CONTENTS

1. 1. When is it applicable?

2. 2. What is the purpose of this policy?

3. 3. What constitutes personal data?

4. 4. For what purposes do we collect it?

   1. CONTRACTUAL purposes

   2. FUNCTIONAL purposes

   3. MARKETING purposes

5. 5. How do we collect it?

6. 6. What rights do you have?

   • Right of access

   • Right to modification and deletion

   • Right to restrict processing

   • Right to data portability (export)

   • Right not to be subject to automated decision-making

   • Right to file a complaint

7. 7. To whom do we disclose the data?

8. 8. How do we ensure data security?

9. 9. What are the retention periods?

10. 10. How do we handle minors' requests?

11. 11. What do we do in case of security incidents?

12. 12. What records do we keep?

1. When is it applicable?
The privacy policy applies to the personal data of those who wish to become, are, or have been customers of CONCEPT24 ONLINE S.R.L., including data collected, used, or disclosed while using our company's website, available at www.concept24.ro. When we refer to "Concept 24," "we," or "our company" in this statement, we mean CONCEPT24 ONLINE S.R.L. You can manage your consent for the purposes your personal data will be used through the cookie management module. This policy is effective from 25.04.2024.

2. 2. What is the purpose?

3. When you use our website, you entrust us with some of your personal data. We understand and appreciate this. Through everything we do, we strive to protect your data and offer you the best possible control over it.

This privacy policy helps you understand what personal data we collect about you, how we use your personal data, and what choices you have regarding its use.

We are committed to maintaining the accuracy, confidentiality, and security of your personal data. To comply with legislative changes and/or practical realities, we reserve the right to adjust this policy at any time, with changes becoming mandatory upon their publication on the website.

3. 3. What constitutes personal data?

4. We want you to clearly understand what "personal data" means.

Personal data is information about an identified or identifiable person. Examples include: name, surname, address, phone number, email, identity card details, personal numerical code (CNP), banking information, cookies, IP address of the computer, mobile device IDs, information from your web browser (such as browser type and language), actions you take on our website, etc.

4. 4. For what purposes do we collect it?

5. Personal data is collected to effectively carry out commercial relationships, to offer you the best services (quick deliveries, electronic payments, etc.), to continually improve the functionalities of our website, or to bring relevant ads and promotions to your attention.

We limit the personal data we collect to what is relevant for the particular processing purpose. We do not process your personal data in ways incompatible with the purposes for which the information was collected or subsequently authorized by you.

CONTRACTUAL Data (mandatory) - for initiating the contracting process and effectively conducting the commercial relationship.

Data (name, surname, phone, email, etc.) can be collected to respond to your inquiries about our products and services (including through a dedicated CRM solution), to organize and effectively deliver your orders. These data are collected through dedicated forms on the site such as: contact, request offer, online order, request consultancy, my account, etc. These data are generally referred to as "contractual data." Without them, your order cannot be processed (e.g., we cannot respond to your questions), cannot be processed (e.g., fiscal documents for payment cannot be issued), and cannot be delivered (via courier or other accepted methods). You cannot benefit from our services or products using our site without providing these data. We may disclose your personal data without giving you the option to opt out when we use third-party processors (courier companies, online payment processors, etc.) to perform services on our behalf and according to our instructions. Customers cannot opt out of receiving emails related to the processing, execution, and delivery of the order (or other processes associated with this purpose). The legal basis for processing these data is our legitimate interests (Article 6 paragraph 1 lit. (f) of the General Data Protection Regulation).

FUNCTIONAL Data - for a better experience using the website.

Direct data (name, surname, phone, email, etc.) can be collected to ensure a better experience using the site. Data is collected through site forms such as: price alert (to notify you of a price drop), stock alert (to notify you when a product is back in stock), abandoned carts (to remind you of incomplete purchases), review requests, etc. These data are generally referred to as "functional data." Indirect data can also be collected to create a better-structured website (e.g., Google Analytics reports). These data help us see the visitor navigation flow on the site, the volume of navigation, and other relevant useful information for improving the site, to provide you with the best browsing experience. All these functionalities are designed to offer you the best options for information and purchase. If you do not agree with the use of data for this purpose, you cannot benefit from the advantages of these functionalities. The legal basis for collecting these data is consent (Article 6 paragraph (1) letter (a) of the General Data Protection Regulation).

MARKETING Data - for a better-structured site, relevant advertising, and social media information.
Personal data is collected, such as direct data (name, surname, phone, email, etc.) or indirect data (cookies, computer IP address, location, mobile device IDs, etc.). Direct data is collected for newsletter subscriptions (sending newsletters, commercial offers, etc.). If you no longer wish to receive such materials, you can access the "unsubscribe" link at the bottom of our company's marketing emails. Cookies are data files sent from a website to a browser to record information about users for various purposes. We use cookies and similar technologies. For more information, consult the page on our site containing the cookie policy. Data can also be used to display ads tailored to your preferences (e.g., Google Remarketing, Facebook Pixel, etc.). You may be shown ads for products you were interested in or viewed.

Our site allows you to connect with social media networks such as Facebook (facebook.com), LinkedIn (linkedin.com), and Twitter (twitter.com) ("Social Media"). By connecting, IP address and the page you visit on our site can be collected. A cookie is also set to allow social media applications to function properly. You may be offered an option by social media accounts to post information about your activities on your personal profile page in the social media network to allow other users in your network to access that information. These data are generally referred to as "marketing data." The legal basis for collecting these data is consent (Article 6 paragraph (1) letter (a) of the General Data Protection Regulation).

