Last updated: 11 September 2025
Introduction
This Privacy Policy describes how ELORYS, as a personal data Controller, collects, uses, stores and protects your personal data in the context of using the Website www.elorys.com (hereinafter referred to as the “Website”).
Through this Policy, we wish to inform you in a transparent and clear manner regarding:
- what types of personal data we collect about you;
- for what purposes and on what legal grounds we process this data;
- to whom we may transmit it and under what conditions;
- what rights you have in relation to your personal data;
- how we ensure the confidentiality and security of this data.
ELORYS strictly complies with applicable data protection provisions, including Regulation (EU) 2016/679 (GDPR) and relevant national legislation applicable in Romania.
By using the Website www.elorys.com and/or by providing your personal data, you confirm that you have read the content of this Privacy Policy and that you understand the rights and options you have in relation to your data.
Personal data collected
When using the Website www.elorys.com and the services offered through it, ELORYS may collect and process the following categories of personal data, depending on your interaction with the platform and the services used:
- Identification information: first and last name; delivery address; billing address
- Contact information: email address; telephone number
- Order and transaction information: details of the products ordered; order history; information related to delivery and order status
- Payment method information: payment method information is collected and processed securely by the payment processor Mollie; Elorys.com does not store and does not have direct access to full bank card data or other sensitive payment details. We may only receive limited information regarding the status of the transaction (e.g.: payment confirmation, transaction code).
- Website usage data: IP addresses; cookie identifiers and other tracking technologies (according to the Cookie Policy); data regarding the user’s interaction with the Website (e.g.: pages visited, time spent on the page, browsing behavior, clicks, browsing errors).
Purposes of processing
ELORYS processes your personal data for specified, explicit and legitimate purposes, in accordance with the provisions of Regulation (EU) 2016/679 (GDPR). The data are processed only to the extent necessary to achieve these purposes and will not be further used in a manner incompatible with the initial purposes.
The main purposes for which we process your data are the following:
Processing and delivery of orders placed on the Website
- Management of online orders placed through the Website www.elorys.com;
- Preparation, invoicing, shipping and delivery of ordered products;
- Management of any returns or refunds.
Communication with you
- Communication necessary to confirm orders and inform about delivery status;
- Communication related to the customer account (e.g.: updating data, user requests);
- Management of requests and complaints submitted by users.
Compliance with legal and fiscal obligations
- Fulfillment of legal obligations in the fiscal and accounting field (e.g. issuing tax invoices, keeping accounting records);
- Compliance with other legal obligations arising from the commercial relationship (e.g. in matters of consumer protection).
Improving your experience on the Website
- Optimizing and personalizing the browsing experience on the Website;
- Analyzing user behavior in order to improve the performance of the website and the quality of the services offered;
- Preventing and detecting possible fraud or abusive use of the Website.
Direct marketing (only with your explicit consent)
- Sending newsletters and personalized commercial communications regarding our offers and products;
- Carrying out promotional campaigns or invitations to events.
The processing of these data for marketing purposes is based only on your express, prior and freely given consent, in accordance with art. 6 para. (1) letter a of the GDPR. If you withdraw your consent for direct marketing, you will no longer receive commercial communications, but we will continue to send you notifications related to your orders and the active contractual relationship (e.g. order confirmations, delivery information).
Legal grounds for processing
We process your personal data only to the extent that there is an appropriate and justified legal basis, in accordance with Article 6 of Regulation (EU) 2016/679 (GDPR). The main legal grounds on which ELORYS processes personal data are:
Execution of the sales contract (art. 6(1)(b) GDPR)
We process the personal data necessary for processing orders placed on the Website; delivery of ordered products; management of payments and returns; communication with you in relation to the order and the contractual relationship. This processing is essential in order to be able to honour the sales contract concluded between you and ELORYS.
Compliance with legal obligations (art. 6(1)(c) GDPR)
We process personal data to comply with obligations imposed by applicable law, such as tax and accounting obligations (issuance and archiving of tax documents), consumer protection obligations and other applicable legal obligations.
Your explicit consent (art. 6(1)(a) GDPR)
For direct marketing (e.g. sending newsletters and commercial communications), we process personal data only on the basis of your express, prior and freely given consent. You can withdraw this consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal.
Our legitimate interest (art. 6(1)(f) GDPR)
In certain situations, we process personal data to protect our legitimate interests, for example: ensuring the security of the Website and the IT infrastructure; preventing and detecting possible fraud or attempted fraud; continuously improving the user experience and the services offered. In all cases, we respect the balance between our legitimate interests and your fundamental rights and freedoms.
Data storage period
ELORYS stores your personal data only for the period necessary to fulfill the purposes for which they were collected, while respecting applicable legal requirements regarding retention periods. The exact storage period may vary depending on the nature of the data collected, the purposes of the processing, and applicable legal obligations and compliance requirements.
Examples of storage periods
- Commercial transactions & accounting documents: data regarding orders, invoices and other fiscal documents are kept in accordance with legal obligations in tax and accounting matters, usually 10 years, according to Romanian tax legislation.
- Customer account data: kept for the entire duration of the customer account and, subsequently, for a reasonable period of maximum 3 years after the account is closed, for evidentiary purposes and to defend our legal rights.
- Direct marketing (based on consent): kept until you revoke your consent or until you exercise your right to object, as applicable.
- Technical and Website usage data (e.g., cookies, IP): retained in accordance with the Cookie Policy and depending on your settings and options.
