I. General information

We believe that the protection of your data is a fundamental right that you have and we undertake to dedicate all necessary resources and efforts to process your data in accordance with Regulation (EU) 2016/679 ("General Data Protection Regulation" or "GDPR"), as well as with any other legislation applicable on the territory of Romania.

The purpose of this document is to inform you correctly, specifically and unequivocally about the way in which and the purpose for which this data is collected and processed, the period for which this data is stored, and the way in which individual rights are exercised, as well as to provide you with information on the secondary purpose of the processing if the data is processed for a purpose other than that for which it was collected by the collectors concerned.

We reserve the right to periodically update and change this Privacy Policy in order to reflect any changes to the way in which we process your personal data or any changes with regard to legal requirements. In the event of any such changes, we will display the modified version of the Privacy Policy on our website, which is why we ask you to please check the contents of this Privacy Policy periodically.

II. Who we are and how you can contact us

COMMON DESIGN LAB S.R.L. having its registered office in Str. Milcov, nr. 42, parter, camera 1, Mun. Focsani, Jud. Vrancea is the owner of the common.parts online store.

According to the requirements of Regulation no. 679 of 27.04.2016 (GDPR) on the protection of individuals with regard to the processing of personal data and the free movement of such data, common.parts has the obligation to manage safely and only for the specified purposes, the personal data you provide to us about yourself.

As we are interested in finding out your opinion and in answering any additional questions regarding the processing of Personal Data, we encourage you to contact the common.parts data protection officer at the email address info@common.parts or by mail or courier at: Str. Milcov, nr. 42, parter, camera 1, Mun. Focsani, Jud. Vrancea with the mention "to the attention of the common.parts data protection officer".

III. What categories of personal data do we process

We generally collect your personal data directly from you, so you have control over the type of information you provide to us. By way of example, we receive information from you as follows:

When you create a common.parts account, you send us your email address, last name, and first name.

Within your personal page (My Account) on the common.parts website, you can add additional information, such as delivery addresses, frequently used payment cards, etc.

When you place an order, you provide us information such as the desired product, last name, and first name, delivery address, invoicing details, payment method, phone number, bank card details, etc.

By providing these data you give your free and unequivocal consent that all your personal data may be included in our database, in strict compliance with the legal provisions regarding the protection of individuals with regard to the processing of personal data and the free movement of such data. According to the legitimate interest stipulated in GDPR, we mention that the reasons why we need this data are: online trade, sending our offers and marketing and advertising messages by e-mail, organizing contests, etc.

We also offer you the opportunity to register on the common.parts website through your Facebook or Google account. If you opt for one of these, you will be directed to a page managed by Facebook Inc/Google LLC, where they will inform you about the transfer of your data to common.parts. You can view the privacy policies of Facebook and Google, respectively, using the following links:

https://www.facebook.com/about/privacy

https://policies.google.com/privacy

We may also collect and further process certain information about your behaviour while visiting our website, in order to personalize your online experience and provide you offers tailored to your profile. We invite you to find out more details in this regard by consulting the section with regard to the purposes of processing below.

On our website we may store and collect information in cookies and similar technologies, according to the Cookies Policy.

We do not collect or otherwise process sensitive data, included in the General Data Protection Regulation in special categories of personal data. We also do not want to collect or process data belonging to minors under the age of 16.

IV. What are the purposes and grounds of processing

We will use your personal data for the following purposes:

For the provision of common.parts services and/or products for your benefit.

This general purpose may include, as appropriate, the following:

a) Creation and administration of the account within the common.parts website;

b) Order processing, including the taking over, validation, shipping and invoicing thereof;

c) Solving cancellations or issues of any kind related to an order, to the goods or services purchased;

d) Returning the products according to the legal provisions;

e) Refunding the value of products according to the legal provisions;

h) Providing support services, including answers to your questions about your orders or common.parts goods and services.

