Privacy Policy
Last updated: April 12, 2026
This Privacy Policy explains how MB Firepoint collects, uses, stores, and protects personal data in connection with the website getfirepoint.com and the consulting services we provide. It describes your rights under applicable data protection laws and how to exercise them.
We have written this policy to be as clear as reasonably possible. Where legal precision is required, we use the precise term; where plain language serves better, we use plain language.
1. Who we are and how to contact us
MB Firepoint (hereinafter "Firepoint," "we," "us," or "our") is a small partnership (mažoji bendrija) registered in the Republic of Lithuania.
Legal entity: MB Firepoint
Registered address: Eduardo Andrė g. 14-5, LT-02232 Vilnius, Lithuania
Company code (juridinio asmens kodas): 307398079
Email: hello@getfirepoint.com
For the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and the Lithuanian Law on Legal Protection of Personal Data (Asmens duomenų teisinės apsaugos įstatymas), we act as the data controller of personal data described in this policy.
All privacy-related questions, requests, and formal notices should be addressed to: hello@getfirepoint.com
2. Scope
This policy applies to:
- Visitors to getfirepoint.com
- Individuals who submit applications through our website
- Clients and prospective clients who correspond with us or purchase our services
- Representatives of business entities that engage with us
This policy does not govern third-party websites, platforms, or services we link to or integrate with. Each operates under its own privacy practices for which we are not responsible.
3. Personal data we collect
We collect only the personal data necessary to evaluate applications, deliver our services, fulfill our legal obligations, and operate our business.
3.1. Application data
When you submit an application through the form on our website, we collect: your full name, work email address, Shopify store URL, stated monthly revenue range, stated monthly ad spend range, your description of the conversion issues you are experiencing, your stated current conversion rate (if provided), your description of prior interventions (if provided), any upcoming launches or changes (if provided), and your stated budget range.
3.2. Engagement data
If you become a client, we additionally process: the read-only access credentials you provide to your Shopify store and, where applicable, your email/marketing platform, analytics platform, and advertising platform accounts, for the strict duration of the engagement; our working notes and audit findings regarding your store; correspondence between us; and the recorded video walkthrough and written report we deliver to you.
3.3. Payment data
Payments are processed through a regulated third-party payment service provider. We do not collect, store, or have access to full payment card details at any time. We receive only the minimum transaction metadata necessary for accounting and anti-fraud purposes (for example: transaction ID, date, amount, last four digits of the card, billing country).
3.4. Website data
Our website uses minimal analytics to understand aggregate traffic patterns. We do not deploy advertising pixels, third-party behavioral tracking cookies, or cross-site identifiers. Details on cookies are set out in Section 9.
3.5. Correspondence data
When you email us or otherwise correspond with us, we process the content of that correspondence and any attachments you send, along with the metadata (timestamp, sender, recipient).
4. Purposes and legal bases for processing
We process personal data on the following legal bases under Article 6(1) GDPR:
4.1. Performance of a contract (Art. 6(1)(b) GDPR)
Processing of engagement data and payment data is necessary for the performance of the consulting contract between you and us.
4.2. Pre-contractual measures (Art. 6(1)(b) GDPR)
Processing of application data is necessary for steps taken at your request prior to entering into a contract — specifically, evaluating whether we can accept your engagement.
4.3. Legitimate interests (Art. 6(1)(f) GDPR)
Processing of correspondence, minimal website analytics, and internal administrative records is based on our legitimate interests in operating, securing, and improving our services, provided such interests are not overridden by your rights and freedoms. You have the right to object to processing on this basis (see Section 8).
4.4. Legal obligation (Art. 6(1)(c) GDPR)
Retention of invoicing, accounting, and certain engagement records for statutory periods is required under Lithuanian tax and accounting law.
4.5. Consent (Art. 6(1)(a) GDPR)
Where we rely on consent for any specific processing activity, we will request it clearly and you may withdraw it at any time without affecting prior lawful processing.
5. Recipients and transfers of personal data
We do not sell personal data. We do not rent or trade personal data. We do not share personal data with advertisers or marketing networks.
We share personal data only with the following categories of recipients, and only to the extent necessary:
5.1. Service providers (data processors) acting under our instructions
We engage reputable third-party service providers to perform specific functions on our behalf, including email and document storage, website hosting, payment processing, domain registration, video recording and delivery of client deliverables, form submission handling, scheduling, and accounting support.
