Privacy Policy
Last updated: April 2026
Introduction
This privacy policy describes how ICON Shop ("we", "us", "our") collects, uses, and protects your personal information in accordance with Regulation (EU) 2016/679 on the protection of personal data (GDPR) and applicable Romanian law. By using our site and services, you accept the practices described in this policy.
1. Data Controller
The data controller is SC ICON SHOP SRL, CUI RO35230541, registered at Timișoara, Str. Petre Râmneanțu Nr. 35, Romania. For any privacy-related queries, contact us at:
Email: contact@icon-shop.ro
Website: icon-shop.ro
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Identification and contact data
• Full name
• Email address
• Phone number
• Delivery / billing address
2.2 Payment data
Credit and debit card data is processed exclusively by Stripe, Inc., a PCI-DSS certified payment processor. ICON Shop never stores full card data. We retain only payment confirmations and transaction identifiers provided by Stripe.
2.3 Browsing and usage data
• IP address (stored in anonymised hash form for internal analytics)
• Browser type and version
• Pages visited and session duration
• Product preferences (wishlist, recently viewed)
• Anonymised Google Analytics 4 data
2.4 User account data
• Email address (for authentication)
• Order history
• Accumulated loyalty points
• Saved addresses
3. How We Process Your Data
Your data is processed via the following third-party services, with whom we have entered into GDPR-compliant data processing agreements (DPA):
Supabase (Supabase Inc.)
We use Supabase as our database and authentication service. Supabase stores account data, orders, wishlists, and loyalty programme data. Supabase servers are located within the European Union (Frankfurt, Germany). Supabase privacy policy: supabase.com/privacy
Stripe (Stripe, Inc.)
We use Stripe for online payment processing. Stripe collects and processes payment data in accordance with PCI-DSS standards. Stripe privacy policy: stripe.com/privacy
OpenAI (AI visual search)
The visual product search feature uses the OpenAI API. Images uploaded for search are transmitted temporarily to OpenAI servers solely for processing and are not stored permanently. OpenAI privacy policy: openai.com/privacy
Google Analytics 4
We use Google Analytics 4 to understand how our site is used. Data is anonymised and aggregated. You can opt out of Google Analytics via the browser add-on: tools.google.com/dlpage/gaoptout
Resend (transactional email)
The Resend transactional email service is used for order confirmations, delivery notifications, and account-related communications.
4. Legal Basis for Processing
We process your data on the following legal grounds under Art. 6 GDPR:
• Performance of a contract — for processing orders and managing your account
• Consent — for newsletter and marketing communications (withdrawable at any time)
• Legitimate interests — for fraud prevention and service improvement
• Legal obligation — for retaining invoices and fiscal records
5. Cookie Policy
We use cookies and similar technologies to provide an optimal shopping experience.
Strictly necessary cookies
Required for site operation: authentication session, shopping cart, language preferences. No consent needed.
Analytics cookies
Google Analytics 4 uses cookies to collect anonymised data on user behaviour. These cookies require your consent.
Payment cookies
Stripe uses cookies for fraud detection and payment transaction security.
You can manage cookie preferences via your browser settings or through the "Cookie Settings" link in the site footer.
6. Data Retention
• Account data — for the duration of the account + 2 years after deletion
• Order and invoice data — 10 years (Romanian fiscal legal obligation)
• Newsletter data — until consent is withdrawn
• Anonymised analytics data — 14 months (Google Analytics default)
• Visual search images — not stored permanently
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access — you may request a copy of the data we hold about you
- Right to rectification — you may correct inaccurate or incomplete data
- Right to erasure (right to be forgotten) — you may request deletion of your data
- Right to data portability — you may receive your data in a structured format (JSON/CSV)
- Right to restriction of processing — you may limit how we use your data
- Right to object — you may object to processing based on legitimate interests
- Right to withdraw consent — for data processed on the basis of consent
To exercise any of these rights, send an email to contact@icon-shop.ro with the subject "GDPR Request". We will respond within 30 days.
If you believe your rights have not been respected, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — dataprotection.ro.
8. Data Security
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, or destruction, including:
• Encrypted transmission via HTTPS/TLS
• Passwords stored in hashed form (bcrypt)
• Data access restricted on a need-to-know basis
• Authentication tokens with limited validity
• Monitoring and anomaly alerting
9. International Data Transfers
Some of our providers (Stripe, OpenAI) are located in the United States. Transfers are carried out with adequate safeguards: Standard Contractual Clauses (SCC) approved by the European Commission and/or EU-U.S. Data Privacy Framework certification.
10. Changes to This Policy
We reserve the right to update this privacy policy. Any significant change will be communicated by email (if you hold an account) or via on-site banners. The date of the most recent update is shown at the top of this document.
11. Contact
Questions about privacy? Contact us at contact@icon-shop.ro