The processing of your data for these purposes is in most cases necessary for the conclusion and performance of a contract between common.parts and you. Also, certain processing subject to these purposes is required by the applicable law, including the tax and accounting law.

To improve our services.

We always want to offer you the best online shopping experience. To do this, we may collect and use certain information about your behaviour as a buyer, we may invite you to fill in satisfaction questionnaires after the completion of an order, or we may conduct, directly or with the help of partners, market research and studies.

These activities are based on our legitimate interest to carry out commercial activities, always making sure that your fundamental rights and freedoms are not affected.

For marketing.

We want to keep you informed about the best offers for the products/services that interest you. In this regard, we can send you any type of message (such as: e-mail/SMS/telephone/mobile push/webpush/etc.) containing general and thematic information, information on similar products or on products complementary to those that you have purchased, information on offers or promotions, information on products added in the "My Account/My Cart" section or the "Account/Favourites" section or in relation to which you have shown interest in purchasing them, as well as other commercial communications such as market research and opinion polls. In order to provide you information of interest to you, we may use certain data about your buyer behaviour (e.g. products viewed/added to your wishlist/purchased) to create a profile for you. We always ensure that such processing is carried out in compliance with your rights and freedoms and that the decisions taken on the basis thereof have no legal effect on you and do not affect you similarly to a significant extent.

In most cases, our marketing communications are based on your prior consent. You can change your mind and withdraw your consent at any time by:

- Changing the settings in the customer account in the "My Subscriptions" section;

- Accessing the unsubscribe link displayed in the messages you receive from us; or

- Contacting common.parts using the contact details described above.

In certain situations, our marketing activities are based on our legitimate interest in promoting and developing our business. In any case where we use information about you for our legitimate interest, we take care and we take all necessary measures to ensure that your fundamental rights and freedoms are not affected. However, you can ask us at any time, by the means described above, to stop the processing of your personal data for marketing purposes, and we will process your request.

In order to create a profile, monitor and send personalized communications and offers, we use ____________, an automated marketing software, dedicated to online stores.

• These activities have no legal effect or other similar significant effect on users. The only consequence of using this profiling is for users to receive discounts and customized marketing offers. The user can choose not to be profiled or to receive commercial communications, without any effect, other than that of receiving these discounts or customized marketing offers.

• For the purpose of processing, monitoring activities (profiling) and interaction with the website, common.parts must automatically collect and store the following personal data: e-mail, phone number, last name, first name, gender, date of birth, city, county, IP address (including possible location), browser, order ID, discount code, discount value, shipping cost, total value of order, individual price of ordered products, product variations, products, device, OS, IP location, timestamps related to page visit, page visit, category visit, brand visit, click on the picture, mouse over cart, mouse over price, scroll up, scroll down, add to cart, remove from cart, select variation, add to wishlist, comment, Like on Facebook, help page visit.

• The categories of data subjects are visitors, registered users, or customers of the website, as the case may be, depending on the chosen service. Visitors' data will be stored for 2 months, and those of registered users or customers for 3 years.

• In order to provide its services, common.parts uses authorized third parties (subcontractors) from the EEA and the USA (only for push notifications), and the transfer of personal data is done under the EU-US Privacy Shield: the data is retained/stored during the agreement between the two parties.

To defend our legitimate interests.

There may be situations in which we use or transmit information to protect our rights and commercial activity. These may include:

- Measures to protect the common.parts website from cyber-attacks;

- Measures to prevent and detect fraudulent attempts, including the transmission of information to the competent public authorities;

- Measures to manage various other risks.

The general ground of these types of processing is our legitimate interest in defending our commercial activity, meaning that we ensure that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

Also, in certain cases, in processing your data we rely on legal provisions such as the obligation to ensure the protection of goods and values provided by the applicable legislation in this matter.

