This policy describes how H2O SPORTS DISTRIBUTION SRL (CUI: 32327257, JJ20/1301/2400/401) collects, uses, and protects your personal data through the website insta360-store.ro, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and Law 190/2018.
1. Data Controller
H2O SPORTS DISTRIBUTION SRL
Headquarters: Calea Dorobanților 48, Building B, Ground Floor, Code 010574, Sector 1, Bucharest
Email: service@h2o.ro (including DPO/GDPR requests)
Phone: 0752005201
GDPR Contact Person: TODO (to be confirmed) — TODO@h2o.ro
2. Personal Data Collected
2.1. Data provided directly by you:
- When placing an order: First name, last name, delivery address, billing address, email, phone
- When creating an account: Name, email, password (encrypted)
- When subscribing to the newsletter: Email address
- When contacting us: Any information submitted via form or email
2.2. Automatically collected data:
- Cookies: As per the Cookies Policy
- Navigation data: IP address, browser type, pages visited, visit duration
- Device data: Operating system, screen resolution
3. Purposes and Legal Bases of Processing
| Purpose | Legal Basis (GDPR) | Retention |
|------|-------------------|----------|
| Order processing | Art.6(1)(b) — Contract performance | 5 years (fiscal) |
| Invoice issuance | Art.6(1)(c) — Legal obligation | 10 years (accounting) |
| Product delivery | Art.6(1)(b) — Contract performance | Delivery duration |
| Responding to requests | Art.6(1)(b) — Pre-contractual measures | 2 years |
| Newsletter marketing | Art.6(1)(a) — Consent | Until unsubscribe |
| Website improvement | Art.6(1)(f) — Legitimate interest | 26 months |
| Fraud prevention | Art.6(1)(f) — Legitimate interest | 5 years |
4. Data Recipients
Data may be transmitted to:
- Payment processor: Shopify Payments / Stripe
- Courier company: TODO (to be confirmed) — for delivery
- Email marketing provider: Shopify Email / Klaviyo — for newsletter
- Shopify Inc. — as a hosting platform (data stored in EU/USA with Standard Contractual Clauses)
- Public authorities — when required by law (ANAF, courts)
We do not sell or rent your data to third parties for marketing purposes.
5. Data Transfer Outside the EU/EEA
Some service providers (Shopify, payment processors) may store data in the USA or other countries. The transfer is based on:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions of the European Commission
6. Your Rights
According to GDPR, you have the following rights:
| Right | Description |
|-------|-----------|
| Access (Art.15) | To request a copy of the data we hold |
| Rectification (Art.16) | To correct inaccurate data |
| Erasure (Art.17) | To request data deletion ("right to be forgotten") |
| Restriction (Art.18) | To limit processing in certain situations |
| Portability (Art.20) | To receive data in a structured format |
| Objection (Art.21) | To object to processing based on legitimate interest |
| Withdrawal of consent (Art.7) | To withdraw consent for the newsletter at any time |
How to exercise these rights: Send an email to service@h2o.ro with the subject "GDPR Right — [type of right]". We respond within a maximum of 30 days.
Complaints: You can file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): https://www.dataprotection.ro.
7. Data Security
We implement appropriate technical and organizational measures:
- SSL/TLS encryption across the entire site
- Passwords stored as hashes (bcrypt)
- Restricted access to data (minimization principle)
- Regular encrypted backups
- Shopify platform — PCI DSS Level 1 certified
8. Minors
We do not intentionally collect data from individuals under 16 years of age. If we become aware that we have collected such data, we will delete it immediately.
9. Changes
We reserve the right to update this policy. Significant changes will be communicated via email or announcement on the website.