Privacy Policy

This privacy policy describes how BORN ONLINE S.R.L. processes the personal data of users who visit the website and who place orders for products with cash on delivery payment, pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable legislation.

1. Data Controller

The data controller for personal data is BORN ONLINE S.R.L., with registered office at Bradetu 71, bl 0252, 627232 Nistoresti, Vrancea, Romania (hereinafter also “Shoplykraft” or “the company”).

For any request relating to the processing of personal data or to exercise the rights indicated in this policy, you may use the contact details provided in the “Contacts” section of the website.

2. Types of Data Collected

The website may collect and process the following categories of personal data:

• Identification and contact data: first name, last name, shipping address, email address and telephone number provided when filling in the order form or information request form.
• Order-related data: products purchased, quantities, any delivery notes, amounts due. The store exclusively uses cash on delivery payment; therefore, no credit card, bank account or other online payment data is collected or processed.
• Browsing data: IP address, device identifiers, browser type and version, operating system, request times, pages visited, time spent and interactions with the website, collected automatically through cookies and similar technologies.
• Voluntarily provided data: content of messages sent through contact forms, any reviews or communications sent spontaneously to the company.

3. Purposes of Processing and Legal Bases

Personal data is processed for the following purposes, with the corresponding legal bases:

a) Order management and fulfilment of contractual obligations

Preparation and delivery of products, management of pre- and post-sale requests, management of any returns or disputes.
Legal basis: performance of a contract or pre-contractual measures taken at the request of the data subject (Art. 6(1)(b) GDPR).

b) Legal obligations

Tax, accounting and administrative obligations, as well as management of any requests from competent authorities.
Legal basis: compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).

c) Website security and abuse prevention

Monitoring the correct technical functioning of the website, prevention and detection of fraudulent activities or unlawful use.
Legal basis: legitimate interest of the controller in ensuring the security of the website and the protection of its infrastructure and rights (Art. 6(1)(f) GDPR).

d) Statistical analysis and service improvement

Analysis of traffic, most visited pages and user interactions, in aggregate or pseudonymised form, to improve the content and functionality of the website.
Legal basis: legitimate interest of the controller; where required by law, user consent via the cookie management banner (Art. 6(1)(a) and (f) GDPR).

e) Marketing and remarketing activities

Sending commercial communications by email (if applicable), personalisation of advertising through remarketing tools and profiling via cookies and similar technologies.
Legal basis: user consent expressed through the consent collection mechanisms on the website (Art. 6(1)(a) GDPR). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4. Methods of Processing

Data processing is carried out by electronic means and, in limited cases, also on paper, using logic related to the stated purposes and in compliance with the principles of lawfulness, fairness, transparency and minimisation. Adequate technical and organisational measures are adopted to prevent loss, unlawful or improper use and unauthorised access to personal data.

5. Cookies, Tracking Tools and Third-Party Services

The website uses technical cookies and, with the user’s consent, cookies for statistical and marketing purposes, including from third parties. For further details on types, duration and the possibility of withdrawing consent, please refer to the Cookie Policy accessible via the consent banner or from the link at the bottom of the website pages.

Below is a list of the main third-party services that may process personal data through the website. For each service, the provider, general purpose and links to their respective policies are indicated. Users are invited to consult these policies for further details.

Google reCAPTCHA

Provider: Google LLC / Google Ireland Limited
Purpose: Spam protection and automated traffic detection. Analyses certain device information and user interactions to distinguish real people from bots.
Information: Google Privacy Policy, Google Terms of Service.

Google Tag Manager

Provider: Google Ireland Limited
Purpose: Tool that allows managing and distributing other tags and scripts on the website, without adding new tracking functionalities of its own, but enabling the operation of other Google and third-party services.
Information: Tag Manager Page, Google Privacy Policy.

Google Fonts

Provider: Google Ireland Limited
Purpose: Service for integrating external fonts; the server may receive certain information about the device and usage of the page requesting the font.
Information: Google Fonts FAQ, Google Privacy Policy.

Microsoft Clarity

Provider: Microsoft Corporation
Purpose: Behavioural analytics service that uses heatmaps and session recordings to understand how users interact with pages, in pseudonymised form.
Information: Clarity – Data Privacy, Microsoft Privacy Statement.

Google Analytics (Universal and GA4)

Provider: Google Ireland Limited
Purpose: Web analytics services that collect aggregated information on website usage (pages visited, time spent, navigation path) via cookies. In the GA4 configuration, IP addresses are anonymised after collection.
Information: Google Analytics Page, Google Privacy Policy, Google Analytics Opt-out Browser Add-on.

