We consider ensuring the right to the protection of personal data as a fundamental commitment of HERET.RO, therefore we will devote all the necessary resources and efforts to process your data in full accordance with Regulation (EU) 2016/679 (“General Data Protection Regulation ” or “GDPR”), as well as with any other legislation applicable on the territory of Romania. As one of the essential principles of this legal framework is transparency, we have prepared this document to inform you about how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and services ours, including through our website or apps available on your mobile phone.

We reserve the right to periodically update and amend this Privacy Policy to reflect any changes in the way we process your personal data or any changes in legal requirements. In case of any such change, we will display on our website the modified version of the Privacy Policy, which is why we ask you to periodically check the content of this Privacy Policy.

HERET.RO (hereinafter: “Data Operator”) is a company incorporated and operating in Romania, whose main field of activity is the sale of products through the HERET.RO website. In this Privacy Policy, the terms “company”, “we”, “our” etc. always represents the data controller.

The terms “you”, “user”, “customer” refer to the person who either accesses HERET.RO, or creates an account or purchases the products sold by the company.

The user is informed about the provisions of this Privacy Policy when creating the account on HERET.RO, when requesting the information necessary to validate the account and when placing an order on HERET.RO. The user will confirm that he has been informed about the Privacy Policy by checking an existing section on the site, in the section of creating the account or with the completion of the order.

With the creation of the account or the placing of the order, the User will give his consent for the use of the data for marketing purposes, the consent given in this regard can be withdrawn at any time through the platform or through the means through which the information is transmitted to him.

The data controller is responsible for the development of this Privacy Policy, for the full compliance of the persons within its scope and for monitoring and making any necessary changes. The Data Controller may unilaterally and at any time modify this Privacy Policy. Some business processes and enhancements make it essential that some of the data management goals extend further. The data operator undertakes to comply with the GDPR directives in every case that requires the processing of personal data. The privacy policy comes into force upon its publication.

The data controller grants each interested person the right to know, in particular, the purpose of the personal data processing and, if possible, the duration of the personal data processing, the recipients of the personal data and the logic of the automatic processing of the personal data, such as and the consequences that data management may have and the information that the Data Subject may receive. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, in particular with regard to the protection of software. However, these considerations should not lead to the refusal of all information by the Data Controller to the Data Subject.

The express acceptance of this Privacy Policy by electronic means is voluntary, specific and informative, you thus confirming that you have read the provisions of this privacy policy.

The data operator undertakes to protect the personal data of the Users, being managed confidentially and all technical and organizational measures being taken to ensure data security.

The Data Controller processes personal data lawfully and fairly and in a transparent manner for the Data Subject and any collection may only take place for a specific, explicit and legitimate purpose, appropriate and relevant to its purpose and limited to what is necessary. When processing personal data, the Data Controller endeavors to ensure that it is accurate and up-to-date and will take all reasonable steps to promptly delete or rectify any inaccurate personal data.

Given that the Data Operator is based in Romania, the protection offered in relation to the processing of personal data regulated by this Privacy Policy is guaranteed by the competent national supervisory authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP) .

 Data operator: HERET SRL

Contact: office@heret.ro

Trade register number: J5/1793/2023

VAT code: RO48472393

Register authority: Oficiul Registrul Comerțului pe lângă Tribunalul Bihor

WEB page: www.heret.ro

To exercise your rights and to obtain additional information regarding the processing of personal data, you can contact the Data Protection Officer at the e-mail address office@heret.ro

The data operator declares that, at all times, it will treat the personal data of any subject with whom it is not yet in a contractual relationship, such as any contracted User, in accordance with applicable law, in particular with:

• European Union Regulation: European Union General Data Protection Regulation 2016/679/EU (“GDPR”)

The Romanian Constitution:

• The new updated Civil Code 2019 – Law 287/2009
• Law no. 365/2002 on electronic commerce
• Law no. 363/2007 on combating unfair practices of traders in the relationship with consumers and harmonizing regulations with European legislation on consumer protection
• Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector, with subsequent amendments and additions).

