Data privacy policy

At Ravtech Digital Design SA (holder of the Glimtek brand and trademark, hereinafter referred to as Glimtek) we value your privacy and are committed to protecting your personal data. This Data Privacy Section outlines how we collect, use, store, and share your information, as well as your rights concerning your personal data. We adhere to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian data protection laws to ensure your data is handled with the utmost care and responsibility.

www.glimtekboutique.com

1. INTRODUCTION TO OUR DATA PRIVACY PRACTICES

Glimtek provides high-end self-service machines for seamless promotion and sales in high-traffic areas. To deliver our services effectively, we need to collect and process personal data. This privacy notice explains what information we collect, why we collect it, and how we use it. By using our services, you acknowledge that you have read and understood this policy.

 

2. TYPES OF PERSONAL DATA WE COLLECT

We may collect various types of personal data, including but not limited to:

  • Contact Information: Name, email address, phone number, and mailing address.
  • Account Information: Usernames, passwords, and account preferences.
  • Payment Information: Payment method details, billing address, and transaction history.
  • Technical Data: IP addresses, browser types, device identifiers, and usage data regarding our machines and website.
  • Marketing Data: Preferences for receiving marketing communications from us.
  • User-Generated Content: Any content you submit through our platform, including feedback, reviews, and promotional materials.

We collect personal data when you interact with our services, create an account, make a purchase, or contact us for support.

3. LEGAL BASIS FOR DATA PROCESSING

Under the General Data Protection Regulation (GDPR), the processing of personal data must be lawful and based on one or more specific legal bases. At Glimtek, we ensure that any personal data we collect and process is done so in accordance with these legal requirements. The following outlines the legal bases upon which we rely for processing your personal data:

3.1 Consent

We may process your personal data when you have provided clear and explicit consent for us to do so for a specific purpose. For instance, if you opt to receive marketing communications or participate in promotional activities, we will process your data based on your consent.

How We Obtain Consent: We will ask for your consent before processing your personal data for marketing purposes. Consent must be freely given, specific, informed, and unambiguous. We will provide you with clear information about what your consent entails, and you will have the option to withdraw your consent at any time.

Right to Withdraw Consent: You have the right to withdraw your consent at any time. If you choose to withdraw your consent, we will stop processing your data for the purposes for which you initially provided it, provided there are no other legal grounds for processing your data.

3.2 Contractual Necessity

We may process your personal data when it is necessary to fulfill our contractual obligations to you or to take steps at your request prior to entering into a contract. For example, when you create an account with us, make a purchase, or request services, we need to process your data to perform our obligations under the agreement.

Examples of Contractual Processing: This includes processing your payment information, managing your account, delivering services, and responding to inquiries related to your account or transactions.

Implications of Non-Compliance: If you choose not to provide the necessary personal data for contractual purposes, we may not be able to provide our services to you or fulfill our obligations under the contract.

3.3 Legal Obligation

We may process your personal data when it is necessary for compliance with a legal obligation to which Glimtek is subject. This can include various legal requirements, such as those imposed by tax regulations or obligations to respond to lawful requests from public authorities.

Examples of Legal Obligations: This includes retaining transaction records for tax purposes, responding to law enforcement inquiries, or fulfilling other regulatory requirements.

Data Retention Requirements: Personal data processed under legal obligations will be retained for the duration required by law, after which it will be securely deleted or anonymized.

