Skip to main content

Privacy Policy

1. DEFINITIONS

1.1.GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

1.2.Applicable Legislation” – all and any legal provisions in force in Romania at any given time governing the Processing of Personal Data;

1.3.Data / Personal Data” – any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity;

1.4.DPA” – the data processing agreement concluded with each Processor;

1.5.Recipient” – any natural or legal person, public authority, agency, or other body to whom the personal data are disclosed or may be disclosed;

1.6.Data Subject” – any natural person whose Personal Data are processed by the Controller;

1.7.Processing” – any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;

1.8.Processor” – any natural or legal person that processes Personal Data on behalf of and for the Controller;

1.9.Controller” – UZINA DE NET INTERACTIVE S.R.L., headquartered in Bucharest, Sector 1, Bulevardul Nicolae Bălcescu no. 17A, 2nd floor, office no. 2C, email: hello@bucuresti.ro, website: www.bucuresti.ro, phone: +40 723 152 632, Trade Registry no.: J40/5829/2010, VAT ID: RO27031599, bank account: RO12INGB0000999914505008 at ING Bank N.V. Amsterdam – Bucharest Branch, legally represented by Nicoara Ilie Orlando, as the owner and administrator of the online platform www.bucuresti.ro (hereinafter the “Platform” / “Bucuresti.ro”);

1.10.User” – a natural or legal person (via authorized legal representatives) who accesses, visits Bucuresti.ro and/or requests and obtains a User Account and/or uses, by any means, information/content published/displayed/uploaded on this online platform and/or posts/uploads—on their sole responsibility—information or content (e.g., merchant/product/service/price/offer info, comments, photos, videos, etc.);

1.11.Partner” – a business (legal entity / authorized individual) registered and operating in compliance with applicable legal provisions, who, based on and in accordance with the Promotion and Intermediation Contract and/or other agreements between the parties, requests the Platform Owner to publish/display/upload, using their own means or through subcontractors, commercial offers, advertisements, discount or promotional campaigns, etc., on the Platform;

1.12.Parties” – UZINA DE NET INTERACTIVE S.R.L. and the User or Partner, as applicable; each individually referred to as a “Party”;

1.13.Policy” – the Privacy Policy, which includes information about all Data processed by the Controller, directly or indirectly;

1.14.Platform / Online Platform” – Bucuresti.ro;

1.15.Platform Owner” – UZINA DE NET INTERACTIVE S.R.L.;

1.16.Cookies Policy” – the document listing all cookies used on the Platform, including detailed information about each one; it helps Users understand how cookies are used, how long they stay on their device, and more;

1.17.Account” – the electronic tool allowing Partners and Users to access Services not publicly available without registration.

1.18. For the purposes of this Policy, terms not defined here have the meanings provided in the General Terms and Conditions, the GDPR, and Applicable Legislation. Terms in the singular also apply in the plural. In case of inconsistencies between these definitions and those established by mandatory legal norms, the legal definitions shall prevail.

2. GENERAL PROVISIONS

2.1. This Policy contains information on how UZINA DE NET INTERACTIVE S.R.L. processes Personal Data when:

  • Users or Partners access/visit/use the Bucuresti.ro online Platform by any means, including when they upload/post information or content (e.g., merchant/product/service/price/offer info, comments, photos, videos, etc.);
  • Users or Partners benefit from services provided by UZINA DE NET INTERACTIVE S.R.L., except where specific contractual or legal provisions take precedence over this Policy.

2.2. This Policy complements the General Terms and Conditions (GTC), the Cookies Policy, the Notice and Takedown Policy for Illegal Content, the Guide on the Recommendation and Promotion System, the Promotion and Intermediation Contract, and any other applicable documents issued by UZINA DE NET INTERACTIVE S.R.L.

2.3. By visiting the Platform and/or requesting services and/or providing Personal Data, Users and Partners acknowledge that they have read and understood this Policy.

2.4. The Controller may amend this Policy at any time. The current and applicable version is always published on the Platform. Unless otherwise required by mandatory law, changes take effect from the time they are published online.

2.5. The Controller makes all reasonable efforts to ensure the security and protection of processed Personal Data and complies with all applicable legal obligations in this regard.

2.6. The Controller processes Personal Data:

  • either in its own name and for its own purposes (e.g., fulfilling obligations under applicable laws, fulfilling obligations under the GTC and/or Promotion and Intermediation Contract, communicating with Users or Partners, promoting services, preventing fraud or abuse, exercising legitimate interests, etc.);
  • or on behalf of other data controllers (e.g., Partners or institutions who contractually request the Controller to publish specific content or conduct certain activities), in which case it acts as a Processor under a Data Processing Agreement (DPA).

