Privacy Policy

This document is provided for information purposes and is being reviewed by a legal adviser / data protection officer before the official launch of the online shop. It does not constitute legal advice. Certain trader identification details (legal name, tax identification code, Trade Register number, registered office, IBAN) are shown as placeholders of the form „[CLIENT: …]” and will be completed with the real information before publication.

This Privacy Policy describes how „Meșteșugarul Brăilean” processes the personal data of customers, website visitors and persons who contact us or place an order, as well as the rights you are entitled to. The processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR), with Law no. 190/2018 and with Law no. 506/2004.

We recommend that you read this document carefully. For any clarification, you can contact us using the details below.

The controller of the personal data is the trader operating under the trade name „Meșteșugarul Brăilean” (a workshop and shop for fur and leather goods — making, sale and reconditioning/restoration), with its premises in Brăila, Romania.

• Legal name: [CLIENT: company/sole-trader name]

• Tax identification code (CUI): [CLIENT: CUI]

• Trade Register registration number: [CLIENT: J__/____/____]

• Registered office / place of business (workshop and shop): [CLIENT: full address], Brăila, Romania

• E-mail: [CLIENT: e-mail address]

• Phone / WhatsApp: [CLIENT: phone number]

For any question or request regarding the processing of your data and the exercise of the rights provided by the GDPR, you can write to us at the e-mail address above or in writing, at the address indicated, marked „For the attention of the data protection officer”.

Given the nature and size of the business (a small workshop and shop, without large-scale processing within the meaning of Art. 37 GDPR), we have not appointed a Data Protection Officer (DPO). However, we have established the e-mail address above as the contact point for all data protection matters. Insofar as we process the personal numerical code (CNP) — usually only when it is necessary for issuing fiscal documents —, we apply the additional safeguards required by Art. 4 of Law no. 190/2018.

Depending on how you interact with us, we may process the following categories of data:

• Identification and contact data: surname, first name, e-mail address, telephone number and, where applicable, the delivery and billing address. The CNP or, for business customers, the tax identification code may be processed only when they are necessary for issuing the invoice or other documents required by law.

• Order data: the products ordered, the dimensions/measurements provided, the options chosen (material, colour, personalisation), the order value, the payment and delivery method, the history of orders and requests.

• Data submitted through the website forms (the contact form, the quote/estimate request, the made-to-order form): the content of the message, the reason for the request, any photographs of the item you wish to repair or have us reproduce, and any other information you choose to include.

• Data from your interaction with us: correspondence (e-mail, telephone, WhatsApp), the history of quote requests, visit bookings and service/restoration requests.

• Data from your interaction with the virtual assistant (chatbot): the content of the conversation and the questions you ask.

• Technical and website usage data: IP address, device and browser identifiers, the pages accessed, the date and time of access, as well as the data collected through cookies and similar technologies (including, where enabled, Google Analytics 4 and Google Ads), under the conditions described in the Cookies Policy and only on the basis of your consent.

• Data from public reviews: the displayed name and the content of the review you have published on external platforms (for example Google or Facebook).

We do not ask for and do not wish to receive, through online channels, more data than is necessary for the specific purpose of the interaction. We do not process special categories of data (such as health data) for the purposes of our commercial activity; please do not submit such data through the website forms.

We process your data only for specific purposes and on the basis of a legal ground provided by the GDPR:

• Conclusion and performance of the distance sales contract (taking, confirming, preparing and delivering the order and managing returns) — basis: the performance of a contract to which you are a party or steps taken at your request prior to entering into the contract [Art. 6(1)(b) GDPR].

• Handling requests submitted through the contact form, by e-mail, by telephone or via WhatsApp (including quote/estimate requests, made-to-order requests and repair/restoration requests) — basis: pre-contractual steps at your request [Art. 6(1)(b) GDPR] and, where applicable, our legitimate interest in responding to you and communicating efficiently [Art. 6(1)(f) GDPR].

• Invoicing and compliance with accounting and tax obligations (issuing and keeping invoices, including in the national RO e-Factura system, accounting records, reports to authorities) — basis: legal obligation [Art. 6(1)(c) GDPR].

• Handling withdrawal requests, returns, complaints and requests concerning the legal guarantee of conformity — bases: performance of the contract [Art. 6(1)(b) GDPR] and legal obligation [Art. 6(1)(c) GDPR].

• Cookies and analytics and advertising tools (for example Google Analytics 4, Google Ads) — basis: your consent [Art. 6(1)(a) GDPR], which you can give or refuse from the cookie banner and withdraw at any time.

• Marketing communications (for example newsletters, offers, promotional messages by e-mail, SMS or WhatsApp) — only if you have given your prior consent [Art. 6(1)(a) GDPR in conjunction with Art. 12 of Law no. 506/2004]; you can unsubscribe at any time (for example by „STOP”/„OPRESTE” or via the unsubscribe link).

• Ensuring the security of the website and systems, preventing fraud and diagnosing technical problems — basis: our legitimate interest in maintaining a safe and functional online environment [Art. 6(1)(f) GDPR].

• Establishing, exercising or defending a legal claim in court — basis: legitimate interest [Art. 6(1)(f) GDPR] or legal obligation [Art. 6(1)(c) GDPR].

When we rely on legitimate interest, this consists of the ability to give you a prompt response, to keep a record of correspondence, to organise our activity and to protect our rights; this interest has been assessed and balanced against your rights and freedoms.

We do not sell your data. We may disclose it or make it accessible to the following categories of recipients, strictly to the extent necessary:

• Courier and transport service providers — for delivering orders and managing returns; they receive the delivery data needed (name, address, telephone).

• Payment service providers — the online payment processor (for example a processor such as Netopia/Stripe) and/or the bank, for the secure processing of payments; card details are entered directly into the processor's secure environment and we do not store the full card number.

• The invoicing and accounting service provider and the national RO e-Factura system administered by ANAF — for issuing invoices and meeting accounting and tax obligations.

• The hosting and web infrastructure provider — Amazon Web Services (AWS), through the AWS Amplify service, which hosts the website and securely stores the data from the forms.

• Amazon Web Services (Amazon Bedrock) — for the operation of the virtual assistant (chatbot), which processes the content of conversations in order to generate responses; the service is used in a region within the European Union.

• Google — for displaying maps (Google Maps), for displaying reviews and, only with your consent, for analytics and advertising (Google Analytics 4, Google Ads).

• The messaging service provider — a specialised provider of e-mail and message delivery services (for example for order confirmations and newsletters), on the basis of contractual guarantees of confidentiality and security.

• Public authorities, courts or other bodies, when we have a legal obligation to do so.

Where these providers process data on our behalf, they act as processors and are bound by data processing agreements concluded in accordance with Art. 28 GDPR, which require confidentiality, appropriate security measures and processing solely on the basis of our instructions.

Some of our providers (in particular Google and, where applicable, AWS) may process data on servers located outside the European Economic Area, including in the United States of America.

When such transfers take place, we ensure that they are protected by appropriate safeguards within the meaning of the GDPR: the Standard Contractual Clauses adopted by the European Commission [Art. 46(2)(c) GDPR] and/or the provider's certification under the EU-U.S. Data Privacy Framework, where applicable. You have the right to obtain a copy of the safeguards applied or information about where they have been made available, by contacting us at the details above.

We keep the data only for as long as is necessary for the purposes for which it was collected or to comply with legal obligations. The main periods are:

• Invoices and supporting accounting documents: 10 years, in accordance with Art. 25 of Accounting Law no. 82/1991, republished, as subsequently amended; other financial-accounting documents are kept for the period provided by the applicable regulations.

• Order and contract data (including related correspondence): for the duration of the performance of the contract and, subsequently, for the period necessary to handle the legal guarantee of conformity and any disputes — as a rule for the general limitation period of 3 years [Art. 2517 of the Civil Code], except where a longer period is required by law or necessary to defend a claim.

• Requests submitted through the contact form and the related correspondence (including quote requests that do not result in an order): for the time needed to handle them and, subsequently, for a proportionate period (as a rule up to 24 months), except where they are necessary to defend a claim or to comply with a legal obligation.

• Technical logs and security data: short periods, proportionate to the security and diagnostic purpose.

• Data processed on the basis of consent (for example analytics or advertising cookies or newsletter subscription): until consent is withdrawn or until the cookie's duration expires, in accordance with the Cookies Policy.

Upon expiry of these periods, the data is securely deleted or anonymised.

As a data subject, you have the following rights provided by the GDPR:

• The right of access (Art. 15): to obtain confirmation that we process your data and a copy of it.

• The right to rectification (Art. 16): to correct inaccurate data or to complete incomplete data.

• The right to erasure — the „right to be forgotten” (Art. 17): to obtain the erasure of the data under certain conditions. This right is not absolute: it does not apply where the processing is necessary to comply with a legal obligation [Art. 17(3)(b) GDPR] — for example, we cannot delete invoices and accounting documents before the legal retention periods expire.

• The right to restriction of processing (Art. 18).

• The right to data portability (Art. 20), for data processed by automated means, on the basis of consent or of a contract.