3.4 Legitimate Interests

We may process your personal data when it is necessary for our legitimate interests or those of a third party, provided that your interests and fundamental rights do not override those interests. Our legitimate interests include:

  • Improving Our Services: We analyze user interactions with our services to identify areas for improvement, enhance user experience, and develop new features or functionalities.
  • Marketing and Communication: We may process your data to send you information about our services, promotions, and events that we believe may be of interest to you, as long as such processing aligns with your preferences and rights.
  • Security and Fraud Prevention: We may process your data to ensure the security of our systems, detect and prevent fraud, and protect against unauthorized access.
  • Investor Evaluation: We may process certain personal data of prospective investors based on our legitimate interest to assess potential partnerships and align investment opportunities with Glimtek's strategic objectives. This evaluation process involves collecting relevant financial and professional background information necessary for a thorough assessment. Processing under this basis is conducted solely to support Glimtek’s investment strategy while ensuring that your fundamental rights and freedoms are not adversely affected. To balance this interest, we apply strict data minimization principles, collect only essential data, and limit access to authorized personnel directly involved in the investor evaluation process.

In situations where we rely on legitimate interests, we will conduct a balancing test to assess whether our interests outweigh your rights. If we determine that your rights and interests prevail, we will not proceed with the processing.

3.5 Special Categories of Personal Data

In the course of our activities, we may occasionally process special categories of personal data, as defined by Article 9 of the GDPR. This includes sensitive information such as health data, racial or ethnic origin, or biometric data.

Explicit Consent Required: In such cases, we will only process these special categories of personal data if you have provided explicit consent for a specific purpose or if we are required to do so by law.

Enhanced Protection: We take additional measures to protect special categories of personal data, ensuring that any processing is compliant with GDPR provisions and that the data is only accessible to authorized personnel.

3.6 Children's Data

We do not knowingly collect personal data from individuals under the age of 16 without obtaining verifiable consent from a parent or guardian. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information.

Parental Consent: If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us so we can take appropriate action. 

4. HOW WE USE YOUR PERSONAL DATA

We use your personal data for various purposes, including:

Service Delivery: To operate our self-service machines, process transactions, manage your account, and provide customer support.

Personalization: To customize your experience and improve our services based on your preferences and feedback.

Marketing: To communicate with you about promotions, new products, and updates, with your consent.

Analytics: To analyze usage patterns, improve our services, and understand customer behavior.

Security: To protect our systems, prevent fraud, and ensure the integrity of our services.

 

5. DATA SHARING AND DISCLOSURE

We do not sell your personal data to third parties. However, we may share your information in the following circumstances: 

  • Service Providers: We may engage third-party vendors to assist us with various services, including payment processing, marketing, and analytics. These service providers are obligated to protect your data and use it only for the purposes for which it was disclosed.
  • Partner Brands: Limited personal data may be shared with Partner Brands for advertising purposes, subject to your consent where required.
  • Legal Compliance: We may disclose your information if required by law or in response to valid requests by public authorities, including law enforcement.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction, subject to the same privacy protections. 

6. DATA RETENTION

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. The retention period may vary based on the type of data:

  • Account Information: Retained for the duration of your account activity and for a reasonable period thereafter.
  • Transaction Data: Retained to comply with legal obligations, such as tax reporting.
  • Marketing Data: Retained until you withdraw your consent.

After the retention period expires, we will securely delete or anonymize your personal data.

7. DATA SECURITY MEASURES

At Glimtek, we take the security of your personal data seriously. Given our business model, which involves high-end self-service machines and digital advertising, we implement a range of technical and organizational measures designed to protect your data from unauthorized access, loss, or misuse. This chapter outlines the security measures we have put in place to safeguard your personal information.

7.1 Risk Assessment and Management

We conduct regular risk assessments to identify potential vulnerabilities in our data processing systems and practices. These assessments help us understand the specific risks associated with our operations, allowing us to implement tailored security measures. Our risk management strategies include:

  • Identifying Data Assets: We maintain an inventory of personal data we process, understanding its sensitivity and criticality.
  • Evaluating Risks: We evaluate the likelihood and impact of potential security incidents, informing our security strategy and resource allocation.
  • Mitigating Risks: Based on our assessments, we develop and implement measures to mitigate identified risks, continuously monitoring and adapting our approach as needed.

