
Cookie & Privacy Policy

Last updated: 2026-03-31

This page explains what cookies and data Ethereal Stories collects, why, and how long it is kept. We keep our cookie footprint as small as possible.

I. General Information

The privacy of your personal data is one of the main concerns of SC [COMPANY NAME] SRL, CUI [your CUI], J40/[number]/[year], registered at [full address].

We process data in accordance with:

  • EU Regulation 2016/679 (GDPR)
  • Romanian Law no. 190/2018

II. Categories of Personal Data Processed

A. Identification and contact data: Full name, email address, phone number (optional).

B. Billing data: Billing address, data required for issuing fiscal invoices.

C. Payment data: We do NOT store card data. Payments are processed by [Netopia Payments / Stripe] (PCI-DSS). We only receive payment confirmation.

D. Technical and usage data: IP address, browser and device type, operating system, cookies, pages visited, time spent, traffic source.

E. Personalisation data: Texts entered in invitations, uploaded images, personalisation settings, event information.

F. Account data: Email and password (encrypted), creation date, communication preferences.

Facebook/Google authentication: If you sign in with Facebook or Google, we process your public profile data (name, email, profile photo). We have no access to your password.

III. Purposes and Legal Bases for Processing

A. Contract performance (Art. 6(1)(b) GDPR): Processing orders, generating invitations, processing payments, issuing invoices, providing access, technical support.

B. Legal obligations (Art. 6(1)(c) GDPR): Issuing invoices and ANAF reports, archiving (10 years under Accounting Law 82/1991), data protection compliance.

C. Consent (Art. 6(1)(a) GDPR): Newsletter, marketing communications, non-essential cookies, remarketing. Consent can be withdrawn at any time via: unsubscribe link in emails, cookie settings in footer, or contacting us.

D. Legitimate interest (Art. 6(1)(f) GDPR): Improving site experience, fraud prevention, platform security.

IV. Who We Share Data With

Payment processors: [Netopia Payments / Stripe] — card payment processing.

Email services: [SendGrid / Resend] — transactional emails and newsletter delivery.

Hosting and infrastructure: Supabase — databases, authentication and file storage.

Analytics: Vercel Analytics (no persistent cookies), Sentry (error reporting).

Authorities: ANAF (invoices), ANSPDCP (on request), courts (if legally required).

We do NOT sell or rent your data to any third party for marketing purposes.

V. Data Retention Periods

Active account data: While the account is active + 3 years after closure.

Invoices and financial data: 10 years from issue (legal obligation — Accounting Law 82/1991).

Marketing data: Until consent is withdrawn.

Technical logs (IP, cookies): 12 months.

Completed order data without account: 3 years.

After these periods expire, data is automatically deleted.

VI. Your Rights (GDPR Chapter III)

Right to information (Art. 13-14): You have been informed through this policy.

Right of access (Art. 15): You may request what data we hold, where we obtained it, and who we shared it with.

Right to rectification (Art. 16): You may correct inaccurate or incomplete data.

Right to erasure — "Right to be forgotten" (Art. 17): You may request deletion of your data, except invoices (legal obligation — 10 years).

Right to restriction of processing (Art. 18): You may request that processing be "frozen".

Right to data portability (Art. 20): You may receive your data in a structured format (CSV, JSON).

Right to object (Art. 21): You may stop processing based on legitimate interest or marketing.

Right not to be subject to automated decisions (Art. 22): We do not use automated profiling with legal effects.

VII. How to Exercise Your Rights

Contact us:

Email: contact@etherealstories.com (subject: "GDPR Request")

Response time: Maximum 30 days from receipt of request (Art. 12 GDPR). This period may be extended by 60 days for complex requests — we will inform you within the first 30 days.

Identity verification: Requests sent from the email address registered in your account are processed directly. If you contact us from a different address, we may ask for proof of identity (copy of ID or verification via your existing account) to prevent disclosing data to unauthorised persons.

Costs: Exercising your rights is FREE. For excessive or repetitive requests we may charge a reasonable administrative fee or refuse the request.

Right to complain: You may lodge a complaint with:

The National Supervisory Authority for Personal Data Processing (ANSPDCP)

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest

www.dataprotection.ro | anspdcp@dataprotection.ro | +40 21 252 5599

VIII. Data Security

Technical measures:

  • SSL/TLS — encrypted communications (https)
  • Firewall and DDoS protection
  • Encrypted daily backups
  • Secure authentication (password hashing)
  • Regular security updates

Organisational measures:

  • Restricted data access (authorised personnel only)
  • Employee confidentiality agreements
  • Incident response procedures

In the event of a security breach posing risk to your rights:

  • We notify ANSPDCP within 72 hours
  • We notify you directly if the risk is high
  • We take immediate remediation measures

IX. Minors

Our services are NOT intended for persons under 16 years of age. If a parent discovers that a minor has provided data without consent, they can contact us for immediate deletion.

X. Cookies

We use cookies for site operation and analytics. For full details please consult the Cookie Policy at /cookies.

XI. Policy Changes

We reserve the right to update this policy. Major changes are communicated by email. The current version is displayed with the update date. Continued use of the service constitutes acceptance of the changes.

XII. Contact

For any questions about this policy or the processing of your data:

Email: contact@etherealstories.com

Address: [full address]

XIII. If You Are a Guest of One of Our Clients

Ethereal Stories provides general invitations that event organisers share with all their guests via the same link — not individual nominal invitations.

When you access a digital invitation created on our platform:

  • You access the same invitation as all other guests (a general link, not personalised with your name)
  • The invitation is created and distributed by the event organiser (our client)

If the invitation includes an RSVP form:

Information you submit (name, number of attendees, menu preferences, etc.) is visible ONLY to the event organiser.

  • NOT visible to other guests
  • NOT used by Ethereal Stories for marketing or any other own purposes
  • NOT shared with third parties

Our legal role (Art. 28 GDPR):

With regard to guest data, we act as a data processor, not as a data controller. The data controller is the event organiser (our client), who bears responsibility for their guests' data.

Your rights as a guest:

The right of access, rectification, erasure, and objection should first be exercised with the event organiser. If they do not respond, you may contact us at contact@etherealstories.com and we will intervene.

XIV. International Data Transfers

Transfers within the EU/EEA:

Data may be transferred to any EU or European Economic Area member state. Under GDPR Art. 45, such transfers are unrestricted, since the same level of protection applies throughout the EU.

Transfers outside the EU (third countries):

For services based in the US, we provide adequate safeguards under GDPR Art. 46:

  • Stripe (USA): certified under EU-US Data Privacy Framework + Standard Contractual Clauses (SCC)
  • Supabase (USA): Standard Contractual Clauses (SCC) + signed DPA
  • Resend (USA): Standard Contractual Clauses (SCC) + signed DPA
  • Sentry (USA): Standard Contractual Clauses (SCC) + signed DPA

You may request further information about the specific safeguards in place at contact@etherealstories.com.

XV. Data Processors (Subprocessors)

We rely on the following third-party subprocessors to operate the Service. Each has been assessed for GDPR compliance and, where required, a Data Processing Agreement (DPA) is in place.

  • Supabase (supabase.com) — Database and authentication — EU/US
  • Vercel (vercel.com) — Hosting and edge functions — US/EU
  • Stripe (stripe.com) — Payment processing — US/EU
  • Cloudinary (cloudinary.com) — Image storage and delivery — US
  • Upstash (upstash.com) — Rate limiting (Redis) — US/EU
  • Resend (resend.com) — Transactional email — US