V. To whom we transmit your personal data

Where applicable, we may transmit or provide access to certain personal data that belong to you to the following categories of recipients:

- courier service providers;

- payment/banking service providers;

- marketing/telemarketing service providers;

- market research service providers;

- insurance companies;

- IT service providers;

- to other companies with which we can develop joint programs for the marketing of our goods and services.

If we have a legal obligation or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to public authorities.

We ensure that access to your data by third-party legal entities under private law is made in accordance with the legal provisions on data protection and confidentiality of information, under certain contracts concluded with them.

VI. How long do we store your personal data

We will usually store your personal data as long as you have an account on the common.parts platform. You may ask us to erase certain information or close your account at any time, and we will respond to such requests, subject to the keeping of certain information, including after your account has been closed, where applicable law or our legitimate interests so require.

VII. In which countries we transfer your personal data

We currently store and process your personal data in Romania.

However, we may transfer certain personal data that belong to you to entities located in the European Union or outside the Union, including in countries in relation to which the European Commission has not acknowledged an adequate level of protection of personal data.

We will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards, such as standard contractual clauses issued by the European Commission or certification schemes, such as the Privacy Shield for the protection of personal data transferred from within the EU to the United States.

You can contact us at any time, using the contact details set out above, in order to find out more information about the countries in which we transfer your data, as well as about the safeguards we have put in place regarding these transfers.

VIII. How do we protect the security of your personal data

We undertake to ensure the security of personal data by implementing appropriate technical and organizational measures, according to industry standards. For the payments, we use the services of the payment processor Stripe.

Despite the measures taken to protect your personal data, we warn you that the transmission of information via the Internet, in general, or through other public networks, is not completely secure, as there is a risk that the data may be seen and used by unauthorized third parties. We cannot be held responsible for such vulnerabilities occurring in systems that are beyond our control.

Common Design Lab S.R.L. tries, by all means, to monitor and limit the access of its employees directly to the database but is not responsible for their malicious intent or for the theft of the database caused by them during the working hours, which is considered abusive and for which they shall be subject to criminal penalties and termination of the employment contract as well as to the payment of indemnities.

Common Design Lab S.R.L. collects information and processes it into statistical data about which pages you access inside the common.parts website, including the IP address from which you visit the common.parts website.

Common Design Lab S.R.L. uses cookies as a method to improve its activity and the online experience of its users. What are the cookies and what cookies do we use? See here - ___________________________________________.

By filling in your data in the account creation and/or Order form, you hereby declare that you accept that your personal data be included in the common.parts database and you expressly and unequivocally agree that all such personal data be stored, used and processed under an unlimited territorial and/or temporal basis by common.parts, their affiliates and collaborators for the development and/or carrying out by common.parts, their affiliates, and collaborators of activities such as commercial activities, product promotion and services, marketing, advertising, media, administrative, development, market research, statistics, tracking and monitoring of sales and consumer behavior activities.

IX. What rights do you have?

The General Data Protection Regulation gives you a number of rights in relation to your personal data. You may request access to your data, the correction of any errors in our files and/or you may object to the processing of your personal data. You may also exercise your right to complain to the competent supervisory authority or to go to court. Where applicable, you may also have the right to request the erasure of your personal data, the right to restrict the processing of your data, and the right to data portability.

You can find out more information about each of these rights by consulting the table below.

In order to exercise your rights, you can contact us using the contact details set out above. Please note the following aspects if you wish to exercise these rights:

Identity. We take seriously the confidentiality of all records that contain personal data. For this reason, please send us your requests regarding such registrations using the email address associated with the common.parts account. Otherwise, we reserve the right to check your identity by requesting additional information aimed at confirming your identity.

Fees. We will not charge you any fee in order for you to exercise any rights with respect to your personal data, unless your request for access to information is ungrounded, repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees applied before resolving your request.

Response time. We intend to respond to any valid requests within a maximum of one month, unless this is particularly complicated or if you have made several requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We may ask you if you can tell us exactly what you want to receive or what worries you. This will help us act faster and shorten the response time to your request.