7.2 Access Controls

Access to personal data is restricted to authorized personnel who require it to perform their job functions. We implement the following access control measures:

  • Role-Based Access Control (RBAC): Access to systems and data is granted based on the roles and responsibilities of employees, ensuring that individuals can only access information necessary for their tasks.
  • Unique User Credentials: All personnel with access to personal data are assigned unique usernames and passwords, promoting accountability and traceability.
  • Regular Access Reviews: We regularly review access permissions to ensure that only authorized personnel have access to sensitive data, revoking access when employees change roles or leave the company.

7.3 Data Encryption

To protect personal data both at rest and in transit, we utilize encryption technologies:

  • Encryption at Rest: Personal data stored in our databases and systems is encrypted using strong encryption algorithms to prevent unauthorized access.
  • Encryption in Transit: We employ Transport Layer Security (TLS) to encrypt data transmitted over the internet, ensuring that information shared between our machines and our servers is secure from interception.

7.4 Network Security

We implement robust network security measures to protect our systems and data from external threats:

  • Firewalls and Intrusion Detection Systems (IDS): We use firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules. Intrusion detection systems alert us to suspicious activity, enabling us to respond promptly to potential threats.
  • Regular Security Audits: We conduct regular audits and vulnerability assessments to identify and remediate weaknesses in our network infrastructure.

7.5 Secure Software Development

Glimtek is committed to maintaining security throughout the software development lifecycle (SDLC). We adopt secure coding practices and conduct security testing to identify vulnerabilities before deployment:

  • Code Reviews: Regular code reviews are conducted to identify potential security flaws, ensuring that best practices are followed.
  • Security Testing: We implement various security testing methods, such as penetration testing and vulnerability scanning, to identify and rectify security weaknesses in our applications.

7.6 Data Minimization and Retention

We follow the principles of data minimization and retention, ensuring that we only collect and process personal data necessary for specific purposes:

  • Data Minimization: We only collect the minimum amount of personal data required to deliver our services effectively, reducing the risk of exposure in the event of a data breach.
  • Retention Policies: We have established data retention policies to ensure that personal data is not retained longer than necessary. After the retention period expires, we securely delete or anonymize the data.

7.7 Incident Response Plan

In the event of a data breach or security incident, we have established a comprehensive incident response plan that outlines our procedures for addressing and mitigating the impact of such incidents:

  • Incident Detection and Reporting: Employees are trained to recognize and report security incidents promptly, ensuring that potential breaches are addressed quickly.
  • Containment and Investigation: Once an incident is identified, we take immediate action to contain the breach and initiate an investigation to assess the extent of the incident and its impact on personal data.
  • Notification: In the event of a data breach that poses a risk to individuals’ rights and freedoms, we will notify affected individuals and relevant supervisory authorities in accordance with GDPR requirements.

7.8 Employee Training and Awareness

We believe that a well-informed workforce is essential for maintaining data security. Therefore, we provide ongoing training and awareness programs to our employees:

  • Data Protection Training: All employees receive training on data protection principles, privacy rights, and our internal data security policies to ensure compliance and best practices.
  • Phishing and Social Engineering Awareness: Regular training sessions are conducted to educate employees about the risks of phishing and social engineering attacks, empowering them to recognize and report suspicious activities.

7.9 Third-Party Security Assessments

When we engage third-party service providers, we ensure they adhere to our data security standards. This includes:

  • Due Diligence: We conduct thorough due diligence to evaluate the security practices of third-party vendors who handle personal data on our behalf.
  • Data Processing Agreements (DPAs): We enter into Data Processing Agreements with third parties that outline their obligations regarding data security and compliance with applicable data protection laws.

7.10 Continuous Improvement

Data security is an ongoing process. We continuously review and update our security measures to adapt to evolving threats and regulatory requirements. This includes:

  • Regular Policy Reviews: We periodically review our data security policies and procedures to ensure their effectiveness and alignment with industry best practices.
  • Adapting to New Technologies: We monitor advancements in technology and security practices, integrating new solutions that enhance our data protection measures.

