Privacy policy

Privacy Policy (GDPR) — Toya Shop

Last updated: June 2026

This privacy policy explains how Toya Shop (toyashop.ro) — operated by RELAXITY S.R.L. — collects, uses, stores, and protects your personal data. We are committed to complying with EU Regulation 2016/679 (GDPR), Romanian Law 190/2018, and all applicable data protection regulations.

1. Data Controller

RELAXITY S.R.L. Tax ID (CUI): 30533870 Trade Register: J05/1309/2012 EUID: ROONRC.J5/1309/2012 Registered address: Strada Vlădeasa 14, Oradea 410222, Bihor, Romania Email: office@toyashop.ro Phone: +40 744 334 507

RELAXITY S.R.L. is the data controller within the meaning of Art. 4(7) GDPR. The toyashop.ro platform is 100% owned by RELAXITY S.R.L. and operates as a legally registered online store in Romania.

Toya Shop is the authorised Romanian reseller of Erbolinea Botanica products (Italian home fragrance brand), distributed exclusively in Romania through toyashop.ro.

2. Data Protection Contact (DPO)

RELAXITY S.R.L. is not legally required to appoint a DPO under Art. 37 GDPR (we do not process special category data or personal data at large scale on a systematic basis). However, for any data protection enquiry or request, please contact us directly:

Data Protection Contact: Email: office@toyashop.ro Post: RELAXITY S.R.L., Strada Vlădeasa 14, Oradea 410222, Romania

We will respond within a maximum of 30 calendar days, in accordance with Art. 12 GDPR.

3. Categories of Data Collected

3.1 Data you provide directly

Category Specific data When
Identity First and last name When placing an order / creating an account
Contact Email, phone number When placing an order / account / newsletter
Address Billing and/or delivery address When placing an order
Account Username, password (hashed) When creating an account (optional)
Payment Transaction confirmation, last 4 card digits At checkout
Communications Messages sent to our support team When contacting us

Full card details are never stored on our servers. Payments are processed directly by Stripe or the processor displayed at checkout.

3.2 Data collected automatically

  • IP address and approximate geolocation
  • Browser type, operating system, screen resolution
  • Pages visited, products viewed, time on site
  • Traffic source (direct, organic, referral, advertising campaign)
  • Cookies and similar identifiers (see Section 7)

3.3 Data received from third parties

  • Shopify Inc. — e-commerce platform hosting toyashop.ro (Shopify acts as a data processor in relation to us, under the Shopify Data Processing Agreement)
  • Payment processors (Stripe, Visa, Mastercard, PayPal) — payment status confirmation
  • Delivery providers (GLS Romania) — data required for delivery
  • Google / Meta — if you accessed the site through an advertisement or interacted with tracking pixels (subject to your consent)

4. Purposes of Processing and Legal Basis

Purpose Legal basis (GDPR Art. 6) Details
Processing and fulfilling orders Art. 6(1)(b) — performance of contract Without this data, we cannot deliver products
Issuing invoices / accounting documents Art. 6(1)(c) — legal obligation Romanian Accounting Law 82/1991, Tax Code
Sending order and delivery confirmations Art. 6(1)(b) — performance of contract Email/SMS with order status
Managing returns and complaints Art. 6(1)(b) and (c) GEO 140/2021, Law 449/2003
Fraud prevention and platform security Art. 6(1)(f) — legitimate interest Monitoring suspicious transactions
Service improvement (traffic analytics) Art. 6(1)(f) — legitimate interest Anonymised or aggregated data
Email / SMS marketing (newsletter) Art. 6(1)(a) — consent You may withdraw consent at any time
Personalised advertising (retargeting) Art. 6(1)(a) — consent Activated only with your agreement in the cookie banner
Compliance with legal obligations Art. 6(1)(c) — legal obligation ANPC, ANAF, judicial authorities

Note on legitimate interest: Where we rely on legitimate interest, we have conducted a balancing test and concluded that your fundamental rights are not disproportionately affected. You may request details of this test at the contact address above.

5. Data Retention

Data category Retention period
Order data (identity, address, products) 5 years from order date (accounting obligation)
Billing data 10 years (Romanian Tax Code)
Customer account data Duration of active account + 1 year after deactivation
Analytics cookies Max. 13 months (per ANSPDCP recommendations)
Support communications 3 years from last interaction
Marketing data (newsletter) Until consent is withdrawn
Security logs 12 months

Upon expiry of the applicable period, data is permanently deleted or anonymised.

