Privacy policy


The purpose of this Privacy Policy is to explain to you what data we process, why we process it and what we do with it. We take your privacy seriously and never sell lists or email addresses. Fully aware that your personal information belongs to you, we do our best to store it securely and process it carefully. We do not provide information to third parties without informing you. 

  1. Other services 

This Privacy Policy does not cover other third party websites and applications that you may access through links on our website. This is beyond our control. We encourage you to review the Privacy Policy on any website and/or application before providing any personal data.

  1. Who are we? 

CAVVAS LIMITED SRL, with registered office in Tăuți village,  Floresti commune, str. 144B, Cluj County, registered at Cluj Trade Register Office, with Sole registration code 30117828 (hereinafter referred to as “CAVVAS LIMITED SRL”) is responsible for processing your personal data that it collects directly from you or from other sources.

According to the law, our company is a personal data controller. To ensure that your data is processed securely, we have made every effort to implement reasonable measures to protect your personal information.

  1. Who are you? 

According to the law, you, the natural entity benefiting from our products or the person in a relationship of any kind with us, are a “data subject”, i.e. an identified or identifiable natural entity. In order to be fully transparent about data processing and to allow you to easily exercise your rights at any time, we have implemented measures to facilitate communication between us, the data controller, and you, the data subject.

  1. Changes 

We may change this Privacy Policy at any time. All updates and changes to this Policy are effective immediately upon notification, which we will make by posting on the Site and/or notification by email.

  1. Questions and applications 

If you have any questions or concerns about the processing of your data or wish to exercise your legal rights in relation to the data we hold, or if you have any concerns about the way we handle any privacy issues, you can write to us at

  1. Our commitment 

Protecting your personal information is very important to us. That is why we are committed to the following principles:

Legality, fairness and transparency – We process your data legally and fairly. We are always transparent about the information we use, and you are properly informed.

Control is yours – Within the limits of the law, we give you the ability to review, amend, delete personal data you have shared with us and exercise your other rights.

Data integrity and purpose limitation – We use data only for the purposes described at the time of collection or for new purposes compatible with the original purpose. In all cases, our purposes are compatible with the legislation. We take reasonable steps to ensure that personal data is accurate, complete and up-to-date.

Security – We have implemented reasonable security and encryption measures to protect your information as best we can. However, keep in mind that no website, no app and no internet connection is completely secure.

  1. What kind of information do we collect about you? 

You can use the Platform without disclosing personal data. However, if you wish to benefit from our services, you will be asked to provide your details during a registration process.

Data requested may include: full name, telephone number, e-mail address, home address.

We may collect data through cookies or other similar technologies, such as your IP address, web browser, ads you clicked on, location, web pages you access on our site.

  1. Why do we collect this information? 

We collect your information for specified and legitimate purposes that include, but are not limited to the following:

  • For the purpose of entering into or performing an agreement between you and us;
  • Account registration;
  • To answer your questions and applications;
  • For marketing purposes, but only where we have your prior consent;
  • To provide and improve the services and products we offer;
  • To diagnose or fix technical problems;
  • To provide you customized advertising and content;
  • To defend against cyber attacks;
  • For creating and/or maintaining accounts;
  • To comply with legislation;
  • To establish or claim a right in court.
  1. What are the legal grounds for collecting data?


  • You have given your consent to the processing of personal data – Please note that you can withdraw your consent at any time by following the unsubscribeinstructions in each email or by sending a written application to the email address
  • The processing is necessary for the conclusion or performance of an agreement between you and us – such as the performance of an Agreement in relation to the sale or purchase of one or more services, or to take steps, at your application, prior to entering into an Agreement.
  • The processing is necessary to accomplish a legal obligation – such as keeping accounting records for 10 years.