 

8. YOUR RIGHTS UNDER THE GDPR

You have several rights under the GDPR regarding your personal data, including:

  • Right to Access: You have the right to request access to your personal data and obtain a copy of the information we hold about you.
  • Right to Rectification: You can request the correction of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request the deletion of your personal data under certain circumstances.
  • Right to Restrict Processing: You can request that we limit the processing of your data in certain situations.
  • Right to Data Portability: You have the right to request the transfer of your personal data to another service provider.
  • Right to Object: You can object to the processing of your personal data for direct marketing purposes or based on legitimate interests.

To exercise these rights, please contact us using the details provided in Section 12 below.

 

9. INTERNATIONAL DATA TRANSFERS

At Glimtek, we recognize that in today's globalized economy, the transfer of personal data across borders is a common practice. As a provider of high-end self-service machines and digital advertising services, we may need to transfer personal data to countries outside the European Economic Area (EEA) for various purposes, including collaboration with partners, service providers, and other third parties. This chapter outlines our approach to international data transfers, ensuring compliance with GDPR and protecting your personal data.

9.1 Legal Framework for International Data Transfers

The GDPR establishes strict rules governing the transfer of personal data to countries outside the EEA, known as third countries. These rules aim to ensure that individuals' data rights and protections are maintained, regardless of where their data is processed. At Glimtek, we comply with these regulations by ensuring that any transfer of personal data meets the following conditions:

  • Adequacy Decisions: We will only transfer personal data to countries recognized by the European Commission as providing an adequate level of data protection. These countries have been deemed to offer protections comparable to those under GDPR, ensuring that your data is adequately safeguarded.
  • Standard Contractual Clauses (SCCs): If we need to transfer personal data to a third country that does not have an adequacy decision, we will use Standard Contractual Clauses approved by the European Commission. These clauses are designed to provide appropriate safeguards for personal data, ensuring that the rights of individuals are upheld.
  • Binding Corporate Rules (BCRs): In situations where Glimtek operates as part of a multinational organization, we may implement Binding Corporate Rules, which are internal policies that set out how we handle personal data globally. BCRs are designed to ensure that data protection standards are maintained across all jurisdictions within the organization.

9.2 Types of International Data Transfers

International data transfers at Glimtek may occur in various contexts, including:

  • Service Providers: We may engage third-party service providers located outside the EEA to support our operations, such as cloud storage, payment processing, and data analytics services. In these cases, we ensure that appropriate safeguards are in place to protect your personal data.
  • Partner Brands: As part of our promotional activities, we may share limited personal data with partner brands operating in third countries. Such transfers are conducted in compliance with applicable data protection laws and with appropriate safeguards.
  • Business Operations: In the course of our business activities, we may need to transfer personal data to subsidiaries or affiliates located outside the EEA. We ensure that these transfers comply with GDPR requirements and provide the necessary protections for your data.

9.3 Ensuring Data Protection in Transfers

When transferring personal data internationally, Glimtek implements the following measures to ensure data protection:

  • Due Diligence: Before initiating any international data transfer, we conduct due diligence on the recipient’s data protection practices to assess their compliance with GDPR and relevant data protection laws.
  • Data Processing Agreements: We enter into Data Processing Agreements with any third parties receiving personal data, outlining their obligations to protect that data and comply with applicable regulations. These agreements specify the purpose of the data transfer, the types of data involved, and the security measures that must be implemented.
  • Regular Audits: We periodically review our international data transfers to ensure ongoing compliance with GDPR and effectiveness of the safeguards in place. This includes assessing the data protection practices of our third-party partners.

