Privacy Policy

Find out all the details about how we store and manage your personal data in our Privacy Policy.

1. General Information.

a) Introduction
  • We inform you that we process your personal data in compliance with European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Regulation).
  • Its main purpose is to increase the level of protection of personal data and create a climate of trust that allows each person to control their own data.
  • Therefore, we believe that this is the right time to inform you about how we protect your personal data and how we comply with the provisions of the Regulation.
  • The following document presents our data protection policy, which is designed to inform you about the processing of your personal data and your rights regarding this processing in accordance with the General Data Protection Regulation ('GDPR') and applicable local legislation.
b) The controller
  • We, the company Grepfrut SRL , CUI 48350280, with headquarters in Iași, str. Vasile Pogor nr. 6, mansardă, camera 8, jud. Iași, represent the operator, in accordance with the GDPR, and are therefore responsible for the data processing described below. For questions or requests regarding data processing, please contact us.
  • This data is collected only with your consent.
  • Your refusal makes it impossible for the operator to conclude the contract for the provision of services/sale of products, to send information or the products ordered, as the latter lacks one of the essential conditions, namely the identity of the parties.
c) Personal data

Grepfrut SRL processes the following personal data:

  • The Customer's first and last name, telephone number, email address.
  • The child's first and last name, age, eye and hair color.
  • Information about your use of our website.
  • Communications you make with us or direct to us via emails and phone calls.
  • Information about your computer and your visits to and use of this website, including your IP address, geographical location, browser type, referral source, length of visit, page views, and whether you opened emails from us or clicked on links in our emails.

2. Information about Processing.

a) Types of data processing

'Processing' means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

b) Principles of personal data processing

The controller shall comply with the principles of personal data protection (hereinafter referred to as ‘Principles’) set out in the GDPR to ensure that all data is:

  • Processed fairly, lawfully, and transparently;
  • Collected for specified, explicit, and legitimate purposes;
  • Adequate, relevant, and limited in relation to the purposes for which they are processed;
  • Accurate and kept up to date;
  • Kept in a form which does not permit identification of data subjects for longer than is necessary for the purposes for which the data were processed;
  • Processed in accordance with the rights of the data subject in a manner that ensures appropriate security of the processing, including appropriate security measures to protect the data against accidental loss or destruction or accidental or unlawful processing or access.
c) Purposes and grounds for data processing

User registration and order placement. We will process the personal data collected through the registration form on our website through which you create an account or place an order for better and easier administration. We also collect your data so that we can: register an order, process orders, pick up, deliver, and invoice them, cancel orders, and resolve complaints or other issues related to the order. This processing is necessary for the conclusion and performance of the contract.

Improvement and development of services: Analyzing how you use our services helps us to understand you better and shows us what we can improve. For example: we analyze your purchase history to provide you with information or advice on how you can best use our services, we analyze the results of our marketing activities to measure their effectiveness and the relevance of our campaigns. This processing is based on our legitimate interest in conducting commercial activities.

Compliance with legal obligations. Personal data may be processed for the purpose of complying with legal obligations. We use your payment information for accounting, billing, and auditing purposes and to detect and/or prevent any fraudulent activity, if applicable. Processing is necessary for compliance with a legal obligation.

For marketing purposes. We want to keep you informed about the best offers for products that interest you. To this end, we may send you any type of message (such as email/SMS/telephone/web push/etc.) containing general and thematic information, information about our products, similar or complementary to those you have purchased, information about offers or promotions, information about products added to the 'My Account/My Cart' section or that you have entered in the order form and for which you have shown an interest in purchasing. In order to provide you with information that is of interest to you, we may use certain data about your purchasing behavior (e.g., products viewed/added to your wish list/purchased) to create a profile for you. In most cases, we base our marketing communications on your prior consent. You can change your mind and withdraw your consent at any time by sending an email to the contact address. Processing is based on the consent you have given.

To defend our interests. In certain cases, we may use or disclose information to protect our rights and business, such as: measures to protect our website and users from cyber attacks, measures to prevent and detect fraud attempts, including the disclosure of information to the relevant public authorities, or measures to manage various other risks.The general basis for these types of processing is our legitimate interest in protecting our business.

d) Data recipients

To achieve the above purposes, we use service providers, i.e. persons authorized under Art. 28 of the GDPR, such as our hosting, platform, and maintenance service providers, for sending emails and text messages, telephone contact, external collaborators, all of whom may be located in Romania or outside Romania or the European Union/European Economic Area.