• The right to object (Art. 21): to object to processing based on our legitimate interest, on grounds relating to your particular situation, as well as, at any time and without justification, to processing for direct marketing purposes.

• Rights related to automated individual decision-making (Art. 22) — see the section on the virtual assistant.

• The right to withdraw consent at any time [Art. 7(3) GDPR], where the processing is based on consent (for example analytics or advertising cookies or newsletter subscription). Withdrawal does not affect the lawfulness of processing carried out beforehand.

• The right to lodge a complaint with the supervisory authority (see the ANSPDCP section).

To exercise your rights, you can contact us through the channels indicated in the section on the controller. We will reply, as a rule, within one month of receiving the request, a period that may be extended by two months in the case of complex or numerous requests, in which case you will be informed. To protect you, we may ask you for additional information necessary to confirm your identity.

You have the right to obtain a first copy free of charge of your data. For any additional copy we may charge a reasonable fee based on administrative costs [Art. 15(3) GDPR]. In the case of manifestly unfounded or excessive requests, in particular due to their repetitive character, we may either charge a reasonable fee or refuse to act on the request [Art. 12(5) GDPR].

When we display customer reviews on the website, we may collect data (the displayed name and the content of the review) from external, publicly accessible sources, namely the platforms on which you have published these reviews (for example Google or Facebook). In accordance with Art. 14 GDPR, we inform you that the source of this data is the platform on which you published the review, and that its display on the website is based on our legitimate interest in presenting genuine customer opinions [Art. 6(1)(f) GDPR]. You can object to the display by contacting us at the controller's details.

We do not publish or use a score or an average rating generated by us, and we do not fabricate reviews or scores.

For the Google integrations (maps, reviews and any analytics modules), „Meșteșugarul Brăilean” is responsible solely for the operation of collecting and transmitting the data to Google from this website. The processing that Google subsequently carries out, for its own purposes, is carried out under Google's responsibility as an independent controller, in accordance with its policies; for these you can contact Google directly.

Our website and online services are not intended for direct use by minors without the involvement of a parent or legal guardian, and orders may be placed only by persons with full legal capacity. As regards services offered on the basis of consent (for example certain cookies or newsletter subscription), the processing of a minor's data is permitted only under the conditions of Art. 8 GDPR in conjunction with national law.

We do not knowingly collect data from minors in the absence of the consent of a parent or legal guardian. If you are a parent or legal guardian and consider that a minor has provided us with data without your consent, please contact us so that we can take the necessary measures.

We apply appropriate technical and organisational measures to protect the data against unauthorised access, loss, destruction or disclosure [Art. 32 GDPR]: access control, encryption in transit, restriction of access on a need-to-know basis, internal policies and training of the persons involved. Card payments are made in the secure environment of the payment processor, with authentication in accordance with the applicable standards; we do not store the full card number. No method of transmission or storage is completely secure; we make reasonable efforts to protect the data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ANSPDCP within 72 hours of becoming aware of it [Art. 33 GDPR]. When the breach is likely to result in a high risk, we will also inform you, without undue delay [Art. 34 GDPR].

The virtual assistant (chatbot) available on the website provides automated answers to questions of a general nature (information about products, materials, care, repair services, opening hours and contact) and has a purely informational role. We inform you that you are interacting with an automated system, not with a natural person, in accordance with Art. 50 of Regulation (EU) 2024/1689 on artificial intelligence.

We do not take decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you [Art. 22 GDPR]. In particular, any indicative price estimates for a repair provided by the virtual assistant do not constitute a firm offer and produce no legal effects; any estimate becomes binding only after the concrete assessment of the item and confirmation by the workshop. We recommend that you do not enter sensitive personal data into the conversation.

Providing the data requested to place and perform an order (name, contact details, delivery and billing address) is necessary for the conclusion and performance of the sales contract; if you do not provide this data, we will not be able to process the order, issue the invoice or carry out the delivery. Providing the data requested through the other website forms (contact, quote request) is necessary in order to act on your request. Providing the data processed on the basis of consent (for example analytics or advertising cookies or newsletter subscription) is optional, and refusal does not affect your ability to use the essential functions of the website or to place an order.

If you consider that the processing of your data infringes the data protection legislation, you have the right to lodge a complaint with the supervisory authority:

The National Supervisory Authority for Personal Data Processing (ANSPDCP)

• Address: B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, București, Romania

• Telephone: +40 318 059 211 / +40 318 059 212

• E-mail: anspdcp@dataprotection.ro

• Website: www.dataprotection.ro

However, we ask that you contact us first — we will try to resolve any dissatisfaction directly.