Privacy Policy

Ensuring the right to the protection of personal data is a fundamental commitment of our company and we will make every effort to process your data in full compliance with Regulation (EU) 2016/679 ("General Data Protection Regulation" or "GDPR") , as well as with any other legal provision applicable on the territory of Romania.

This document describes how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and services, including through our website or mobile applications.

We reserve the right to periodically update and amend this Privacy Policy to reflect any changes in the way we process your personal data or any changes in legal requirements. In the event of any such change, we will display the modified version of the Privacy Policy on our website, so please check its content periodically.

Who we are and how you can contact us

Catleya is the commercial name of SC Severinești Viticola SRL, a legal entity of Romanian nationality, with its registered office in Mehedinți County, Corcova township, Main Street no. 102, with order number in the Trade Register J25/591/2007, unique tax registration code RO19109689 (hereinafter referred to as "Catleya" or "us"). For the purposes of data protection legislation, we are the controller when we process your personal data.

We are always open to your views, as well as providing you with any additional information you may need regarding the processing of your data. If you wish, you can contact the Data Protection Officer at the e-mail address contact@catleyawines.com with the mention: to the attention of the Data Protection Officer.

What categories of personal data we process

We collect your personal data directly from you, so you have control over the type of information you give us. By way of example, we receive information from you as follows:

When you contact us by sending a message from our website, you give us: your e-mail address, your name and your first name.

We may also collect and further process certain information about your behavior while visiting our website in order to personalize your online experience and provide you with data tailored to your profile. We invite you to learn more about this meaning by consulting the section on purposes of processing below.

On our website we may store and collect information in cookies and similar technologies, according to the Cookie Policy.

We do not collect or otherwise process sensitive data, included by the General Data Protection Regulation in special categories of personal data. We also do not wish to collect or process data of minors under the age of 16.

What are the purposes and grounds of processing your data

We will use your personal data for the following purposes:

1. To provide the services for your benefit.

This general purpose may include, as appropriate, the following:

• Processing requests, including receiving, validating and invoicing them;
• Resolving cancellations or problems of any nature related to a request, goods or services requested;
• Reimbursement of the consideration for services according to legal provisions;
• Providing support services, including providing answers to your questions about our services.

The processing of your data for these purposes is in most cases necessary for the conclusion and execution of a contract between us and you. Also, certain processing subsumed for these purposes is required by applicable law, including tax and accounting law.

2. To improve our services

We always want to give you the best experience interacting with our website. For this, we may collect and use certain information related to your behavior as a user, we may invite you to complete satisfaction surveys following the completion of the provision of services, or we may conduct, directly or with the help of partners, studies and market research.

We base these activities on our legitimate interest in carrying out commercial activities, always taking care that your fundamental rights and freedoms are not affected.

3. For marketing

We want to keep you informed about the best offers for the products/services you are interested in. In this regard, we may send you any type of message (such as: e-mail, SMS, mobile push, webpush, etc.) containing general information, information regarding products and/or services similar or complementary to those that you have purchased or requested, information about offers or promotions, information about services you have shown interest in purchasing, and other commercial communications such as market research and opinion polls, and we may display personalized recommendations. In order to provide you with information of interest to you, we may use certain data about your purchasing behavior (e.g. services viewed / purchased) to create a profile for you. We always ensure that this processing is carried out with respect for your rights and freedoms and that the decisions made on the basis of them do not have legal effects on you and do not similarly affect you to a significant extent.

In most cases, we base our marketing communications on your prior consent. You can change your mind and withdraw your consent at any time by:

• Accessing the unsubscribe link displayed in the messages you receive from us; or through
• Contacting the Company using the contact details described above.

In certain situations, we may base our marketing activities on our legitimate interest in promoting and developing our business. In any situation where we use information about you for our legitimate interest, we take care and take all necessary measures to ensure that your fundamental rights and freedoms are not affected. However, you can ask us at any time, by the means described above, to stop processing your personal data for marketing purposes, and we will comply with your request.

4. To defend our legitimate interests

There may be situations where we will use or share information to protect our rights and business. These may include:

• Measures to protect the website and platform users from cyber attacks;
• Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
• Measures to manage various other risks.

The general basis for these types of processing is our legitimate interest in defending our commercial activity, it being understood that we ensure that all measures we take ensure a balance between our interests and your fundamental rights and freedoms.

Also, in certain cases we base our processing on legal provisions such as the obligation to ensure the protection of goods and valuables provided by the applicable legislation in this matter.

How long we keep personal data

As a general rule, we will store your personal data for a period of five years.
You may request that we delete certain information or close your account at any time, and we will comply with such requests, subject to the retention of certain information, including after account closure, where applicable law or our legitimate interests require it.

To whom we transmit your personal data

As appropriate, we may transmit or provide access to certain of your personal data to the following categories of recipients:

• courier service providers;
• payment/banking service providers;
• IT service providers;
• other companies with which we can develop joint programs for offering our goods and services on the market.

If we are under a legal obligation, or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to public authorities.

We ensure that access to your data by third-party legal entities under private law is carried out in accordance with the legal provisions on data protection and information confidentiality, based on contracts concluded with them.

To which countries we transfer your personal data

Currently, we store and process your personal data on the territory of Romania. However, we may transfer certain of your personal data to entities located in the European Union or outside the Union, including countries that have not been recognized by the European Commission as having an adequate level of personal data protection.

We will always take steps to ensure that any international transfer of personal data is handled carefully to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for the Protection of Personal Data transferred from within the EU to the United States of America.

You can contact us at any time using the contact details set out above to find out more information about the countries to which we transfer your data and the safeguards we have put in place in relation to these transfers.

How we protect the security of personal data

We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures in accordance with industry standards.

The transmission of personal data is done using state-of-the-art encryption algorithms and we store it on secure servers while ensuring data redundancy.

Despite the measures taken to protect your personal data, we must draw your attention to the fact that the transmission of information over the Internet in general or through other public networks is not completely secure, there is a risk that the data may be seen and used by to unauthorized third parties. As a result, we cannot be responsible for such vulnerabilities of systems that are not under our control.

What rights you have

The General Data Protection Regulation recognizes a number of rights in relation to your personal data. You can request access to your data, correct any mistakes in our files and/or object to the processing of your personal data. You can also exercise your right to complain to the competent supervisory authority or go to court. Where appropriate, you may also benefit from the right to request the erasure of your personal data, the right to restrict the processing of your data and the right to data portability.

More information about each of these rights can be obtained by consulting the table below.

In order to exercise your rights, you can contact us using the contact details set out above. Please note the following points if you wish to exercise these rights:

Identity. We take the privacy of all records containing personal data seriously. For this reason, please send us your requests regarding such records using the email address associated with your account. Otherwise, we reserve the right to verify your identity by requesting additional information aimed at confirming your identity.

Fees. We will not charge a fee to exercise any right in relation to your personal data, unless your request for access to the information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees applied before we settle your claim.

Response time. We aim to respond to any valid requests within a maximum of one month, unless this is particularly complicated or you have made multiple requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We may ask if you can tell us exactly what you want to receive or what you are concerned about. This will help us act faster and shorten the response time to your request.

Third Party Rights. We must not comply with a request if it would adversely affect the rights and freedoms of other data subjects.