Privacy Policy concerning the processing of personal data

We consider ensuring the right to the protection of personal data as a fundamental Sameday commitment, thus we will devote all the resources and efforts necessary to process your data in full compliance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), as well as any other applicable legislation. As one of the essential principles of this legal framework is transparency, we have prepared this document by which we want to inform you about how we collect, use, transfer and protect your personal data when you interact with us about our products and services, including through our website.

We reserve the right to regularly update and modify this Privacy Policy to reflect any changes in the way we process your personal data or any changes to legal requirements. In the event of any such change, we will post on our website the amended version of our Privacy Policy, therefore we ask you to check periodically the content of this Privacy Policy.

Who we are and how you can contact us

Sameday is the trade name of S.C. DELIVERY SOLUTIONS SA, legal person of Romanian nationality, having its registered office in Bucharest, Splaiul Independenţei, no. 319, Building OB 17C, 1st Floor, sect. 6, Romania, registered with the Registry of Commerce under no. J40/7031/2008, with tax registration code RO23743772S.A., (hereinafter “Sameday” or “we”). For the purposes of data protection legislation, we are an operator when we process your personal data.

As we are always open to find out your opinions, as well as to provide you with any additional information you may need regarding the processing of your data, we encourage you to contact the Sameday Data Protection Officer at the e-mail address [email protected] or by post or courier to Bucharest, Splaiul Independenţei, no. 319, Building OB 17C, 1st Floor, sect. 6 – with the indication: to the attention of the Sameday Data Protection Officer.

What categories of personal data we process

In general, we collect your personal data directly from you, so you have control over the type of information you provide us. As example, we receive information from you as follows:

  • When you create a Sameday account, you send us your e-mail address, first and last name;
  • Within your personal page (My Account) on the Sameday platform, you can add additional information such as: nickname, cell phone number, phone number, date of birth, education level, delivery address, alternative e-mail address, bank card data etc.;
  • When you place an order, you provide us with information such as delivery address, billing details, payment method, phone number etc.
  • When you are the recipient of a delivery, you give us your name, surname, serial number and identity card number, signature, so that we can verify the accuracy of the delivery and to ensure that deliveries intended for you do not end up in the possession of other people, but also to protect our own legitimate interests in the event of any subsequent misunderstandings related to the correct/incorrect delivery of shipment.

We may also collect and process later certain information about your behavior while visiting our website or using the smartphone app to personalize your online experience and provide you with offers adapted to your profile. We invite you to learn more about this by consulting the section below on the purposes of the processing.

On our website and in the smartphone app we can store and collect information in cookies and similar technologies, according to the Cookie Policy.

We do not collect or otherwise process sensitive data included by the General Data Protection Regulation in special categories of personal data. We also do not wish to collect or process data of minors who have not reached the age of 16.

What are the purposes and reasons for the processing

We will use your personal data for the following purposes:

  1. For the provision of Sameday services for your benefit

This general purpose may include, where appropriate, the following:

  • Create and manage your account within the Sameday platform;
  • Processing of orders, meaning taking over, validating, transporting, delivering and billing them;
  • Collection of cash on delivery

The processing of your data for these purposes is in most cases necessary for the conclusion and execution of a contract between Sameday and you. Certain processing covered by those purposes is also required by applicable law, including tax and accounting legislation.

  1. To improve our services

We always want to offer you the best service purchase experience through an online platform. To do this, we may collect and use certain information about your Customer behavior, invite you to fill in follow-up questionnaires following the completion of an order, or conduct, directly or with the help of partners, studies and market research.

We base these activities on our legitimate interest in conducting business activities, always making sure that your fundamental rights and freedoms are not affected.

  1. Communications

To keep you informed about the status of your deliveries, we may send you information on the date and time of delivery via e-mail/SMS channels. We always ensure that these processing is carried out in compliance with your rights and freedoms.

You may always stop the processing of your personal data for information purposes by the means described herein, and we will comply with your request as soon as possible. Withdrawing your consent will have the effect of inability to conduct information on the status of the services delivered.

