Privacy Policy

1. Introduction

  • Overview: The policy starts with an introduction that explains the website’s commitment to protecting the privacy of its customers and users.
  • Company Information: It will include details about the business, such as the name of the company (e.g., Romania Ltd), its registered address, and contact information for data protection inquiries.

2. Data Collection

  • Types of Data Collected: The policy should specify what types of personal data are collected from users. This can include:
    • Personal Information: Name, address, email address, phone number.
    • Payment Information: Credit/debit card details (but payment processing is typically handled by a third party).
    • Transaction Data: Purchase history, order information, and preferences.
    • Device Information: IP address, browser type, cookies, and device identifiers (collected for website functionality and analytics).

3. Purpose of Data Collection

  • Order Processing: Data is collected to process and deliver orders, confirm transactions, and communicate with customers.
  • Marketing and Promotions: Information may be used for marketing purposes, including email newsletters, promotions, or special offers (with user consent).
  • Customer Support: Data is used to handle inquiries, complaints, or returns and to improve customer service.
  • Legal Compliance: Data may be collected to comply with legal obligations, such as tax requirements or fraud prevention.

4. Legal Basis for Data Processing

Under GDPR, businesses must specify the legal basis for processing personal data. Common bases include:

  • Consent: The user has explicitly agreed to the collection and use of their data (e.g., through an opt-in form).
  • Contractual Necessity: Data is needed to fulfill a contract (e.g., processing and delivering an order).
  • Legitimate Interests: The company has a legitimate interest in processing data (e.g., for marketing or fraud prevention).
  • Legal Obligation: Data is processed to comply with a legal requirement.

5. Data Sharing and Third Parties

  • Third-Party Service Providers: The policy should disclose if the e-commerce site shares customer data with third-party services such as payment processors, shipping companies, or marketing platforms.
  • Data Protection: Any third parties that have access to customer data must be compliant with GDPR, and the e-commerce site must ensure that data is protected through contracts or agreements.

6. Data Retention

  • Retention Period: The policy should explain how long the e-commerce site will keep personal data. For example, personal data may be retained as long as necessary to fulfill orders, provide customer support, or comply with legal requirements.
  • Deletion or Anonymization: Once the data is no longer needed, it should be deleted or anonymized as per GDPR guidelines.

7. Data Security

  • Protection Measures: The policy should mention the security measures in place to protect customer data from unauthorized access, loss, or breaches. This includes using encryption, firewalls, and secure payment gateways.
  • Breaches: The site should outline the procedure in case of a data breach and how customers will be informed if their data is compromised.

8. Cookies and Tracking Technologies

  • Use of Cookies: The policy must explain how cookies are used on the website. Cookies are small files placed on a user’s device to track behavior and preferences.
  • Cookie Consent: Users must be informed of cookie usage, and they must give consent before cookies are placed on their devices (as per GDPR guidelines).

9. User Rights

Under GDPR, customers have several rights regarding their data:

  • Right to Access: Customers can request access to the personal data held by the e-commerce site.
  • Right to Rectification: Customers can ask for corrections to inaccurate data.
  • Right to Erasure: Also known as the “right to be forgotten,” users can request the deletion of their data.
  • Right to Restrict Processing: Customers can request that their data be restricted from processing in certain circumstances.
  • Right to Data Portability: Customers can request their data in a structured, machine-readable format to transfer to another provider.
  • Right to Object: Customers can object to data processing for marketing purposes.
  • Right to Withdraw Consent: If data processing is based on consent, customers can withdraw their consent at any time.

10. Contact Information

  • Data Protection Officer (DPO): If the business is required to have a Data Protection Officer, their contact details will be provided.
  • Customer Inquiries: Information on how customers can contact the company for any data privacy-related inquiries, including email addresses or phone numbers.

11. Updates to the Privacy Policy

  • The privacy policy should include a statement that the policy may be updated over time, and users will be notified of significant changes.

12. International Transfers

  • If personal data is transferred outside the EU/EEA (for example, to a third-party service provider in the US), the policy should clarify the mechanisms in place to protect the data (such as the use of Standard Contractual Clauses or the Privacy Shield Framework).