DATA PROTECTION NOTICE
The protection of your personal data is very important to us. This notice describes our practices regarding the collection and use of your personal data—for example, what data we collect, why and for what purpose—and explains the rights you have in relation to your personal data.
In this document, you can find information on the following topics:
- WHO WE ARE
- HOW WE COLLECT YOUR PERSONAL DATA
- HOW WE SHARE INFORMATION
- INFORMATION TRANSFERS OUTSIDE THE EUROPEAN UNION
- SECURITY
- YOUR RIGHTS
- CHANGES TO THIS NOTICE
- CONTACT INFORMATION
WHO WE ARE
Create Direct is a joint-stock company headquartered at Str. Siriului, no. 42-46, 3rd floor, Sector 1, Bucharest, registered with the Bucharest Trade Register under number J40/13124/2004, fiscal code RO16678558. We collect and process various categories of personal data from you, which, in accordance with European Union data protection legislation, makes us the data controller for such data.
HOW WE COLLECT YOUR PERSONAL DATA
Personal data may be collected or accessed in several ways, including:
• Directly from you (for example, by signing a contract, filling out a form on our website, or contacting us by phone);
• Automatically (for example, data observed by us when you browse our website, https://rewardiful.com/– e.g., cookies, IP address, etc.);
• From third parties (for example, your employer, your representative, or from public sources such as a company website, an internet search, or social media platforms like LinkedIn, Facebook, etc.).
2.1. Data Provided Directly by You
We may collect data that you provide directly. This usually occurs when you:
• Purchase our products or services;
• Contact us via the contact forms on our website, by email, phone, chat, or through social media platforms;
• Enter into an agreement with us to provide us with products or services;
• Enter into an agreement with us to receive products or services from us;
• Participate in an event organized by us;
• Register to receive marketing communications from Create Direct;
• Visit our headquarters or other business locations.
2.2. Data Collected Automatically
We may collect data about you automatically. This usually occurs when you:
• Visit our headquarters or business locations (e.g., via CCTV recordings and building access logs);
• Communicate with us (e.g., via social media platforms);
• Make public posts on social media platforms that we monitor (e.g., to respond to inquiries regarding Create Direct products and services).
We may also automatically collect data about you through the use of cookies and similar tracking technologies. How we use tracking technologies (e.g., cookies and non-cookie-based technologies such as web beacons) on our website is described in the Cookie Policy section.
2.3. Data Provided by Third Parties
Where permitted by law, we may obtain data about you from third parties, for example, publicly available profile information (such as your preferences and interests) from third-party social media sites (such as Facebook).
We may also collect data in other contexts, which will be communicated to you at the time.
What data do we collect about you?
We may collect the following types of data:
• Data necessary to provide you with our products and services;
• Data you provide in forms and contracts;
• Data about your visits to our headquarters and business locations;
• Data you provide during phone calls;
• Data you provide in emails you send to us;
• Data you provide in chat requests;
• Data about your preferences and interests;
• Data necessary to respond to your inquiries and complaints;
• Data necessary to manage and administer our relationship with you, your employer, or your representative;
• Data necessary for the purchase of products or services;
• Data necessary for marketing or providing consulting related to our products or services;
• Information about your activities related to our clients, products, services, or us.
Data collected directly from you will be apparent from the context in which you provide it. For example:
• If you request information about one of our services using forms on our website, you provide your name, contact details, company name, and the services you are interested in;
• If you are a supplier, to manage our relationship with you or your employer, you provide your name, contact information, billing details, and product/service details so we can fulfill contractual obligations;
• You may provide information about your preferences and interests so we can invite you to events that may be of interest to you.
Data collected automatically will generally include:
• Details about your visit or call (e.g., time and duration);
• How often you visit our offices and business locations, which areas you access/visit, and for how long;
• Your device (e.g., IP address or unique device identifier, details about any cookies we have stored on your device, etc.).
Data collected from third parties will generally consist of publicly available information (such as job title, preferences, and interests), for example obtained from social media posts.
For what purposes and on what legal basis do we use your data?
Depending on the nature of our relationship with you, we may use information about you for the following purposes:
• To comply with legal obligations, such as data archiving under applicable law or paying taxes and social contributions;
• To sell you our products and services;
• To send you relevant product/service offers based on advanced analysis of your interests;
• To defend our rights and interests in legal proceedings;
• To manage the contractual relationship with you or your employer;
• To ensure compliance with applicable laws, such as retaining and using records related to any anticipated disputes, for obtaining legal advice from lawyers or other consultants;
• To purchase products or services from you or your employer, including contacting you to maintain our relationship, obtain services related to sales operations, and settle payments or reimburse expenses (where applicable);
• To sell our products and services to you, including processing payments;
• To respond to information requests;
• To inform you about our products, services, promotions, and events;
• To defend our rights and interests in legal proceedings;
• For other purposes we communicate to you or that will be clear from the context when your information is first collected.
The legal basis for processing your data will be one of the following:
• Compliance with a legal obligation to which we are subject;
• Performance of a contract to which you are a party;
• Our legitimate interest that is not overridden by your interest in protecting your personal data;
• Your consent, which we will request before processing the data.
Purposes for which we use your information, along with the corresponding collection methods and legal basis for processing, are as follows:
|
Purpose |
Collection Method and Legal Basis for Processing |
|
Compliance with regulatory obligations
|
This information is generally provided to us directly by you when a relationship with us is established or when you interact with us.
We use this information because it is necessary for us to conduct our activities in compliance with the law (including company law and the tax code), to maintain financial and tax records, to comply with trade sanctions, to adhere to health and safety regulations (which may include keeping records of incidents), to prepare reports, to respond to information requests from competent authorities, and to manage any conflicts of interest. |
|
Purchasing products or services
|
In general, we receive this information either directly from you or through your employer (usually name, position, company address, business email, orders, services, payment information, and, where applicable, expense details, correspondence).
We use this information to fulfill the contract concluded with you or your employer as the buyer of your or your employer’s products or services, or as our client. Where no such legal obligation exists, we use this information based on our legitimate interest to operate our business, to contact you regarding products or services we receive from you or your employer, or regarding the products and services we provide to you, to process payments, and to manage the relationship with you or your employer—an interest that is not overridden by your interests, rights, and freedoms to protect your personal information |
|
Commercial promotion and relationship management (where permitted by law)
|
This information is generally provided to us directly by you or by your employer, as applicable (usually name, position, company address, business email, orders, payment information, correspondence). We use this information to fulfill our contractual obligations to you or your employer as the buyer of our products. |
|
Commercial promotion and relationship management (where permitted by law)
|
This information is generally provided to us directly by you or by your employer, as applicable (usually name, position, company address, business email). We use this information based on our legitimate commercial interest to manage our relationship with you and to inform you about our activities, products, and events—an interest that is not overridden by your interests, rights, and freedoms to protect your personal information. |
|
Business administration
|
In general, we receive this information either directly from you or from your employer. We use this information based on our legitimate commercial interest to conduct our business, manage our relationship with you, and maintain the security and integrity of our buildings and IT systems—an interest that is not overridden by your interests, rights, and freedoms to restrict the use of your personal information. |
|
System security and monitoring
|
This information is collected automatically through various means, such as automated systems, device monitoring, and CCTV recording within our premises. We use this information based on our legitimate commercial interest to ensure the confidentiality, integrity, and security of our physical and digital infrastructure and premises—an interest that is not overridden by your interests, rights, and freedoms to protect your personal information. |
|
Support for all of the above purposes
|
These generally consist of a combination of information you provide to us (e.g., contact details) and information we collect automatically (e.g., device information, cookies, and similar tracking technologies). We use this information based on the legal grounds corresponding to the purpose for which the support is provided. |
In some cases, we may use your data in ways not described above. In such cases, we will provide an additional privacy notice explaining this use.
3. HOW WE SHARE DATA
We may share information about you with:
• Third parties that provide products or services to us or to you (such as your employer, advisors, payment service providers, courier services, retailers, information service providers, etc.);
• Third parties that provide products or services, such as couriers, IT system providers, and related support service providers, including telecommunications providers, backup and disaster recovery services, cybersecurity services, and other outsourced service providers, such as off-site storage and cloud storage service providers;
• Third parties, where necessary or permitted by law, for example: regulatory authorities, government departments, in response to requests from law enforcement or other government officials, when disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity, and in the context of organizational restructuring.