  1. To protect our legitimate interests

There may be situations where we will use or transmit information to protect our rights and business. These may include:

  • Measures to protect the website and users of Sameday platform against cyberattacks;
  • Measures to prevent and detect attempts of fraud, including the transmission of information to the competent public authorities;
  • Measures to manage various other risks.

The general reason for these types of processing is our legitimate interest in protecting our business, being understood that we ensure that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

In certain cases, we also base our processing on legal provisions such as the obligation to ensure the security of property and values provided for by the legislation applicable in this matter.

How long do we keep your personal data

As a general rule, we will store your personal data while you have an account in the Sameday platform. You may always ask us to delete certain information or close your account, and we will comply with these requests, subject to the retention of certain information including after the account is closed, in situations where the applicable law or our legitimate interests require it.

If you do not have an account in the Sameday platform, the general rule is to preserve information about orders made for a period of 4 years from the time of completion of the order (“Retention Period”). Similar to the previous situation, it is possible to retain certain data after the expiry of that period, in accordance with applicable law or our legitimate interests, in particular with a view to exercise the rights of the defense in the event of a litigation relating to the services delivered. For this purpose, the data will be kept separate from the data of other customers being stored as backup, encrypted and/or under pseudonym, and will only be accessed in the event of a litigation. Immediately after the Retention Period expires, Sameday will delete your Personal Data and any copies thereof from its systems.

To whom we transmit your personal data

Where appropriate, we may transmit or provide access to certain of your personal data to the following categories of recipients:

  • companies within the same group of companies as Sameday;
  • Sameday partners and subcontractors;
  • payment/banking service providers;
  • marketing/telemarketing service providers;
  • market research service providers;
  • IT service providers;
  • other companies that we can develop joint market offering programs for our goods and services.

Where we have a legal obligation, or if necessary to protect a legitimate interest, we may also disclose certain personal data to public authorities.

We ensure that access to your data by third parties, private law legal entities, is carried out in accordance with the legal provisions on data protection and confidentiality of information, based on contracts concluded with them.

In which countries we transfer your personal data

We are currently storing and processing your personal data across Romania.

However, from time to time, we may transfer certain personal data to entities located outside Romania. These entities may be located in the European Union or outside the Union, including countries to which the European Commission has not recognized an adequate level of personal data protection.

We will always take action to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual arrangements and, where appropriate, other safeguards, such as standard contractual clauses issued by the European Commission or certification schemes, such as the Privacy Shield for the protection of personal data transferred from the EU to the United States of America.

You may contact us at any time, using the contact details set out above, to learn more about the countries to which we are transferring your data, as well as the safeguards we have implemented with regard to these transfers.

How do we protect the security of your personal data

We are committed to ensure the security of personal data by implementing appropriate technical and organizational measures, in line with industry standards.

We keep your personal data on secure servers using the latest generation encryption algorithms and providing storage redundancy.

For payments we can also use the services of the payment processor PayU. Any payment information is encrypted using SSL technology.

Despite the action taken to protect your personal data, we draw your attention to the fact that the transmission of information via the Internet in general or through other public networks is not entirely secure, with the risk that the data may be seen and used by unauthorized third parties. We cannot be held liable for such vulnerabilities of systems that are not under our control.

Which are your rights

The General Data Protection Regulation recognizes a number of rights in relation to your personal data. You can request access to your data, correct any mistakes in our files, and/or object to the processing of your personal data. You can also exercise your right to complain to the competent supervisory authority or to refer to the court of justice. Where appropriate, you may also have the right to request the deletion of your personal data, the right to restrict the processing of your data and the right to data portability.

More information on each of these rights can be obtained by consulting the table below.

In order to exercise your rights, you can contact us using the contact details outlined above. Please note the following if you want to exercise these rights:

Identity. We take seriously the confidentiality of all records containing personal data. For this reason, please send us your requests for such records using the e-mail address of the Sameday account. Otherwise, we reserve the right to check your identity by requesting additional information that aims to confirm your identity.

Fees. We will not ask you for a fee to exercise any right regarding your personal data, unless your request for access to information is unfounded or repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees applied before resolving your request.

