Nomat.lv — Privacy and Cookie Policy
This Privacy Policy describes how SIA "Macovel" (Nomat.lv) processes your personal data in accordance with the General Data Protection Regulation (GDPR) and the laws of the Republic of Latvia.
Last updated: 2026-04-10
1. Controller and Contact Information
1.1. The controller of your personal data is:
SIA "Macovel"
Registration number: 40203046496
Registered address: Talsu nov., Lībagu pag., "Uplejas", LV-3258, Latvia
Email: [email protected]
Website: https://nomat.lv
1.2. For any matters relating to personal data processing or to exercise your rights, please contact us at [email protected].
1.3. This Privacy Policy applies to all visitors and registered users of the Nomat.lv website.
1.4. Data Protection Officer (DPO). Pursuant to Article 37 of the GDPR, SIA "Macovel" is not required to appoint a data protection officer, as Nomat.lv's core activities do not involve large-scale systematic monitoring of data subjects or large-scale processing of special categories of data. If you have questions about data processing, please contact us directly at [email protected].
2. Definitions
2.1. Personal data — any information relating to an identified or identifiable natural person (data subject).
2.2. Processing — any operation performed on personal data (collection, storage, use, deletion, etc.).
2.3. Controller — the natural or legal person that determines the purposes and means of processing personal data. In this case — SIA "Macovel".
2.4. Processor — a natural or legal person that processes personal data on behalf of the controller.
2.5. Data subject — an identified or identifiable natural person whose data is processed by Nomat.lv (User or visitor).
2.6. GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
3. What Data We Process
3.1. Depending on your interaction with the Website, we may process the following categories of personal data:
3.2. Identification and contact information:
— first name, last name;
— email address;
— phone number;
— date of birth (if provided);
— profile picture (if uploaded).
3.3. Account data:
— username;
— password (stored in hashed form);
— account creation date;
— last login time and IP address;
— language and notification settings;
— two-factor authentication data (if enabled).
3.4. Trader/profile data (if the User is a business):
— company name;
— registration number;
— VAT registration number;
— legal address;
— bank account number (for invoices and payouts).
3.5. Listing and transaction data:
— listing content (description, photos, prices, location);
— reservations and rental transactions;
— reviews and ratings;
— correspondence with other Users (messages).
3.6. Payment data:
— payment history and statuses;
— invoice information;
— subscription type and period;
— NB! We do NOT store full payment card details. They are processed only by a certified payment service provider (see section 5).
3.7. Technical and usage data:
— IP address;
— browser type and version;
— device type and operating system;
— history of pages visited on the Website;
— entry and exit pages;
— cookies (see section 11).
3.8. Location data:
— listing and profile address (voluntarily published);
— geographic coordinates (geocoded from the address);
— approximate location from IP address (for analytics).
3.9. We do not process special category (sensitive) personal data (race, ethnicity, political opinions, religion, health data, etc.). Please do not publish such data in your listings or profiles.
4. Processing Purposes and Legal Basis
4.1. We process your personal data only for specific, clearly defined purposes, always based on one of the legal bases set out in Article 6 of the GDPR:
4.2. Account creation and provision of Website services
Purpose: to enable you to use the Website's functionality — register, publish listings, communicate with other Users, make reservations.
Legal basis: contract performance (Article 6(1)(b) GDPR).
4.3. Payment processing and accounting
Purpose: to accept subscription payments, issue invoices, maintain accounting records.
Legal basis: contract performance and legal obligation (Latvian Accounting Law) (Article 6(1)(b) and (c) GDPR).
4.4. User identification and fraud prevention
Purpose: to verify the User's identity, prevent fraudulent activities, protect other Users.
Legal basis: legitimate interests (for the security of the Website and the protection of Users) (Article 6(1)(f) GDPR).
4.5. Communication with the User
Purpose: to send service notifications (reservation confirmations, password resets, security notifications), respond to inquiries.
Legal basis: contract performance.
4.6. Marketing and newsletters
Purpose: to inform about news, promotions, and Website improvements.
Legal basis: your consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time by clicking "unsubscribe" in an email or writing to [email protected].
4.7. Website operation analysis and improvement
Purpose: to analyse how Users use the Website to improve functionality and user experience.
Legal basis: legitimate interests and (for analytics cookies) your consent.
4.8. Compliance with legal claims and defence
Purpose: to comply with legal requirements, respond to law-enforcement requests, defend Nomat.lv's legal interests.
Legal basis: legal obligation and legitimate interests.
4.9. Automated decision-making and profiling
Nomat.lv DOES NOT engage in automated decision-making that produces legal effects or significantly affects Users within the meaning of Article 22 of the GDPR. We DO NOT profile Users for marketing or behavioural prediction purposes. All material decisions concerning the User's Account (e.g., suspension, deletion) are made with human review.
5. Data Recipients
5.1. We DO NOT sell or transfer your personal data to third parties for any commercial or marketing purposes. We do not regard personal data as a tradable commodity. Data is shared only with processors and partners necessary for service delivery, or as required by law.
5.2. We may transfer your data to the following categories of recipients (processors and partners) acting on our behalf or under applicable law:
5.3. Payment service provider:
Paddle.com Market Limited (or another applicable provider) — processes subscription payments and issues invoices. Paddle is the official "Merchant of Record" for our payments. More information: https://www.paddle.com/legal/privacy.
5.4. Hosting and infrastructure providers:
— Server hosting provider (located in the EU);
— Database storage and backup services.
5.5. Email and notification services:
— SMTP/transactional email provider (for service notifications and marketing);
— Push notification services.
5.6. Analytics services:
— Web analytics tools for Website usage analysis (only with your consent to cookie use).
5.7. Professional service providers:
— accountants;
— lawyers and attorneys (in case of legal disputes);
— auditors.
