Privacy Policy

1. Introduction and purpose of the policy

This Privacy Policy explains how SELLER (hereinafter also referred to as Operator) collects, uses, stores, protects, and discloses the personal data of users, members, and customers who interact with the website shop.openbiomaps.org.

The Operator undertakes to respect the confidentiality and security of personal data in accordance with:

  • Regulation (EU) 2016/679 ("General Data Protection Regulation" – GDPR);
  • Law No. 190/2018 on measures to implement the GDPR in Romania;
  • as well as other European and national regulations applicable to e-commerce and consumer protection.

The purpose of this policy is to inform you in a transparent manner about:

  • the categories of personal data we collect and process;
  • the legal grounds and purposes of the processing;
  • your rights as a data subject;
  • the measures taken by the Operator to protect this data.

By using the shop.openbiomaps.org website, creating an account, or placing an order, you confirm that you have read and understood this Privacy Policy and that you agree to the processing of your data under the conditions described herein.

The Operator reserves the right to periodically update this policy to reflect legislative or operational changes. The updated version will be published on the website, indicating the date of the last revision. We recommend that you periodically review the content of this document.


2. Operator identification data

The personal data controller is:

ÖKOINFORMATIKA SRL
A company organized under Romanian law,
with its registered office in Odorheiu Secuiesc, str. József Attila nr. 36, jud. Harghita,
registered with the Trade Register under no. J2021000079195,
with unique registration code CUI 37634236, CUI TVA RO49500718,
email address: contact@okoinformatika.ro,
website: https://shop.openbiomaps.org.

For the purposes of data protection legislation, ÖKOINFORMATIKA SRL acts as a controller when processing your personal data in connection with the products and services offered through the website.

For any questions, requests, or complaints regarding data protection, you can contact us as follows:

  • by email at: contact@okoinformatika.ro (Data Protection Officer);
  • by post at: 36 József Attila Street, Odorheiu Secuiesc, Harghita County,
    marked "For the attention of the Data Protection Officer".

The Operator undertakes to respond to all requests regarding data protection within a maximum of 30 calendar days of receipt, in accordance with Art. 12(3) of Regulation (EU) 2016/679.


3. Categories of personal data collected

In order to be able to provide the products and services offered through the shop.openbiomaps.org website, the Operator collects and processes certain personal data that you provide directly or that is automatically generated during the use of the platform.

The data is collected only to the extent necessary to fulfil the legitimate purposes of the processing, in compliance with the principles of lawfulness, transparency and data minimisation, in accordance with Article 5 of Regulation (EU) 2016/679 (GDPR).

3.1 Data provided directly by you

The Operator may collect the following categories of personal data, depending on the actions you take on the Website:

  • Identification and contact data: name, surname, e-mail address, telephone number, delivery and billing address;
  • User account creation and management data: e-mail address, password (stored in encrypted format), order history, preferences;
  • Order and transaction data: products purchased, order value, payment method, delivery status, billing details;
  • Data used for personalisation of products: photos, text, images, graphics or other information provided by you for the personalisation of your products.
    → In these cases, you warrant that you have the legal rights to these materials and that their processing does not infringe the rights of third parties.
  • Data collected in the context of communications: messages sent via the contact form, e-mail correspondence, complaints or requests for support.

The Operator does not intentionally collect data of minors under 18 years of age. If such data accidentally comes into its possession, it will be deleted as soon as the situation is identified.

3.2 Automatically collected data

When you access our website, the following types of technical information may be automatically collected:

  • IP address of the device used for access;
  • browser type and operating system used;
  • pages visited, session duration and traffic source;
  • unique device identifiers and cookies.

This data is collected to improve the browsing experience, analyse site performance and prevent fraudulent activities.
The processing of this data is carried out on the basis of the legitimate interest of the Operator (Art. 6 para. (1) lit. f) GDPR) to ensure the optimal functioning and security of the online platform.

Further details on the cookies used are available in the Cookie Policy, accessible on the website.

3.3 Sensitive data

The Operator does not collect or process data of a special nature in accordance with Article 9 of the GDPR (such as: ethnic origin, political opinions, religious denomination, genetic or biometric data, data concerning health or sexual orientation).
Also, the Operator does not request and does not process data relating to criminal records.