4. TRANSFERS OF DATA OUTSIDE THE EUROPEAN UNION
As a general rule, personal data will not be transferred outside the EU. However, if it becomes necessary to transfer personal data to countries outside the EEA, we will take the necessary measures to ensure an adequate level of protection and security in accordance with applicable laws, including by incorporating standard contractual clauses in agreements governing such transfers.
5. SECURITY
How do we protect your data?
We implement appropriate technical and organizational measures to protect the personal data we hold against unauthorized disclosure, use, alteration, or destruction. Where applicable, we use encryption technologies and other measures to help secure the information you provide. We also require our service providers to adhere to strict data confidentiality and security requirements.
How long will your information be retained?
We will retain your information for as long as necessary to fulfill the purposes for which it was collected. After that, it will be deleted. The retention period will vary depending on the purposes for which the information was collected. In certain circumstances, you have the right to request that we delete your information. Additionally, in some cases, we are legally required to retain information, for example, for tax and accounting purposes.
Typically, we retain data according to the criteria described in the table below:
|
Type |
Typical retention explanation/criteria |
|
If you have provided us with services (either directly or through your employer), most of the information about you is retained for the duration of our relationship with you; for example, as long as you continue to provide services or respond to our communications. However, certain elements, such as purchase history, will naturally expire over time and will be automatically deleted after defined periods, depending on the purpose for which they were collected. |
|
We retain records of invoices, sales, purchases, payments made and received, and related documents (such as contracts and emails) in accordance with company law requirements and the tax code, typically for 11 years. We also keep records of audits conducted on suppliers for as long as necessary to comply with our legal and regulatory obligations. |
|
If you visit our premises, visitor logs are typically retained for only a few months. |
|
If you visit our premises, CCTV recordings are typically retained for a period of a few days up to a few weeks, depending on the purpose of the recording. |
|
If you purchase services, we will retain the details of this transaction for as long as necessary to fulfill the contract and comply with any legal obligations (e.g., for the purpose of maintaining fiscal and accounting records). |
|
System audit logs are typically retained for only a few months. |
- YOUR RIGHTS
Under the law, you have the following rights regarding your personal data that we process:
- Right of access: You can obtain confirmation from us whether we process your personal data, as well as information about the specifics of the processing. This right allows you to receive a free copy of your personal data that is being processed, and, if requested, additional copies for a reasonable fee.
- Right to rectification: You can request that we correct any inaccurate personal data or, where applicable, complete incomplete data.
- Right to erasure: You may request the deletion of your personal data when:
(i) the data is no longer necessary for the purposes for which it was collected and processed;
(ii) you have withdrawn your consent for processing based on consent, and we have no other legal grounds to process the data;
(iii) the personal data has been processed unlawfully; or
(iv) the personal data must be deleted in accordance with applicable law. - Right to object and withdraw consent (if applicable): You may object to processing for reasons related to your particular situation, or you may withdraw your consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
- Right to restriction of processing: You can request restriction of processing if:
(i) you contest the accuracy of personal data, for the period we need to verify it;
(ii) processing is unlawful, and you oppose erasure, requesting restriction instead;
(iii) the data is no longer necessary for processing, but you need it for a legal claim; or
(iv) you have objected to processing, during the time it is verified whether the legitimate interests of the company as a data controller prevail over your rights as a data subject. - Right to data portability (if applicable): You may request, under applicable law, that we provide your personal data in a structured, commonly used, and machine-readable format. If you explicitly request, we can also transmit your personal data to another entity where technically feasible.
- Rights related to automated decision-making, including profiling: Create Direct does not perform such profiling that leads to automated decisions with legal or similarly significant effects for the data subject.
- Right to lodge a complaint with a supervisory authority: You have the right to file a complaint with the National Supervisory Authority for Personal Data Processing if you believe your rights have been violated. Contact details: B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Postal Code 010336, Bucharest, Romania, anspdcp@dataprotection.ro
- CHANGES TO THIS NOTICE
We may update this notice (and any supplemental privacy notices) from time to time. We will notify you of any changes when required by law. - CONTACT INFORMATION
If you have any questions about this notice or wish to exercise your rights as described above, you can contact us using the following details:
Correspondence Address: Strada Siriului, no. 42-46, 3rd floor, Sector 1, Bucharest, Romania
Email: office@createdirect.ro
Phone: +40212246552