2.7. If the Controller becomes aware that Users/Partners have shared data of third parties (e.g., family members, collaborators, clients, etc.), it will consider that such third parties were previously informed and that Users/Partners obtained their valid consent, where required by law.

3. CATEGORIES OF PROCESSED PERSONAL DATA

3.1. Depending on the circumstances and the way the Platform and Services are used, the Controller may process the following categories of Personal Data:

a) Identification Data:

  • Full name
  • Personal numerical code (CNP)
  • Series and number of the national identity card
  • Nationality
  • Date and place of birth
  • Signature
  • Identity card photo

b) Contact Data:

  • Email address
  • Telephone number
  • Residence/domicile address
  • Mailing or billing address
  • Preferred method of communication
  • IP address

c) Professional Data:

  • Job title
  • Role/function
  • Work email and phone
  • Employer name
  • Occupation and field of activity
  • Experience or expertise

d) Financial/Banking Data (if applicable):

  • Bank account (IBAN)
  • Name of account holder or legal representative
  • Payment status
  • Invoices or payment history

e) Data Required by Law:

  • Data necessary for fulfilling the Controller’s legal obligations in areas such as taxation, accounting, prevention of fraud and money laundering, and more

f) Technical Data:

  • IP address
  • Device/browser used
  • Login frequency
  • Location data (approximate)
  • Cookies and similar tracking technologies (see the Cookies Policy for full details)

g) Platform Use Data:

  • Comments posted
  • Messages or requests sent via the Platform
  • Content uploaded or accessed (e.g., reviews, media, merchant offers)
  • Account activity

3.2. The Controller collects Personal Data either:

  • directly from the Data Subject (e.g., by filling in a form, creating an Account, sending an email, calling the Company, etc.);
  • indirectly, through automated means (e.g., using cookies and analytics tools—see the Cookies Policy);
  • from third-party sources (e.g., employers, business partners, public authorities, or public databases).

4. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

4.1. Personal Data may be processed by the Controller based on one or more of the following legal grounds:

a) Contract Performance:

When processing is necessary to conclude or perform a contract with the Data Subject (e.g., GTC or Promotion and Intermediation Contract).

b) Legal Obligation:

When processing is required to fulfill legal obligations (e.g., accounting, archiving, combating fraud, money laundering prevention, or fulfilling lawful requests from public authorities).

c) Legitimate Interest:

When processing is necessary for the purposes of the Controller’s legitimate interests (e.g., ensuring platform security, preventing fraud, promoting services, responding to user requests), provided such interests do not override the fundamental rights and freedoms of the Data Subject.

d) Consent:

When the Data Subject has explicitly given consent for a specific processing purpose (e.g., sending newsletters, using non-essential cookies). Consent can be withdrawn at any time without affecting prior processing.

e) Public Interest:

Where applicable, for the performance of a task carried out in the public interest or in the exercise of official authority.

4.2. In most cases, the Controller processes Personal Data for the following purposes:

  • To ensure the operation and security of the Platform;
  • To provide services to Users and/or Partners;
  • To fulfill contractual obligations;
  • To respond to information requests, complaints, or messages;
  • To conduct commercial communication, marketing, and promotion (with consent, where required);
  • To carry out internal analyses and statistics (aggregated or anonymized);
  • To comply with legal and regulatory requirements;
  • To cooperate with public authorities upon request or when legally obliged.

5. DURATION OF PERSONAL DATA PROCESSING

5.1. The Controller stores Personal Data only for the period necessary to fulfill the purposes for which they were collected, or for as long as required by applicable legal provisions.

5.2. Specifically:

  • If the data are processed based on consent, they will be stored until consent is withdrawn, unless there is another valid legal ground that justifies continued processing.
  • If the data are processed based on a contract, they will be stored for the duration of the contract and an additional period as required by financial-accounting or legal archiving rules (e.g., typically 5 years under Romanian law).
  • If the data are processed to comply with legal obligations, they will be stored according to the retention periods set by those laws (e.g., tax laws, anti-fraud laws).
  • If the data are processed based on legitimate interest, they will be stored as long as necessary to fulfill the purpose and only for the duration justified by the nature of the interest, unless the Data Subject objects.

5.3. After the retention period expires, Personal Data will be deleted or anonymized, unless a legal obligation or the competent authority requires otherwise.