3.4 Data received from third parties

In certain limited circumstances, we may receive data about you from legitimate sources such as:

  • Online payment platforms (e.g. payment processor, which only confirms the transaction without disclosing card details);
  • Courier companies, for delivery confirmation;
  • contractual partners that provide related services (e.g. marketing, statistical analysis), solely on the basis of a processing contract in accordance with Art. 28 GDPR.

All these third parties act as processors (persons authorised by the Operator) and are obliged to respect the confidentiality and security of personal data.

3.5 Unsolicited data

If you voluntarily send information to the Operator that goes beyond the legitimate purpose of the contractual relationship (e.g. sensitive data, information about other persons, confidential details), it will be deleted without delay and the Operator will not process or use this information for any purpose.


4. Purposes and grounds for processing personal data

The Controller processes your personal data only for legitimate, specified and transparent purposes, in accordance with the principles set out in Articles 5 and 6 of Regulation (EU) 2016/679 (GDPR).
Processing takes place only where there is a clear legal ground and only for the period necessary to fulfil the purpose for which the data was collected.

Below are the main purposes of processing and the related legal bases.

4.1. Provision of services and performance of contract

Purpose:

  • Creation, administration and maintenance of user account on the website;
  • Processing and delivery of orders, including customisation of products with customer-supplied materials (photos, text, images);
  • Issuing invoices and managing payments;
  • Providing technical support and dealing with customer enquiries.

Legal basis:

  • Performance of a contract or pre-contractual steps at the request of the data subject (Art. 6 para. (1) lit. b) GDPR);
  • Compliance with a legal obligation relating to invoicing and accounting (Art. 6 para. (1) lit. c) GDPR).

4.2. Customer communication and after-sales support

Purpose:

  • Sending notifications regarding order status, delivery, returns or service updates;
  • Handling inquiries, complaints or requests regarding customer rights;
  • Providing personalised answers to questions submitted via email or contact form.

Legal basis:

  • Contract performance (Art. 6 para. (1) lit. b) GDPR);
  • The legitimate interest of the Operator to provide quality after-sales services (Art. 6 para. (1) lit. f) GDPR).

4.3. Improving services and user experience

Purpose:

  • Analysis of browsing behaviour and purchase preferences;
  • Conducting satisfaction surveys or market research;
  • Optimising site functionality and security;
  • Tailoring content and recommendations to user interests.

Legal basis:

  • The legitimate interest of the Operator to continuously improve services and ensure the optimal functioning of the platform (Art. 6 para. (1) lit. f) GDPR).

The Operator shall ensure that such processing does not affect the fundamental rights and freedoms of the data subject.
Data collected for statistical analysis shall be anonymised or pseudonymised where possible.

4.4 Marketing and commercial communication activities

Purpose:

  • Sending newsletters, offers, discounts or information about similar products and services;
  • Displaying personalised recommendations on the website or in the user account;
  • Organising promotional campaigns, competitions or surveys.

Legal basis:

  • Express consent of the data subject (Art. 6 para. (1) lit. a) GDPR), expressed by ticking the option to subscribe to the newsletter;
  • The legitimate interest of the Operator to promote its activity (Art. 6 para. (1) lit. f) GDPR), in compliance with the data subject’s right to object (Art. 21 GDPR).

Right of withdrawal:
The data subject may withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal, by:

  • accessing the unsubscribe link in the emails received;
  • changing user account settings;
  • sending a request to contact@okoinformatika.ro.

4.5. Fulfilment of legal obligations

Purpose:

  • Compliance with tax, accounting, commercial and archiving legislation;
  • Keeping and providing documents at the request of public authorities (e.g. ANAF, ANPC, ANSPDCP).

Legal basis:

  • Fulfilment of a legal obligation incumbent on the Operator (Art. 6 para. (1) lit. c) GDPR).

4.6 Protection of the legitimate interests of the Operator

Purpose:

  • Detection and prevention of attempted fraud, abuse or unauthorised access to accounts;
  • Ensuring the security of information systems and customer data;
  • Managing and defending rights in the event of disputes.

