PRIVACY AND COOKIES POLICY

1. Introductory provisions

1.1. CREATIVE ONLINE ACTIVITIES SRL (“BADREPUTATION”, “we”, “us”, “the controller” or the “Company”) declares that it treats all personal data (“data”) as confidential and processes it in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection rules.

1.2. The security of your personal data is a priority. These principles (the “Principles”) explain: (i) which categories of personal data we process, (ii) for what purposes, (iii) on what legal bases, (iv) to whom we disclose the data, (v) how long we retain the data, (vi) how we protect the data, and (vii) what rights you have and how you may exercise them.

1.3. BADREPUTATION operates exclusively online. We do not own or operate physical retail stores and, consequently, we do not process personal data through in-store CCTV or similar in-person retail monitoring.

2. Data Controller and contact details

2.1. The Data Controller is:
CREATIVE ONLINE ACTIVITIES SRL
VAT ID: RO42468644
Registered office: Strada Gloriei 11, Comuna 1 Decembrie, Judet Ilfov, 077005, Romania
Email: contact@thisisbadreputation.com
Website: thisisbadreputation.com

2.2. For privacy requests (GDPR rights, questions, complaints), you may contact us at the email address above.

3. Categories of personal data we process

3.1. Depending on how you interact with the Website, we may process the following categories of personal data:

a) Identification and contact data: first name, last name, address, email, phone number and, where applicable, billing details for legal entities if you choose to purchase on behalf of a company.
b) Order, delivery and contractual relationship data: purchased products, quantities, prices, order history, invoices, delivery information, delivery status, tracking number, order-related communications, returns/complaints.
c) Payment data: information necessary to process payments through authorised payment service providers (please note that we do not store raw card data; card data is processed by payment providers).
d) Technical and device data: IP address, online identifiers, browser type, operating system, resolution, language, cookie identifiers, security logs.
e) Website usage and behavioural data: pages visited, interactions, events (e.g., view content, add to cart, initiate checkout, purchase), traffic source, UTM parameters, time spent, clicks, conversions.
f) Marketing and preference data: marketing communication choices, newsletter consent, communication preferences, marketing segments, campaign results and attribution.
g) Communication data: content of messages sent to us (email, forms), requests, complaints, and any documents provided for handling.

4. Sources of personal data

4.1. We collect personal data:
a) directly from you (checkout, account, email, contact forms, newsletter sign-up);
b) automatically, through tracking technologies (cookies, pixel tags, web identifiers), logs, and analytics tools;
c) from partners involved in contract performance (couriers, payment processors) and, where applicable, from marketing/analytics providers to the extent permitted by your consent and applicable law.

5. Purposes of processing

5.1. We process personal data mainly for:
a) concluding and performing contracts (order processing, delivery, invoicing, order communications);
b) payment processing and prevention of fraudulent transactions;
c) logistics and courier coordination (tracking, delivery confirmations);
d) customer support (questions, complaints, returns, legal conformity/warranty handling);
e) compliance with legal obligations (accounting, taxation, document retention);
f) security, fraud prevention and Website protection (technical monitoring, logs, abuse detection);
g) analytics and Website improvement (performance measurement, functionality, testing, statistics);
h) marketing, personalisation and advertising (newsletter, campaigns, retargeting, conversion measurement and optimisation), subject to the conditions in Sections 6 and 8–9, including consent where required.

6. Legal bases for processing (GDPR)

6.1. We process personal data on the following legal bases, as applicable:
a) performance of a contract or steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR);
b) legal obligation (Art. 6(1)(c) GDPR) – e.g., accounting and tax recordkeeping;
c) legitimate interests (Art. 6(1)(f) GDPR) – security, fraud prevention, legal claims, Website operation and optimisation, direct marketing within legal limits with the right to object;
d) consent (Art. 6(1)(a) GDPR) – newsletter, non-essential cookies/trackers, personalised advertising, advanced measurement and optimisation;
e) where relevant, establishment, exercise or defence of legal claims (typically under Art. 6(1)(f) GDPR in conjunction with applicable law).

6.2. Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

7. Marketing communications and newsletter

7.1. Marketing emails (newsletter) are generally sent only based on your explicit opt-in consent, with the possibility to unsubscribe at any time via the unsubscribe link in each email or by contacting us.

7.2. We may use specialised email marketing providers (e.g., automation platforms) acting as processors under GDPR-compliant agreements.

8. Tracking, analytics and advertising in “maximum” settings

8.1. To measure Website performance and run marketing campaigns, we may use technologies such as cookies, pixel tags, online identifiers and conversion events.

8.2. In particular, the Website may integrate (depending on the current configuration and your consent):
a) Meta Pixel (Facebook/Instagram) – conversion measurement, retargeting, campaign optimisation, audience building;
b) TikTok Pixel – conversion measurement, retargeting, optimisation;
c) Google Analytics (e.g., GA4) – traffic and behaviour analytics;
d) Google Ads / Google Marketing Platform – attribution, conversions, remarketing.

