Privacy Policy and processing of personal data
This document is protected by copyright law and may not be reproduced in whole or in part without the express consent of the author.
#001 introduction
We consider ensuring the right to the protection of personal data as a fundamental commitment of HERET.RO, therefore we will devote all the necessary resources and efforts to process your data in full accordance with Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR), as well as with any other legislation applicable on the territory of Romania. As one of the essential principles of this legal framework is transparency, we have prepared this document to inform you about how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and services, including through our website or apps available on your mobile phone.
We reserve the right to periodically update and amend this Privacy Policy to reflect any changes in the way we process your personal data or any changes in legal requirements. In case of any such change, we will display on our website the modified version of the Privacy Policy, which is why we ask you to periodically check the content of this Privacy Policy.
HERET.RO (hereinafter: “Data Operator”) is a company incorporated and operating in Romania, whose main field of activity is the sale of products through the HERET.RO website. In this Privacy Policy, the terms “company”, “we”, “our” etc. always represent the data controller.
The terms “you”, “user”, “customer” refer to the person who either accesses HERET.RO, creates an account or purchases the products sold by the company.
The user is informed about the provisions of this Privacy Policy when creating the account on HERET.RO, when requesting the information necessary to validate the account and when placing an order on HERET.RO. The user confirms that he has been informed about the Privacy Policy by checking the relevant section on the site, during account creation or order completion.
By creating an account or placing an order, the User gives consent for the use of data for marketing purposes. This consent may be withdrawn at any time through the platform or through the communication channel used.
The data controller is responsible for the development of this Privacy Policy, for ensuring compliance, and for monitoring and making any necessary updates. The Data Controller may unilaterally and at any time modify this Privacy Policy. Some business processes and improvements may require adjustments to data management practices. The Data Controller undertakes to comply with GDPR directives in all cases involving personal data processing. This Privacy Policy enters into force upon publication.
The data controller grants each interested person the right to know the purpose of processing, the duration (where possible), recipients of data, the logic of automated processing, and the consequences of such processing. This right shall not adversely affect the rights and freedoms of others, including trade secrets or intellectual property rights.
Acceptance of this Privacy Policy by electronic means is voluntary, specific and informed, confirming that you have read its provisions.
The data operator undertakes to protect users’ personal data, ensuring confidential processing and implementing all necessary technical and organizational measures for data security.
The Data Controller processes personal data lawfully, fairly and transparently. Data is collected only for specific, explicit and legitimate purposes, limited to what is necessary. The Data Controller ensures that data is accurate and up to date and will promptly correct or delete inaccurate data.
As the Data Operator is based in Romania, data protection is guaranteed by the competent national authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP).
Data operator: HERET SRL
Contact: office@heret.ro
Trade register number: J2023001793056
VAT code: RO48472393
Register authority: Oficiul Registrul Comerțului pe lângă Tribunalul Bihor
WEB page: www.heret.ro
To exercise your rights and obtain additional information regarding data processing, you may contact the Data Protection Officer at: office@heret.ro
#002 applicable law
The data operator declares that, at all times, it will treat the personal data of any subject with whom it is not yet in a contractual relationship, as well as that of any contracted User, in accordance with applicable law, in particular with:
- European Union Regulation: European Union General Data Protection Regulation 2016/679/EU (“GDPR”)
- The Romanian Constitution
- The new updated Civil Code 2019 – Law 287/2009
- Law no. 365/2002 on electronic commerce
- Law no. 363/2007 on combating unfair practices of traders in the relationship with consumers and harmonizing regulations with European legislation on consumer protection
- Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector, with subsequent amendments and additions.
#003 what categories of data we process
Personal data are collected directly through HERET.RO, the collection being carried out in different stages, such as:
When you place an order on HERET.RO, you send us: name and surname, address (street, city, county), postal code, telephone number, e-mail address. We may also collect and further process certain information about your behavior while visiting our website or using our smartphone app, in order to personalize your online experience and provide you with offers tailored to your profile. We invite you to find out more details in this regard by consulting the section regarding the purposes of processing below.
