Privacy Policy updated on 20-12-2022

Amendments or changes to the Policy shall take effect upon their publication on this website.


This Privacy Policy sets out the terms and conditions for the collection and use of personal data on the websites and by Grožio Galia UAB (hereinafter referred to as “We” or “Sothys”), which apply to visitors to these websites and to visitors to our social networks (e.g., Facebook, Instagram etc.). Please read this document carefully as it is used to inform you about the processing of your personal data.

As this Policy is subject to change without notice, please check it each time you visit our websites. You will find the most recent version of the Privacy Policy on our websites.

In respect of all personal data described in this Privacy Policy, Grožio Galia UAB acts as Data Controller . Our details:

UAB Grožio Galia

Legal entity code: 303326876

Address: Vasario 16-osios g. 2-119, LT-01106 Vilnius


Phone: +370 612 51510


For what purpose do we collect personal data?

What data do we collect?

Which GDPR clause do we rely on to process your personal data?

How long do we keep this data?

2.1.For the purpose of conducting e-commerce,i.e. to enable you to shop in our online shop.

The following order data is collected:

- Name, surname

- Address of delivery location

- Telephone number and email address. Required for the fulfilment of contractual obligations (e.g. to contact you about delivery delays), but not for direct marketing purposes .

- Payment details (purpose and method of payment, amount of payment). Required for payment of ordered goods via the external payment transaction platform of your choice . The payment service provider (see section 3 of the Privacy Policy) may collect securely encrypted data from your bank card. This information (e.g. card number, expiry date, security code) is not accessible to us .

- Shopping cart

- Cosmetologist / beautician code. All items in our online shop can only be purchased with the approval of a cosmetologist, which you prove by providing your cosmetologist code. If you do not have a cosmetologist’s code, you can send a request to Sothys’ partner cosmetologists who will contact you to arrange a consultation.

- In this case, your email address will be forwarded to the consulting cosmetologist.

Performance and conclusion of the contract (Article 6(1)(b) GDPR)

Order data is stored for 24 monthsfrom the date the order was created.

Financial documents shall be kept for 10 years from the date of the purchase transaction, unless there is a need to keep the data longer, for example to defend legal claims .

2.2. For the purpose of setting up and administering the Customer Account. If you want to see your order and payment information and not have to fill in your details every time you place a new order, you can create a registered user account.

The following data is to be collected:

- Name and surname

- Email address

- Purchasing history

The account is created with your active consent (Article 6(1)(a) GDPR)

Account data is stored for as long as your account is valid. Your account is valid for 3 years from the date of your last login. We will send you a notice 30 days before your account expires informing you that your account is about to be deleted.

We may retain your consent and proof of consent for a longer period of time if we need to do so in order to defend ourselves against claims, demands or actions brought against us.

2.3. For the purpose of setting up and managing a cosmetologist/ beautician’s account

The following data is to be collected:

- Name and surname

- Email address

- Telephone contact number

- Beauty salon address

- Information about consultations given

Performance and conclusion of the contract (Article 6(1)(b) GDPR)

Account data is stored for the duration of the contractual relationship between Sothys and the beautician and for 10 years after its termination. In the event of termination or expiry of the contractual relationship, the account is blocked.

2.4. To inform you about our news, promotions and to ask for your opinion via a newsletter (direct marketing)

We collect your email address.

Note! We use double authentication to protect your data. This means that if you enter your email address, you will receive an email requesting authentication. Only by clicking on the link in the email will you be added to the subscriber list.

With your consent (Article 6(1)(a) GDPR)

5 years(unless you give a new consent for longer data retention within this period).

2.5. To inform you about the availability of goods in the trade in which you have shown an interest

We collect your email address, which you provide to us together with the details of the product you are interested in

With your consent (Article 6(1)(a) GDPR)

Your email address will be stored until you are notified that the item which was out of stock is available. Once we have informed you that the item has become available, we will delete your email address.

2.6. If you submit a question, request or complaint to us by electronic communication

We collect your name, surname, telephone number (if you provide one), email address (required), the content of the message, the time the message was received/delivered and the reply to the message.

We have a legitimate interest in answering your questions, requests or complaints) (Article 6(1f) GDPR)

Ordinary emails or messages asking for non-legally binding information are kept for a maximum of 1 year from the end of the enquiry.

In the case of a complaint, claim or other legally binding document, we keep it for 3 years.

Personal data may be retained for a longer period if this is necessary to enable us to defend ourselves against claims, claims or actions brought against us.

2.7. To manage our social networks (Facebook, Instagram)

The following data is collected and processed from social media users: name, contact information (if you provide it to us), comments left on our posts, shares of our posts, likes, follows and other reactions (including when you started following or liking our social media account), photo, messages you send to us, history of your communication with us (content of the messages, time of their receipt/delivery), evaluations you have left, and your Sothys ratings.

With your consent, which you have given by logging into a social network (Article 6(1)(a) GDPR)

10 years

2.8. To improve our website,to ensure its operation, to improve its security and to adapt its content and format to the needs of users

When you visit the Sothys website, we automatically collect the following data about you: your IP address, operating system, user ID and other information about your activities on our website and other websites. We collect and store this information as part of our log records or by using cookies. For more information on the use of cookies, please see our Cookie Policy.

