Privacy Policy

Privacy Policy on the Protection of Personal Data
CUTIE CRAFT SRL · Last updated: October 12, 2025


To ensure that Users of our Website enjoy full protection of their personal data rights, we have implemented specific safeguards, in compliance with applicable Romanian legislation and with Regulation (EU) 2016/679 (GDPR), effective throughout the European Union since May 25, 2018.

Personal data means any information by which you can be identified, particularly through an identifier such as a name, identification number, location data, online identifier, or one or more elements specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.

CUTIE CRAFT SRL, a Romanian legal entity, registered under tax ID CUI 52548848, having its registered office in Bucharest, Sector 1, Str. Fortunei no. 27, Floor 2, Apt. 11, e-mail suport@cutiecraft.ro (hereinafter “Cutie Craft”, “we”, or the “Controller”), acts as a data controller when processing your personal data.

This policy serves as the information notice required under Articles 13–14 of the GDPR — explaining what data we collect, why and how we use it, with whom we share it, how long we retain it, and what your rights are.

Please read this document carefully and contact us if you have any questions.


1) General Considerations Regarding Your Personal Data

In accordance with the GDPR, Cutie Craft processes personal data lawfully, fairly, and transparently, for legitimate and specific purposes:
operation of the online store www.cutiecraft.ro (“the Website”), processing of orders and payments, product delivery, post-sale support, accounting/tax obligations, and — only with consent — marketing, newsletters, and traffic analysis via non-essential cookies.

Processing operations may include: collection, recording, organization, storage, adaptation, modification, consultation, use, disclosure by transmission, restriction, erasure, or anonymization.
We may share data with processors (e.g., Shopify, Netopia Payments, Sameday, newsletter provider, IT providers) based on contracts ensuring confidentiality, data security, and compliance with data subject rights.

Profiling: only for marketing segmentation or aggregated analytics, and only with cookie/ads consent.
We do not make automated decisions that produce legal or similarly significant effects.

The Website can be used without creating an account; however, certain features (checkout, order history, saved addresses) require one.
We do not process special categories of data (sensitive data) and do not target minors under 16 years old.


2) Data We Collect, Legal Grounds, and Purposes

2.1. Data Provided Directly by You

  • Identification/Contact: name, email, phone, billing and delivery address;

  • Customer Account: password (hashed by the platform), preferences, saved addresses;

  • Order/Return/Support: request content, order number, supporting documents;

  • Product Customization: chosen options (e.g., color).

Legal bases:

  • Contract performance – Art. 6(1)(b) GDPR (account, order, delivery, return/service);

  • Legal obligation – Art. 6(1)(c) GDPR (accounting/tax);

  • Legitimate interest – Art. 6(1)(f) GDPR (fraud prevention, IT security, legal defense);

  • Consent – Art. 6(1)(a) GDPR (newsletter/marketing).

2.2. Data Collected Automatically (Online)

  • Technical/Analytical: IP address, device/browser type, online identifiers, traffic events;

  • Cookies and Similar Technologies: essential (functional/checkout) and, with consent, analytical/advertising (e.g., Google Analytics, Meta Pixel).

Legal bases: legitimate interest (essential/functional cookies) and consent (analytics/ads).
Purposes: website functionality, security, audience measurement, and content or campaign optimization (subject to consent).
Details are provided in the Cookie Policy (link in footer: /politica-cookie).


3) Accounts, Newsletters, and Communications

Customer account: confirmed by email; you can update your data anytime.

Newsletter/Marketing: sent only with your explicit consent (double opt-in where applicable).
You may unsubscribe anytime via the link in each email or by contacting suport@cutiecraft.ro.

Operational communications (orders, shipping, returns) are necessary for contract performance and do not depend on marketing consent.


4) Data Disclosure (Recipients / Processors)

We share only the necessary data with:

  • E-commerce platform/hosting: Shopify (store operation).

  • Online payments: Netopia Payments – processes card payments; Cutie Craft does not access or store card data.

