4. WHAT ARE THE PURPOSES AND LEGAL BASES FOR PROCESSING?
We will use your personal data for the following purposes:
For processing orders and delivering purchased products
This general purpose may include, as applicable, the following:
- Creating and managing your account on the MYGRACE platform;
- Processing orders, including receiving, validating, shipping, and invoicing them;
- Handling cancellations or resolving any issues related to an order, the purchased goods, or services;
- Returning products in accordance with legal provisions;
- Refunding the value of products in accordance with legal provisions;
- Providing support services, including responding to your questions regarding your orders or MYGRACE goods and services.
Additionally, some processing activities related to these purposes are required by applicable law, including fiscal and accounting legislation.
For improving our services
We continuously aim to provide you with the best online shopping experience. For this purpose, we may collect and use certain information regarding your behavior as a customer, invite you to complete satisfaction questionnaires after completing an order, or conduct, directly or with the help of partners, market research and surveys.
We base these activities on our legitimate interest in carrying out business activities, always ensuring that your fundamental rights and freedoms are not affected.
For marketing purposes
We want to keep you informed about the best offers for products/services you are interested in. To this end, we may send you messages (such as email/SMS/mobile push/web push, etc.) containing general and thematic information, information about products similar or complementary to those you purchased, information about offers or promotions, information regarding products added to the “My Account/My Cart” or “My Account/Favorites” sections, or products you have shown interest in purchasing, as well as other commercial communications, such as market research and surveys, and we may display personalized recommendations on the website and mobile app.
To provide you with information relevant to your interests, we may use certain data about your behavior as a customer (e.g., viewed products / added to favorites / purchased) to create a profile. We always ensure that this processing respects your rights and freedoms and that decisions based on this data have no legal effect on you and do not significantly affect you in a similar way.
In most cases, our marketing communications are based on your prior consent. You may withdraw your consent at any time by:
- Accessing the unsubscribe link provided in the messages you receive from us;
- Contacting MYGRACE using the contact details described on the contact page.
In certain situations, we may rely on our legitimate interest in promoting and developing our business activities for marketing purposes. Whenever we use your information for our legitimate interest, we take all necessary measures to ensure your fundamental rights and freedoms are not affected. Nevertheless, you may request at any time, through the means described above, that we stop processing your personal data for marketing purposes, and we will comply with your request.
For defending our legitimate interests
There may be situations in which we use or share information to protect our rights and business activities. These may include:
- Measures to protect the website and MYGRACE platform users from cyberattacks;
- Measures to prevent and detect attempts at fraud, including sharing information with competent public authorities;
- Measures to manage other risks.
The general legal basis for these types of processing is our legitimate interest in defending our business activities, ensuring that all measures we take balance our interests with your fundamental rights and freedoms.
Additionally, in certain cases, we rely on legal obligations, such as the obligation to ensure the protection of property and assets as provided by applicable legislation.
5. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
As a general rule, we will store your personal data for as long as you have an account on the MYGRACE platform. You may request the deletion of certain information or the closure of your account at any time, and we will comply with these requests, subject to retaining certain information even after the account is closed, in situations where applicable law or our legitimate interests require it.
6. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
Where applicable, we may transfer or grant access to certain personal data of yours to the following categories of recipients:
- companies within the same group of companies as MYGRACE;
- courier service providers;
- payment/banking service providers;
- marketing/telemarketing service providers;
- market research service providers;
- insurance companies;
- IT service providers;
- other companies with which we may develop joint programs to market our goods and services.
If we have a legal obligation or if it is necessary to protect our legitimate interests, we may also disclose certain personal data to public authorities.
We ensure that access to your data by private legal entities is carried out in compliance with data protection and confidentiality laws, based on contracts concluded with these entities.
7. IN WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?
Currently, we store and process your personal data within Romania.
However, we may transfer certain personal data to entities located within the European Union or outside the Union, including to countries that the European Commission has not recognized as providing an adequate level of personal data protection.
We will always take measures to ensure that any international transfer of personal data is handled carefully to protect your rights and interests. Transfers to service providers and other third parties will always be safeguarded through contractual commitments and, where applicable, other guarantees, such as: standard contractual clauses issued by the European Commission or certification schemes, such as the Privacy Shield for personal data transferred from the EU to the United States of America.
You can contact us at any time, using the contact details provided above, to obtain more information about the countries to which we transfer your data, as well as the safeguards we have implemented for these transfers.
8. HOW DO WE PROTECT THE SECURITY OF YOUR PERSONAL DATA?
We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures in accordance with industry standards.
The transmission of your personal data is carried out using state-of-the-art encryption algorithms, and the data is stored on secure servers, while also ensuring data redundancy.