The processing of personal data obtained by means of cookies is based on our legitimate interest (Article 6(1)(f) GDPR)

For more information on retention periods, please see our Cookie Policy.

2.9. To protect our rights in legalproceedings concerning you

All the above information, documents sent to you and their attachments, documents you have submitted and their attachments, procedural documents, court orders, rulings, decisions.

Information on criminal offences and convictions.

We have a legitimate interest in protecting our rights in legal proceedings (Article 6(1)(f) GDPR).

The data is necessary for us to assert, exercise or defend legal claims (Article 9(2)(f) GDPR).

For as long as legal proceedings are ongoing and for 10 years after they end..


Where necessary, Sothys may transmit and/or otherwise disclose the personal data processed to public regulatory and law enforcement authorities, courts and other public authorities.

In addition, to the extent necessary to ensure the proper provision of services, Sothys may transfer personal data to third parties - partners, service providers (including providers of software, IT infrastructure maintenance, cloud services, server rentals and maintenance, electronic communications, parcel delivery, website administration, accounting, archiving, marketing services, etc.) - for processing. We will only provide all of these service providers with as much data as is necessary to perform a particular service.

Sale of a business or merger. We may also disclose your personal data to third parties in the event that we sell or buy any business or assets (whether as a result of liquidation, bankruptcy or otherwise) or merge with another company. In such a case, we may transfer your data to the prospective seller or buyer of such business or asset, as Sothys’ customer information may also be the subject of a sale in the course of a business sale or merger.

We currently cooperate with and transfer your personal data to the following service providers:

  • Newsletter service provider
  • Website hosting provider
  • Cosmetologists with whom Sothys cooperates.Your data is transferred when you send us an enquiry about your need for a beautician
  • Payment service provider (acting as an independent data controller)
  • Parcel delivery service providers
  • Facebook, Inc. (USA).You can read Facebook's privacy policy here. Facebook no longer relies on the Privacy Shield data transfer mechanism to the US, but continues to participate in this programme. For transfers of personal data outside the EEA, Facebook uses the Standard Contractual Clauses (SCC) approved by the European Commission.
  • Google LLC (USA).Google's privacy policy can be found here. Google cookies and Google Workspace are used. Google no longer uses the Privacy Shield mechanism for data transfers to the US, but continues to participate in this programme. For transfers of personal data outside the EEA, Google uses the Standard Contractual Clauses (SCC) approved by the European Commission .

Where you interact with us via social networks, you should check the data protection terms and conditions of the social network in question, as well as its privacy policy. Any personal data that you transmit to us via social networks is controlled by the specific social network operator (e.g. Facebook, Instagram).


When processing and storing your personal data, we implement organisational and technical measures to ensure the protection of personal data against accidental or unlawful destruction (e.g. regular data backup), alteration, disclosure, as well as against any other unlawful processing. Secure use of our website is ensured by one of the world's most prominent Secure Socket Layer (SSL ) certificates. With an SSL certificate, the information sent between the user's browser and our server is encrypted. For details of the certificate, please visit


Each data subject whose data is processed in our activities has the following rights:

· To know (be informed) about the processing of his/her personal data (GDPR Articles 12-14)

· To have access to the processing of his/her personal data (Article 15 GDPR)

· To request the rectification of inaccurate personal data concerning him/her (Article 16 GDPR)

· To request the erasure of personal data concerning him/her ('right to be forgotten') (Article 17 GDPR).

Note! You only have the right to be forgotten if one of the following reasons can be relied upon:

o the personal data are no longer necessary for the purposes for which they were collected or otherwise processed

o you withdraw your consent to the processing of the personal data on which the processing is based and there is no other basis for the processing

o you do not consent to processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate grounds for processing.

· To restrict processing (Article 18 GDPR)

Note! You only have the right to restrict the processing of your data if:

o the personal data are inaccurate

o the processing of the personal data is unlawful but you do not consent to the erasure of the data

o the controller no longer needs the personal data for the fulfilment of its purpose, but needs it in order to assert, exercise or defend legal claims against you

o you object to the processing in accordance with Article 21(1) of the GDPR, provided that the controller's legitimate reasons do not override your reasons.

· To transfer your personal data where the processing is based on consent or contract and the processing is carried out by automated means (Article 20 GDPR)

· Object to the processing of your personal data on grounds relating to your particular case where the processing is carried out for the legitimate interests of the controller or of a third party, unless the controller demonstrates that the processing is carried out for compelling legitimate grounds which override your interests, rights and freedoms, or for bringing, executing or defending legal claims (Article 21 of GDPR).

If you believe that UAB Grožio Galia unlawfully processes your personal data or fails to exercise your rights, you have the right to lodge a complaint with the State Data Protection Inspectorate (L. Sapiegos g. 17, 10312 Vilnius, tel. (8 5) 271 2804, 279 1445, email ).

You can exercise your rights by submitting a written request by email:


This website may contain third party banners and links to their websites and services. Please note that we are not responsible for the content of these websites or the data security measures used by them. Therefore, if you click on a link from the Sothys website to other websites, you should consult their privacy policies separately.


If you have any questions regarding the protection of your personal data, please contact us by e-mail or phone +370 612 51510.