Legal basis:

  • The legitimate interest of the Operator to protect its business and rights (Art. 6 para. (1) lit. f) GDPR).

4.7 Exceptional situations – explicit consent

In limited situations, the Operator may require your explicit consent to process additional data that is strictly necessary for the provision of certain services (e.g. participation in a competition, publication of a personalised review, uploading of visual content for promotional purposes).

In these cases:

  • you will be informed in advance about the purpose of the processing, the storage period and the related rights;
  • consent can be withdrawn at any time by sending an e-mail to contact@okoinformatika.ro.

4.8 Prohibition of automated profiling with legal effects

The Controller does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, in accordance with Article 22 GDPR.
Any personalisation of the user experience is carried out solely for legitimate business purposes without legal consequences for the data subject.


5. Duration of storage of personal data

The Controller shall keep personal data only for the period strictly necessary for the fulfilment of the purposes for which they were collected, in compliance with the principles of limitation of storage set out in Article 5 para. (1) lit. e) of Regulation (EU) 2016/679 (GDPR) and the time limits imposed by applicable national law.

The exact retention period may vary depending on the nature of the data and the purpose of the processing, as detailed below.

5.1 User account data

  • Description: identification data (name, surname, e-mail), password, order history, account preferences.
  • Storage duration: for as long as the account is active.
    At the express request of the user, the account and related data will be deleted, with the exception of information whose retention is required by law (e.g. invoices, accounting records).
  • Legal basis: art. 6 para. (1) lit. b) GDPR – fulfilment of contract.

5.2. Order and invoicing data

  • Description: name, surname, delivery and invoicing addresses, details of products purchased, value, transaction date.
  • Storage period: minimum 10 years from the transaction date, in accordance with Romanian accounting and tax legislation (Accounting Law 82/1991).
  • Legal basis: art. 6 para. (1) lit. c) GDPR – legal obligation.

5.3. Data on personalised products

  • Description: photos, texts, images, other files uploaded by the customer in order to personalise products.
  • Storage duration: maximum 30 calendar days from the upload date, after which they will be deleted automatically or manually by the Operator.
  • Legal basis: art. 6 para. (1) lit. b) GDPR – fulfilment of the contract.
  • Note: in the event of a return, complaint or dispute, the Operator may retain the data strictly necessary to prove the situation for an additional period of maximum 6 months.

5.4 Marketing and commercial communication data

  • Description: e-mail address, telephone number, newsletter subscription preferences.
  • Storage duration: until withdrawal of consent or exercise of right to object.
  • Legal basis: art. 6 para. (1) lit. a) GDPR – consent; art. 21 GDPR – right to object.
  • Note: after unsubscribing, the Operator may keep a minimal record (e-mail address) only to prove that it no longer sends unwanted communications.

5.5. Data collected to improve services and analyse traffic

  • Description: browsing data, IP addresses, device identifiers, cookies, usage sessions.
  • Storage duration: between 30 days and 12 months, depending on cookie type and purpose of use.
  • Legal basis: art. 6 para. (1) lit. f) GDPR – legitimate interest.
  • Note: data is anonymised or pseudonymised and the exact period is detailed in the Cookie Policy.

5.6. Data submitted via contact form or correspondence

  • Description: name, e-mail, message content, attachments.
  • Duration of storage: until the request has been resolved, plus a period of maximum 6 months for possible clarifications.
  • Legal basis: art. 6 para. (1) lit. f) GDPR – legitimate interest of the Operator.

5.7. Data retained for the defence of legal interests

  • Description: information necessary for the establishment, exercise or defence of a right in court or before other public authorities.
  • Duration of storage: until the final conclusion of the judicial or administrative procedure, plus the applicable statutory limitation period.
  • Legal basis: art. 6 para. (1) lit. f) GDPR – legitimate interest.

5.8 Deletion and anonymisation of data

Upon expiry of the above periods, personal data will be:

  • finally deleted from the Operator’s systems, or
  • irreversibly anonymised so that it can no longer be associated with an identifiable person.

The Operator may retain certain data strictly necessary for archiving, auditing, legal defence or compliance with legal obligations.

5.9 Request for erasure by the data subject

The data subject may request erasure of his or her personal data at any time by sending an e-mail to contact@okoinformatika.ro.
The Controller will analyse the request and respond within 30 calendar days, in accordance with Articles 12 and 17 of Regulation (EU) 2016/679 (right to erasure – "right to be forgotten").


6. Recipients and transfers of personal data

The Operator may transmit or provide access to certain personal data to third parties, solely for the legitimate purposes described in this Privacy Policy, subject to the necessity principle and the obligation of confidentiality.

All data transfers shall be made in accordance with articles 28-29 and 44-49 of Regulation (EU) 2016/679 (GDPR), only to partners that provide adequate data protection safeguards.

6.1 Categories of recipients

The Controller may provide your data to the following categories of recipients:

  1. IT and hosting service providers
    • who maintain the online platform, server infrastructure, backup solutions and IT security;
    • they act as persons authorised by the Operator, with access limited to the data strictly necessary.
  2. Courier and logistics service providers
    • for the purpose of delivering orders;
    • data transmitted include: name, surname, delivery address, telephone number.
  3. On-line payment service providers (payment processors)
    • exclusively for processing bank card transactions;
    • the Operator does not have access to the card details and does not store them;
    • transactions are secured and processed according to PCI DSS and PSD2 standards.
  4. Marketing and communication service providers
    • managing newsletter campaigns, surveys or performance analyses;
    • they act on the basis of a processing contract (Art. 28 GDPR), under the control of the Controller.
  5. Accounting, legal or auditing service providers
    • for the fulfilment of legal obligations relating to financial reporting and operational compliance.
  6. Public authorities or state institutions
    • when there is a legal reporting obligation (e.g. ANAF, ANPC, ANSPDCP) or for the defence of the Operator’s rights in a litigation.
  7. Commercial or contractual partners
    • exclusively in the context of joint projects or promotional campaigns, and only on the basis of a written agreement guaranteeing data confidentiality and security.

6.2 International data transfers

Currently, all personal data are stored and processed on the territory of Romania or of the European Union, in secure infrastructures.

If, in the future, it becomes necessary to transfer data to countries outside the European Economic Area (EEA), the Operator will ensure that adequate safeguards are in place, in accordance with Article 46 of the GDPR, such as:

  • Standard contractual clauses approved by the European Commission;
  • Adequacy decisions issued by the European Commission for the country concerned;
  • Binding Corporate Rules (BCR) for group partners.

In the absence of these safeguards, transfers will only be carried out with the explicit consent of the data subject and with prior information on the potential risks.

6.3. Obligations of Authorised Processors

All partners processing data on behalf of the Controller have a legal obligation to:

  • Act only on the documented instructions of the Controller;
  • ensure data confidentiality and security through appropriate technical and organisational measures;
  • notify the Operator as soon as possible of any security incident (as per Art. 33 GDPR);
  • delete or return the personal data after finalisation of the services provided.

The Operator periodically checks the compliance of these partners and reserves the right to suspend the collaboration with any entity that does not comply with the legal data protection requirements.

6.4 Disclosure of data in exceptional circumstances

The Operator may only disclose personal data in exceptional circumstances, such as:

  • Protecting the vital interests of the data subject or another person;
  • preventing, investigating or reporting illegal activities (fraud, abuse, unauthorised access);
  • responding to lawful requests from competent authorities.

In all cases, disclosure will be made in accordance with the principles of proportionality and confidentiality.


7. Personal data security measures

The Operator attaches particular importance to the protection of your personal data and applies appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of your personal data in accordance with art. 32 of Regulation (EU) 2016/679 (GDPR).

The measures are constantly adapted to identified risks and technological developments with the aim of preventing the loss, misuse, unauthorised access, disclosure, alteration or destruction of personal data.

7.1. Technical measures implemented

The Operator uses modern security solutions to protect data in the digital environment, including:

  • encryption of communications between user browser and server (SSL/TLS);
  • data storage in secure systems hosted in EU certified data centres;
  • encrypted password authentication for user accounts;
  • access control to data by authorisation levels;
  • periodic backup systems and data restoration mechanisms;
  • traffic monitoring to detect attempted unauthorised access or cyber-attacks.

7.2. Organisational and procedural measures

To ensure data protection also internally, the Operator has implemented:

  • internal privacy policies and personal data management procedures;
  • regular training of employees and collaborators on data protection and GDPR obligations;
  • limiting access to personal data to authorised persons only, depending on their role and responsibilities;
  • privacy agreements signed with all partners, collaborators and employees who may have access to personal data.

7.3. Security incident management

In the event of a security incident that may lead to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data, the Operator shall:

  1. immediately assess the situation and take corrective measures to mitigate the impact;
  2. notify the National Supervisory Authority for Personal Data Processing (ANSPDCP) no later than 72 hours after the incident has been detected, in accordance with Article 33 GDPR;
  3. inform the data subjects without undue delay, if the incident is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

7.4. Situations related to personalised products

Given that certain products marketed involve manual personalisation with information provided by customers (photos, text, images), the Operator:

  • has put in place strict procedures to manage this data, accessible only to trained staff;
  • ensures the automatic deletion of files used for personalisation after a maximum period of 30 days;
  • in the unlikely event of a handling error (e.g. sending the wrong personalised product), the Operator undertakes to immediately inform the persons concerned and to remedy the situation by appropriate measures (deletion, destruction or return).

Customers who accidentally receive personalised products with other people’s data are also obliged to immediately notify the Operator at contact@okoinformatika.ro and to follow the instructions received to protect the confidentiality of all parties involved.

7.5. Limitations of liability

Although the Operator applies reasonable security measures, it should be noted that data transmission over the Internet cannot be guaranteed to be 100% secure.
The Operator cannot be held responsible for incidents caused by systems or services not under its direct control (e.g. public communication networks, Internet Service Providers or human error beyond the Operator’s control).

However, the Operator undertakes to treat any security incident as a priority and responsibly and to use all reasonable efforts to minimise the impact on data subjects.


8. Rights of data subjects

Pursuant to Regulation (EU) 2016/679 (GDPR), individuals whose personal data is processed by the Operator have a number of specific rights designed to ensure transparency and control over how their data is used.

The Operator fully respects these rights and ensures that they are exercised free of charge, fairly and without undue delay.

Any request concerning your rights may be sent to contact@okoinformatika.ro. The Operator will respond within no more than 30 calendar days, in accordance with Art. 12 para. (3) GDPR.

8.1. Right to information (Art. 13-14 GDPR)

You have the right to be clearly and transparently informed about:

  • The Operator’s identity and contact details;
  • the purposes and legal bases of the processing;
  • the categories of data processed;
  • the recipients or categories of recipients of the data;
  • the duration of storage and the criteria for determining it;
  • Your rights under the GDPR;
  • The right to lodge a complaint with the supervisory authority.

The information is set out in this Privacy Policy and can be requested at any time by contacting the Operator directly.

8.2. Right of access (Art. 15 GDPR)

You have the right to obtain a confirmation from the Operator whether or not it processes your personal data and, if so:

  • Receive a copy of the processed data;
  • to be informed about the purposes of the processing, the categories of data, the recipients, the storage period and the related rights.

Upon request, the Controller will provide this information in a secure electronic format.

8.3. Right to rectification (Art. 16 GDPR)

You have the right to request that inaccurate or incomplete personal data be corrected or updated.
The Controller will rectify the data without undue delay and inform you of the measures taken.

8.4. Right to erasure ("right to be forgotten") – Art. 17 GDPR

You may request erasure of your personal data in any of the following situations:

  • the data is no longer necessary for the purposes for which it was collected;
  • You have withdrawn your consent and there is no other legal basis for the processing;
  • you have objected to the processing and there are no legitimate grounds that prevail;
  • the data have been processed unlawfully;
  • erasure is necessary to comply with a legal obligation.

Exceptions:
The controller may refuse erasure where processing is necessary:

  • for compliance with a legal obligation;
  • for the establishment, exercise or defence of legal claims.

Requests for erasure may be sent to contact@okoinformatika.ro.

8.5. Right to restrict processing (Art. 18 GDPR)

You have the right to request restriction of processing in the following cases:

  • you contest the accuracy of the data (during the verification period);
  • the processing is unlawful, but you do not want the data erased;
  • The controller no longer needs the data, but they are necessary for the defence of a legal claim;
  • you object to the processing (during the verification of the prevailing legitimate interest).

