Privacy Policy

Effective Date: March 21, 2026 · Version 1.0

This document is available only in English.

1. Introduction

This Privacy Policy explains how AFKzona Group MB ("we", "us", or "the Company") collects, uses, stores, and protects personal data in connection with the Statum platform ("Platform"), including the public website at statum.lt, account registration, onboarding, authenticated platform services, support communications, and all related operational functions.

Statum is a property management SaaS platform built and operated by AFKzona Group MB. It serves the Lithuanian market through four product lines: Bendrijoms (HOA/bendrija management), Rentals, Commercial, and Developments.

This policy is prepared in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR", known as BDAR in Lithuanian) and the Lithuanian Law on Legal Protection of Personal Data (No. I-1374).

2. Controller Information

Data Controller: AFKzona Group MB, registered in the Republic of Lithuania

Address: Vytauto g. 71, Kretinga, Lithuania

General Contact: info@afkzona.lt

Data Protection Officer: dpo@afkzona.lt

AFKzona Group MB is the data controller for all personal data processed through the Statum platform for its own purposes. Where the Platform processes data on behalf of its clients (e.g., bendrija administrators, property managers), we act as a data processor. See Section 6 for details.

3. Definitions

  • "Platform" means the Statum web application, APIs, mobile interfaces, and associated services operated by AFKzona Group MB.
  • "Controller" means the entity that determines the purposes and means of processing personal data. For platform operations, AFKzona Group MB is the controller.
  • "Processor" means the entity that processes personal data on behalf of a controller. When handling data entered by our clients (e.g., resident records managed by a bendrija), AFKzona Group MB acts as a processor.
  • "Data Subject" means any identified or identifiable natural person whose personal data is processed. This includes building administrators, residents, owners, tenants, board members, and contractors.
  • "Client" means an organization or individual that subscribes to Statum to manage properties, including bendrijos (HOAs), rental operators, commercial property managers, and real estate developers.
  • "Sub-processor" means a third-party service provider engaged by AFKzona Group MB to process personal data on its behalf.
  • "GDPR" (or "BDAR" in Lithuanian) means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "VDAI" means the State Data Protection Inspectorate of Lithuania (Valstybinė duomenų apsaugos inspekcija), the supervisory authority for data protection.

4. Data We Collect

4.1 Account & Identity Data

  • Full name and email address
  • Phone number (if provided)
  • Login credentials (password stored in hashed form only) and authentication records
  • Account role, permissions, and membership information
  • Profile preferences and language settings

4.2 Organization & Operational Data

  • Organization name, type, and registration details
  • Portfolio, building, unit, and asset configuration
  • Onboarding selections, module activation, and configuration choices
  • Staff and administrator assignments

4.3 Building & Occupancy Records

When our clients use Statum to manage properties, they may enter data relating to:

  • Residents, apartment owners, and tenants (names, contact details, unit associations)
  • Board members and their roles
  • Contractors, service providers, and their contact information
  • Ownership and lease records
  • Utility meter readings and consumption data
  • Debtor information (outstanding balances, payment history). Note: in accordance with VDAI 2021 recommendations, debtor data is never publicly displayed.

The client (e.g., bendrija administrator, property manager) is the data controller for occupancy records they enter into the Platform. AFKzona Group MB processes this data on their behalf as a data processor. See Section 6.

4.4 Financial & Billing Data

  • Subscription plans, billing cycles, and payment status
  • Invoices, charge records, and payment confirmations
  • Bank account details (IBAN) where provided for payment processing
  • Payment card data is processed exclusively by Stripe and is never stored on our servers

4.5 Usage & Technical Data

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, and interaction patterns
  • Session duration, timestamps, and referring URLs
  • Error logs and performance data

4.6 Cookies & Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. See Section 12 for a summary.

4.7 Support Communications

  • Emails, messages, and attachments sent to our support channels
  • Feedback, feature requests, and survey responses
  • Records of support interactions and resolutions

5. How We Use Your Data

We process personal data only where we have a lawful basis under Article 6 of the GDPR. The table below sets out each purpose and its corresponding legal basis.

Purpose | Legal Basis
Account creation, authentication, and management | Performance of contract (Art. 6(1)(b) GDPR)
Providing platform services (property management modules, governance, finance, maintenance) | Performance of contract (Art. 6(1)(b) GDPR)
Processing payments and subscription billing | Performance of contract (Art. 6(1)(b) GDPR)
Sending transactional and functional notifications (e.g., meeting invitations, payment reminders, maintenance updates) | Performance of contract (Art. 6(1)(b) GDPR)
Maintaining platform security, preventing fraud, and generating audit trails | Legitimate interest (Art. 6(1)(f) GDPR)
Improving platform performance, conducting analytics, and developing new features | Legitimate interest (Art. 6(1)(f) GDPR)
Responding to support requests and customer communications | Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR)
Retaining financial and accounting records | Legal obligation (Art. 6(1)(c) GDPR): Lithuanian Financial Accounting Law
Sending marketing communications (only with explicit consent) | Consent (Art. 6(1)(a) GDPR)

6. Our Role as Data Processor

When our clients (e.g., bendrija administrators, property managers, rental operators) use Statum to manage property-related personal data, AFKzona Group MB acts as a data processor under Article 28 GDPR. In this capacity:

  • The client is the data controller and determines the purposes and means of processing for data they enter into Statum (e.g., resident records, owner information, tenant details, debtor records).
  • We process such data only on documented instructions from the client, in accordance with our Data Processing Agreement (DPA).
  • We implement appropriate technical and organizational measures to protect the data.
  • We assist the client in fulfilling their obligations regarding data subject rights requests, data breach notifications, and data protection impact assessments.
  • Upon termination of the service agreement, we will delete or return all personal data processed on behalf of the client, unless retention is required by EU or Lithuanian law.