6. SECURITY OF PERSONAL DATA PROCESSING

6.1. The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in processing Personal Data. These measures include, but are not limited to:

  • limiting access to personal data only to authorized personnel;
  • regularly updating and securing computer systems and databases;
  • using encryption and anonymization where appropriate;
  • implementing data backup systems and procedures;
  • conducting regular internal reviews and audits;
  • applying access restrictions, password protections, and secure communication protocols.

6.2. Despite all efforts, the Controller cannot guarantee absolute data security, especially against sophisticated cyber-attacks or events outside its control (e.g., force majeure, attacks by hackers, etc.). In such cases, the Controller undertakes to take all necessary legal steps and inform the relevant authorities and affected individuals, in accordance with applicable law.

6.3. Users and Partners also have responsibilities regarding data security. In particular, they must:

  • keep confidential their Account login credentials;
  • avoid sharing personal or sensitive data through unsecured channels;
  • notify the Controller immediately in case of suspected unauthorized access or data breach.

7. DISCLOSURE AND TRANSFER OF PERSONAL DATA

7.1. The Controller may disclose Personal Data, strictly as necessary and only when justified, to the following categories of Recipients:

a) Authorized employees and collaborators of the Controller;

b) Contractual partners or service providers acting as Processors (e.g., IT, accounting, hosting, email, legal, or marketing services), who are contractually bound to ensure data protection;

c) Public authorities or institutions, such as courts of law, the National Authority for Consumer Protection (ANPC), the National Supervisory Authority for Personal Data Processing (ANSPDCP), tax authorities, and others—only when legally required or in response to official requests;

d) Partners whose services or offers are displayed on the Platform (only where necessary, and only in the context of contractual or promotional relationships with that Partner);

e) Other third parties when:

  • required by law, or
  • necessary to protect the rights, safety, or property of the Controller or others, or
  • the Data Subject has provided prior explicit consent.

7.2. As a rule, Personal Data are processed within the European Union (EU) and the European Economic Area (EEA). If, exceptionally, data transfers outside the EU/EEA are required, the Controller will ensure that appropriate safeguards are in place (e.g., adequacy decisions, standard contractual clauses approved by the European Commission), in accordance with GDPR requirements.

8. RIGHTS OF DATA SUBJECTS

8.1. According to GDPR and Applicable Legislation, Data Subjects have the following rights regarding the processing of their Personal Data:

a) Right of Access

To obtain confirmation as to whether or not Personal Data concerning them are being processed, and if so, access to that data and related information.

b) Right to Rectification

To request the correction or completion of inaccurate or incomplete Personal Data.

c) Right to Erasure (“Right to be Forgotten”)

To request the deletion of their Personal Data when:

  • the data are no longer necessary for the purposes for which they were collected,
  • the data were processed unlawfully,
  • the Data Subject withdraws consent (if applicable),
  • the Data Subject objects to processing and there are no overriding legitimate grounds.

d) Right to Restriction of Processing

To request that the Controller limit processing of their data in certain situations (e.g., while a correction or objection is being evaluated).

e) Right to Data Portability

To receive the Personal Data they provided to the Controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

f) Right to Object

To object, at any time, to processing based on legitimate interest or for direct marketing purposes.

g) Right Not to Be Subject to Automated Individual Decision-Making, Including Profiling

To request that decisions based solely on automated processing and which produce legal effects or similarly significant consequences not be applied to them, unless such processing is necessary for a contract, is authorized by law, or based on explicit consent.

8.2. To exercise any of these rights, the Data Subject can send a written request to:

  • Email: hello@bucuresti.ro
  • Postal address: București, Sector 1, Bulevardul Nicolae Bălcescu no. 17A, et. 2, office 2C
  • Subject line: “GDPR Request – [Name]”

8.3. The Controller will respond within one (1) month of receiving the request. This period may be extended by two (2) additional months where necessary, depending on the complexity and number of requests. The Controller will inform the Data Subject of any such extension within one month of receipt of the request.

8.4. If the Data Subject believes their data protection rights have been violated, they may file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)www.dataprotection.ro.

9. FINAL PROVISIONS

9.1. This Policy is drafted in accordance with and is governed by the provisions of the General Data Protection Regulation (GDPR), as well as other applicable Romanian and European legislation on the protection of personal data.

9.2. This Policy is available at any time on the Platform and may be provided in physical or electronic form upon request.

9.3. If any provision of this Policy is or becomes invalid or unenforceable, it will not affect the validity or enforceability of the remaining provisions. In such cases, the Controller will replace the invalid provision with one that complies with applicable law and has an equivalent effect.

9.4. This Policy is applicable starting from April 24, 2025, and supersedes any previous versions.