Despite the measures taken to protect your personal data, please note that the transmission of information over the Internet in general, or via other public networks, is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties. We cannot be held responsible for such vulnerabilities in systems that are beyond our control.
9. WHAT RIGHTS DO YOU HAVE?
The General Data Protection Regulation (GDPR) recognizes a series of rights regarding your personal data. You can request access to your data, correct any errors in our files, and/or object to the processing of your personal data. You can also exercise your right to lodge a complaint with the competent supervisory authority or take legal action. Where applicable, you may also benefit from the right to request the deletion of your personal data, the right to restrict the processing of your data, and the right to data portability.
More information about each of these rights can be found in the section below.
| Right | Description |
|---|---|
| Right of access | You can request us to: · confirm whether we are processing your personal data; · provide you with a copy of this data; · provide you with other information about your personal data, such as the data we hold, how we use it, to whom we disclose it, whether it is transferred abroad and how it is protected, how long we retain it, what rights you have, how to make a complaint, and where we obtained your data, to the extent that this information has not already been provided to you through this notice. |
| Right to rectification | You can request us to correct or complete your inaccurate or incomplete personal data. We may verify the accuracy of the data before correcting it. |
| Right to erasure (“right to be forgotten”) | You can request the deletion of your personal data, but only if: · the data is no longer necessary for the purposes for which it was collected; · you have withdrawn consent (where processing was based on consent); · you exercise a legal right to object; · the data has been processed unlawfully; · we have a legal obligation to delete it. We are not required to comply with your request if processing is necessary: · to comply with a legal obligation; or · to establish, exercise, or defend a legal claim. There may be other circumstances where we are not obliged to delete the data, though the above are the most common. |
| Right to restriction of processing | You can request the restriction of processing if: · the accuracy of your data is contested; · processing is unlawful but you do not want the data deleted; · the data is no longer necessary for the purposes collected, but you need it to establish, exercise, or defend a legal claim; · you have exercised the right to object while verifying whether our legitimate interests override yours. We may continue to use your data if: · you have given consent; · it is needed to establish, exercise, or defend legal claims; · it is necessary to protect the rights of GODDESS INTERNATIONAL or another person. |
| Right to data portability | You can request to receive your personal data in a structured, commonly used, and machine-readable format, or request it to be transferred directly to another data controller, but only if: · processing is based on consent or a contract with you; and · processing is carried out by automated means. |
| Right to object | You can object at any time, for reasons related to your particular situation, to the processing of your personal data based on our legitimate interest if you believe your rights and freedoms prevail. You can also object at any time to direct marketing processing (including profiling) without giving a reason, in which case we will stop this processing as soon as possible. |
| Right not to be subject to automated decision-making | You can request not to be subject to a decision based solely on automated processing if it produces legal effects concerning you or significantly affects you in a similar way. This right does not apply if the automated decision is: · necessary for entering into or performing a contract with you; · authorized by law with appropriate safeguards; or · based on your explicit consent. |
| Right to withdraw consent | If personal data is processed based solely on your prior consent, you can withdraw consent at any time. Withdrawal leads to the automatic deletion of personal data, except where processing cannot cease for legitimate reasons (e.g., for court purposes). |
| Right to lodge a complaint with the supervisory authority | You have the right to lodge a complaint with the competent data protection authority. In Romania, the contact details are: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, Bulevardul General Gheorghe Magheru, no. 28-30, Sector 1, postal code 010336, Bucharest, Romania; Phone: +40.318.059.211 / +40.318.059.212; Email: anspdcp@dataprotection.ro. |
Without affecting your right to contact the supervisory authority at any time, please contact us first and we promise to make all reasonable efforts to resolve any issue amicably.
To exercise your rights, you can contact us using the details provided above. Please note the following when exercising these rights:
- We take the confidentiality of all records containing personal data seriously. Therefore, please send your requests using the email associated with your MYGRACE account. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm your identity.
- We will not charge a fee to exercise any right regarding your personal data, except where the request is unfounded, repetitive, or excessive, in which case we may charge a reasonable fee. We will inform you of any fees before processing your request.
- Response time: We aim to respond to valid requests within one month, except in particularly complex cases or multiple requests, where we will respond within two months. We will inform you if more time is needed. We may ask for clarification to better understand your request and expedite processing.
- Third-party rights: We are not obliged to comply with a request if it would negatively affect the rights and freedoms of other individuals.
10. DPO CONTACT (Data Protection Officer – Person Responsible for Data Protection)
We remind you that you can contact the MYGRACE Data Protection Officer at any time by submitting your request using any of the following methods:
- By email: protectia.datelor@mygrace.ro
- By mail or courier to the address: Bucharest, Sector 4, Strada Drumul Jilavei, No. 52, 1st Floor, Apartment 7 – with the mention: “Attention: Data Protection Officer at MYGRACE.”