11. How do we disclose your data? 

  • CAVVAS LIMITED SRL may transfer the Data, by disclosing or granting remote access rights, only through secure applications, to third parties, such as affiliated entities and other business partners of CAVVAS LIMITED SRL, acting as proxies, processing personal data for and on behalf of CAVVAS LIMITED SRL (e.g., storage of Data on cloud servers, legal and financial consultants, technical service providers or shipping support providers), with whom CAVVAS LIMITED SRL has entered into the necessary contractual agreements in accordance with EU and national regulations.
  • We may also disclose your data to business partners as part of a joint effort to provide a product or service.
  • We will transfer Data to third parties only to the extent necessary to accomplish the applicable Processing Purposes for which your Data is collected and processed.
  • Personal data collected and processed for the Processing Purposes described in this Privacy Policy may be stored on servers located abroad or transferred to affiliated entities based outside the territory of the European Union. In case of transfer of Data to third countries, CAVVAS LIMITED SRL will communicate the intention of transfer as well as the third countries concerned, the purpose of the transfer and the request for consent, when such consent is required under the legal provisions in force.
  • CAVVAS LIMITED SRL may disclose the Data to comply with legal provisions or in response to an application from a court or other public authority. 
  1. How long do we store data? 

Personal data collected by CAVVAS LIMITED SRL will be stored for a period of 5 years after the termination of the contractual relationship or any longer period required by law, regulations or applicable rules on record keeping obligations or requests by public authorities.

Immediately after the end of the applicable storage period, the data will be:

  • deleted or destroyed; or
  • anonymised; or
  • transferred to an archive (unless prohibited by applicable law or regulation on record retention).

Personal data collected and used for the creation of your Account will be deleted immediately if you close your account.

To ensure that Data is not kept longer than necessary, CAVVAS LIMITED SRL will periodically review the Data and, if necessary, delete it.

  1. What security measures have we taken? 

As part of the administration of the Platform, we have taken technical and organisational measures to ensure a level of security appropriate to the risks involved in processing the Data, in particular through misuse, accidental destruction, illegal or unauthorised access, loss, alteration, disclosure, intentional or accidental manipulation, third-party access, deletion and alteration. To this end, we have developed and implemented data security policies and other privacy practices. In addition, our security procedures are constantly reviewed based on new technological developments.

For more information about our security practices, please fill out the contact form in the Contact section of the Platform.

You will be notified of a data breach within a reasonable period of time after the discovery of such a breach, unless an authorized public body determines that notification would impede a criminal investigation or harm national security. In this case, notification will be deferred, according to the instructions of such a body. We will answer promptly to your questions regarding such a data breach.

  1. What are your rights? 
  • Right to withdraw consent

The data subject has the right to withdraw consent where consent is used as a lawful basis for processing (e.g. where the processing is not based on a different justification allowed by GDPR such as a legal or contractual obligation).

Before excluding the data subject’s data from processing, we need to confirm that the application for consent is indeed the legal basis for processing. If not, the application may be rejected on the grounds that the processing does not require the data subject’s consent. Otherwise, the application should be allowed.

In many cases, giving and withdrawing consent will be available electronically online and this procedure will not be necessary.

Where consent relates to a child (defined by GDPR Regulation as a person aged 16 or under), the expression and withdrawal of consent must be authorised by the holder of parental responsibility over the child.

  • The right to be informed about the processing of your data

Where personal data are collected from the data subject or obtained from other sources, there is a requirement to inform the data subject of the purpose of the use of these data and of the rights he or she has over them. 

  • Right of access to data

The data subject has the right to ask the company what data it processes about him or her, to have access to that data, and to the following information:

  1. Purpose of processing
  2. Categories of personal data involved
  3. Recipients or categories of recipients of the data if any, in particular third countries or international organisations
  4. Length of storage of personal data (or criteria used to determine this period)
  5. The rights of the data subject to rectification or erasure of his or her personal data and to restrict or object to its processing
  6. The right of the data subject to lodge a complaint with a supervisory authority
  7. Information on the source of data, if not obtained directly from the data subject
  8. Whether personal data will be subject to automatic processing, including profiling and, if so, the possible consequences involved
  9. Where data are transferred to a third country or international organisation, information on the safeguards that apply

In most cases, the decision-making process for such applications will be straightforward unless it is concluded that the application is manifestly unfounded or excessive. However, compiling the information may require the help of data owners.

  • Right to rectify inaccurate or incomplete data

If the personal data are inaccurate, the data subject has the right to application the correction and completion of incomplete personal data on the basis of the information he or she provides.

If necessary, we will take steps to validate the information provided by the data subject to ensure that it is correct before changing it.