Third-party rights. We must not comply with a request if it adversely affects the rights and freedoms of other data subjects.

Aimed rights Description

Access

You can ask us:

• to confirm to you whether we process your personal data;

• to provide you with a copy of these data;

• to provide you with other information about your personal data, such as the data we have, what we use it for, to whom we disclose it, if we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, where we obtained your data from, to the extent that the information has not already been provided to you by this notification.

Rectification

You may ask us to rectify or supplement your inaccurate or incomplete personal data.

We may try to check the accuracy of the data before rectifying it.

Erasure of data

You can ask us to delete your personal data, but only if:

• these are no longer necessary for the purposes for which these were collected; or

• you withdrew your consent (if the data processing was based on consent); or

• you exercise a legal right to object; or

• these were processed illegally; or

• we have a legal obligation in this regard.

We do not undertake to comply with your request to erase your personal data if the processing of your personal data is necessary:

• for compliance with a legal obligation; or

• for finding, exercising, or defending a right in court.

There are certain other circumstances in which case we are not required to comply with your request to erase the data, although these two are most likely the circumstances in which we may deny this request.

Please note that before exercising this right, you must download from the common.parts account and save all the documents related to the orders made from common.parts, regardless of whether the invoicing was made to you or to another natural or legal person (such as invoices, warranty certificates). If you fail to do this before exercising your right to erasure, you will lose all these documents and common.parts will be unable to provide them to you, as appropriate, because the erasure of the data, and therefore of the common.parts account with all its data and documents, is an irreversible process.

Restriction of data processing

You can ask us to restrict the processing of personal data, but only if:

• the accuracy thereof is challenged (see the rectification section), in order to allow us to verify the accuracy thereof; or

• the processing is illegal, but you do not want the data to be erased; or

• these are no longer needed for the purposes for which they were collected, but you need them in order to find, exercise or defend a right in court; or

• you have exercised your right to object, and the check whether our rights prevail is ongoing.

We may continue to use your personal data following a request for a restriction if:

• we have your consent; or

• to find, exercise or ensure the defense of a right in court; or

• to protect the rights of common.parts or of another natural or legal person.

Data portability

You can ask us to provide your personal data in a structured, commonly used and automatically readable format, or you can request that it be "ported" directly to another data controller, but in each case only if:

• the processing is based on your consent or on the conclusion or performance of a contract with you; and

• the processing is done by automatic means.

Objection

You may object at any time, for reasons related to your particular situation, to the processing of your personal data under our legitimate interest, if you consider that your fundamental rights and freedoms prevail over this interest.

You may also object at any time to the processing of your data for direct marketing purposes (including profiling), without giving any reason, in which case we will terminate such processing as soon as possible.

Automatic decision making

You may request not to be subject to a decision based solely on automatic processing, but only when that decision:

• produces legal effects in relation to you; or

• affects you in a similar way and to a significant extent.

This right shall not apply where the decision reached following the automatic decision-making:

• is required in order to conclude or perform a contract with you;

• is authorized by law and there are adequate safeguards for your rights and freedoms; or

• is based on your explicit consent.

Complaints

You have the right to lodge a complaint with the supervisory authority regarding the processing of your personal data. In Romania, the contact details of the data protection supervisory authority are as follows:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

(National Authority for the Supervision of Personal Data Processing)

B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, zip code 010336, Bucharest, Romania

Phone: +40.318.059.211 or +40.318.059.212;

E-mail: anspdcp@dataprotection.ro

Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise you that we will make every effort to resolve any issue amicably.

We remind you that you can contact the common.parts Data Protection Officer at any time by submitting your request in any of the following ways:

- by e-mail to: info@common.parts or

- by mail or courier to the address: Str. Milcov, nr. 42, parter, camera 1, Mun. Focsani, Jud. Vrancea with the mention "to the attention of the common.parts Data Protection Officer".