Privacy Policy — LARIÉTTE

Last updated: 10.12.2025
This Privacy Policy applies to personal data processing carried out through www.lariette.ro and in our interactions with customers/users in the EU/EEA.


1) The Controller

CUCERENCU MARIN SOLE PROPRIETORSHIP (“LARIÉTTE”, “we”, “us”)
Registered office: Șoseaua Păcurari 157, Floor 1, Office 3, 700545 Iași, Romania
Trade Registry (ONRC): ROONRC.F2025050456009 · Tax ID (CUI): 53081855
General contact & GDPR rights: contact@lariette.com · Phone/WhatsApp: +40 743 078 080

We have not appointed a Data Protection Officer (DPO). For any GDPR-related matter, please use the contact details above.

“Processor” = a provider that processes personal data on our behalf, under Article 28 GDPR.


2) What data we process, why, and on what legal basis

Below are the main purposes, examples of data processed, and legal bases under Article 6 GDPR:

Account, orders & delivery

  • Data (examples): name, address, phone number, email address, ordered products, delivery instructions

  • Legal basis: performance of a contract (Art. 6(1)(b))

Payments

  • Data (examples): transaction ID, payment status (card details are processed by the payment processor)

  • Legal basis: performance of a contract (Art. 6(1)(b)) + legitimate interest in fraud prevention (Art. 6(1)(f))

Invoicing / accounting

  • Data (examples): billing details for individuals/companies, fiscal documents

  • Legal basis: legal obligation (Art. 6(1)(c))

Loyalty program

  • Data (examples): email, account details, points, purchase history

  • Legal basis: Art. 6(1)(b) and/or Art. 6(1)(f)

Customer support

  • Data (examples): email/WhatsApp/chat conversations, photo attachments

  • Legal basis: legitimate interest (Art. 6(1)(f))

Marketing (newsletter/SMS)

  • Data (examples): email/phone number, preferences

  • Legal basis: consent (Art. 6(1)(a)); for existing customers: legitimate interest (Art. 6(1)(f), with the right to object)

Analytics & UX personalization

  • Data (examples): online identifiers/cookies, browsing events

  • Legal basis: consent (Art. 6(1)(a)) – see the Cookie Policy

Fraud prevention & IT security

  • Data (examples): IP address, logs, transaction patterns

  • Legal basis: legitimate interest (Art. 6(1)(f))

Warranties / returns / findings reports

  • Data (examples): order number, findings reports, photos

  • Legal basis: Art. 6(1)(b) + Art. 6(1)(f)

Recruitment (if you apply)

  • Data (examples): CV, contact details

  • Legal basis: Art. 6(1)(a) and/or Art. 6(1)(b)

We do not request special categories of data (Art. 9 GDPR). We do not intentionally target or process personal data of minors under 16.

Legitimate interest & objection. Where we rely on legitimate interest, we carry out a balancing test (LIA). You may object at any time (Art. 21 GDPR). For direct marketing, we will stop processing without conditions.


3) Where we obtain data from

We obtain data directly from you (orders/account/support), from your interaction with the website, and to a limited extent from technical partners (payment/delivery confirmations).


4) Who we share data with (recipients / processors)

  • E-commerce platform & hosting: Shopify

  • Payment processor: the provider integrated within Shopify (e.g., Netopia/PlățiOnline/Stripe, depending on the active integration)

  • Couriers: Urgent Cargus, FAN Courier, Sameday (Romania); DHL (international)

  • Invoicing: Oblio (invoice issuance and transmission)

  • Communications: email providers & Shopify Inbox; WhatsApp (Meta)

  • Consultants / lawyers / auditors / authorities: only when legally required or necessary

We sign Data Processing Agreements (Art. 28 GDPR), implement appropriate technical and organizational measures, and we do not sell your data.


5) Transfers outside the EEA

Some providers may process data outside the EEA (e.g., Shopify/Inbox/Meta). We use valid GDPR transfer mechanisms: Standard Contractual Clauses (SCCs), adequacy decisions, plus supplementary measures (encryption in transit, data minimization, access controls). Details can be requested at contact@lariette.com.


6) How long we keep data (retention)

  • Orders & delivery: warranty period + 3 years (statutory limitation) — Art. 6(1)(b)/(f)

  • Fiscal documents/invoices: 10 years — Art. 6(1)(c)

  • Customer account: until account closure or 2 years of inactivity (after notice) — Art. 6(1)(b)/(f)

  • Support (tickets/attachments): 3 years from resolution — Art. 6(1)(f)

  • Marketing (newsletter/SMS): until consent is withdrawn; consent logs kept 3 years — Art. 6(1)(a)

  • Anti-fraud & security logs: 12 months (longer if justified) — Art. 6(1)(f)

  • Recruitment: 6 months (with consent, up to 2 years) — Art. 6(1)(a)/(b)

After the retention period, we securely delete or anonymize the data. Deletions from active systems propagate to backups through rotation within a maximum of 90 days.


7) Security

We use TLS encryption in transit, role-based access control, hashed passwords, platform-level WAF/firewall, logging & audits, data minimization and need-to-know access, staff training, and periodic review of critical suppliers.

Incidents. If a breach is likely to result in a risk to individuals’ rights and freedoms, we notify ANSPDCP within 72 hours and, if the risk is high, we inform affected individuals without undue delay (Art. 33–34 GDPR).


8) Marketing, SMS & cookies

  • Newsletter/SMS: only with consent, or for existing customers based on legitimate interest (similar offers), with easy opt-out in every message.

  • Cookies & similar technologies: used only according to the preferences expressed in the consent banner (categories: essential/analytics/marketing). Full details are available in the Cookie Policy (providers, durations, purposes).

  • Automated decisions / profiling: we do not make automated decisions producing legal effects; we use simple segmentation to improve relevance.


9) UGC / Reviews / Photos

If you submit reviews or photos, we process them under legitimate interest for moderation and publication on our website/social channels. You may request removal at any time at contact@lariette.com.


10) Social media (joint controllers)

For Facebook/Instagram Page Insights statistics, LARIÉTTE and Meta Platforms act as joint controllers (under Meta’s terms). You may exercise your rights directly with Meta as well.


11) Communication via third-party channels (WhatsApp/Inbox)

If you contact us via WhatsApp or Shopify Inbox, your messages are processed by third-party providers. Please avoid sending sensitive data; if needed, we can move the conversation to email.


12) Your rights (Art. 12–22 GDPR)

You have the right to access, rectification, erasure, restriction, portability, objection (especially to marketing/legitimate interest), and to withdraw consent (without affecting prior lawfulness).

How to request: email contact@lariette.com. For security, we may request identity verification (e.g., the order email address or an authenticated account). We respond within 30 days (may be extended by up to 60 days where necessary, with prior notice).


13) Minors

Our services are not intended for persons under 16. If you are a parent/guardian and believe a minor has provided us with data, contact us for deletion.


14) Supervisory authority

You have the right to lodge a complaint with ANSPDCP – Bd. G-ral Gheorghe Magheru 28–30, Bucharest, Romania, www.dataprotection.ro.
Before doing so, we encourage you to contact us first so we can resolve the issue promptly and amicably.


15) Changes to this Policy

We may update this Policy (e.g., changes in providers or legal requirements). The current version shows the last update date; for significant changes, we will provide appropriate notice (email/banner).