Deletion or anonymization of data
Upon expiry of the applicable retention periods, personal data will be permanently deleted or transformed into anonymous data so that they no longer allow the identification of the data subjects. In certain cases, we may retain data beyond the expiry of the initial period, to the extent that this is necessary for the establishment, exercise or defence of legal claims and/or compliance with other legal obligations or requirements of public authorities.
Disclosure of data to third parties
ELORYS may disclose your personal data to certain categories of recipients, strictly to the extent necessary to achieve the purposes for which the data were collected and processed, and in compliance with legal requirements regarding data protection. Your data is shared only with trusted third parties that provide adequate guarantees regarding security and confidentiality.
Recipient Categories
- Courier service providers — for delivery of orders (name, delivery address, phone, email for notifications).
- Mollie payment processor — for processing online payments. ELORYS does not have access to full card details or other sensitive banking data.
- IT and hosting service providers — for hosting and ensuring the technical functioning of the platform.
- Public authorities — where required by law (tax and accounting authorities, judicial authorities, other competent authorities).
We do not sell, rent or transfer your personal data to third parties for commercial purposes. All transfers to third parties take place on the basis of contractual agreements and in compliance with the GDPR.
Data transfer outside the European Economic Area
In principle, ELORYS does not transfer your personal data to recipients outside the European Economic Area (EEA). We operate using IT infrastructure and service providers operating within the EEA or in jurisdictions that offer an adequate level of data protection, according to decisions issued by the European Commission.
Exceptional transfers
In exceptional circumstances, when necessary for service provision or contractual performance, certain data may be transferred to recipients located outside the EEA (e.g. IT service providers or technical partners). In such cases, we will ensure that the transfer takes place in strict compliance with the GDPR, by applying appropriate safeguards (adequacy decisions, Standard Contractual Clauses, or other recognized mechanisms).
Protection of transferred data
Regardless of the location of the recipient, we ensure that your data benefits from an adequate level of protection equivalent to the standards imposed by the GDPR. We will inform data subjects accordingly if such transfers become relevant for the processing of their personal data.
Data security
ELORYS implements appropriate technical and organizational measures to protect your data against unauthorized access, unauthorized alteration, accidental or intentional loss, destruction, or unauthorized disclosure.
Examples of measures applied
- Use of encryption technologies and secure protocols (e.g. HTTPS) for data transmission via the Website;
- Implementation of modern IT infrastructure security and access monitoring solutions;
- Limiting access to personal data only to authorized personnel and contractual partners who need this data to provide services;
- Continuous training of personnel on data security good practices and confidentiality obligations;
- Internal procedures for managing security incidents.
While we make every reasonable effort to protect your personal data, no online platform or electronic transmission can guarantee absolute security. If we identify a security incident likely to result in a high risk to your rights and freedoms, we will inform you appropriately and in a timely manner, in accordance with legal obligations.
Your rights under GDPR
In accordance with Regulation (EU) 2016/679 (GDPR), you have a number of rights in relation to the processing of your personal data. We fully respect these rights and are committed to ensuring them in a transparent and effective manner. The rights you have are as follows:
- Right of access — to obtain confirmation and access to your data and information about processing.
- Right to rectification — to correct or complete inaccurate/incomplete data.
- Right to erasure (“right to be forgotten”) — in cases provided by law (e.g., data no longer necessary, consent withdrawn).
- Right to restriction of processing — in cases provided by law (e.g., contesting accuracy, objection).
- Right to data portability — to receive your data in a structured, commonly used and machine-readable format and transmit it to another controller.
- Right to object — to processing based on legitimate interest or public task; and to direct marketing at any time.
- Right to file a complaint — with the National Supervisory Authority for Personal Data Processing (ANSPDCP) if you consider your rights have been violated. Website: www.dataprotection.ro
How you can exercise your rights
To exercise any of the rights mentioned above, you can contact us in writing, at the email address: support@elorys.com. We will analyze your request with the utmost seriousness and will respond within the time limit provided by the GDPR (usually within one month, with possible extension in complex cases).
Cookies
The Website www.elorys.com uses cookies and similar technologies to improve the user experience, personalize content, and analyze visitor traffic and browsing behavior.
What are cookies?
Cookies are small files stored on your device (computer, smartphone, tablet) when you access a Website. They allow the Website to recognize your device and store certain information about your preferences and interactions.
Why do we use cookies?
- to ensure the proper functioning and security of the Website;
- to improve the user browsing experience;
- to analyze the traffic and performance of the Website, with a view to continuous optimization;
- to provide personalized content and, where appropriate, relevant advertising.
When you first access the Website, you may be asked to consent to the use of cookies through a dedicated interface. You can manage your cookie preferences at any time, using the settings available on the Website or in your browser settings.
Cookies Policy
For detailed information about categories of cookies, lifespans, third parties, and how to manage consent, please consult our Cookies Policy available on the Website.
Privacy Policy Modification
ELORYS reserves the right to modify and update this Privacy Policy periodically to reflect any changes in data processing activities, changes in legal requirements or regulatory practices, and updates to the services or functionalities offered through the Website www.elorys.com.
Publication of changes
Any changes will be published on the Website and appropriately marked to be visible and easily accessible. The updated version will enter into force from the date of its publication on the Website, unless otherwise stated.
Acceptance of changes
Your continued use of the Website following the posting of changes to the Privacy Policy will constitute acceptance of such changes. We recommend that you periodically review this Policy to be aware of any updates.
Contact details
For any questions regarding the processing of your personal data or to exercise your rights, you can contact us by email at support@elorys.com.