Meta Ads Pixel / Facebook Pixel

Provider: Meta Platforms Ireland Limited
Purpose: Tool that links actions taken on the website with advertising campaigns on Facebook and Instagram, to measure conversions and optimise ads shown to users.
Information: About Meta Pixel, Meta Privacy Policy, Meta Ad Settings.

Google Ads Conversion Tracking

Provider: Google Ireland Limited
Purpose: Service that links actions on the website (for example, submitting an order) to campaigns run through Google Ads, to measure the effectiveness of advertisements.
Information: Privacy and Security in Google Ads, Google Privacy Policy.

Amazon Affiliate Programme

Provider: Amazon Services LLC
Purpose: The website may display banners or links to Amazon products; clicks on such elements may be tracked for the purpose of attributing affiliate commissions.
Information: Amazon Associates Program Operating Agreement, Amazon Privacy Notice.

Google AdSense

Provider: Google LLC / Google Ireland Limited
Purpose: Advertising platform that uses, among other things, the DoubleClick cookie to show personalised ads to users based on browsing on this website and other websites participating in the network.
Information: Privacy and AdSense Information, Google Advertising Technologies.

Facebook Remarketing and Meta Custom Audiences

Provider: Meta Platforms Ireland Limited
Purpose: Services that allow personalised ads to be shown to website users based on their interactions with pages, through Meta’s advertising network.
Information: Meta Privacy Policy, Ad Preferences Management.

Google Ads Remarketing and Remarketing via Google Analytics

Provider: Google Ireland Limited
Purpose: Services that allow personalised ads to be shown to users who have already visited the website, by linking Analytics data with Google’s advertising network.
Information: Remarketing with Google Analytics, Google Advertising Technologies.

6. Data Recipients and Transfers to Third Countries

Personal data may be disclosed, within the limits of the purposes described above, to:

• Providers of IT services, hosting, website maintenance and technical support;
• Couriers and logistics companies responsible for product delivery;
• Consultants and professionals (for example, accountants, lawyers) who assist the company in fulfilling legal obligations;
• Entities providing marketing, analytics and advertising services (Google, Meta, Amazon and others) acting as data processors or independent controllers, according to their respective contractual terms.

Some of the entities indicated are located outside the European Economic Area. In such cases, data transfers take place in compliance with Articles 44 et seq. of the GDPR, on the basis of adequacy decisions by the European Commission or standard contractual clauses approved by the Commission. Further information on transfer mechanisms may be requested from the controller.

7. Data Retention Period

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected and, in particular:

• Order and billing data: for the duration of the contractual relationship and for 10 years thereafter, as required by civil and tax legislation;
• Data collected for marketing purposes: until consent is withdrawn by the user or a deletion request is made, without prejudice to any legal retention obligations;
• Browsing data and data processed through analytics tools: according to the retention periods indicated in the individual tools (for example, generally 26 months for Google Analytics, unless configured differently), or for the time necessary to achieve security and website improvement purposes;
• Cookies and similar tools: as indicated in the Cookie Policy or until consent is withdrawn by the user via the banner or browser settings.

8. Rights of Data Subjects

As a data subject, the user may exercise at any time the rights provided for under Articles 15–22 of the GDPR, including:

• Obtaining confirmation as to whether or not personal data concerning them is being processed and, if so, accessing the data and related information (right of access);
• Requesting the rectification of inaccurate data or the completion of incomplete data (right to rectification);
• Requesting the erasure of data in the cases provided for by law (right to erasure);
• Obtaining the restriction of processing where the conditions set out in the GDPR are met (right to restriction);
• Receiving personal data in a structured, commonly used and machine-readable format and, where technically feasible, transmitting it to another controller (right to data portability);
• Objecting at any time to processing based on the legitimate interest of the controller and to the processing of data for direct marketing purposes, including profiling related to such marketing (right to object);
• Withdrawing consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

To exercise these rights, the user may contact the controller through the contact details provided on the website.

9. Mandatory Nature of Data Provision

Providing the personal data requested in the order forms is necessary for the conclusion and performance of the purchase contract. Refusal to provide such data makes it impossible to process the order and deliver the products.

Providing data for marketing and profiling purposes is optional, and failure to give consent does not prevent access to the main services offered by the website.

10. Automated Decision-Making Processes

Users’ personal data is not subject to fully automated decision-making processes that produce legal effects or that similarly significantly affect the individual, pursuant to Article 22 of the GDPR. Any profiling activities take place through the use of cookies and tracking tools described in the Cookie Policy and are subject to the user’s consent.

11. Updates to This Policy

This privacy policy may be amended over time to adapt to regulatory changes, updates to the services offered or technological developments. The updated version is always published on this page and shows the date of the last update. Continued use of the website after changes are made will constitute acceptance of the new conditions, where necessary and within the limits permitted by law.