Table of Contents

Introduction

This Privacy Policy describes how ELORYS, as a personal data Controller, collects, uses, stores and protects your personal data in the context of using the Website www.elorys.com (hereinafter referred to as the “Website”).

Through this Policy, we wish to inform you in a transparent and clear manner regarding:

  • what types of personal data we collect about you;
  • for what purposes and on what legal grounds we process this data to whom we may transmit it and under what conditions;
  • what rights you have in relation to your personal data;
  • how we ensure the confidentiality and security of this data

ELORYS strictly complies with applicable data protection provisions, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation — GDPR) and relevant national data protection legislation and related legislation applicable in Romania.

By using the Website www.elorys.com and/or by providing your personal data, you confirm that you have read the content of this Privacy Policy and that you understand the rights and options you have in relation to your data.

Personal data collected

When using the Website www.elorys.com and the services offered through it, ELORYS may collect and process the following categories of personal data, depending on your interaction with the platform and the services used:

  • Identification information: first and last name; delivery address; billing address
  • Contact information: email address; telephone number
  • Order and transaction information: details of the products ordered; order history; information related to delivery and order status
  • Payment method information: payment method information is collected and processed securely by the payment processor Mollie;

Elorys.com does not store and does not have direct access to full bank card data or other sensitive payment details. We may only receive limited information regarding the status of the transaction (e.g.: payment confirmation, transaction code).

  • Website usage data: IP addresses; cookie identifiers and other tracking technologies (according to the Cookie Policy); data regarding the user’s interaction with the Website (e.g.: pages visited, time spent on the page, browsing behavior, clicks, browsing errors).

Purposes of processing

ELORYS processes your personal data for specified, explicit and legitimate purposes, in accordance with the provisions of Regulation (EU) 2016/679 (GDPR).

The data are processed only to the extent necessary to achieve these purposes and will not be further used in a manner incompatible with the initial purposes.

The main purposes for which we process your data are the following:

Processing and delivery of orders placed on the Website

  • Management of online orders placed through the Website www.elorys.com;
  • Preparation, invoicing, shipping and delivery of ordered products;
  • Management of any returns or refunds.

Communication with you

  • Communication necessary to confirm orders and inform about delivery status;
  • Communication related to the customer account (e.g.: updating data, user requests);
  • Management of requests and complaints submitted by users.

Compliance with legal and fiscal obligations

  • Fulfillment of legal obligations in the fiscal and accounting field (e.g. issuing tax invoices, keeping accounting records);
  • Compliance with other legal obligations arising from the commercial relationship (e.g. in matters of consumer protection).

Improving your experience on the Website

  • Optimizing and personalizing the browsing experience on the Website;
  • Analyzing user behavior in order to improve the performance of the website and the quality of the services offered;
  • Preventing and detecting possible fraud or abusive use of the Website.

Direct marketing (only with your explicit consent)

  • Sending newsletters and personalized commercial communications regarding our offers and products;
  • Carrying out promotional campaigns or invitations to events;
  • The processing of these data for marketing purposes is only based on your express, prior and freely expressed consent, in accordance with art. 6 para. (1) letter a of the GDPR.

If you withdraw your consent for direct marketing, you will no longer receive commercial communications, but we will continue to send you notifications related to your orders and the active contractual relationship (e.g.: order confirmations, delivery information).

Legal grounds for processing

We process your personal data only to the extent that there is an appropriate and justified legal basis, in accordance with Article 6 of Regulation (EU) 2016/679 (GDPR).

Here are the main legal grounds on which ELORIS processes personal data:

Execution of the sales contract (art. 6 par. (1) lit. b GDPR)

We process the personal data necessary for:

  • processing orders placed on the Website;
  • delivery of ordered products;
  • management of payments and returns;
  • communication with you in relation to the order and the contractual relationship.

This processing is essential in order to be able to honour the sales contract concluded between you and ELORYS.

Compliance with legal obligations (art. 6 par. (1) lit. c GDPR)

We process personal data to comply with obligations imposed by applicable law, such as:

  • tax and accounting obligations (issuance and archiving of tax documents);
  • consumer protection obligations and other applicable legal obligations.

Your explicit consent (art. 6 par. (1) lit. a GDPR)

For direct marketing (e.g. sending newsletters and commercial communications), we process personal data only on the basis of your express, prior and freely given consent.