Response time. We intend to respond to any valid requests within a maximum of one month, unless this is particularly complicated, or if you have made several requests, in which case we are to respond within a maximum of two months. We will tell you if we need more than one month. We may ask you whether you can tell us exactly what you want to receive or what concerns you. This will help us to act faster and shorten the response time to your request.

Third parties rights. We don’t have to resolve a request if it would adversely affect the rights and freedoms of other subjects concerned.

 

Related rights Description
Access You may request:

  • confirm whether we process your personal data;
  • provide you with a copy of this data;
  • provide you with other information about your personal data, such as the data we have, how we use them, to whom we disclose them, if we transfer them abroad and how we protect them, how long we keep them, what rights you have, how you can make a complaint, from where we have obtained your data, to the extent that the information has not already been provided to you through this information.
Correction You can ask us to correct or complete your inaccurate or incomplete personal data.

It is possible to try to verify the accuracy of the data before they are rectified.
Deleting the data You may ask us to delete your personal data, but only if:

  • they are no longer necessary for the purposes for which they were collected; or
  • you have withdrawn your consent (if the processing of the data is based on consent); or
  • you give effect legal opposition; or
  • they have been unlawfully processed; or
  • we have a legal obligation to do so.

We do not have the obligation to comply with your request to delete your personal data if the processing of your personal data is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defense of a right in court;

There are certain other circumstances we are not obliged to comply with your request to delete data, although these two are the most likely circumstances we could refuse this request.

Be sure that, before exercising this right, you download and save from your  Sameday account all documents related to orders made to Sameday, whether the invoice was made to you or to another natural or legal person (such as invoices, guarantee certificates). If you do not do so before you exercise your right to delete, you will lose all these documents and Sameday will be unable to make them available to you because the process of deleting the data, the Sameday account, with all its data and documents, is an irreversible process.
Restricting data processing You may ask us to restrict the processing of personal data, but only if:

  • their accuracy is contested (see the rectification section) to allow us to verify their accuracy; or
  • processing is illegal, but you do not want the data to be deleted; or
  • they are no longer necessary for the purposes they were collected, but you need them to establish, exercise or defend a right in court; or
  • you have exercised your right to opposition and verification of whether our rights prevail is ongoing.

We can continue to use your personal data following a restriction request if:

  • we have your consent; or
  • to establish, exercise or ensure the defense of a right in court; or
  • to protect the rights of another natural or legal person.
Data portability You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or you can request that these are “ported” directly to another data operator, but in each case only if:

  • processing is based on your consent or on the conclusion or execution of a contract with you; and
  • processing is done by automated means.
Objection For reasons of your particular situation, you may object at any time to the processing of your personal data for the reason of our legitimate interest, if you consider that your fundamental rights and freedoms prevail over this interest.

You may also always object to the processing of your data for direct marketing purposes (including profiling) without invoking any reason, in which case we will cease processing as soon as possible.
Automated making decisions You may request that you are not the subject of a decision based solely on automated processing, but only when that decision:

  • produces legal effects on you; or
  • otherwise affects you in a similar and meaningful way.

This right shall not apply where the decision has been made following the automatic making of decisions if:

  • we need it to conclude or execute a contract with you;
  • it is authorized by law and there are appropriate safeguards for your rights and freedoms; or
  • it is based on your explicit consent.
Complaints You have the right to complain to the supervisory authority about the processing of your personal data. In Romania, the contact details of the data protection supervisory authority are as follows:

The National Supervisory Authority for The Processing of Personal Data

B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, postal code 010336, Bucharest, Romania

Phone: +40.318.059.211 or +40.318.059.212;

E-mail:[email protected]

Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance and we promise you that we will make every effort to resolve any matter by mutual agreement.

 

We remind you that you can contact Sameday Data Protection Officer at any time by transmitting your request by any of the following means:

  • e-mail to: [email protected]
  • by post or courier to Bucharest, Splaiul Independenţei, no. 319, Building OB 17C, sector 6 – with the indication to the attention of the Sameday Data Protection Officer.