Debtor data handling: In line with VDAI 2021 recommendations, debtor information (outstanding balances, overdue payments) is never publicly displayed through the Platform. Access to debtor data is restricted to authorized administrators and is handled in strict compliance with data minimization principles.

If you are a resident, owner, tenant, or other data subject whose personal data has been entered into Statum by a client organization, please contact that organization directly to exercise your data subject rights. We will assist them in fulfilling your request.

7. Data Sharing & Sub-processors

We do not sell, rent, or trade personal data. We share personal data only with the following categories of recipients, and only to the extent necessary:

7.1 Sub-processors

We engage the following sub-processors to deliver the Platform. Each sub-processor is bound by a data processing agreement and processes data only within the EU/EEA.

Sub-processor | Purpose | Data Location
Amazon Web Services (AWS) | Cloud infrastructure, data hosting, storage, and compute services | EU-West-1 (Ireland) / EU-Central-1 (Frankfurt)
Stripe | Payment processing, subscription billing, and financial transaction handling | EU (Ireland)
Google Cloud | SMTP email delivery, transactional notifications | EU

7.2 Other Recipients

  • Client organizations: Data entered by a client is accessible to authorized users within that organization.
  • Legal and regulatory authorities: We may disclose data where required by Lithuanian or EU law, court order, or regulatory request.
  • Professional advisors: Auditors, legal counsel, or consultants under strict confidentiality obligations.

8. International Data Transfers

All personal data processed through Statum is stored and processed within the European Union / European Economic Area (EU/EEA). We do not transfer personal data to countries outside the EU/EEA.

Our infrastructure is hosted on AWS in EU regions (Ireland and Frankfurt). Our sub-processors (Stripe and Google Cloud) process data within their EU-based facilities.

Should our transfer practices change in the future, we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses under Article 46(2)(c) GDPR, adequacy decisions under Article 45 GDPR) and will update this policy accordingly.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods are as follows:

Data Category | Retention Period | Basis
Account and identity data | Duration of account + 30 days after deletion request | Contract performance; erasure upon request
Financial and accounting records | 10 years from creation | Lithuanian Financial Accounting Law (Buhalterinės apskaitos įstatymas)
Building and occupancy records (processor role) | Duration of service agreement with client + 30 days | Data Processing Agreement
Usage and technical logs | 12 months | Legitimate interest (security, analytics)
Support communications | 3 years from last interaction | Legitimate interest (service quality)
Cookie and consent records | Duration of consent validity or until withdrawal | Legal obligation (Art. 7(1) GDPR)

When data is no longer needed, it is securely deleted or anonymized. Backup copies are purged within 30 days of the primary data deletion.

10. Your Rights Under GDPR

Under the GDPR and Lithuanian Law on Legal Protection of Personal Data (No. I-1374), you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request confirmation of whether we process your data and obtain a copy of it.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing ("right to be forgotten").
  • Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

Submit your request by email to dpo@afkzona.lt. Please include sufficient information to verify your identity. We will respond within 30 days of receiving your request. If the request is complex, we may extend this period by an additional 60 days, and will inform you accordingly.

There is no fee for exercising your rights unless the request is manifestly unfounded or excessive.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the State Data Protection Inspectorate (VDAI):

Valstybinė duomenų apsaugos inspekcija
L. Sapiegos g. 17, 10312 Vilnius, Lithuania
Website: https://vdai.lrv.lt
Email: ada@ada.lt

11. Children's Privacy

Statum is a professional property management platform and is not directed at children. We do not knowingly collect personal data from children under the age of 14 (the age of digital consent in Lithuania under Article 8(1) GDPR, as implemented by Lithuanian law).

If we become aware that we have collected personal data from a child under 14 without valid parental consent, we will promptly delete such data. If you believe a child's data has been provided to us, please contact us at dpo@afkzona.lt.

12. Cookie Policy

The Statum website and platform use cookies and similar technologies. In accordance with the Lithuanian Electronic Communications Law (Elektroninių ryšių įstatymas) and the ePrivacy Directive, we obtain your consent before placing non-essential cookies.

  • Strictly necessary cookies: Required for the Platform to function (e.g., authentication, session management). No consent required.
  • Analytics cookies: Help us understand how users interact with the Platform. Placed only with your consent.
  • Preference cookies: Remember your settings and language choices. Placed only with your consent.

For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

13. Data Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control and the principle of least privilege
  • Multi-tenant data isolation at the database level
  • Regular security audits and vulnerability assessments
  • Secure password hashing (bcrypt/argon2)
  • Audit logging for all data access and modifications
  • Automated backup procedures with encrypted storage
  • Employee security training and confidentiality agreements

14. Data Breach Notification

In the event of a personal data breach, we will comply with the notification obligations set out in Articles 33 and 34 of the GDPR:

  • Supervisory authority notification: We will notify the VDAI within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
  • Data subject notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay.
  • Client notification (processor role): When we act as a data processor, we will notify the relevant client (data controller) without undue delay after becoming aware of a breach affecting their data.

We maintain a data breach register documenting the facts of each breach, its effects, and the remedial actions taken.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Effective Date" and version number at the top of this page.
  • For significant changes, we will provide a prominent notice on the Platform or notify you by email.
  • We will maintain an archive of previous versions upon request.

We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acknowledgment of those changes.

16. Contact Information

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

General Inquiries

AFKzona Group MB

Vytauto g. 71, Kretinga, Lithuania

info@afkzona.lt

Data Protection Officer

dpo@afkzona.lt

For all privacy and data protection matters

Supervisory Authority

VDAI — Valstybinė duomenų apsaugos inspekcija

https://vdai.lrv.lt