You can withdraw this consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal.

Our legitimate interest (art. 6 par. (1) lit. f GDPR)

In certain situations, we process personal data to protect our legitimate interests, for example:

  • ensuring the security of the Website and the IT infrastructure;
  • preventing and detecting possible fraud or attempted fraud;
  • continuously improving the user experience and the services offered

In all cases, we respect the principle of balance between our legitimate interests and the fundamental rights and freedoms of the data subjects.

Data storage period

ELORYS stores your personal data only for the period necessary to fulfill the purposes for which they were collected, while respecting applicable legal requirements regarding retention periods.

The exact storage period may vary depending on:

  • the nature of the data collected;
  • the purposes of the processing;
  • applicable legal obligations and compliance requirements.

Examples of storage periods

Data related to commercial transactions and accounting documents data regarding orders, invoices and other fiscal documents are kept in accordance with legal obligations in tax and accounting matters, usually 10 years, according to Romanian tax legislation.

The data necessary for managing the customer account will be kept for the entire duration of the customer account and subsequently, for a reasonable period of maximum 3 years after the account is closed, for evidentiary purposes and to defend our legal rights.

Data processed based on consent for direct marketing will be kept until you revoke your consent or until you exercise your right to object, as applicable.

Technical and Website usage data (e.g.: traffic data, IP addresses, cookies): will be kept in accordance with the terms established in the Cookie Policy and depending on the settings and options expressed by you.

Deletion or anonymization of data

Upon expiry of the applicable retention periods, personal data will be permanently deleted; or transformed into anonymous data so that it no longer allows the identification of the data subjects.

In certain cases, we may retain data beyond the expiry of the initial period, to the extent that this is necessary for the establishment, exercise or defence of legal claims and/or compliance with other legal obligations or requirements of public authorities.

Disclosure of data to third parties

ELORYS may disclose your personal data to certain categories of recipients, strictly to the extent necessary to achieve the purposes for which the data were collected and processed, and in compliance with legal requirements regarding data protection.

We assure you that your data is shared only with trusted third parties, who provide adequate guarantees regarding their security and confidentiality.

Recipient Categories

Courier Service Providers

To deliver your orders to you, we may transmit data such as:

  • first and last name;
  • delivery address;
  • phone number;
  • email address (for delivery notifications)

Mollie payment processor

To process online payments, certain transaction data is shared with Mollie — our certified payment processor, under maximum security conditions.

ELORYS does not have access to your full card details or other sensitive banking data.

IT and hosting service providers

In order to host the Website and ensure the technical functioning of the platform, data may be processed by our IT and hosting service providers.

We ensure that these providers comply with high standards of security and confidentiality.

Public authorities

We may disclose personal data to competent public authorities, to the extent that we are obliged to do so by law or by virtue of an official request, for example:

  • tax and accounting authorities;
  • judicial authorities;
  • other public authorities with legal powers

We do not sell, rent or transfer your personal data to third parties for commercial purposes.

All transfers to third parties take place on the basis of contractual agreements and in compliance with the provisions of Regulation (EU) 2016/679 (GDPR).

Data transfer outside the European Economic Area

In principle, ELORYS does not transfer your personal data to recipients outside the European Economic Area (EEA).

We operate using IT infrastructure and service providers operating within the EEA or in jurisdictions that offer an adequate level of data protection, according to decisions issued by the European Commission.

Exceptional transfers

In exceptional circumstances, when necessary for the provision of services or the performance of contractual obligations, certain data may be transferred to recipients located outside the EEA (e.g. IT service providers or technical partners).

In such cases, we will ensure that the transfer takes place in strict compliance with the provisions of the GDPR, by applying one of the following appropriate safeguards:

  • using an adequacy decision adopted by the European Commission for the respective country;
  • concluding standard contractual clauses (SCCs) approved by the European Commission with the recipient of the data;
  • other mechanisms and safeguards in accordance with European data protection law.

Protection of transferred data

Regardless of the location of the recipient, we ensure that your data benefits from an adequate level of protection equivalent to the standards imposed by the GDPR.

We will inform data subjects accordingly if such transfers become relevant for the processing of their personal data.

Data Security

ELORYS attaches great importance to the security of the personal data it processes.