9.4 Your Rights in International Transfers

As an individual whose personal data may be transferred internationally, you retain certain rights under GDPR, including:

  1. Right to Information: You have the right to be informed about the details of any international data transfers, including the countries to which your data may be transferred and the safeguards in place.
  2. Right to Access: You can request access to your personal data and obtain information about how it is being processed, including whether it is being transferred internationally and the measures taken to protect it.
  3. Right to Object: You have the right to object to the processing of your personal data, including international transfers, under certain circumstances. If you believe that your data is being transferred in a manner that violates your rights, you may contact us to address your concerns.

9.5 Data Transfers in Emergency Situations

In certain situations, we may need to transfer personal data quickly due to unforeseen circumstances, such as legal requirements or urgent operational needs. In such cases, we will act in compliance with GDPR while taking necessary precautions to protect your data:

  • Emergency Protocols: We have established emergency protocols to ensure that any urgent data transfers are conducted with appropriate safeguards and documented for accountability.
  • Post-Transfer Assessment: After any emergency transfer, we will assess the circumstances and impact of the transfer, ensuring that any potential risks are addressed and that data protection measures are reinforced.

9.6 Changes to International Data Transfer Policies

As data protection regulations and international relations evolve, Glimtek will periodically review and update our international data transfer policies to ensure continued compliance with GDPR and the protection of your personal data. Any significant changes will be communicated to you through updates on our website or direct notifications. 

10. DATA PRIVACY FOR PROSPECTIVE INVESTORS

As Glimtek continues to explore partnerships and investment opportunities, we prioritize the privacy of our prospective investors. This section details the data handling principles specific to investor data and complements our broader data privacy commitments.

10.1 Purpose and Legal Basis for Data Processing

The collection and processing of investor data support Glimtek's goals in evaluating and establishing business relationships. Investor data is processed based on:

  • Contractual Necessity: Certain data is required to proceed with preliminary assessments or formalize partnerships.
  • Legitimate Interest: Processing may be necessary for due diligence, assessing alignment with Glimtek’s investment objectives, and risk management. Our commitment to transparency ensures this processing does not infringe upon investor rights.


10.2 Data Retention and Security

Investor data is retained only as long as required for evaluation, potential partnership formalization, or compliance with applicable laws. Glimtek applies enhanced security measures to safeguard investor information, including:

  • Restricted Access: Access to investor data is limited to authorized personnel involved in the investment process.
  • Data Minimization: Only data strictly necessary for each stage of evaluation or partnership is collected and retained.
  • Secure Disposal: If a partnership does not materialize, data is deleted or anonymized in line with our retention policy, typically within one year.


10.3 Rights of Prospective Investors

Investors retain specific rights regarding their personal data under applicable data protection laws. These include:

  • Right to Information: Access to details on data handling practices specific to investment interactions.
  • Right to Restriction and Deletion: Ability to limit or request deletion of data if further processing is no longer necessary or legally required.
  • Right to Withdraw Consent: Investors may retract consent where applicable.

For inquiries or to exercise these rights, please contact us at [*].

 

11. CHANGES TO THIS DATA PRIVACY POLICY

We may update this Data Privacy Policy from time to time to reflect changes in our practices or applicable law. Any updates will be posted on our website with an updated effective date. We encourage you to review this policy periodically to stay informed about how we are protecting your personal data.

 

12. CONTACT US

If you have any questions or concerns about this Data Privacy Section, our data practices, or your rights under data protection laws, please contact us at:

Ravtech Digital Design SA
E-mail Address: office@glimtekboutique.com

If you wish to exercise your rights as a data subject or make a complaint regarding the processing of your personal data, you can also use the contact information provided above.

 

13. DATA CONTROLLER

The data controller responsible for the processing of your personal data as described in this Privacy Policy is:

ANSPDCP – “Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal”
Mun. Bucharest, Sector 1, B-dul G-ral. Gheorghe Magheru nr. 28-30;
Telephone: 0.318.059.211/0.318.059.212;
Fax: 0.318.059.602;
E-mail: anspdcp@dataprotection.ro;
Web page: www.dataprotection.ro.

 

© Ravtech Digital Design SA
