“Personal data” or “personal information” means any element that allows us to identify you as a person. Personal data processing is governed by Regulation 679/2016 on personal data protection (“GDPR”), supplemented in Romania by Law no. 190/2018.
We take personal data privacy and protection very seriously, and this document sets out: (a) the personal data that we collect from you, (b) how we intend to use this data and (c) what rights you have in relation to this data and its processing.
- Who controls your personal data and how can you contact us?
According to the legislation, our company, CRAIASA CONCEPT SRL, is a personal data controller. In order to process your personal data safely, we have made every effort to implement reasonable measures to protect your personal information.
Under the legal provisions, you, as an individual who is a beneficiary of our services or in any type of relationship with our company, are a “data subject”, meaning an identified or identifiable natural person. In order to be transparent in personal data processing and to allow you to exercise your rights easily at any moment, we have implemented measures to facilitate communication between us, the data controller, and you, the data subject.
2.1. Our contact
Below you may find our identification data and contact:
|Name||CRAIASA CONCEPT SRL|
|Work point||18A C.C. Arion, ground floor, apt.5, 1st District, Bucharest|
|Trade Registry number||J40/13811/2018|
|Unique identification code||39922944|
If you have any concerns, comments or complaints about us or the personal data that we process about you, you may always send us an email at the address above.
2.2. Supervisory authority data
If you think there is a problem with the processing of your personal data, we ask you to send us a request at the above address first – we will do our best to resolve your request amicably as soon as possible.
You may also file a request with the personal data supervisory authority. For Romania, you may find the contact data below:
|Name||The National Supervisory Authority for Personal Data Processing|
|Address||Blvd. G-ral. Gheorghe Magheru no. 28-30, 1st District, postal code 010336|
|Phone:||+40.318.059.211 or +40.318.059.212|
- What information do we collect from you?
We collect the following information from you in order to process your order:
- Full name;
- E-mail address;
- Phone number;
- Billing address;
- Delivery address;
- Payment data;
- IP address;
- Facebook ID;
- Password for user account.
We can also collect and then process certain information about your behavior while visiting our website to personalize your online experience and provide you with offers tailored to your profile.
- How do we collect the data?
We collect the personal data directly from you, when you create an account and/or place an online order in our shop.
- What are the legal bases for the processing of personal data?
We will use your personal information/data on the following legal bases:
|Personal Data||Purpose||Legal basis|
|full name; e-mail address; phone number; billing address; delivery address; payment data||Order processing and delivery.||We need this information in order to fulfil our contractual obligations (i.e. to deliver the products to you).|
|IP address; e-mail address||Marketing||Based on the consent expressed by ticking the newsletter subscription box and by accepting the cookie policy.|
|IP address||Improving our services||We base these activities on our legitimate interest in carrying out commercial activities, always taking care that your fundamental rights and freedoms are not affected.|
- What if you do not want to provide this information?
You do not need to provide us your personal data. However, if you choose not to do so, we will not be able to process your order in our online store.
- How do we protect this information?
We understand the importance of personal data security and take the necessary steps to protect our customers and other people whose data we process from unauthorized access to personal data and from the unauthorized modification, disclosure or destruction of the data we process in our current activity.
We have implemented the following technical and organizational security measures for personal data:
Dedicated policies. We consistently adopt and revise internal privacy practices and policies (including physical and electronic security measures) to protect our systems against unauthorized access or other potential threats to their security. These policies are subject to constant checks to ensure that we comply with legal requirements and that systems are functioning properly.
Minimize data. We ensure that your personal data that we process is limited to what is necessary, appropriate and relevant for the purposes stated in this policy.
Restrict access to data. We try to restrict as much as possible the access to the personal data we process to the minimum necessary: employees, collaborators and other people who need to access this data in order to process and perform a service. Our partners and collaborators are subject to strict confidentiality (either statutory or legal) obligations.
Specific technical measures. We use technologies to ensure the security of our customers, always trying to implement optimal data protection solutions. We also make periodic data backups so that data can be recovered in the event of an incident, and we have periodic audit procedures in place for the security of the equipment used.
Ensure the accuracy of your data. Sometimes we may ask you to confirm the accuracy or timeliness of your data to make sure it reflects reality.
Staff training. We constantly train and test our employees and collaborators on legislation and best practices in the field of personal data processing.
Anonymisation of data. Wherever we can, we try as much as possible to anonymize / pseudonymize the personal data we process, so that we can no longer identify the people they are referring to.
- With whom do we share the personal data?
Our service providers for the website, payments, e-mail and courier will have access to your personal information. This is required to complete your order and send you an order confirmation as well as a receipt / invoice.
Our providers are the following:
- for website – ROMARG
- for payments – MOBIL PAY
- for e-mail – MAILCHIMP
- for delivery – FAN CURIER
- for firewall and content distribution network – GO DADDY MEDIA TEMPLE INC (SUCURI)
- for marketing – GOOGLE, FACEBOOK, HOTJAR
We may be required to provide personal information to others in limited circumstances:
- External consultants (such as lawyers);
- Public authorities or judicial bodies.
Whenever we decide to give someone else access to your personal data, we will ensure that there are adequate security methods in place to protect your privacy.
- Will personal data be transferred outside of the EEA?
If you are located in a country in the European Economic Area (EEA), we may need to transfer your personal data outside of the EEA, for example where our storage facilities are located in another country.
In such a case, we will implement appropriate and approved procedures to ensure the protection of your data, fundamental rights and freedoms while your personal data is located outside the EEA. If you would like more information about this, please contact us at the details provided in Section 2.1 above.
- How long do we store the personal data?
The information we collect for the purpose of creating the user account is stored until an account closure request is received or until the account has not been used for a period of 5 years, and newsletter data is stored until you unsubscribe. We need to store this data for commercial purposes and also in case of disputes about the order.
Purchase processing and payment information will be retained for a period of 5 years from the date of payment. We need to store these data in accordance with the payment processor’s instructions and in the event of disputes regarding the order and payment.
Sometimes we may need to keep a copy of your personal information for a longer period of time in case of a dispute, for example, to investigate security breaches or to comply with legal obligations. We will never store your personal data for longer than necessary. In all cases, your personal information will be destroyed in a secure way once the storage period described above has expired.
- What are your rights?
You have certain rights with respect to your personal data that we process, including:
- the right to have access to the information we hold about you;
- the right to rectify the data if you consider it to be incorrect / inaccurate / incomplete;
- the right to ask us to delete the data (only if we rely on your consent for processing);
- the right to receive a copy of any information we hold about you;
- the right to object to the processing of your personal data for the purposes listed above. However, you have to keep in mind that this is not an absolute right and that it has certain limitations.
- Will we do something else with this data in the future?
We will be able to associate your personal data with a unique customer number for business purposes, which will allow us to deliver the best services to our customers.
Where consent is used for data processing, you have the right to withdraw your consent at any time and ask us to stop processing your data. We will tell you about the implications of this and we will follow your options in this regard.
- Changes to this information policy
Last modification date: 5 May 2019.