Personal data are collected directly through HERET.RO, the collection being carried out in different stages, such as:

When you place an order on HERET.RO, you send us: name and surname, address (street, city, county), postal code, telephone number, e-mail address;

We may also collect and further process certain information about your behavior while visiting our website or using our smartphone app, in order to personalize your online experience and provide you with offers tailored to your profile. we invite you to find out more details in this regard by consulting the section regarding the purposes of processing below.

On our website we may store and collect information in cookies and similar technologies, according to the Cookie Policy.

We do not collect or otherwise process sensitive data, included by the General Data Protection Regulation in special categories of personal data. We also do not wish to collect or process data of minors under the age of 16.

 PROCESSING

1.TO PROVIDE HERET.RO SERVICES

DATA TYPES:     

• name, surname
• phone number
• delivery address
• invoice data
• info about product payment
• e-mail
• zip code

COLLECTION PURPOSE:

• Placing an order on HERET.RO
• Invoicing, order processing
• Returning products and resolving order cancellations
• To fulfill the Company’s legal obligations
• Delivery of products
• Direct marketing if there is express consent

LEGAL BASIS:

• Concluding and execution of a contract-art.6 letter f) GDPR
• Legal obligation – art. 6 letter c) GDPR
• Consent – art. 6 letter a) GDPR – in the case of direct marketing

2.TO IMPROVE OUR SERVICES

We may collect and use certain information related to your Buyer behavior, we may invite you to complete satisfaction surveys following the completion of an order, or we may conduct, directly or with the help of partners, studies and market research.

DATA TYPES: e-mail, phone number         

COLLECTION PURPOSE: optimizing and adapting the experience on HERET.RO     

LEGAL BASIS: Legitimate interest-art.6 letter f) GDPR

3.FOR MARKETING PURPOSES

 In order to promote the products sold, expand the visibility of HERET.RO and inform you about marketing campaigns, we collect and use the following types of data.

DATA TYPES: e-mail, phone number         

COLLECTION PURPOSE:

• Information on similar products, offers, promotions, complementary product recommendations
• Granting vouchers for shopping
• Information regarding promotional campaigns

LEGAL BASIS: art.6 letter a) GDPR- obtained in advance and with the possibility of withdrawal at any time.

You can change your mind and withdraw your consent at any time by:

• Accessing the unsubscribe link displayed in the messages you receive from us; or through
• Contacting HERET.RO using the contact details described above.

You can ask us at any time, by the means described above, to stop processing your personal data for marketing purposes, and we will comply with your request.

We will ask for your consent before we process your personal data for direct marketing purposes. In this case, we inform you that you will be able to withdraw your consent for marketing processing at any time, in which case you will no longer receive any marketing communications from us. We will include an unsubscribe link that you can use if you no longer want us to send you messages.

4.TO DEFEND OUR INTERESTS AND COMPLY WITH LEGAL PROVISIONS

There may be situations where we will use or share information to protect our rights and business. These may include:

• Protection measures for the website and users of the HERET.RO platform against cyber attacks:
• Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
• Measures to manage various other risks.

The general basis of these types of processing is our legitimate interest to defend our commercial activity as well as in order to fulfill some legal obligations that fall to us according to the legislation in force, it being understood that we ensure that all the measures we take guarantee a balance between the interests our and your fundamental rights and freedoms. How long we keep your personal data.

As a general rule, we will store your personal data provided for placing an order on HERET.RO (e-mail, first name, last name, telephone number, delivery address) for a period of 1 year from the last order placed. You may request that we delete certain information or close your account at any time, and we will comply with such requests, subject to the retention of certain information including after account closure, where applicable law or our legitimate interests require it. This exception may become applicable in the situation where the information is necessary for the defense of our rights in court or before the competent authorities or in other cases that involve the protection of our interests. In the case of this exception, the data is stored until the final completion of legal actions.

We constantly review the need to retain your personal data, and to the extent that processing is no longer necessary and there is no legal obligation to retain the data, we will destroy your personal data as soon as possible and in a way that does not can still be recovered or reconstructed (for example, we will delete/destroy all data of people who were not hired following interviews, if there is no serious prospect of employment in the future). If personal information is printed on paper, it will be destroyed in a secure way that ensures the impossibility of reconstitution, and if it is saved on electronic media, it will be deleted by technical means to ensure that the information is no longer they can be recovered or reconstituted later.