6. Your Rights (GDPR)

You have the following rights in relation to your personal data:

  • Right of access (Art. 15): You may request a copy of the data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate data or completion of incomplete data.
  • Right to erasure (Art. 17): You may request deletion of your data if it is no longer necessary, or if you withdraw consent, except where processing is required by law.
  • Right to restriction of processing (Art. 18): You may request that we limit processing in certain circumstances.
  • Right to data portability (Art. 20): You may receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interest or for direct marketing purposes — the latter is absolute.
  • Right not to be subject to automated decision-making (Art. 22): We do not use automated profiling with significant legal effects.
  • Right to withdraw consent: At any time, free of charge, without retroactive effect.

How to exercise a right: Send a request to office@toyashop.ro with the subject line "GDPR Right — [type of right]". We will respond within 30 days. In complex cases, this period may be extended by a further 60 days, with prior notice to you.

7. Cookies

We use the following categories of cookies:

Type Purpose Basis
Strictly necessary Cart, session and checkout functionality Legitimate interest / performance of contract
Analytics Understanding visitor behaviour (e.g. Google Analytics) Consent
Marketing / Retargeting Personalised advertising (Meta Pixel, Google Ads) Consent
Preferences Saving language, currency, region Legitimate interest

You can manage your cookie preferences at any time through the banner displayed on your first visit, or through your browser settings. Withdrawing consent for marketing cookies does not affect order processing.

Further details on Shopify cookies: shopify.com/legal/cookies.

8. Recipients of Data

Your data may be shared with the following recipients, strictly within the limits necessary:

Recipient Role Location
Shopify Inc. Processor — e-commerce platform Canada / USA (SCC clauses)
GLS Romania Processor — parcel delivery Romania (EU)
Stripe / payment processors Processor — payment processing EU / USA (SCC)
Google LLC Processor — traffic analytics, Google Ads USA (SCC + DPF)
Meta Platforms Ireland Processor — Meta Pixel, ads Ireland (EU)
Hosting / IT providers Processor — infrastructure EU
Legal authorities Independent controller Romania / EU (upon request)
Erbolinea Botanica Product supplier — no access to personal data Italy (EU)

We do not sell or transfer your data to third parties for commercial purposes.

9. International Transfers

Some of our processors (Shopify, Google, Stripe) process data in the United States or other third countries. These transfers are carried out in compliance with the safeguards provided in Chapter V GDPR, principally through:

  • Standard Contractual Clauses (SCC) adopted by the European Commission
  • Data Privacy Framework (DPF) EU–USA, where applicable

You may request a copy of the relevant safeguards at: office@toyashop.ro.

10. Security

We apply appropriate technical and organisational measures to protect your data:

  • TLS/SSL encrypted connection across the entire site (HTTPS)
  • Role-based access control (need-to-know principle)
  • Passwords stored exclusively as hashes (bcrypt)
  • Regular vulnerability monitoring
  • Internal security incident response policies

In the event of a security incident affecting your data, you will be notified in accordance with Art. 34 GDPR if the incident poses a high risk to your rights.

11. Complaints

If you believe that processing of your data infringes GDPR, you have the right to lodge a complaint with the competent supervisory authority:

ANSPDCP — Romanian National Supervisory Authority for Personal Data Processing Bd. G-ral. Gheorghe Magheru 28–30, Sector 1, Bucharest 010336 Email: anspdcp@dataprotection.ro Website: dataprotection.ro

If you reside in another EU member state, you may contact the supervisory authority in your country: edpb.europa.eu/about-edpb/members.

We encourage you to contact us directly first — we are happy to resolve any issue amicably.

12. Alternative Dispute Resolution (ADR/ODR)

If you have a dispute relating to a purchase made on toyashop.ro, you are entitled to use alternative dispute resolution platforms:

Your right of withdrawal from the contract (14 calendar days from delivery, without giving any reason) is guaranteed by Romanian GEO 34/2014 and EU Directive 2011/83/EU.

13. Changes to This Policy

We reserve the right to update this policy to reflect legislative or operational changes. Significant changes will be communicated by email or through a prominent banner on the site, at least 30 days before they take effect. The date of the last update is indicated in the header of this document.

14. Contact

RELAXITY S.R.L. Tax ID (CUI): 30533870 | Trade Register: J05/1309/2012 Strada Vlădeasa 14, Oradea 410222, Bihor, Romania Email: office@toyashop.ro Phone: +40 744 334 507 Office phone: +40 359 435 678

IBAN: [TODO: confirm from Gossip] Bank: [TODO: confirm from Gossip] VAT registered: [TODO: confirm from Gossip — yes/no]