending legal claims | Legitimate interest (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have carried out the balancing test required by GDPR Recital 47. The balancing assessment is available on request.
5. How we organise data processing
Our work is organised around three functional processing tiers. This is how we keep the most sensitive material under our own control while still delivering modern services. Naming the tiers lets us be precise about which providers see which data.
5.1 Private processing tier (on-premise / sovereign)
For selected work — in particular Family Office engagements, sensitive client material, and any data flagged as confidential — we use AI inference infrastructure operated by MAKplanet itself, physically located in our European operating premises. Data processed in this tier is not transmitted to any third-party cloud AI service and remains under our direct technical and physical control. Sub-processors in this tier are limited to underlying infrastructure (network connectivity, secure backups, where relevant) and are listed in section 7.
5.2 Cloud-assisted processing tier
For non-sensitive work and for capabilities not available on local infrastructure (large-scale generation, certain specialised models), we use a defined set of third-party AI service providers named in section 7. Each request is purpose-limited, sent only to the provider necessary for that request, and governed by a Data Processing Agreement with no-training and confidentiality commitments. Outputs are returned to us and to you; inputs are not retained by the provider beyond their stated DPA terms.
5.3 Internal operations tier
For our own back-office work — drafting documents, scheduling, accounting, brand and content production — we use mainstream business productivity tools, again named in section 7. Personal data of clients enters this tier only where strictly required to run the engagement (for example, billing details going to our accountant, or a calendar invitation in our scheduling system).
6. AI in our work — EU AI Act Article 50 transparency
We use artificial intelligence systems in our daily operations and, where you engage us, in producing the services you commission. Under Article 50 of Regulation (EU) 2024/1689 ("the EU AI Act") we provide the following transparency disclosures.
6.1 You will know when you are interacting with AI
If you exchange messages with a chatbot, voice agent, or other AI-driven interface on our properties or in a service we deliver, we will make it clear that you are interacting with an AI system and not a human. Where a human is in the loop, we will tell you that too.
6.2 AI-generated content is labelled
Where deliverables we provide to you are produced wholly or substantially by an AI system — for example, AI-generated images, synthetic voice, AI-written drafts, AI-generated video — we will identify that material as AI-generated, both to you and, where content is intended for public distribution, in a manner detectable to recipients (machine-readable metadata or visible indication, as the deployment requires).
6.3 Risk classification
The AI systems we use for client work fall, in our assessment, within the "limited risk" tier of the EU AI Act. We do not deploy AI systems for biometric categorisation, social scoring, predictive policing, employment scoring, credit scoring, or any other use case listed as high-risk or prohibited under Articles 5 and 6 of the Act. If a future engagement would change that classification, we will tell you in writing and agree the additional obligations before starting.
6.4 No automated decisions with legal effects
We do not make decisions about you that produce legal or similarly significant effects through automated processing without human review, within the meaning of GDPR Article 22. Pricing, scoping, and engagement decisions are made by a human.
6.5 Training
We do not use your personal data, your business data, or any material you share with us during an engagement to train our own AI models or to train third-party AI models, except where you have explicitly instructed and consented to such training as part of an engagement (for example, a custom retrieval-augmented assistant built for your organisation on your own data, governed by a separate DPA). The third-party AI services we rely on are bound by their own no-training-on-customer-data commitments, referenced in section 7.
6.6 Human oversight
Every deliverable produced with AI assistance is reviewed by a human before it leaves us. We do not deliver unreviewed AI output to clients or to the public under the MAKplanet brand.
7. Sub-processors and third-party recipients
In line with GDPR Articles 13(1)(e) and 28, we disclose below each external provider that may process personal data on our behalf, together with its role, country of establishment, and the safeguard we rely on for any transfer outside the European Economic Area ("EEA"). We update this list when it changes and notify clients under engagement-level DPAs in advance of material changes.
