Last updated: 2 May 2026

Your privacy matters to us. This Privacy Policy explains what personal data Liquid Gold Oils SRL collects when you use our website, why we collect it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Romanian data-protection law.

1. Data Controller

The controller responsible for the processing of your personal data within the meaning of Art. 4(7) GDPR is:

Liquid Gold Oils SRL
Strada Calea Rădăuți nr. 33
Com. Frătăuții Vechi
727256 Mănăuți, Romania
Cod Unic de Înregistrare: 53862546
Email: info@liquid-gold.eu
Phone: +40 (790) 994 499

For any data-protection questions, requests or complaints, please contact us at the email address above.

2. What Data We Collect

Depending on how you use our site, we may collect the following categories of personal data:

Account data

When you sign up: first name, last name, email address, hashed password, phone (optional). When you sign in we store a short-lived session token in an HttpOnly cookie.

Order data

When you place an order: billing and shipping address, items ordered, total amount, currency, payment status, and a payment-intent reference returned by Stripe. We never see or store your full card number — Stripe handles card data directly under their PCI-DSS certification.

Contact form & newsletter

When you write to us through the contact form: name, email, subject, message, plus your IP address and browser user-agent for spam triage. When you subscribe to the newsletter: email, optional name, your IP address, and the source of the signup.

Reviews & comments

When you leave a product review or a blog comment while signed in: your rating, comment text, and a reference to your user account so the site can show your name on the review.

Server logs

Like every web service, our server records each HTTP request with the URL, timestamp, response status, IP address and user-agent. These logs are kept for a maximum of 30 days for security and operational analysis.

3. Purposes & Legal Bases

Purpose | Legal basis (GDPR Art. 6)
Creating and maintaining your customer account | Performance of a contract — Art. 6(1)(b)
Processing and shipping your orders | Performance of a contract — Art. 6(1)(b)
Sending order confirmations and shipping notifications | Performance of a contract — Art. 6(1)(b)
Newsletter (after explicit subscription) | Consent — Art. 6(1)(a); revocable at any time
Replying to contact-form messages | Legitimate interest — Art. 6(1)(f) — to answer your inquiry
Storing the language cookie | Strictly necessary for the requested service
Fraud prevention, security logs | Legitimate interest — Art. 6(1)(f)
Tax and accounting record-keeping | Compliance with a legal obligation — Art. 6(1)(c)

4. Cookies & Local Storage

We keep cookie usage to an absolute minimum. We do not use advertising or third-party analytics cookies.

  • access_token — HttpOnly session cookie, lets you stay signed in. Lifetime: 1 day.
  • refresh_token — HttpOnly cookie, used to renew your session without asking for your password. Lifetime: 30 days.
  • language — your selected interface language (DE / EN / RO). Lifetime: 1 year.
  • liquid_oil_wishlist — your wishlist of products on this device. Lifetime: 1 year.

Your shopping cart is stored in your browser's localStorage (not in a cookie) and never leaves your device until you check out.

5. Third-Party Processors

We work with a small number of carefully selected service providers ("processors" within the meaning of GDPR Art. 28). They process data on our behalf, under data-processing agreements:

  • Stripe Payments Europe Ltd. (Ireland / USA) — payment processing. Stripe receives your name, email, billing address and the payment amount; we never receive your card details. stripe.com/privacy.
  • Postmark (ActiveCampaign LLC, USA) — sending transactional email (order confirmations, password resets, contact-form replies). Postmark receives your email address and the message body. postmarkapp.com/privacy-policy.
  • Linode / Akamai Technologies (EU region) — object storage for product, blog and recipe images. No personal data is stored here.
  • Cloudflare (EU region) — content delivery and DDoS protection. Sees your IP address and the URLs you request, in transit only.

6. Data Retention

  • Account data: kept while your account is active, plus 30 days after you ask us to delete it.
  • Order data: kept for 10 years to comply with Romanian tax-law retention obligations.
  • Newsletter subscription: kept until you unsubscribe (one-click link in every email or via the admin on request).
  • Contact-form messages: kept for up to 12 months after the conversation is closed.
  • Server logs: maximum 30 days.

7. Your Rights

Under the GDPR you have the following rights with regard to your personal data:

  • Right of access (Art. 15) — get a copy of the data we hold about you.
  • Right to rectification (Art. 16) — have inaccurate data corrected.
  • Right to erasure (Art. 17) — "right to be forgotten" where we no longer need your data.
  • Right to restriction (Art. 18) — limit how we use your data while a query is being resolved.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7(3)) — at any time, with effect for the future.

To exercise any of these rights, write to info@liquid-gold.eu. We will respond within one month, free of charge.

You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP, www.dataprotection.ro) or with the supervisory authority in your EU country of residence.

8. International Transfers

Some of our processors are based outside the European Economic Area (mainly in the United States). Where this is the case we rely on the EU Standard Contractual Clauses (SCCs) and the EU–U.S. Data Privacy Framework, where applicable, to ensure an adequate level of data protection. Copies are available on request.

9. Security

We use TLS/HTTPS for all traffic, store passwords as salted hashes (never in plain text), enforce role-based access in the admin area, and run daily encrypted backups. Sessions are protected with HttpOnly cookies and short-lived JWT tokens.

10. Children

Our shop is intended for adults. We do not knowingly collect personal data from anyone under 16 years old. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our processing or in the law. The "Last updated" date at the top of this page indicates when the most recent change was made. We will notify registered customers by email about material changes.