We implement appropriate technical and organizational measures to protect your data against:

  • unauthorized access;
  • unauthorized alteration;
  • accidental or intentional loss;
  • destruction;
  • unauthorized disclosure.

Examples of measures applied

  • use of encryption technologies and secure protocols (e.g. HTTPS) for data transmission via the Website;
  • implementation of modern IT infrastructure security and access monitoring solutions;
  • limiting access to personal data only to authorized personnel and third party contractual partners who need this data to provide services, according to the agreements concluded;
  • continuous training of personnel on good practices in data security and compliance with legal confidentiality obligations;
  • internal procedures for managing security incidents.

Limitations

While we make every reasonable effort to protect your personal data, you should note that no online platform or electronic transmission can guarantee absolute security.

If we identify a security incident affecting your personal data that is likely to result in a high risk to your rights and freedoms, we will inform you appropriately and in a timely manner, in accordance with legal obligations.

Data Security

In accordance with the provisions of Regulation (EU) 2016/679 (GDPR), you have a number of rights in relation to the processing of your personal data.

We fully respect these rights and are committed to ensuring them in a transparent and effective manner.

The rights you have are as follows:

Right of access

You have the right to obtain confirmation that your data is being processed and, if so, to request access to that data as well as relevant information regarding the processing.

Right to rectification

You have the right to request the correction or completion of inaccurate or incomplete data concerning you.

Right to erasure of data (“right to be forgotten”)

You have the right to request the erasure of your personal data, in certain situations provided for by law (e.g. when the data is no longer necessary for the purposes for which it was collected, or when you have withdrawn your consent).

Right to restriction of processing

You have the right to request restriction of processing of personal data in cases provided by law (e.g. contesting the accuracy of the data, opposition to processing).

Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit it to another controller, where applicable.

Right to object

You have the right to object to the processing of your personal data where the processing is based on the legitimate interest of the controller or the performance of a task carried out in the public interest.

You also have the right to object to processing for direct marketing purposes at any time.

Right to file a complaint

You have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) if you consider that your rights guaranteed by applicable data protection legislation have been violated.

Website: www.dataprotection.ro

How can you exercise your rights

To exercise any of the rights mentioned above, you can contact us in writing, at the email address: support@elorys.com.

We will analyze your request with the utmost seriousness and will respond to you within the time limit provided by the GDPR (usually, within one month of receiving the request, with the possibility of extension in complex cases).

Cookies

The website www.elorys.com uses cookies and similar technologies to improve the user experience, personalize content, and analyze visitor traffic and browsing behavior.

What are cookies?

Cookies are small files stored on your device (computer, smartphone, tablet) when you access a Website.

They allow the Website to recognize your device and store certain information about your preferences and interactions.

What are cookies?

Cookies are small files stored on your device (computer, smartphone, tablet) when you access a Website.

They allow the Website to recognize your device and store certain information about your preferences and interactions.

Why do we use cookies?

We use cookies for the following purposes:

  • to ensure the proper functioning and security of the Website;
  • to improve the user browsing experience;
  • to analyze the traffic and performance of the Website, with a view to continuous optimization;
  • to provide personalized content and, where appropriate, relevant advertising.

Why do we use cookies?

When you first access the Website, you will be asked to consent to the use of cookies, through a dedicated interface.

You can manage your cookie preferences at any time, using the settings available on the Website or in your browser settings.

Cookies Policy

For detailed information about: the categories of cookies used, their lifespan, third parties who may have access to the information collected through cookies, how to manage consent, please consult our Cookies Policy available on the Website, in the dedicated section.

Privacy Policy Modification

ELORYS reserves the right to modify and update this Privacy Policy periodically to reflect any:

  • changes in data processing activities;
  • changes in legal requirements or regulatory practices;
  • updates to the services or functionalities offered through the Website www.elorys.com.

Publication of changes

Any changes to the Privacy Policy will be published on the Website and will be appropriately marked so that it is visible and easily accessible to users.

The updated version will enter into force from the date of its publication on the Website, unless otherwise stated.

Acceptance of Changes

Your continued use of the Website following the posting of changes to the Privacy Policy will constitute acceptance of such changes.

We recommend that you periodically review this Policy to be aware of any updates.

Contact details

For any questions regarding the processing of your personal data or to exercise your rights, you can contact us by email at support@elorys.com