7.1 Infrastructure and platform providers
| Provider | Role | Jurisdiction | Transfer safeguard |
|---|---|---|---|
| Squarespace, Inc. | Showcase website hosting (makplanet.com) | United States | EU Standard Contractual Clauses (2021/914), DPF where applicable |
| Vercel Inc. | Application hosting (app.makplanet.com) | United States; EU regions configured | EU Standard Contractual Clauses, EU region routing |
| Google Ireland Limited / Google LLC | Business email, calendar, document storage (Google Workspace Enterprise); selected generative AI capabilities (Gemini Enterprise) under a no-training commitment for customer data | Ireland (EU) for contracting entity; storage in EU regions where available | EU contracting entity, EU data residency where available, SCCs for any onward transfer |
| Stripe Payments Europe, Limited | Payment processing for app.makplanet.com checkout | Ireland (EU) | EU controller-processor terms; SCCs for any onward transfer to Stripe US affiliates |
| Cal.com, Inc. (planned) | Booking and scheduling | EU-hosted instance | EU hosting; SCCs where applicable |
| Plausible Insights OÜ (planned) | Privacy-respecting, cookie-free web analytics | Estonia (EU) | EU-only processing |
| Quad9 Foundation | Recursive DNS resolution at our network edge | Switzerland | EU adequacy decision (Switzerland) |
| Tailscale Inc. | Encrypted private network connectivity for our internal infrastructure | United States / Canada | SCCs; end-to-end WireGuard encryption — provider does not see content traffic |
| Lithuanian accounting service | Statutory accounting, invoicing, and tax filing | Lithuania (EU) | EU-only; written processor agreement on file |
| External legal counsel | Legal advice on specific matters | Lithuania (EU) | Professional confidentiality under Lithuanian law |
7.2 Third-party AI service providers (cloud-assisted tier)
The following providers may process content we submit on behalf of our work and our clients. We use them only where the work calls for capabilities not available on our private processing tier. Each operates under its published Data Processing Agreement, including a no-training-on-customer-data commitment where indicated.
| Provider | Role | Jurisdiction | Transfer safeguard / no-training |
|---|---|---|---|
| Anthropic, PBC | Large language model inference (text understanding, drafting, reasoning) | United States; EU data-residency option for API workloads | SCCs (2021/914); API-tier no-training commitment |
| Mistral AI SAS | Large language model inference (European-hosted) | France (EU) | EU-only processing; API-tier no-training commitment |
| Google Ireland Limited / Google LLC | Generative AI inference within Google Workspace Enterprise (Gemini Enterprise), image and video generation where used | Ireland (EU) contracting; service routing as configured | Workspace Enterprise no-training commitment; SCCs for any non-EU routing |
| ElevenLabs, Inc. | Voice synthesis and speech generation (used selectively, only with prior client awareness) | United States | SCCs; enterprise no-training option used where available |
| Suno, Inc. | Music and audio generation (used only for our own brand work or with explicit client engagement scope) | United States | SCCs |
| Abacus.AI, Inc. | Multi-model AI gateway for content production tasks where we use it | United States | SCCs; per-provider no-training settings as applied |
The current list is also available on request from ari@makplanet.com, and we will share copies of the transfer safeguards (SCCs, supplementary measures, adequacy decisions) we rely on.
7.3 What we never do
- We never sell your personal data.
- We never share your personal data with advertisers, ad networks, or data brokers.
- We never enrich your data with third-party data sources without telling you.
- We never use your data to train AI models, our own or third parties', except with your specific written instruction inside an engagement scope.
- We never share your engagement materials with content production tools that we use for our own brand. Those tools are walled off from client data.
8. International transfers
Where a sub-processor in section 7 processes personal data outside the EEA, we rely on one or more of the following safeguards under GDPR Chapter V:
- European Commission adequacy decisions, where they apply (currently for the United Kingdom, Switzerland, and certain other jurisdictions)
- EU Standard Contractual Clauses (Decision (EU) 2021/914), including the supplementary measures recommended by the European Data Protection Board ("EDPB Recommendations 01/2020")
- Provider participation in the EU–US Data Privacy Framework where applicable
- Binding Corporate Rules of the provider, where applicable
We carry out and document a Transfer Impact Assessment for each non-EEA sub-processor that materially processes personal data of identifiable EU/EEA data subjects, and we revisit those assessments when the legal landscape changes. Copies of safeguards can be requested from ari@makplanet.com.