  • Right to erasure (“right to be forgotten”)

We offer the data subject the right to ask us to delete personal data without delay in connection with one of the following situations:

  • personal data are no longer necessary for the purposes for which they were collected or processed; 
  • the data subject withdraws the consent on the basis of which the processing takes place and there is no other legal basis for the processing; 
  • the data subject objects to the processing and there are no compelling legitimate grounds for the processing;
  • personal data have been unlawfully processed; 
  • personal data must be deleted to comply with the law; 
  • personal data were collected in connection with the provision of online services to children.

We will make a decision on each case of such applications as to whether the application can or should be rejected for one of the following reasons:

  • the data are necessary for the exercise of the right to free expression and information;
  • the data are necessary for the accomplishment of a legal obligation;
  • for reasons of public interest in the field of public health;
  • for archiving purposes in the public interest;
  • to establish, exercise or defend a right in court.
  • Right to restrict processing

The data subject may exercise the right to restrict processing in the following situations:

  • the data subject disputes the accuracy of data, for a period allowing the controller to verify the accuracy of the data;
  • the processing is illegal and the data subject opposes the deletion of personal data, instead requesting the restriction of their use; 
  • the operator no longer needs personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or defense of a right in court; or 
  • the data subject has objected to the processing for the period of time during which it is verified whether the legitimate rights of the controller prevail over those of the data subject.

If the data is restricted, it will remain stored but cannot be processed without the individual’s consent. As an exception, they may be processed for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State( provided that the data subject is informed thereof). Other organisations processing personal data on our behalf must also be informed of the restriction.

  • The right to transfer data we hold about you to another controller

The data subject has the right to request that personal data be provided in a “structured, commonly used and machine-readable format(Article 20 of GDPR) and to transfer that data to another party, for example to another service provider. This applies to personal data where the processing is based on the consent of the data subject, on the lawful basis of the agreement or where the processing is carried out by automated means.

  • Right to object to data processing

The data subject has the right to object to processing based on the following legal grounds:

  • For the performance of a task carried out in the public interest or in the exercise of the controller’s public authority
  • In the legitimate interests of the controller

Once the objection has been made, the organisation must justify the grounds on which the processing is based and suspend the processing until the decision has been made (the rule). The organisation will no longer process personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of a right in the court.

If personal data are used for direct marketing, the organisation will stop processing.

  • The right not to be subject to a decision based solely on automated processing, including profiling

The data subject has the right not to be subject to an automated decision, including profiling where the decision has a significant or legal effect on him or her. The data subject also has the right to express his or her point of view, to request human intervention and to appeal against the decision. 

There are exceptions to this right when the decision:

    1. It is necessary for the conclusion or execution of the agreement;
    2. It is authorised by national or European law;
    3. It is based on the explicit consent of the data subject;

In the situations under points (1) and (2), the organisation shall put in place appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the data subject’s right to obtain human intervention on the part of the controller, to express his or her point of view and to to appeal against the decision.

  • The right to seek justice

The data subject also has the right to take legal action if he or she considers that his or her rights have been violated.

  • The right to lodge a complaint with a Surveillance Authority

 It is important to know that:

  • If you have given your consent to direct marketing, you can withdraw it at any time by following the unsubscribe instructions in each email/sms or other electronic message.
  • If you want to exercise your rights, you can do so by sending a written, signed and dated application to the following e-mail address
  • The rights listed above are not absolute. There are exceptions, so each application received will be examined to decide whether it is justified or not. To the extent that your application is justified, we will facilitate the exercise of your rights. If the application is unfounded, we will reject it, but we will inform you of the reasons for the refusal and of your rights to lodge a complaint with the Supervisory Authority and to to take legal action.
  • We will try to respond to the application within 30 days. However, the deadline may be extended depending on various aspects, such as the complexity of application, the large number of applications received or the impossibility of identifying you within a useful timeframe.
  • If, despite our best efforts, we are unable to identify you and you do not provide us additional information to identify you, we are not obliged to act on your application.
  1. Questions, applications and exercise of rights 

If you have any questions or concerns about the processing of your information or wish to exercise your legal rights or have any other privacy concerns, you can write to us at