Each such provider operates under a written data processing agreement with us requiring confidentiality, appropriate technical and organizational security measures, and compliance with the GDPR. We may change providers from time to time as our operational requirements evolve; such changes do not require an update to this Policy.
5.2. Professional advisors
Our accountants, lawyers, and tax advisors may process personal data where strictly necessary and under obligations of confidentiality.
5.3. Public authorities
We may disclose personal data where required by a binding legal obligation or a valid order from a competent authority.
5.4. International transfers
Some of our service providers (notably those based in the United States) may process personal data outside the European Economic Area. In such cases, transfers are protected by one of the following safeguards under Chapter V GDPR: (a) an adequacy decision of the European Commission; (b) the EU-U.S. Data Privacy Framework certification where applicable; or (c) Standard Contractual Clauses approved by the European Commission. We keep records of the safeguards in place for each transfer and can provide these on request.
6. Retention periods
We retain personal data only for as long as necessary for the purposes described in this policy.
- Application data from individuals who do not become clients: 12 months from submission, after which the record is deleted.
- Engagement data (client records, deliverables, correspondence): for the duration of the engagement and for 10 years thereafter, in accordance with Lithuanian legal requirements on the retention of commercial and accounting records (including Article 19 of the Lithuanian Law on Accounting).
- Invoicing and tax records: 10 years, in accordance with Lithuanian tax legislation.
- Correspondence unrelated to an active engagement: up to 3 years, unless a longer period is required to defend legal claims or comply with legal obligations.
When retention periods expire, personal data is deleted or irreversibly anonymized.
7. Security
We apply appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, the nature of the processing, and the risks involved.
Measures include: encrypted data transmission (TLS); access controls and strong authentication on all systems holding personal data; use of reputable EU-based or SOC 2-compliant infrastructure providers; a principle of least privilege in access assignment; and documented internal procedures for handling personal data.
No system is perfectly secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the State Data Protection Inspectorate and affected individuals in accordance with Articles 33 and 34 GDPR.
8. Your rights
You have the following rights under the GDPR with respect to personal data we hold about you:
- Right of access (Art. 15): to obtain confirmation of whether we process your data and to receive a copy of it
- Right to rectification (Art. 16): to have inaccurate or incomplete data corrected
- Right to erasure (Art. 17): to have your data deleted in defined circumstances
- Right to restriction of processing (Art. 18): to limit how we process your data in defined circumstances
- Right to data portability (Art. 20): to receive your data in a structured, machine-readable format and to transmit it to another controller where technically feasible
- Right to object (Art. 21): to object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)): at any time, where processing is based on consent, without affecting prior lawful processing
To exercise any of these rights, email hello@getfirepoint.com with the subject "Data request" and a description of your request. We will respond within 30 days, in accordance with Article 12(3) GDPR. If your request is complex, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons within the initial 30-day period.
You also have the right to lodge a complaint with the State Data Protection Inspectorate of the Republic of Lithuania (Valstybinė duomenų apsaugos inspekcija):
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Website: vdai.lrv.lt
Email: ada@ada.lt
You may alternatively contact the supervisory authority in your EU country of residence.
9. Cookies and similar technologies
getfirepoint.com uses only strictly necessary cookies and minimal first-party analytics. We do not deploy:
- Third-party advertising pixels or conversion tags
- Cross-site behavioral tracking cookies
- Session replay or mouse-movement recording tools
- Data brokers or audience-enrichment services
The analytics we use collect aggregated, non-identifying information such as page views, referrers, approximate geographic region (country level), and anonymized session duration. We use this data solely to understand which pages are useful and where visitors drop off.
If we ever introduce cookies that require consent under the ePrivacy Directive and Article 7 GDPR, we will implement a compliant consent banner before doing so.
10. Minors
Our services are directed at businesses and their representatives. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us and we will delete the data.
11. Automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects concerning you.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our legal obligations, or the services we use. When we make material changes, we will update the "Last updated" date at the top of this page, and — for active clients — notify you by email at least 14 days before the change takes effect.
Continued use of our services or website after an update constitutes acceptance of the updated policy, except where applicable law requires a different form of consent.
13. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data:
MB Firepoint
Eduardo Andrė g. 14-5, LT-02232 Vilnius, Lithuania
Company code: 307398079
Email: hello@getfirepoint.com