5. 5. How do we collect them and manage your consent?

6. When you interact with our website, we offer you the possibility to give and withdraw your consent for the use of your data at any time. We provide visitors to the site and customers who provide personal data with the means to choose how we use these data. Consent regarding the processing of personal data can be requested when creating an account, placing an order (with or without an account), submitting a form, and for any other purpose involving giving consent, by accessing a general control panel (cumulative or individual, for each data category or individual purpose) or by another technical means created for this purpose.

You will have the opportunity to explicitly give your consent for the purposes for which personal data will be used and to manage it later, in accordance with the regulations in force.

6. 6. What rights do you have?

7. We make every effort to guarantee your rights in accordance with current legislation.

You have the right to access your personal data. Therefore, if applicable, we provide you with access to the personal data we hold about you. We also offer you the possibility to choose whether you want to receive offers and promotions from us, as well as to correct, modify, or delete your information.

We may limit or refuse access to personal data if the effort or cost of providing access would be disproportionate to the risks to your privacy, or if the rights of others, other than you, would be violated. Other reasons for refusal or limitation of access may include legal restrictions or other similar justified aspects.

You have the right to modify and delete your personal data, especially incomplete or inaccurate data, for example, if some of the personal data you provided (phone number, email address, authorized person, etc.) are no longer current.

We take reasonable steps to ensure that the personal data we process is suitable for the intended use and accurate, complete, and current. In this sense, we rely on you to update and correct your personal data as necessary for the purposes for which they were collected or subsequently authorized by you.

Requests for access, modification, or deletion of information will be processed within 30 days.

You have the right to restrict processing, oppose the processing of personal data that concerns you, and request the rectification, updating, or deletion of data under legal conditions. This right can be exercised at any time, free of charge, and without justification, except for data for which processing is a legal obligation.

You have the right to request the portability (export) of personal data. We may limit or refuse the portability of personal data if the effort or cost of providing access would be disproportionate to the benefits brought in the specific case.

You have the right not to be subject to automated decision-making.

You have the right to file a complaint with the National Authority for the Supervision of Personal Data Processing (A.N.S.P.D.C.P.), as well as to address the courts, in accordance with the legal provisions in force.

7. 7. To whom do we disclose your data and where do we transfer it?
   We collaborate with courier companies, authorized electronic payment processors and internet companies: Google, Facebook etc. - all for the best experience with our website.

8. Data can be transmitted, on a need-to-know basis, to suppliers, partners, or associates (e.g., companies providing delivery or other specific services) to perform services on our behalf and in accordance with our instructions. This transfer can occur when data is necessary for executing an order or providing a requested service. The disclosure is made with the understanding that the recipients of the information will maintain its confidentiality and security.

In addition, we may disclose personal data:

• If necessary to comply with the law or in response to legal proceedings;

• If the disclosure is necessary to protect your safety or the safety of others, investigate fraud, or respond to a government request;

• If Concept 24 is involved in a merger, acquisition, or sale of all or a portion of its assets, we will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal data.

8. 8.How do we ensure data security?

9. We take the security of your data very seriously and implement appropriate measures to protect personal data from unauthorized access, loss, misuse, alteration, or destruction. These measures include, but are not limited to, technical measures (such as firewalls, encryption, and anti-virus software), organizational measures (such as access control and physical security), and staff training on data protection.
   

10. 9. What are the retention periods?

11. We store information according to legal specifications and as long as you agree.
    Personal data is stored for the periods of time specified by the legislation in force, in order to keep records related to the activities carried out, to protect rights in court and to exercise other rights according to the law and the contracts concluded, to fulfil any archiving requirements, in accordance with the legal provisions. Personal data necessary to benefit from the functionalities of our website and promotional activities are stored for an indefinite period of time, until your account is deleted.
    

12. 10. How do we handle minors' requests?

13. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete such information. If you believe that we have collected personal data from a minor, please contact us so we can take appropriate action.
    Our company DOES NOT, in its data processing activities, process personal data of minors under the age of 16. We do not carry out promotional marketing activities directly to minors.

    Any person who provides us with personal data guarantees that he/she is of legal age and has full legal capacity. In the event that processing of personal data for a person who is not of legal age nevertheless takes place, we will stop processing such data once we are aware of this fact.

    Any processing of personal data of minors is carried out in accordance with legal requirements and in strictly defined cases. Minors who have reached the age of 14 may purchase services, request and receive communications from our company only if they have the consent of their legal representative or guardian, as required by law.

14. 11. What do we do in case of security incidents?

12. What do we do in case of security incidents?
    Informing you and the authorities is the first step. Remedying the situation is our priority.
    In the event of a personal data breach, we will notify the competent data protection authorities within 72 hours, depending on the degree of risk to the customer or site visitor. Affected customers or site visitors will also be notified of the breach.
    We will take all necessary measures to remedy the situation in order to protect your rights.
    
    
    12. What records do we keep?

13. What records are kept?
    We keep records to demonstrate compliance with the requirements of this policy.
    
    We will keep relevant records about:
    a. the purpose of processing personal data;
    b. the categories of data subjects and personal data processed;
    e. where possible, the expected retention periods for different categories of personal data;
    f. a general description of the security measures used to protect personal data;
    g. the exercise of your rights.