Privacy Policy-GDPR

1. About Us

DC STORY SRL, a Romanian legal entity with its registered office in Bucharest, Sector 4, 21 Berceni Road, block 28, staircase 2, floor 6, apartment 72, registered with the Trade Registry Office attached to the Bucharest Tribunal under no.J40/1473/2023, VAT number 47522280, represented legally by MARINESCU CEZAR-ANDREI, as an Operator in accordance with Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, processes personal data collected directly from the data subjects, for whose authenticity the Operator does not assume responsibility.

2. Definitions

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

"Recipient" means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not;

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

"Cross-border processing" means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

3. Categories of Processed Personal Data

The Operator collects, processes, stores, and transmits the following personal data belonging to data subjects: name, surname, date of birth, email address, billing/delivery address (country, city, county/sector, street, number, block, staircase, apartment), postal code, bank account, bank account holder, phone number, gender, IP address, internet browser used by the data subject and the operating system version of the device, duration of the website visit, viewed products, Facebook account, Google user account, device location, order AWB number, amount paid as cash on delivery.

4. Personal Data of Minors

The Operator does not process the personal data of individuals who have not reached the age of 18. Data subjects are required to confirm before creating an account, placing an order, and subscribing to the newsletter that they have reached the age of 18. Without confirmation by the data subject, the data subject cannot subscribe to the newsletter, cannot generate their customer account, or place any order.

5. Personal Data in the Case of 3D Secure Card Payment

In the case where the customer opts for card payment for the placed order, the card details for 3D Secure payment, consisting of the card number, cardholder, card expiration date, card type, and security code will not be accessible or collected by the Operator.

6. Purpose of Processing Personal Data

The Operator processes personal data belonging to data subjects for the purpose of finalizing and executing the sales contract, order processing, issuing invoices, product delivery, profiling, direct marketing, customer loyalty, promotional campaigns, contests, raffles, promotions, return of ordered products, refund of payment made, complaint resolution, customer support, reviews, implementation and maintenance of website security, preparation of financial and accounting documents, within the control procedures carried out by state institutions, defending the rights of the operator in judicial and extrajudicial proceedings, for negotiating or concluding collaborations or contracts with third parties, for carrying out commercial/contractual/collaboration activities of the operator, managing relationships with business partners, commercial communication with customers/suppliers/collaborators through any means of communication, communication with public or public-interest bodies or authorities in accordance with legal provisions, audit and control/surveillance activities, monitoring website traffic and its access history, creating content hierarchy, and identifying the most relevant content for the user.

7. Legality of Personal Data Processing

The Operator processes personal data of data subjects under the following conditions: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

8. Duration of Personal Data Processing

The Operator will process personal data of data subjects for the duration of the sales contract execution, order processing, preparation of financial-accounting documents, order delivery, complaint resolution, and publication of reviews on the website.

9. Data Storage Period

The Operator will store personal data of data subjects as follows: for a period of 2 years regarding order history, unless the data subject withdraws consent or deletes their customer account, 1 year in the case of complaints, unless the data subject withdraws consent, 4 years for reviews posted on the website, 10 years concerning the issuance of fiscal invoices for placed orders, 10 years for newsletter subscription, unless the data subject withdraws consent. In the event that legislative changes require other retention periods, the Operator will comply with legal provisions.

10. Rights of Data Subjects

According to Regulation (EU) 2016/679, data subjects have the following rights:

• Right to Information: The data subject has the right to receive information about the operator's data, the personal data processed, the purpose and method of processing personal data.

• Right of Access to Data: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, if so, access to such data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

• In cases where personal data are transferred to a third country or an international organization, the data subject has the right to be informed about the appropriate safeguards.

• The Operator provides a copy of the personal data being processed. For any other copies requested by the data subject, the Operator may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically and unless otherwise requested by the data subject, the information shall be provided in an electronic format commonly used.

• Right to Rectification: The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

• Right to Erasure of Data ("Right to be Forgotten"): The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based; (c) the data subject objects to the processing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services.

• • Right to Restriction of Processing: The data subject has the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or (d) the data subject has objected to processing.

  • Right to Data Portability: The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent; (b) the processing is carried out by automated means.

  • Right to Object: At any time, the data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

  • Right not to be Subject to Automated Decision-Making, including Profiling: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent.

  • Right to Lodge a Complaint with the National Authority for Personal Data Processing Supervision or Courts: The data subject has the right to lodge a complaint with the National Authority for Personal Data Processing Supervision or the court regarding the processing of their personal data.

  • Right to Withdraw Consent for Processing Personal Data: The data subject has the right to withdraw their consent regarding the processing of personal data. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  Data subjects can exercise these rights by submitting a written request to the Operator via email at contact@libreve.com.

  The Operator undertakes to maintain the confidentiality of the data and to internally ensure a process of confidentiality for all persons who come into contact with this information, and to conclude with third parties who have access to this information an agreement regarding the use and processing of data in accordance with the provisions of EU Regulation 679/2016 on the protection of individuals with regard to the processing of personal data.

  To prevent the creation of fictitious customer accounts, the Operator will communicate to the data subject an email to confirm the generated customer account after its creation. In the absence of confirmation by the data subject, the generated customer account will be automatically deleted.

  Access to the data subject's account is only possible by entering the chosen password, to which the Operator does not have access as it is saved in an encrypted form.

  The Operator reserves the right to terminate, without prior notice, accounts and access of members who violate the Terms and Conditions, engage in fraudulent activities, defamation, or attack the security and confidentiality of information within the website or the company operating the website.