Processing of personal data

This notice details how CARTE DESCHISA SRL processes the personal data of visitors and customers of www.povestile-tale.ro, in accordance with Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 190/2018.

Data controller

CARTE DESCHISA SRL, Tax ID 42056813, registered at DN25 no. 21, Șerbeștii Vechi, 807290, Galați county, Romania. Data protection contact: contact@povestile-tale.ro, tel. +40 747 169 169.

What data we process

  • Identification and contact data: name, e-mail address, phone number;
  • Delivery and billing data: delivery address and billing address;
  • Order data: products ordered, order history and value;
  • Payment data: card payments are processed exclusively by the payment processor; we do not store your card details;
  • Data you provide voluntarily: the child's first name, if you choose the signed-copy personalisation (used solely for the dedication in the book), and messages sent via the contact form or chat;
  • Technical data: cookies and online identifiers, as described in the Cookie policy.

Purposes and legal bases

  • Processing and delivering orders (including order-related communication): performance of the contract, Art. 6(1)(b) GDPR;
  • Invoicing and accounting records: legal obligation, Art. 6(1)(c) GDPR;
  • Newsletter and marketing communications: consent, Art. 6(1)(a) GDPR; you can withdraw it at any time via the unsubscribe link in any e-mail;
  • Replying to your requests: pre-contractual steps or our legitimate interest in answering you;
  • Site security and fraud prevention: legitimate interest, Art. 6(1)(f) GDPR;
  • Product reviews: your consent, given when you publish a review.

Who we share data with (recipients)

We share data only with the partners strictly needed, under data processing agreements:

  • Shopify International Ltd. (Ireland) and Shopify Inc. (Canada): the store's technical platform (hosting, orders, payments);
  • Urgent Cargus: the courier delivering your order (name, phone, address);
  • The payment processor (Shopify Payments): secure card payment processing;
  • The invoicing solution (Oblio): issuing invoices and submitting e-invoices to the Romanian tax authority (ANAF), as required by law;
  • Judge.me: the product reviews platform;
  • Google (Analytics 4, Ads) and Meta (Facebook Pixel): traffic and marketing campaign measurement, exclusively with your consent given in the cookie banner;
  • Anthropic PBC (USA): only the messages typed in the AI assistant chat; see the dedicated section of the Privacy policy;
  • Public authorities, upon lawful request.

We do not sell or rent your data.

Transfers outside the EU/EEA

Data is stored, as a rule, in the EU/EEA. Where a provider processes it outside the EU (for example Canada or the USA), the transfer relies on adequate safeguards: European Commission adequacy decisions or Standard Contractual Clauses (SCCs).

How long we keep the data

  • Order data and invoices: for the period required by accounting legislation;
  • Marketing data (newsletter): until you withdraw consent (unsubscribe);
  • Contact messages: as long as needed to resolve your request;
  • Customer account: until you ask us to delete it.

Children's data

The store is aimed at adults (parents, grandparents, educators). About children we process a single element, only if you provide it: the child's first name, for the signed dedication. We do not use it for any other purpose and do not link it to other data.

Your rights

Under the GDPR you have the right of access (Art. 15), to rectification (Art. 16), to erasure (the right to be forgotten, Art. 17), to restriction of processing (Art. 18), to data portability (Art. 20), to object (Art. 21), the right not to be subject to a decision based solely on automated processing that produces legal effects (Art. 22), and the right to withdraw your consent at any time, without affecting the lawfulness of prior processing.

To exercise your rights, write to contact@povestile-tale.ro; we reply within one month at the latest. If you consider your rights have been infringed, you can lodge a complaint with the Romanian supervisory authority ANSPDCP: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, 010336, Bucharest, www.dataprotection.ro.

Data security

We apply appropriate technical and organisational measures: encrypted connection (HTTPS/TLS) across the site, restricted access to data, a PCI DSS certified payment platform and vetted providers contractually bound to protect the data.

Updates

We may update this notice when services or providers change; the applicable version is the one published on this page. Last update: July 2026.