Data Protection Good Practices & Guidelines

This document aims to inform our Clients about their relationship with from a data protection point of view, detailing the technical aspects of our activities and what they need to do from a data protection standpoint.

Please note that during the usage of the services, the Client is the data Controller and is the data Processor. acts only within the confines of the law and under the instructions of the Clients, as a data Processor as stated in the Data Processor Contracting Rules established based on the provisions of art. 28 of the GDPR. The data processed is not shared with any other Clients' data in any form.

1. Internal data protection assessment

Before contracting any services (SaaS), each of our Clients must perform an initial internal data protection assessment and, if needed, a data protection impact assessment, in order to be compliant with the relevant data protection legislation. The Clients must apply internally the General Data Protection Regulation (applicable from 25th of May, 2018).

2. Relationship between data controller and the data processor

Clients should be aware that each Client and must sign an agreement stating that Data Processor Contracting Rules are mandatory.

This document details: the duration, the actions to be done, the time frame of the data processing and data retention periods, the categories of data processed, the rules applicable to the process of data processing, the transfers of data to third countries allowed, the purposes and means of the processing and of the transfer.

3. Transparency and Information note of the data subjects

Each of our Clients must inform, accordingly, their data subjects about the processing of data, at the moment of the collection.

For the specific situation of using services, the following information should be included, if not already covered:
  • the identity and contact details of the data Controller;
  • the contact details of the data protection officer ("DPO"), if applicable;
  • data subjects' specific rights, stated by GDPR (e.g. the right to erasure of data, processing, portability, the right to withdraw consent, the right to address a data protection authority) and the procedure necessary for the exercise of the specific rights (e.g. 30 days response); Clients need to check for any update necessary;
  • the mechanism used for the processing, data Processors included; Clients need to check if any update is necessary;
  • you have the obligation of informing the data subjects on the usage of the cookie on your website, including information about the access of data Processors;
  • you have the obligation of obtaining the data subjects’ consent for such processing, at the moment of their visit to your website, for such a first party cookie; if the user does not consent, the processing for such purposes is not allowed;
  • you have the obligation to unsubscribe your clients that chose to opt-out from (see details of how to do that at article 4).
You should copy and paste the following information in the Terms and Conditions from your online shop:
  • With the purpose of profiling, tracking and sending personalised communications and offers, we are using (with its registered office in 49 Nicolae Caramfil Street, 1st floor, District 1, Bucharest, Romania, VAT Number: RO34270947, Identification Number: J40/3525/23.03.2015, email:, phone: +40-727-383-165), a marketing automation software dedicated to e-commerce.
  • These activities do not have a legal effect or a similarly significant effect on the users. The only consequence of using this profiling is for the user to receive discounts and personalized marketing offers. The user may opt-out of this profiling or from receiving commercial communication, with no effect, other than not receiving these discounts or personalized marketing offers.
  • For the purposes of the processing, monitoring activities (profiling) and interaction on the website, needs to automatically collect and store the following personal data: client’s email address, phone number, name, sex, address, hometown, date of birth, order ID, county, discount code, discount code value, order value, shipping costs, products’ prices, products’ variations, IP, browser, device, OS, cookie, location due to IP, timestamp, viewed pages, categories, brand, product, click on image, mouse over cart, mouseover price, scroll up & down, add to cart, remove from cart, variation selection, add to wishlist, comment, Facebook Likes, Help page visit.
  • The groups of persons targeted are visitors, registered users and clients of this website, as appropriate, according to the chosen service. Visitors' data will be stored for 2 months; registered users' and clients' data will be stored for 3 years.
  • While providing the Service to the Customer, uses third party service providers (subcontractors) located in EEA and USA ( only for push messages), and the transfer of personal data is based on EU-US Privacy Shield; the data is retained/stored only during the contract between the two parties.
  • Cookies: this website will have to use a first party cookie and will grant access to to that information. This cookie is placed by this website and thus it can be used only in connection to this website. Consequently, a connection between the internal tracking of the users on this website and the tracking on other websites is not technically possible, through this cookie.
  • To unsubscribe or opt-out from please send an email to --please insert your website contact email address here--.