On our website we may store and collect information in cookies and similar technologies, according to the Cookie Policy. We do not collect or otherwise process sensitive data, included by the General Data Protection Regulation in special categories of personal data. We also do not wish to collect or process data of minors under the age of 16.
#004 type of collected data, purposes and legal basis of data processing
1. TO PROVIDE HERET.RO SERVICES
DATA TYPES:
- name, surname
- phone number
- delivery address
- invoice data
- info about product payment
- zip code
COLLECTION PURPOSE:
- Placing an order on HERET.RO
- Invoicing, order processing
- Returning products and resolving order cancellations
- To fulfill the Company’s legal obligations
- Delivery of products
- Direct marketing if there is express consent
LEGAL BASIS:
- Conclusion and execution of a contract – art. 6 letter f) GDPR
- Legal obligation – art. 6 letter c) GDPR
- Consent – art. 6 letter a) GDPR – in the case of direct marketing
2. TO IMPROVE OUR SERVICES
We may collect and use certain information related to your behavior as a Buyer, we may invite you to complete satisfaction surveys following the completion of an order, or we may conduct, directly or with the help of partners, studies and market research.
DATA TYPES: e-mail, phone number
COLLECTION PURPOSE: optimizing and adapting the experience on HERET.RO
LEGAL BASIS: Legitimate interest – art. 6 letter f) GDPR
3. FOR MARKETING PURPOSES
In order to promote the products sold, expand the visibility of HERET.RO and inform you about marketing campaigns, we collect and use the following types of data.
DATA TYPES: e-mail, phone number
COLLECTION PURPOSE:
- Information on similar products, offers, promotions, complementary product recommendations
- Granting vouchers for shopping
- Information regarding promotional campaigns
LEGAL BASIS: art. 6 letter a) GDPR – obtained in advance and with the possibility of withdrawal at any time.
You can change your mind and withdraw your consent at any time by:
- Accessing the unsubscribe link displayed in the messages you receive from us; or
- Contacting HERET.RO using the contact details described above.
You can ask us at any time to stop processing your personal data for marketing purposes, and we will comply with your request. We will ask for your consent before processing your personal data for direct marketing purposes. You may withdraw consent at any time and will no longer receive marketing communications. We will include an unsubscribe link in all marketing messages.
4. TO DEFEND OUR INTERESTS AND COMPLY WITH LEGAL PROVISIONS
There may be situations where we will use or share information to protect our rights and business. These may include:
- Protection measures for the website and users of the HERET.RO platform against cyber attacks
- Measures to prevent and detect fraud attempts, including transmission of information to competent public authorities
- Measures to manage various other risks
The general basis of these types of processing is our legitimate interest to defend our commercial activity as well as compliance with legal obligations. We ensure a balance between our interests and your fundamental rights and freedoms.
5. TO NOTIFY YOU ABOUT PRODUCT AVAILABILITY
In order to keep you informed about the availability of products you are interested in, we collect and use your email address and product identification information. When you request to be notified about a product that is currently out of stock, we will send you a notification email as soon as that product becomes available again.
DATA TYPES: email, product ID
COLLECTION PURPOSE: notifying you when a previously unavailable product becomes available in stock
LEGAL BASIS: art. 6 letter a) GDPR – obtained in advance and with the possibility of withdrawal at any time.
You can change your mind and withdraw your consent at any time by:
- Accessing the unsubscribe link displayed in the notification email you receive from us; or
- Contacting HERET.RO using the contact details described above.
How long we keep your personal data
As a general rule, we will store your personal data provided for placing an order on HERET.RO (e-mail, first name, last name, telephone number, delivery address) for a period of 1 year from the last order placed. You may request deletion or account closure at any time, subject to legal retention obligations or legitimate interests. In such cases, data may be stored until final resolution of legal actions.
We constantly review the need to retain personal data and delete it when no longer necessary or legally required. Data stored electronically will be deleted securely so it cannot be recovered. The data necessary for invoicing and accounting records is kept for 10 years according to legal obligations. Other personal data is stored for a maximum of 3 years.
#005 transmission of personal data
In order to carry out the commercial activity and fulfill the previously described purposes, as the case may be, we may transmit or provide access to certain of your personal data to the following categories of recipients:
- companies within the same group of companies as HERET.RO;
- RO partners;
- courier service providers;
- payment/banking service providers;
- marketing / telemarketing service providers;
- market research service providers;
- IT service providers;
- other companies with which we can develop joint programs for offering our goods and services on the market.
If we are under a legal obligation or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to public authorities.
We ensure that access to your data by third parties under private law is carried out in accordance with the legal provisions on data protection and information confidentiality, based on contracts concluded with them.
The privacy of your data is important to us, which is why, where possible, the transmission of personal data in accordance with the above is only carried out on the basis of a confidentiality undertaking from the recipients, guaranteeing that this data is kept safe and that the provision of this information is done in accordance with applicable law and policies. In any case, each time we will transmit to the recipients only the information strictly necessary to achieve the respective purpose.
#006 transmission of data to other states
Currently, we store and process your personal data on the territory of Romania. However, we may transfer certain of your personal data to entities located in the European Union or the European Economic Area.
We will always take steps to ensure that any international transfer of personal data is handled carefully to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for the Protection of Personal Data transferred from within the EU to the United States of America.
You can contact us at any time using the contact details set out above to find out more information about the countries to which we transfer your data and the safeguards we have put in place in relation to these transfers.
#007 security of personal data
We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures, set out in our internal privacy policies and in line with industry standards.
The transmission of your personal data is done using state-of-the-art encryption algorithms and we store them on secure servers, ensuring data redundancy at the same time.
To make payments we use the services of the payment processor. Any payment information is encrypted, using HTTPS technology with TLS 1.2 encryption.
Despite the measures taken to protect your personal data, we draw your attention to the fact that the transmission of information over the Internet in general or through other public networks is not completely secure; there is a risk that the data will be seen and used by unauthorized third parties. We cannot be held responsible for such vulnerabilities of systems beyond our control.
#008 your rights regarding data processing
The General Data Protection Regulation recognizes a number of rights in relation to your personal data. According to the Regulation, you have the following rights:
- The right to be informed about the processing of your data.
- The right of access to data. You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed and, if so, access to the respective data and to the information provided by art. 15 para. (1) of the GDPR.
- The right to rectify inaccurate or incomplete data. You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you.
- The right to erasure (“the right to be forgotten”). In the situations provided for in art. 17 of the GDPR, you have the right to request and obtain the deletion of personal data.
- The right to restrict processing. In the cases provided for in art. 18 of the GDPR, you have the right to request and obtain the restriction of processing.
- The right to transfer the data we hold about you to another operator (“the right to portability”).
- The right to object to data processing. In the cases provided for in art. 21 of the GDPR, you have the right to object to data processing.
- The right not to be subject to a decision based solely on automatic processing, including the creation of profiles with legal or similar significant effects on you.
- The right to go to court to defend your rights and interests.
- The right to lodge a complaint with a Supervisory Authority, whose contact details are as follows:
The National Supervisory Authority for the Processing of Personal Data
Address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, cod poștal 010336, București, România
e-mail: anspdcp@dataprotection.ro
To exercise your rights, you can contact us using the contact details above, namely office@heret.ro, or at the company headquarters. Requests based on the exercise of the rights provided for in art. 15-21 of the GDPR must be made in writing, in such a way as to ensure compliance with the provisions of the GDPR.
Please note the following points if you wish to exercise these rights:
Identity. We take the privacy of all records containing personal data seriously. For this reason, please send us your requests regarding such records using the e-mail address related to the HERET.RO account. Otherwise, we reserve the right to verify your identity by requesting additional information aimed at confirming your identity.
Fees. We will not charge a fee to exercise any right in relation to your personal data, unless your request for access to the information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount. We will inform you of any fees applied before we settle your claim.
Response time. We aim to respond to any valid requests within a maximum of one month, unless this is particularly complicated or you have made multiple requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We may ask if you can tell us exactly what you want to receive or what you are concerned about. This will help us act faster and shorten the response time to your request.
Third Party Rights. We must not comply with a request if it would adversely affect the rights and freedoms of other data subjects.
The English version of this Privacy Policy is the official version. The Romanian translation is provided for convenience.