During the restriction period, the data will not be processed for any purpose other than storage, except with your express consent or for the defence of a legal claim.

8.6. The right to data portability (Art. 20 GDPR)

You have the right to receive the personal data provided to the Controller in a structured, commonly used and machine-readable format (e.g. CSV, XML) and to request their transmission to another controller, where:

  • the processing is based on consent or a contract; and
  • the processing is carried out by automated means.

8.7. Right to object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data carried out on the basis of the Controller’s legitimate interest, including for direct marketing purposes (e.g. sending newsletters).
If you object, the Controller will cease processing the data, unless it can demonstrate compelling legitimate grounds overriding your interests, rights and freedoms.

8.8. The right not to be subject to automated decisions (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you or significantly affects you in a similar way.
The controller does not carry out such automated processing.

8.9. Right to withdraw your consent (Art. 7 para. (3) GDPR)

Where the processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal.
Consent may be withdrawn by:

  • Accessing the unsubscribe link in commercial messages;
  • changing user account settings;
  • sending a request to contact@okoinformatika.ro.

8.10. Right to lodge a complaint (Art. 77 GDPR)

If you consider that the processing of your personal data violates the legal provisions, you have the right to lodge a complaint with the National Supervisory Authority for the Processing of Personal Data (ANSPDCP):

  • Address: Gheorghe Magheru nr. 28-30, sector 1, București, postal code 010336
  • Telephone: +40 318 059 211 / +40 318 059 212
  • E-mail: anspdcp@dataprotection.ro
  • Website: https://www.dataprotection.ro

Before contacting the authority, we encourage you to write to us at contact@okoinformatika.ro – we will endeavour to resolve the situation amicably.

8.11. How to exercise your rights

To exercise any of the above mentioned rights, the data subject may submit a written request:

  • by e-mail to contact@okoinformatika.ro, or
  • by post to the address: str. József Attila nr. 36, Odorheiu Secuiesc, jud. Harghita,
    marked "for the attention of the Data Protection Officer".

The controller may request additional information to verify the identity of the applicant where there are reasonable doubts as to the identity of the applicant, in accordance with Art. 12 para. (6) GDPR.


9. Policy update and other final provisions

9.1. Privacy policy update

The Operator reserves the right to modify or update this Privacy Policy from time to time to reflect legislative, technical or operational changes that may occur in its business.
Updated versions will be published on the shop.openbiomaps.org website, together with the date of the last revision.

Any significant changes relating to the way personal data is processed will be prominently communicated on the website and, where applicable, you will be asked for your updated consent in accordance with the law.

We recommend that you check the contents of this policy periodically to keep up to date with any changes.

9.2. Correlation with other legal documents

This Privacy Policy is an integral part of the Terms and Conditions of use of the shop.openbiomaps.org website, as well as other internal policies of the Operator, including:

  • Cookies Policy, which describes the use of cookies and similar technologies on the Site;
  • Data Security Policy (Operator’s internal document);
  • any other contractual documents governing the relationship between the Operator and its customers.

In case of inconsistency between this policy and other public documents on the website, the provisions of the Privacy Policy regarding the processing of personal data shall prevail.

9.3. Limitation of liability

The Operator cannot be held liable for:

  • loss or compromise of data resulting from the use of unsecured networks or external services over which it has no control;
  • external links displayed on the website which may lead to other third party websites;
  • the content, privacy policy or practices of those third parties.

Visiting and use of any external links is at the user’s own risk.

9.4. Applicable law and jurisdiction

The present Policy is governed by the laws of Romania and the regulations of the European Union applicable to personal data protection.
Any disagreement arising in connection with the interpretation or application of this Policy shall first be settled amicably.
In the absence of an amicable solution, the Romanian courts shall have jurisdiction.

9.5. Effective date

This Privacy Policy is effective as of 15 October 2025 and replaces any previous version published on the Site.
All subsequent changes will be highlighted by updating the "Last Updated" date at the end of the document.


Operator: ÖKOINFORMATIKA SRL
Website: https://shop.openbiomaps.org

Last updated: 15 October 2025