  • Courier: Sameday – for delivery and returns (name, phone, address, delivery instructions).

  • Email/newsletter provider: for email delivery and marketing communications (GDPR compliant).

  • Analytics & Ads: Google Analytics, Meta (Facebook) Pixel – only with consent.

  • Accounting / Legal / Consulting / IT – when necessary.

  • Public authorities: when required by law or for the defense of rights.

All processors are bound by Data Processing Agreements (DPAs) or contractual clauses ensuring GDPR compliance.


5) Data Transfers Outside the EEA

Some providers (e.g., Shopify, Meta) may process or store data outside the European Economic Area (EEA).
In such cases, we rely on Standard Contractual Clauses (SCCs) and additional safeguards (minimization, pseudonymization, encryption) to ensure adequate protection, in line with Art. 46 GDPR.


6) Data Retention Periods

  • Orders/accounting: for the business relationship + 10 years (legal tax requirement);

  • Customer account: until deleted by the user + technical backups per our retention cycles;

  • Support/returns/complaints: up to 3 years after resolution (limitation period);

  • Newsletter/marketing: until consent withdrawal or 2 years of inactivity (reviewed annually);

  • Cookies: as defined in the Cookie Policy.

After expiration, data is irreversibly deleted or anonymized.


7) Data Security

We apply appropriate technical and organizational measures: HTTPS/TLS connections, role-based access control, encrypted passwords, data minimization, access logs, backups, periodic testing and evaluation, and confidentiality agreements with staff and processors.

In the event of a security breach likely to pose a high risk to individuals, we will notify affected persons and the Romanian Data Protection Authority (ANSPDCP), in accordance with Articles 33–34 GDPR.


8) Your Rights (Articles 15–22 GDPR) and How to Exercise Them

You have the following rights:

  • Access to your data and a copy of it;

  • Rectification of inaccurate or incomplete data;

  • Erasure (“right to be forgotten”) under legal conditions;

  • Restriction of processing;

  • Data portability (data you provided, processed automatically based on consent or contract);

  • Objection to processing based on legitimate interest (including direct marketing and profiling);

  • Not to be subject to automated decisions producing legal or similarly significant effects;

  • Withdrawal of consent at any time (without affecting prior processing).

How to exercise your rights: contact us at suport@cutiecraft.ro.
We may request additional information to confirm your identity.
Standard response time: 30 days, extendable by up to 60 days for complex requests (with notice).


9) Complaints

If you are dissatisfied with how we process your data, please contact us first.
You also have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), www.dataprotection.ro.

ANSPDCP contact details:
B-dul G-ral. Gheorghe Magheru no. 28–30, Sector 1, 010336, Bucharest
Tel: +40 318 059 211 / 212
E-mail: anspdcp@dataprotection.ro


10) Minors

Our services are not intended for individuals under 16 years old.
We do not knowingly collect data from minors; if we become aware of such processing, we will promptly delete the data.


11) Cookie Policy

For detailed information about the categories of cookies used, purposes, durations, and consent management, please refer to our Cookie Policy available on the Website (/politica-cookie).
The consent banner allows you to accept/reject non-essential cookies and modify preferences at any time.


12) Automated Decisions / Profiling

We do not make automated decisions that produce legal or similarly significant effects on you.
We may conduct limited marketing segmentation (e.g., audience grouping, conversion measurement) only with marketing cookie consent.
You can opt out at any time.


13) Policy Updates

We may update this policy to reflect legislative or operational changes.
The current version is always available on the Website and includes the date of the latest update.


14) Controller Contact Details

CUTIE CRAFT SRL
Address: Bucharest, Sector 1, Str. Fortunei no. 27, Floor 2, Apt. 11
E-mail: suport@cutiecraft.ro


Main Service Providers (for transparency):

  • Shopify – e-commerce platform (hosting, store infrastructure).

  • Netopia Payments – online payment processor (Cutie Craft does not access card data).

  • Sameday – courier for deliveries and returns.

  • Google Analytics / Meta Pixel – analytics and advertising (only with consent).