We ensure, for example, through contractual provisions, that these service providers process personal data in accordance with European data protection legislation in order to guarantee a high level of data protection (e.g., standard contractual clauses, the existence of binding corporate rules, etc.). even if personal data is transferred to a country where a different level of data protection is normally applied and for which no adequacy decision has been made by the EU Commission.

For more information about the appropriate protection of international data transfers or copies thereof, please contact our data protection officer by email at: [email protected].

e) How long we keep it

We store your personal data for as long as you have an account on our website and for as long as processing is necessary, as well as until you request us to delete it. We will comply with these requests, subject to the retention of certain information even after the account is closed, in cases where applicable law or our legitimate interests require it.

When we no longer need your personal data, we will delete or destroy it securely. We will also consider whether and how we can minimize the amount of personal data we use over time and whether we can ensure the anonymity of your personal data so that it is no longer associated with you or identifies you, in which case we may use that information without further notice to you.

3. Your rights.

You can contact the company to exercise your rights under Regulation No. 2016/679 at the following contact details:

Grepfrut SRL , CUI 48350280, with registered office in Iași, str. Vasile Pogor nr. 6, mansardă, camera 8, jud. Iași, email [email protected]

To obtain official interpretations regarding the exercise of your rights under the legislation on the protection of personal data or to express your dissatisfaction with the manner in which we process personal data, you may contact the National Supervisory Authority for Personal Data Processing at the following contact details: (i) by post or courier to the address in Bucharest, 28-30 General Gheorghe Magheru Boulevard, Sector 1, postal code 010336, (ii) by email to: [email protected], (iii) by fax to 0318.059.602 or (iv) by telephone at 0318.059.211.

In accordance with the GDPR. These rights are as follows:

  • The right to receive information about the processing of data and a copy of the processed data (right of access, Article 15 GDPR),
  • The right to request the rectification of inaccurate data or the completion of incomplete data (right of access, Article 16 GDPR),
  • Right to request the deletion of personal data (right to be forgotten) and, if the personal data has been made public, the transmission of information regarding the deletion request to other controllers (right to erasure, Article 17 GDPR),
  • Right to request restriction of data processing (right to restriction of processing, Article 18 GDPR) - you may request restriction of processing if you contest the accuracy of the data, as well as in other cases provided for by law,
  • Right to receive personal data concerning the data subject in a structured, commonly used and machine-readable format and to request the transmission of such data to another controller (right to data portability, Article 20 GDPR),
  • The right to object to processing with the intention of terminating the processing – you may object, in particular, to data processing based on our legitimate interest (right to object, Article 21 GDPR),
  • Right to withdraw consent at any time to stop data processing based on your consent. Withdrawal will not affect the lawfulness of processing based on consent given before withdrawal (right to withdraw consent, Article 7 GDPR),
  • Right to lodge a complaint with a supervisory authority if you consider that the data processing is a breach of the GDPR (right to lodge a complaint with a supervisory authority, Article 77 GDPR),
  • Additional rights related to automated decisions: you may request and obtain human intervention with regard to the processing, express your own point of view on the processing, and contest the decision.

4. Security of processing.

We have adopted technical and organizational measures for data processing, updated in accordance with the requirements of the GDPR, in order to protect your personal data against any unauthorized access, improper use or transmission, unauthorized modification, destruction or accidental loss. All our employees and collaborators, as well as any third parties acting on our behalf, are required to respect the confidentiality of your information and the requirements of the GDPR, in accordance with the provisions of this Policy.

We ensure that our contractual partners who have access to the personal data we process are subject to contractual obligations in accordance with legal provisions and that we verify their compliance with the obligations they have undertaken. They will process personal data on our behalf and only in accordance with the instructions received from us and only in compliance with the security and confidentiality requirements within the limits imposed.

5. Processing of personal data in partnership

Some of the personal data processed through our website may be transferred to third parties and you expressly consent to this, as well as in situations where there is a legal obligation for the controller to do so.

Our website may at times contain links to other websites whose data processing policies may differ from ours.

Please also consider and consult the personal data protection policies of the other websites, as we cannot assume responsibility for them.