The data necessary for invoicing (address, customer name, etc.) and keeping accounting records are kept for a period of 10 years according to the applicable legislation, being a legal obligation of the Company. The processing and storage of other types of personal data will not exceed 3 years.

In order to carry out the commercial activity and fulfill the previously described purposes, as the case may be, we may transmit or provide access to certain of your personal data to the following categories of recipients:

• companies within the same group of companies as HERET.RO;
• RO partners;
• courier service providers;
• payment/banking service providers;
• marketing / telemarketing service providers;
• market research service providers;
• IT service providers;
• other companies with which we can develop joint programs for offering our goods and services on the market.

If we are under a legal obligation or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to public authorities.

We ensure that access to your data by third parties under private law is carried out in accordance with the legal provisions on data protection and information confidentiality, based on contracts concluded with them.

The privacy of your data is important to us, which is why, where possible, the transmission of personal data in accordance with the above is only carried out on the basis of a confidentiality undertaking from the recipients, guaranteeing that this data is kept safe and that the provision of this information is done in accordance with applicable law and policies. In any case, each time we will transmit to the recipients only the information strictly necessary to achieve the respective purpose.

Currently, we store and process your personal data on the territory of Romania. However, we may transfer certain of your personal data to entities located in the European Union or the European Economic Area.

We will always take steps to ensure that any international transfer of personal data is handled carefully to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for the Protection of Personal Data transferred from within the EU to the United States of America.

You can contact us at any time using the contact details set out above to find out more information about the countries to which we transfer your data and the safeguards we have put in place in relation to these transfers.

The General Data Protection Regulation recognizes a number of rights in relation to your personal data. According to the Regulation, you have the following rights:

1. The right to be informed about the processing of your data.
2. Right of access to data. You have the right to obtain from us a confirmation that personal data concerning you is being processed or not and, if so, access to the respective data and to the information provided by art. 15 para. (1) of the GDPR.
3. The right to rectify inaccurate or incomplete data. You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you.
4. The right to erasure (“the right to be forgotten”). In the situations provided for in art. 17 of the GDPR, you have the right to request and obtain the deletion of personal data.
5. The right to restrict processing. In the cases provided for in art. 18 of the GDPR, you have the right to request and obtain the restriction of processing.
6. The right to transfer the data we hold about you to another operator (“the right to portability”). The right to transfer the data we hold about you to another operator (“the right to portability”)
7. The right to object to data processing. In the cases provided for in art. 21 of the GDPR, you have the right to object to data processing.
8. The right not to be subject to a decision based solely on automatic processing, including the creation of profiles with legal or similar significant effects on you.
9. The right to go to court to defend your rights and interests.
10. The right to a complaint before a Supervisory Authority, the contact details being found in the following:

The National Supervisory Authority for the Processing of Personal Data

Address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, cod poștal 010336, București, România

e-mail:  anspdcp@dataprotection.ro

To be able to exercise your rights, you can contact us using the contact details, respectively ofQice@HERET.RO or at the company headquarters. The requests based on the exercise of the rights provided for in art. 15-21 of the GDPR will be formulated, mandatorily, in writing, in such a way as to ensure compliance with the provisions of the GDPR.

Please note the following points if you wish to exercise these rights:

Identity. We take the privacy of all records containing personal data seriously. For this reason, please send us your requests regarding such records using the e-mail address related to the HERET.RO account. Otherwise, we reserve the right to verify your identity by requesting additional information aimed at confirming your identity.

Fees. We will not charge a fee to exercise any right in relation to your personal data, unless your request for access to the information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees applied before we settle your claim.

Response time. We aim to respond to any valid requests within a maximum of one month, unless this is particularly complicated or you have made multiple requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We may ask if you can tell us exactly what you want to receive or what you are concerned about. This will help us act faster and shorten the response time to your request. Third Party Rights. We must not comply with a request if it would adversely affect the rights and freedoms of other data subjects.

This document is protected by copyright law and may not be reproduced in whole or in part without the express consent of the author.