Privacy Policy

Privacy policy agreement on TotoPet

Privacy Policy

Definitions of terms used 

"Controller": means the entity which determines the purposes and means of the processing of personal data.

"EU Data Protection Laws and Regulations": means all laws and regulations applicable in Romania, whether they are primary legislation (such as the GDPR, defined below), secondary legislation (such as the Art. 29 Working Party Guidelines, European Data Protection Board - EDPB, or other guidelines issued by the Supervisory Authority), or national laws applicable to the Processing of Personal Data under the Agreement.

"Data Subject": means the identified or identifiable person to whom the Personal Data relates.

"GDPR": means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

"Personal data": means any information relating to an identified or identifiable natural person which is protected under applicable EU Data Protection Laws and Regulations. "Processing": means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor": means the entity that processes personal data on behalf of the Controller.

"Special categories of personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.

Sub-processor": means any person appointed by or on behalf of the Data Processor to process personal data, Totopet's partner appointed by the Data Processor to deliver services and/or process customer personal data

"Supervisory Authority": means the National Supervisory and Personal Data Protection Authority or any other authority to which data protection responsibilities have been assigned in accordance with the EU Data Protection Laws and Regulations of any Member State.

"Transfer": means disclosing or otherwise making Personal Data available to third parties either by physically transmitting the Personal Data to that third party or by allowing access to the Personal Data by other means. Storage and back-up shall qualify as a transfer for the purposes of this Agreement.

"User": User means any person who has access to or uses the Totopet website/mobile application.

"Services" - means the service provided to the Customer in accordance with the Terms and Conditions, i.e. the contract entered into with Totopet.

"Technical and organisational security measures" - measures aimed at ensuring an adequate level of security including, pseudo-anonymisation and encryption of personal data, the ability to ensure confidentiality, integrity, availability and resilience of processing systems and services at all times, the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident, a regular process for testing and evaluating the effectiveness of processing security. 

2. General Information

S.C. Munchkin Tech S.R.L., a commercial company based in Șos. Ștefan cel Mare no. 15, block 15, 5th floor, ap. 18, sector 2, Bucharest, hereinafter referred to as Totopet, as author, owner, administrator of Totopet.ro, respects the privacy and security of processing personal data of each person who visits and/or uses the services offered by this website and is obliged to protect their personal data and information. This document concerns the Totopet.app website and the Totopet mobile application, hereinafter referred to as the "Platform".

In accordance with the provisions of EU Regulation 679/2016 (General Data Protection Regulation - GDPR on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Totopet is obliged to manage securely and only for the purposes and period specified in this document, the personal data you provide us about yourself, a family member or another person as well as the personal data visible in the context of the use of the Platform. 

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

This Policy applies to all electronic devices used to access the Platform. If you do not agree with this Personal Data Processing Policy, please do not use the website.

The purpose of this Policy is to establish the internal regulatory framework involving the processing of personal data as well as to ensure compliance with applicable rules and regulations in force. 

The Policy describes the conditions and the manner of carrying out activities related to the collection and processing of personal data (preparation, receipt, storage, access, transmission, transport, use and delivery of documents) in strict compliance with the rules of their protection, in order to meet legal requirements.

In this regard, in the processing of personal data of data subjects, Totopet ensures:

(a) the processing of personal data of the data subjects whose data are collected, in accordance with the legal provisions;

b) compliance with data protection principles in the operational activities of the company;

c) transparency in relation to the categories of personal data processed, as well as in relation to the purposes of the processing, the recipients of the personal data;

d) the rights of data subjects;

e) the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of natural persons.

Principles

The Data Protection Act is based on the following important principles:

- personal data should be collected and processed in a fair and transparent way;

- data collection and processing must be proportionate and necessary;

- data collection and processing is lawful;

- data collection and processing is for specified, explicit and legitimate purposes;

- the data collected and processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

- the data collected and processed must be accurate and up-to-date;

- personal data shall be kept for a limited period of time in relation to the purposes for which they were collected and processed;

- processing is carried out in a way that ensures adequate security of personal data;

- the data are processed in accordance with the rights of the data subjects;

- it is not transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of data protection.

Processing of personal data

The client shall be solely responsible for the accuracy, quality and processing of the data subjects' data. Totopet will only access, use or process such data on behalf of the customer in the following cases:

1) at the direct request of the customer;

2) in order to provide the contracted services;

3) to provide technical assistance in relation to the services provided;

4) for maintenance operations.

Totopet will process certain categories and types of personal data on behalf of the customer as authorised and requested by the customer.

Categories of personal data requested and processed

The Totopet platform (website and mobile application) is structured in a way that allows visiting and using it without the need to disclose any personal information from its visitors. 

With each visit/use of the Platform, the server collects, respectively stores in the form of electronic logs for short periods of time, basic information including IP address, browser used, referring domain name (through which the visitor reached the Platform), access times, duration of visit and pages visited. Apart from the IP address, none of this traffic data is identifiable information and is stored only for statistical/analytical purposes to improve the services and, of course, to prevent fraud or abuse of the information system. This data is not disclosed to any natural or legal person outside Totopet in any form. Any other information is provided on a strictly voluntary basis by the visitor/user and there is no obligation to provide personal data to Totopet. Although some services offered by Totopet cannot be used without the provision of certain data, the provision of such data is strictly voluntary.

This Policy applies to all data sent by the customer to Totopet for processing, all data accessed by Totopet for processing on behalf of the customer, all data received by Totopet on behalf of the customer. 

The types and categories of personal data processed by Totopet are:

  • data provided in sections involving the completion of a form: directly: name, email; indirectly: IP; 
  • data provided in interaction with Totopet team members through the use of the online support system: directly: name, email; indirectly: IP;
  • data provided when creating a customer account or placing an order: 
  • individuals: name, surname, secondary contact (optional), email, secondary email (optional), address, postcode, telephone number, serial number and ID number;
  • legal persons: company name, registration number at the Trade Register Office, tax code/unique registration code, IP, name, surname, position of legal representative.

Totopet does not knowingly or intentionally collect data on minors. We do not offer services to minors.

Purposes of processing. Legal basis of processing

Our general principles regarding the processing of personal data belonging to visitors to the website or mobile application (considered to be purchasers of any of the services available on the Website or in the application) as well as those belonging to visitors to the website or mobile application are set out below:

a) Website or mobile app visitor

to respond to requests submitted by filling in the forms available on the Website;

to respond to requests submitted via the online support system;

to monitor traffic and improve the experience offered on the Website or app;

b) Client of the Website or mobile application

With regard to Customers or potential Customers, the data and documents provided by them during or after the conclusion of the contract will be used exclusively for the purpose of performing the contract between Totopet and the respective Customer, and will not be transmitted in any form to third parties or be subject to any disclosure. Legal basis for the processing carried out for this purpose: (art. 6 para. (1) lit. b) GDPR);

The processing of your data is based on the legitimate interest of Totopet to ensure the proper functioning of the website or mobile application, as well as for a continuous improvement of the experience of visitors to the website or mobile application, including by addressing various comments, questions or complaints (Art. 6 (1) (f) GDPR);

c) to carry out the contractual relationship between the customer and Totopet, i.e. for taking, validating, invoicing and activating the order placed on the Website and informing you about the status of the order;

d) fulfilling the legal obligations incumbent upon Totopet in the context of the services provided through the Website or mobile application, including tax obligations as well as archiving obligations (art. 6 para. (1) lit. c) GDPR);

e) communication of information about the status of the network and any maintenance work/interruptions in the provision of services;

f) sending, via remote communication means (e-mail, sms) of commercial communications regarding the services offered by Totopet. 

The processing of your data for these purposes is based on the contract concluded between the customer and Totopet and is necessary on the basis of legal obligations. Refusal to provide data may result in Totopet being unable to comply with its legal obligations and therefore unable to provide services to you via the website or mobile application. The processing of data for marketing purposes is done on the basis of your consent, if you choose to provide it by ticking the appropriate box at the time of account creation or subsequently via your customer account; the processing is based on the provisions of Article 6(1)(a) GDPR. 

The provision of data for any of the above situations in which you find yourself is voluntary, but it is necessary for the use of the above mentioned services and the conclusion of a contract between you and Totopet. 

g) administration and improvement of the services provided;

h) commercial activities of sales services, research/market studies, statistics.

advertising, marketing and promotional activities of the operator's services, running promotional campaigns, tracking and monitoring of service sales and consumer behaviour.

Other activities, including customer relations services, informing users/customers on the evaluation of services offered (including evaluation of services on the Website).

Duration for which we keep/process data

As a matter of principle, Totopet will process your personal data for as long as it is necessary to achieve the processing purposes mentioned above.

If you are a customer, we will process your data for the duration of the contractual relationship and thereafter in accordance with Totopet's legal obligations.

In the case of a customer account - this will be kept for a period of 5 years from the last financial transaction recorded on your account, and will be automatically deleted at the end of this period if there are no more active services on the account.

In the case of financial-accounting supporting documents, as well as contracts and additional acts, the retention period stipulated by law is 10 years from the end of the financial year.

If you do not want your personal data to be processed or if you want your data to be deleted, you can exercise your rights as detailed below.

Deletion of the account is only possible if there are no active services on the account. In case there are one or more active services on the account, it can only be closed if one of the following conditions is met:

- the contracted period of the active service(s) on the account is/are expected to end;

- the active service(s) on the account is/are terminated by means of a written request, i.e. the active service(s) is/are transferred to other providers.

If you withdraw your consent to the processing of your data for marketing purposes, Totopet will cease processing your personal data for this purpose, without however affecting the processing carried out by Totopet on the basis of the consent expressed by you prior to your withdrawal of consent.

At the same time, the storage of personal data for a longer period of time may be carried out for statistical purposes, service improvement and research/market studies.

Disclosure of personal data

The registered information is intended for use by Totopet, but in order to satisfy the contractual relationship and provide the requested services, the information may be disclosed to the following third parties:

Totopet's contractual partners, only on the basis of a confidentiality undertaking on their part, guaranteeing that this data is kept secure and that the provision of this personal information complies with the legislation in force;

to service providers (marketing, payment/banking or other services, registrars, courier companies), including entities assisting Totopet in data processing, as processors and other companies in the same group as SC Munchkin Tech S.R.L.;

public authorities, if they are requested for the prevention, investigation and prosecution of crimes, authorities at law for the purpose of verifying commercial transactions or other authorities at law for carrying out any checks justified by law.

Transfer of personal data

Personal data will only be transferred outside the country or outside the European Union if the fulfilment of the contractual relationship depends on this transfer.

Data subjects' rights

The GDPR provides for eight specific rights with regard to the processing of personal data, which can be exercised insofar as they do not adversely affect the rights and freedoms of others, as follows: 

I. The right to withdraw consent

Where the processing of personal data is based on the data subject's consent, the data subject will be able to withdraw his/her consent at any time by following the procedures described in the respective consent form. The company shall ensure that consent can be withdrawn by the same means by which it was given, for example, electronically.

II. Right of rectification

The data subject may obtain from the controller the rectification of personal data relating to him or her. Munchkin Tech S.R.L. shall make reasonable efforts to ensure that personal data in its possession or under its control is accurate, complete, current and relevant, based on the most recent information available to the Company.

III. Right to Restriction

The data subject may obtain from Munchkin Tech S.R.L. restrictions on the processing of his or her personal data if: 

- disputes the accuracy of the personal data for the period during which we need to verify the accuracy;

- the processing is unlawful and requests restriction of the processing rather than deletion of the personal data;

- the company no longer needs the personal data, but the data subject requests it for the establishment, exercise or defence of a right, or 

- the applicant objects to the processing while Munchkin Tech S.R.L. is verifying whether our legitimate reasons prevail over those of the data subject.

IV. Right of access

The data subject may request information about the personal data Munchkin Tech S.R.L. holds about him or her, including information about what categories of personal data Munchkin Tech S.R.L. has in its possession or control, what they are used for, where they are collected from, whether they do not come directly from the data subject, and to whom they have been disclosed, if applicable. The data subject may obtain a copy from the Company, free of charge, of the personal data it holds about him or her. The Operator reserves the right to charge a reasonable fee for each additional copy the data subject may request.  