5.8. State authorities:
— State Revenue Service, law enforcement agencies, or other competent authorities, when required by law or court order.
5.9. Other Website Users:
Information published in your profile and listings (name, profile picture, listing content, contact information) is accessible to other Users of the Website and search engines.
5.10. All our processors have signed a data processing agreement (DPA) with us in accordance with Article 28 of the GDPR.
6. Data Transfers Outside the EU/EEA
6.1. We strive to store personal data within the European Union (EU) and the European Economic Area (EEA).
6.2. However, some of our service providers (for example, Paddle.com Market Limited registered in the United Kingdom, or cloud service providers with servers outside the EU) may process data outside the EU/EEA.
6.3. In such cases, we ensure an adequate level of data protection using:
— European Commission Standard Contractual Clauses (SCCs);
— European Commission adequacy decisions (e.g., the United Kingdom benefits from an adequacy decision);
— other safeguards provided in Chapter V of the GDPR.
6.4. For more information about specific data transfer cases, please write to [email protected].
7. Data Retention Periods
7.1. We retain your personal data only for as long as necessary for the purposes for which it is processed or as required by law.
7.2. Main retention periods:
Account data and published listings:
For the entire duration of Account activity. After Account deletion — up to 90 days, to allow data restoration if the User changes their mind.
Payment and financial data (invoices, payment history):
5 (five) years after the end of the tax period, in accordance with Article 28 of the Latvian Accounting Law.
Correspondence and support requests:
Up to 2 (two) years from the date of the last activity.
Technical and server logs:
Up to 12 (twelve) months for security and technical analytics purposes.
Marketing consent and newsletter subscriptions:
Until consent is withdrawn or the account is deleted.
Claims, complaints, and disputes:
Up to 10 (ten) years after the dispute is resolved (in accordance with the civil law statute of limitations).
7.3. After the retention period expires, data is either permanently deleted or anonymised so that it can no longer be associated with a specific person.
8. Your Rights
8.1. Under the GDPR, as a data subject, you have the following rights:
8.2. Right of access (Article 15 GDPR)
To obtain confirmation of whether we process your personal data and, if so, to receive a copy of it together with information about the processing.
8.3. Right to rectification (Article 16 GDPR)
To request the correction of inaccurate personal data or the completion of incomplete data. You can correct most of your data directly in your Account settings.
8.4. Right to erasure / right to be forgotten (Article 17 GDPR)
To request the deletion of your personal data if it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent. We may refuse this request if data retention is required by law (e.g., accounting data).
8.5. Right to restriction of processing (Article 18 GDPR)
To request that we restrict (temporarily suspend) processing of your data in certain cases, e.g., while the accuracy of the data is being verified.
8.6. Right to data portability (Article 20 GDPR)
To receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
8.7. Right to object (Article 21 GDPR)
To object to the processing of your data based on our legitimate interests, including direct marketing. In the case of direct marketing, we will immediately stop processing data for that purpose.
8.8. Right to withdraw consent (Article 7 GDPR)
If processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8.9. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
To lodge a complaint with the State Data Inspectorate of Latvia (Elijas iela 17, Rīga, LV-1050; email: [email protected]; website: www.dvi.gov.lv) or in another EU country if you believe your data processing infringes the GDPR.
8.10. To exercise your rights, please write to [email protected]. We will respond to your request within 30 days. In more complex cases, this period may be extended by a further 60 days, with notice to you.
8.11. To verify your identity, we may ask you to provide additional information.
8.12. Exercising your rights is generally free of charge. However, if requests are unfounded or excessive, we may charge a reasonable fee or refuse to comply with the request.
9. Data Security
9.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, use, alteration, or destruction.
9.2. Main security measures:
— SSL/TLS encryption for all data transmission between your browser and our servers (HTTPS);
— passwords are stored in hashed form using secure algorithms (bcrypt);
— two-factor authentication (2FA) is available to all Users;
— regular installation of security updates and patches;
— restricted access to data (only authorised personnel);
— regular data backups;
— staff training on data protection.
9.3. Despite all our efforts, no internet transmission or data storage system is 100% secure. We cannot guarantee absolute security, but we undertake to do everything reasonably possible to protect your data.
10. Children's Personal Data
10.1. The Website is not intended for persons under 16 years of age. We do not knowingly collect or process personal data from children under this age.
10.2. If we learn that we have received personal data from a child under 16, we will delete that data immediately.
10.3. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us at [email protected].
12. Data Breach Notification
12.1. In the event of a personal data breach that may pose a high risk to your rights and freedoms, we will notify the State Data Inspectorate within 72 hours in accordance with Article 33 of the GDPR.
12.2. If the breach poses a high risk to your personal data, we will also notify you personally without undue delay (Article 34 of the GDPR).
12.3. You can report suspected data security incidents by writing to [email protected].
13. Changes to the Policy
13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, regulations, or new services.
13.2. We will notify you of significant changes by sending an email or publishing a notice on the Website at least 30 days before the changes take effect.
13.3. The current "last updated" date is always shown at the top of this page.
13.4. We recommend that you periodically review this Privacy Policy to keep up with changes.
14. Contact and Complaints
14.1. If you have questions, comments, or complaints about this Privacy Policy or the processing of your personal data, please contact us:
Email: [email protected]
Postal address: SIA "Macovel", Talsu nov., Lībagu pag., "Uplejas", LV-3258, Latvia
14.2. We will try to resolve all matters in a friendly and prompt manner.
14.3. If you are not satisfied with our response, you have the right to lodge a complaint with the State Data Inspectorate:
Address: Elijas iela 17, Rīga, LV-1050
Email: [email protected]
Phone: +371 67223131
Website: www.dvi.gov.lv