8.3. Under “maximum” tracking settings, such tools may involve:
a) collection of events (view content, add to cart, initiate checkout, purchase, etc.);
b) use of marketing cookies and online identifiers;
c) use of hashed identifiers (e.g., hashed email/phone) for measurement and attribution (where implemented), to support deterministic/probabilistic matching within partner systems;
d) advanced measurement and optimisation, including attribution reporting, modelling, and conversion deduplication.

8.4. Within the European Union, activation of non-essential tracking technologies generally occurs only on the basis of your consent expressed through the cookie banner/preferences centre, except where the law permits otherwise (e.g., strictly necessary cookies).

9. Cookies and similar technologies

9.1. For full details about cookies, please consult the separate “Cookie Policy” below.

9.2. In general, cookies may be essential/functional, preference, analytics and marketing cookies. You can manage preferences through the consent banner and/or browser settings.

10. Data sharing (recipients / processors)

10.1. We may share personal data, strictly to the extent necessary, with:
a) payment service providers (for authorisation and payment processing);
b) courier/logistics providers (for delivery and tracking);
c) IT and hosting providers (infrastructure, maintenance, security);
d) email marketing / CRM providers (newsletter, automation, support);
e) analytics and advertising partners (Meta, TikTok, Google) – primarily via cookies/pixels and events, depending on your consent;
f) legal/accounting/audit advisors (where necessary);
g) public authorities where disclosure is required by law or necessary to establish/exercise/defend legal claims.

10.2. We do not sell your personal data.

11. Transfers outside the EEA

11.1. Some service providers (in particular analytics/advertising platforms) may process data outside the European Economic Area.

11.2. Where such transfers occur, they are carried out, as applicable, based on:
a) an adequacy decision; or
b) Standard Contractual Clauses (SCCs); and/or
c) other safeguards recognised by GDPR, including supplementary measures where required.

12. Data retention

12.1. We retain personal data only for as long as necessary for the purposes described, including:
a) orders/invoices/accounting records: typically up to 10 years (in line with applicable legal obligations);
b) customer support and complaints: during resolution and a reasonable archiving period to protect legal rights;
c) marketing consents: until consent is withdrawn;
d) cookies: according to the Cookie Policy and the settings of the platforms used (often up to 1 year for certain identifiers, depending on category and configuration);
e) analytics data: for periods defined by the tools used, preferably in aggregated/anonymous form where possible.

12.2. After the applicable retention periods, data is deleted, anonymised or archived as required by law.

13. Security measures

13.1. We implement appropriate technical and organisational measures, including:
a) encrypted connections (HTTPS/SSL);
b) access controls and restriction to authorised personnel;
c) IT security measures (monitoring, patching, internal policies);
d) GDPR-compliant vendor contracts and compliance checks.

13.2. No transmission or storage method is 100% secure; however, we take steps to reduce risks to an appropriate level.

14. Your rights (GDPR) and how to exercise them

14.1. Under GDPR, you have the right to:
a) access;
b) rectification;
c) erasure (“right to be forgotten”);
d) restriction of processing;
e) data portability;
f) objection to processing based on legitimate interests (including direct marketing);
g) withdrawal of consent (where processing is based on consent);
h) lodge a complaint with a supervisory authority.

14.2. To exercise your rights, contact us at: contact@thisisbadreputation.com. We may request additional information to verify your identity.

14.3. You may lodge a complaint with the Romanian Supervisory Authority (ANSPDCP) or with the competent authority in your EU country of residence.

15. Updates to these Principles

15.1. We may update these Principles periodically. The applicable version is the one published on the Website at the time of your interaction/order, as applicable.


COOKIE POLICY

1. Introduction

1.1. This Cookie Policy explains how we use cookies and similar technologies in accordance with GDPR and applicable ePrivacy rules.

2. What cookies are

2.1. Cookies are small text files stored on your device to enable functionality, preferences, analytics and/or marketing.

3. Categories of cookies used

3.1. We may use:
a) essential cookies (Website functionality, cart, checkout, security);
b) preference cookies (remembering settings);
c) analytics cookies (performance and usage measurement);
d) marketing cookies (retargeting, attribution, conversions, campaign optimisation).

4. Third-party technologies and “maximum” tracking

4.1. We may integrate third-party technologies such as:

a) Meta Pixel;
b) TikTok Pixel;
c) Google Analytics / Google Ads;
d) email marketing tools (open/click tracking), where enabled and legally permitted.

4.2. These technologies may collect online identifiers, conversion events and, where applicable, hashed identifiers, for the purposes described.

5. Consent and cookie banner

5.1. When you access the Website, we display a cookie banner/preferences centre.

5.2. You may accept or reject non-essential cookies and change your choices later. Withdrawal of consent does not affect processing performed before withdrawal.

6. Managing cookies

6.1. You can also manage cookies through your browser settings. Restricting cookies may affect Website functionality.

7. Do Not Track

7.1. The Website may not respond uniformly to “Do Not Track” signals; primary control is provided via the consent banner and browser settings.

8. Updates

8.1. We may revise this Cookie Policy periodically; the current version is the one published on the Website.