4. How to unsubscribe/opt-out users from

In order for one of your clients not to receive communications from, all you have to do is:
  • Log in to your account;
  • Go to the arrow in the upper right corner near your name and click on Account;
  • Go to the Subscribers section;
  • Look for your client’s email address;
  • Now, you have more options: On/Off for emails, On/Off for SMS, Stop tracking or Remove profile.

5. Legal basis

Commercial Communications are sent only to the users agreed by the Client and only to the contact data provided by the Client. The communication is being made by, on behalf of its Clients.

The Clients have the sole and main obligation to obtain and prove a valid legal basis, for example, consent or legitimate interest.

Processing of personal data for marketing purposes (e.g. newsletter, campaigns, email marketing, web site analysis of the user) can be done based on consent (art. 6 paragraph 1 letter a) of the GDPR) or for the purpose of a legitimate interest (art. 6 paragraph 1 letter f) of the GDPR). If they choose legitimate interest, Clients must internally document their choice, by analyzing the interest, the legitimacy of the interest and the balance (proportionality) between their interest and the data subjects' rights.

Consent must be obtained according to the provisions of art. 2 letter (11), art. 6 paragraph (1), letter a), art. 7 and art. 8 of the GDPR.

Being in an online environment, the consent must belong to the data subject himself/herself and must be freely given, specific, informed, unambiguous and provable. In such a case, a double opt-in mechanism is required. A transparent, easily accessible privacy policy or privacy notice on the website or location of data gathering is a must.

Data subjects must have the possibility to accept/deny, at the time of collection, a processing performed for marketing purposes and/or profiling, for the present or in the future. Implicit consent, forced consent, conditional consent, misleading or unclear consent will not be considered valid consent, thus Clients may be breaching the data protection rules.

Clients should pay attention to the age restriction of minors according to art. 8 of the GDPR.

Clients have the obligation to verify if they have obtained proper consent or if they have a legitimate interest for the following categories of website users and to inform Retargeting Biz, appropriately, for:
  • users registered for an account on the website, or
  • users that made a purchase on the website, or
  • users that subscribed for the newsletter, or
  • users that have subscribed for other forms of communications (SMS, push notification, etc.), or
  • users of the web site.

6. Data not to be collected

Clients should pay attention to the age restriction of minors according to art. 8 of the GDPR and should not collect any data which can be included in the special categories of data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

7. Control of data

Clients hold total control over the data accessed by the data Processor and the responsibility for the documented and legal instructions issued in relation to the data Processor, according to the Data Processor Contracting Rules.

8. Confidentiality of data

The confidentiality of data is a main principle. The Clients, the data Controllers, should set their own limits for the confidentiality of data, limits that will be followed by as a data Processor, accordingly.

The Clients need to check and inform if they have any special rules on the data confidentiality. internally assures an adequate level of data confidentiality by using diverse tools for complying with the confidentiality requirement stated by art. 28 of the GDPR.

9. Security of data; transfer of data

The security measures taken by internally, in order to protect the personal data it accesses on behalf of its Clients are settled in the Data Processors Contracting Rules. adopted its own internal set of rules needed to protect the data accessed and processed, according to the provisions of art. 32 of the GDPR.

Clients need to check and inform if they have any special rules on the data security.

No transfer of data to third countries (to countries which are not in the E.U., E.E.A. or do not have an adequate level of protection, recognized by the E.C.) will exist, unless it is included in this document, the Clients demand/accept the transfer and the transfer is in line with the rules set by art. 44-49 from the GDPR.

10. Contact us about questions or concerns

If you have any questions about this GDPR Best practices guide, you can contact us at:
  • SRL
  • Address: 49th Nicolae Caramfil St., 1st Floor, District 2,
  • Bucharest,
  • 077190, Romania
  • Email: