PERSONAL DATA PROCESSING INFORMATION NOTICE

I. INTRODUCTION

The protection of personal data is a fundamental priority for us. In the context of our activity carried out through the platform www.daisy-medical.ro, we are committed to respecting the confidentiality and security of the information you provide.

This Policy is designed to ensure full transparency regarding the way we collect, use, store and protect data, in strict compliance with the General Data Protection Regulation (EU Regulation 2016/679) and applicable national legislation, Law no. 190/2018.

II. PURPOSE AND APPLICABILITY OF THIS POLICY

This Privacy Policy describes our practices regarding data collected through the Site, whether you are a simple visitor, a customer placing orders, or a professional requesting personalized offers for veterinary clinics or cosmetic salons. The document explains the legal grounds for processing, the categories of data covered and the rights you benefit from as a data subject. Using the Site, creating an account or completing an order implies acknowledgment of these processing rules.

III. WHO WE ARE AND WHAT ROLE WE PLAY IN DATA PROCESSING

The website www.daisy-medical.ro is administered by DAISY PET S.R.L. (headquartered in Bucharest, Bdul Ficusului, no. 21-23, Sector 1, J2006004970406, CUI RO18518510). In the context of data processing legislation, the entities DAISY MEDICAL S.R.L. and DAISY PET S.R.L. act as Joint Data Controllers and we may transfer between ourselves and the companies affiliated with the Daisy Medical brand the collected data. This means that we establish the purposes and means by which your data is processed.

IV. WHAT IS PERSONAL DATA AND WHAT DOES PROCESSING INVOLVE?

"Personal data" means any information that can lead to the direct or indirect identification of a natural person, such as name, surname, email address, phone number or location data. "Processing" means any operation performed on such data, including collection, recording, organization, storage, consultation, use, transmission to couriers or payment processors and deletion. Daisy Medical collects only the minimum data necessary to fulfill commercial, fiscal and marketing purposes, ensuring that processing is lawful, fair and transparent.

V. CATEGORIES OF PERSONAL DATA PROCESSED, PURPOSE AND LEGAL BASIS

Due to the complex nature of our activity, which combines B2C e-commerce with the provision of professional B2B equipment, the processing of your data takes place in multiple contexts. We are committed to full transparency, informing you that we do not collect more data than is strictly necessary for the stated purposes. Processing is carried out exclusively on the basis of a valid legal ground, in accordance with Article 6 of EU Regulation 2016/679.

The following paragraphs detail the categories of data, the purpose and the legal basis for each interaction on the Site:

1. USER ACCOUNT REGISTRATION AND MANAGEMENT

Creating an account on the Site is the foundation of a simplified shopping experience. Mandatory data categories collected include: email address (as a unique identifier and for communication), first and last name and a password (stored encrypted).

• Purpose of processing: Allowing access to order history, managing loyalty points and facilitating the subsequent purchasing process.
• Legal basis: Performance of a contract (Art. 6 para. (1) lit. b of EU Regulation 2016/679), represented by the Site's Terms and Conditions.

2. PLACING AND COMPLETING AN ORDER (with or without an account)

When you purchase products, we collect: first name, last name, phone number, email address, delivery address and billing details (which will include company identification data and its representative in the case of B2B).

• Purpose of processing: Validation, invoicing, shipment of the order and informing you about the delivery status. The phone number is also used for order confirmation by a Company representative.
• Legal basis: Performance of the distance sales contract (Art. 6 para. (1) lit. b) and fulfillment of legal fiscal obligations (Art. 6 para. (1) lit. c) EU Regulation 2016/679.

3. NEWSLETTER SUBSCRIPTION AND MARKETING COMMUNICATIONS

By completing the Newsletter section or checking the box in the order form, we collect your email address. Data is managed through the TheMarketer platform and may include segmentation based on purchase history.

• Purpose of processing: Sending commercial offers, exclusive promotions and product news. We use profiling to ensure that offers are relevant to your interests.
• Legal basis: Your explicit consent (Art. 6 para. (1) lit. a) of EU Regulation 2016/679 and the legitimate interest of the Company in promoting its services and optimizing marketing strategies after you have become a customer (Art. 6 para. (1) lit. f). EU Regulation 2016/679.

4. INTERACTION THROUGH THE CONTACT FORM, CUSTOMER SUPPORT AND COMPLAINT RESOLUTION

When you contact us with questions or complaints, we process: name, email, phone and the content of the message/complaint.

• Purpose of processing: Resolving support requests, providing technical details about products and managing complaints.
• Legal basis: Legitimate interest (Art. 6 para. (1) lit. f) of EU Regulation 2016/679 to provide customer support, maintain efficient communication and resolve disputes amicably.

5. REQUESTING QUOTES FOR PROFESSIONALS

For veterinary clinics or cosmetic salons, we collect: first name, last name, phone, email of the legal representative and details about the clinic/business represented.

• Purpose of processing: Developing a personalized commercial offer and negotiating specific B2B terms.
• Legal basis: Steps taken at the request of the data subject prior to entering into a contract (Art. 6 para. (1) lit. b) EU Regulation 2016/679.

6. AUTOMATICALLY COLLECTED DATA

Each time the Site is accessed, we collect technical data: IP address, browser type, operating system, pages viewed and visit duration, through server logs and technical cookies managed by the Gomag platform.

• Purpose of processing: Ensuring cybersecurity (attack prevention), monitoring the proper functioning of the Site.
• Legal basis: Legitimate interest (Art. 6 para. (1) lit. f) EU Regulation 2016/679 to ensure a safe and optimized digital environment.

7. INTERACTIONS AND COMMUNICATIONS

We process data (name, email, social profile and message content) when the User/Buyer writes to us directly by email or interacts with the Company's official pages.

• Purpose of processing: Managing commercial and technical correspondence, direct communication with the public and moderating content published on our pages to maintain a civilized dialogue. Processing is also necessary to fulfill archiving obligations of official communications with clients.
• Legal basis: Legitimate interest (Art. 6 para. (1) lit. f of EU Regulation 2016/679 to manage the online presence and ensure user assistance.

VI. DURATION OF STORAGE OF YOUR PERSONAL DATA

The Company processes personal data only for the period necessary to fulfill the purposes for which it was collected, as detailed above, as well as to comply with legal obligations or to defend a legitimate interest before courts. In the absence of an express legal term, storage periods are established internally, based on the principles of proportionality and necessity.

Retention periods by processing category:

• Account data (registration and login): identification data (name, email, password) will be retained for the entire duration of your account's existence on the Site. If you choose to delete your account or if it remains inactive for a period of 5 years, the data will be deleted or anonymized, except for those necessary to fulfill legal obligations or to resolve complaints/litigation, which will be retained in accordance with civil prescription periods (3 years).
• Transactional, billing and order data: data regarding product purchases (including B2B billing data) are subject to retention periods imposed by fiscal legislation. This data will be retained for a period of 10 years from the end of the financial year in which it was generated.
• Marketing data (Newsletter and profiling): the email address used for commercial communications is retained until consent is withdrawn (unsubscription). Data regarding consumer profiles and segmentation carried out through TheMarketer are stored for a maximum period of 2 years from the last interaction, after which they are anonymized for statistical analysis purposes.
• Automatically collected data (security and functionality): server logs, IP address and traffic data processed for Site security (through the Gomag platform) are stored temporarily, usually for a period of 30 - 90 days, except in cases of investigating a security/fraud incident, when they may be retained for the duration necessary to resolve the dispute.
• Data from interactions (email and social media): email correspondence and social media messages are retained for the period necessary to resolve your request or for a maximum period of 2 years from the last interaction, to ensure continuity of technical or commercial support.

VII. RECIPIENTS AND DATA TRANSFERS

The Company respects the confidentiality of your data and does not disclose it except to the extent necessary to fulfill legitimate purposes and only on the basis of a valid legal ground (contract, consent, legal obligation).

Your data may be disclosed to the following categories of recipients:

1. Internal Recipients

Your data is accessible only to Company staff (sales, logistics, accounting, support departments) who have a genuine need to know it (need-to-know basis). For example, warehouse staff access the delivery address, while the support department accesses the order history to resolve complaints.

2. Public Authorities and Control Bodies

Disclosure is made exclusively on the basis of a legal obligation or at their express request:

• Tax authorities (ANAF): For reports related to commercial transactions and invoicing.
• ANPC: In the context of resolving complaints or inspections regarding consumer protection.
• National Supervisory Authority (ANSPDCP): In the context of compliance audits with data processing legislation.
• Courts and criminal prosecution bodies: In case of litigation or at their official request.

3. Service Providers (Processors)

The Company works with specialized third parties who act as processors and process your data strictly in accordance with our instructions (art. 28 of EU Regulation 2016/679):

• IT and Maintenance: Providers that ensure the security and operation of IT systems.
• E-commerce Platform and Hosting Provider: Gomag, which provides the technical infrastructure and database security.
• Payment Services: Netopia Payments, necessary for the secure processing of online transactions.
• Email Marketing Services: TheMarketer, used for managing the newsletter database and sending commercial communications.
• Courier Services: Logistics partners necessary for the physical delivery of parcels.
• Third-Party Analytics and Marketing: Google (Analytics, Ads), Meta (Facebook, Instagram) and TikTok, as well as affiliate networks (Profitshare, 2Performant) or price comparison sites (Compari.ro).
• Communication: Meta Platforms (WhatsApp) in compliance with Standard Contractual Clauses (SCC).

4. Transfer of Data Outside the European Economic Area (EEA)

The Company ensures that your data is processed, as a rule, on the territory of Romania or EEA member states.

In situations where data transfer to third parties requires transfer to countries outside the EEA, the Company will take measures to ensure that the transfer complies with the provisions of art. 44 and following of EU Regulation 2016/679, relying on:

• Adequacy decisions (where applicable).
• Standard Contractual Clauses (SCC) adopted by the European Commission.
• Your explicit consent, after prior information about the risks.

VIII. RIGHTS OF DATA SUBJECTS

In accordance with the provisions of EU Regulation 2016/679, as a data subject, you benefit from a series of rights designed to give you control over your personal data. The Company is committed to facilitating the exercise of these rights in an efficient and transparent manner.

1. Right to information (art. 12, 13, 14). You have the right to receive clear, transparent, intelligible and easily accessible information regarding the processing of your data. This right is fulfilled through this Privacy Policy, which details the Controller, purposes, legal bases, categories of data collected, recipients and storage period.

2. Right of access (art. 15). You have the right to obtain from the Company confirmation as to whether or not personal data concerning you is being processed. If so, you have the right to request access to this data, as well as additional information about the purpose of processing, categories of data, recipients and storage period. The Company will provide you free of charge with a copy of the data being processed. For additional copies, we may charge a reasonable fee based on administrative costs. Manifestly unfounded, excessive or repetitive requests may not receive a response or may receive a substantiated negative response.

3. Right to rectification (art. 16). You have the right to obtain the rectification of inaccurate data concerning you and/or the completion of incomplete data. We will inform all recipients to whom the data has been disclosed about the rectification carried out, except where this proves impossible or involves disproportionate efforts.

4. Right to erasure ("Right to be forgotten", art. 17). You may request the erasure of data in situations provided by law (e.g.: data is no longer necessary, withdrawal of consent or objection to processing). We will analyze the request and delete the data, except in cases where processing is necessary to comply with a legal obligation (e.g.: fiscal archiving for 10 years) or to defend a right in court.

5. Right to restriction of processing (art. 18). You have the right to obtain restriction of processing in certain cases (e.g.: you contest the accuracy of the data or the processing is unlawful, but you object to erasure). When processing is restricted, data may only be stored and may not be processed for any other purpose without your consent.

6. Right to data portability (art. 20). You have the right to receive the data provided to the Company in a structured, commonly used and machine-readable format, as well as the right to request that this data be transmitted to another controller, if this is technically feasible and the processing is based on consent or contract.

7. Right to object (art. 21). You may object at any time to the processing of your data for reasons relating to your particular situation, when the processing is based on the legitimate interest of the Company (art. 6 para. (1) lit. f). The Company will cease processing, unless it demonstrates compelling legitimate grounds which override your interests.

8. Right not to be subject to a decision based solely on automated processing (art. 22). You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects you. The Company does not use decisions based solely on automated processing with legal effects on data subjects.

9. Right to withdraw consent. If processing is based on consent (e.g.: marketing), you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the moment of withdrawal.

10. Right to lodge a complaint with the Supervisory Authority. If you consider that your rights have been violated, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), on the website www.dataprotection.ro, at the address in Bucharest, B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1 or by email at anspdcp@dataprotection.ro.

To exercise any of the above rights, please address a written, dated and signed request to the Company. Please send your request by email to office@daisy-medical.ro or by post/courier to our headquarters.

The Company will respond to your request within 30 days. This period may be extended by two months in complex cases, with prior notice to you. To the extent that the request is unfounded or excessive, the Company may reject it, informing you of the reasons for refusal.

IX. SECURITY OF PROCESSING

The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk inherent in the processing of personal data, in accordance with Article 32 of EU Regulation 2016/679. These measures are designed to protect information against destruction, loss, alteration or unauthorized access, regardless of whether processing takes place in a digital or physical environment. Data security is a constant priority, and our protocols are periodically reviewed and updated to address new technological challenges.

Technical security is based on the use of encryption technologies, including secure transmission through SSL/TLS protocols for the website, installation of updated antivirus and firewall solutions, as well as the implementation of periodic backup systems. These tools ensure data resilience and the ability to rapidly restore availability in the event of a technical incident. On an organizational level, access to data is strictly limited on a need-to-know basis, with our staff and collaborators being periodically trained and subject to strict confidentiality obligations.

In accordance with Articles 33 and 34 of EU Regulation 2016/679, the Company applies clear internal procedures for managing potential personal data breaches. In the event that we identify an incident that poses a risk to your rights and freedoms, we undertake to notify the National Supervisory Authority (ANSPDCP) within a maximum of 72 hours. Data subjects will also be informed without undue delay, thus ensuring full transparency of the remediation process.

X. FINAL PROVISIONS AND COMMITMENT

This Privacy Policy enters into force on the date of publication and may undergo occasional changes to reflect legislative changes or changes to our internal processes. In the case of substantial changes, we will publish the updated version on the Site and update the date of entry into force.

We encourage you to periodically consult this section to stay informed about our commitment to protecting your data.

This document represents a transparency obligation assumed by the Company towards you, designed to guarantee that personal data is treated with the utmost diligence. By continuing to use the Site, creating an account or voluntarily providing data in the available sections, you confirm that you have read and fully understood the provisions of this Policy and that you agree to the processing of data under the described conditions.

Our commitment is to ensure a safe digital environment, based on respect for the fundamental rights of every Buyer and User.