9. Retention
We keep personal data only for as long as we need it, applying the shortest period consistent with the purpose and applicable legal obligations:
- Website server logs: 30 days, then deleted or aggregated
- Web analytics (aggregated, non-identifiable): indefinitely
- Contact form inquiries that do not lead to engagement: 12 months from last contact
- Quotes and pre-engagement correspondence: 24 months from last contact
- Active client engagement records: for the duration of the engagement plus 3 years (limitation period for contractual claims)
- Invoicing and accounting records: 10 years from the end of the financial year, as required by Lithuanian Law on Accounting and the Lithuanian Tax Administration Act
- Newsletter subscribers: until you unsubscribe, plus 30 days for unsubscribe handling
- Marketing consent records: 3 years after consent is withdrawn or last used, for accountability under GDPR Article 7(1)
10. Your rights under GDPR
You have the right to:
- Access (Art. 15) — ask what personal data we hold about you and obtain a copy
- Rectification (Art. 16) — have inaccurate or incomplete data corrected
- Erasure (Art. 17) — ask us to delete your data, subject to legal exceptions (notably accounting retention)
- Restriction (Art. 18) — ask us to pause processing while a question is being resolved
- Portability (Art. 20) — receive data you have provided in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest, including for direct marketing
- Withdraw consent (Art. 7(3)) — where processing relies on consent, withdraw it without affecting prior lawful processing
- Not to be subject to automated decisions with legal or similarly significant effects (Art. 22) — see section 6.4
- Lodge a complaint with a supervisory authority
To exercise any right, write to ari@makplanet.com. We respond within one month from receipt, extendable by a further two months for complex requests in line with GDPR Article 12(3). Routine requests are free of charge.
10.1 Lithuanian supervisory authority (lead authority)
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Phone: +370 5 271 2804
Email: ada@ada.lt · Web: vdai.lrv.lt
10.2 Other supervisory authorities in our operating region
If you are resident in another EEA Member State, you may also complain to your local supervisory authority. For our other regular operating jurisdictions:
- Sweden: Integritetsskyddsmyndigheten (IMY) — imy.se
- Denmark: Datatilsynet — datatilsynet.dk
- Latvia: Datu valsts inspekcija (DVI) — dvi.gov.lv
- Estonia: Andmekaitse Inspektsioon (AKI) — aki.ee
11. Cookies and equivalent technologies
Our use of cookies, local storage, and equivalent technologies is governed by our Cookie Policy. In summary, we use only strictly necessary cookies by default; everything else requires your consent, in line with Article 5(3) of the ePrivacy Directive as transposed into Lithuanian law. We do not run advertising cookies or cross-site trackers.
12. Security
We apply appropriate technical and organisational measures under GDPR Article 32, including:
- Encrypted transport (TLS) on all our websites and applications
- Strong authentication and two-factor authentication on administrative accounts
- Network-level firewalling and segmentation
- Key-based remote access; password authentication disabled for administrative interfaces
- Automatic security patching of operating systems on our infrastructure
- Encrypted backups and access logging
- Role-based, need-to-know access to client material
- Vendor selection that favours EU jurisdictions and contractual no-training commitments for AI services
No system is fully secure. If we discover a personal-data breach under GDPR Article 4(12), we will notify the lead supervisory authority within 72 hours under Article 33 and, where there is a high risk to your rights and freedoms, notify you directly under Article 34.
13. Children
Our services are directed at adult professionals and businesses. We do not knowingly process personal data of children under 16. If you believe a child has provided us personal data, write to ari@makplanet.com and we will delete it.
14. Changes to this policy
We review this policy at least every six months and update it when our operations or the applicable law change. We update the effective date at the top of the document on every change and notify subscribers and active clients by email of material changes. The current version always lives at makplanet.com/privacy.
15. Contact
Privacy questions, data subject requests, and DPA negotiations: ari@makplanet.com (an alias of dpo@makplanet.com is planned and will be reflected here when active).
Postal: ARK Team, UAB — P. Vileišio g. 31-74, LT-10202 Vilnius, Lithuania.
Correspondence is accepted in English and Lithuanian. We respond within the GDPR-mandated time frame, usually faster.