The right of access and rectification is provided through the application used when accessing the customer account.

V. Right to portability

At the request of the data subject, the Controller will transfer personal data to another controller, where technically feasible, provided that the processing is based on the data subject's consent or is necessary for the performance of a contract. Instead of receiving a copy of the personal data, the data subject may request the controller to transfer the data directly to another controller.

VI. Right to erasure 

The data subject may obtain from the Company the right to erasure of personal data if:

- the personal data are no longer necessary in relation to the purposes for which they were collected or are otherwise processed;

- has the right to object to further processing of personal data (see below) and to exercise this right to object to the processing;

- processing is based on the individual's consent - if he/she withdraws consent, there is no further legal basis for processing the data;

- personal data have been processed unlawfully;

By exception, the processed data may not be erased if the processing is necessary:

- in order to comply with a legal obligation that requires processing on our part;

- in particular for legal data retention requirements;

- for the establishment, exercise or defence of legal claims.

It is possible that following a request for deletion of data, Totopet may anonymise these data (thus depriving them of their personal nature) and continue processing for statistical purposes under these conditions.

VII. Right to object

The data subject may object at any time to the processing of personal data on account of his or her particular situation if the processing is not based on consent but on our legitimate interests or those of a third party.

In this case, the Controller will no longer process his/her personal data, unless we can demonstrate with good and legitimate reasons and an overriding interest for the processing or for the establishment, exercise or defence of a legal claim. If the individual objects to the processing, he or she will have to specify whether he or she wishes to erase the personal data or restrict the processing. This right can be exercised at any time, free of charge and without justification, if the data are processed for direct marketing purposes.

The data subject also has the right not to be subject to an automated individual decision, i.e. the right not to be subject to a decision taken solely on the basis of automated processing activities, including profiling, which produces legal effects concerning the data subject or similarly affects him or her to a significant extent.

VIII. Right to lodge a complaint

In the event of an alleged breach of applicable privacy legislation, the individual may lodge a complaint with the data protection supervisory authority or the competent courts to the extent deemed necessary.

For any further questions on how personal data are processed and to exercise your rights mentioned above, please contact: help@totopet.app.

The data subject may contact the controller in writing, e.g. by email or letter. 

Control, access and security

Customer personal data is stored by organisational and technical methods in accordance with the GDPR to ensure its protection against destruction as a result of a security breach, alteration, disclosure or any other unlawful processing.

Totopet will make available to certain employees personal information and data provided by you for the sole purpose of properly providing services. Each of these employees has active confidentiality agreements and will be given specific instructions regarding the processing of this data, and Totopet assumes responsibility for how they record, store and use this data.

Totopet customers' personal information is stored and processed through a proprietary application.

A customer's personal information is only accessible to that customer and the Totopet operators, and can only be accessed on the basis of a user name and password which are different for each individual customer.

Additionally customers can activate "Two Factor Authentication" which is an additional account access security measure that requires obtaining a code from an external device to authenticate to the customer account. The data is processed exclusively in Munchkin Tech S.R.L. and its partner data centres in Romania.

Please note, however, that no information security program is foolproof.

Social Media

We maintain an online presence on social networks and platforms to communicate with customers and potential customers to inform them about our services. We use Facebook, Instagram, Twitter, Linkedin and G+. When visiting any of these platforms the terms and conditions of processing of the respective platform operator apply. 

We also process data communicated to us on these platforms and social networks. The Website includes Social Media functionality such as Facebook, Instagram, Twitter and G+ Share buttons. These functionalities fall under the Privacy Policy of the companies providing them.

The website contains links to other websites. We do not control and are not responsible for the content or practices of other sites.

The provision of links does not constitute endorsement of the activity of those sites, their content, their owners or their activities. This policy does not apply to those websites, as they are subject to their own Privacy Policies.

Validity of the document

This Privacy Policy is valid indefinitely.

Totopet reserves the right to make changes to this document and customers are therefore requested to consult it periodically.

If you have additional questions about the Personal Data Processing Policy or wish to be informed about the personal data processed by Totopet that directly concern you, please contact us.

Munchkin Tech S.R.L.

 

Home
0
Messages
Orders
MyPets