Skip to main content

Privacy Policy

General Clauses Regarding the Protection of Personal Data

0.1. The parties collect and process the personal data included in this contract in accordance with applicable law, using methods that ensure the confidentiality and adequate security of such data, in order to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

0.2. In processing personal data, the parties apply the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as national legislation.

0.3. Personal data provided under this contract will be processed for the purpose of executing this contract.

0.4. Personal data collected and processed for the execution of this contract include the following: (e.g., full name, address, ID card series and number, personal identification number, telephone/fax number, email address, bank account/code).

0.5. Personal data provided under this contract may be communicated to public institutions in accordance with the applicable legal provisions.

0.6. If it becomes necessary to process personal data for purposes other than those specified in section 0.3, the party processing the data will inform the other party and request written consent for such processing, in accordance with applicable law.

0.7. The parties mutually guarantee the right to information and access to personal data, as well as the rights to rectification, updating, portability, erasure, restriction, and objection, in accordance with applicable law.

0.8. Personal data included in this contract will be retained for the entire duration of the contract and after its termination, in accordance with legal provisions regarding document archiving.

0.9. For the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

General Privacy Policy for Personal Data

For LUNA DAY SRL / www.lunaday.co, the protection of personal data is very important. Data processing is carried out legally, fairly, and transparently, ensuring adequate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. The staff of LUNA DAY SRL / www.lunaday.co strictly comply with legal requirements regarding data protection and ensure that all processing operations are performed solely in your interest.

This privacy commitment explains all aspects regarding the processing of personal data and ensures compliance with all processing principles established by applicable law and Regulation (EU) 679/2016 (GDPR).

1. Scope and Responsibility
LUNA DAY SRL / www.lunaday.co is not responsible for the privacy policies of any third party accessed via links on the website.

For any processing carried out fully or partially by automated means, as well as processing by non-automated means of personal data that are part of, or intended to be part of, a data record system, we ensure that your data are:

  • Processed legally, fairly, and transparently.

  • Collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Processing for public interest archiving, scientific or historical research, or statistical purposes is not considered incompatible with initial purposes.

  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

  • Accurate and, when necessary, kept up-to-date, with measures taken to ensure that inaccurate personal data are erased or corrected without delay.

  • Stored in a form that allows identification only as long as necessary for the purposes of processing. Personal data may be stored longer if processed exclusively for public interest archiving, scientific or historical research, or statistical purposes.

  • Processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through appropriate technical and organizational measures.

2. Cookies and Tracking
Our website uses cookies and similar technologies to ensure the best user experience, analyze trends, administer the website, track user activity, and collect demographic information. Cookies are small text files placed on the user’s device to record preferences and usage. Cookies do not contain personally identifiable information. Users can control cookie use via their browser settings, though disabling cookies may limit certain website features.

3. Purpose of Data Processing
The main purpose of processing your personal data is to ensure contractual agreements are properly implemented, relationships run smoothly, and legal requirements are met, including dispute resolution and agreement execution.

LUNA DAY SRL / www.lunaday.co collects personal data on www.lunaday.co only with the client’s consent for purposes such as:

  • Direct marketing (e.g., electronic newsletters, surveys, advertising, promotional lotteries)

  • Marketing and promotion via media channels and social networks

  • Research and statistical purposes

  • Communications, online behavior assessment, testing, development, and usage

  • Customer record keeping and database storage

Clients may withdraw consent at any time by emailing contact@lunaday.co, without affecting processing carried out before withdrawal.

4. Types of Data Collected
We collect data necessary to operate efficiently and provide the best product experiences. If required data are not provided, some services or features may not be available.

Data may include:

  • Name, surname, date of birth, email, postal address, phone number

  • Device information and interaction with our services and products

Automatically collected data via cookies and tracking technologies include IP address, browser type, ISP, page references, pages viewed, operating system, date/time, clicks, GPS/location data, and other device identifiers.

5. Legal Basis for Processing
Personal data are processed only if:

  • You give consent for one or more specific purposes

  • Processing is necessary to execute a contract or take steps before entering a contract

  • Processing is necessary for legal obligations

  • Processing serves legitimate interests, except where your fundamental rights override such interests

Anonymous or anonymized data are not subject to this policy.

6. Data Usage and Retention
Data are used solely for the purposes collected and stored only as long as necessary. Retention periods:

  • Contract-based processing: duration of contract + 3 years

  • Consent-based processing: 5 years

  • No personal data transfers to third countries or international organizations are made.

7. Your Rights
You may exercise the following rights under applicable law:

  • Right to information: Receive correct information about data processing

  • Right of access: Confirm if data are processed and access them

  • Right to portability: Receive data in a structured, commonly used format and transmit to another operator

  • Right to object: Oppose processing for public or legitimate interest purposes

  • Right to rectification: Correct inaccurate data without undue delay

  • Right to erasure (“right to be forgotten”): Delete data when no longer necessary, consent withdrawn, processing unlawful, or legal obligations require

  • Right to restrict processing: Limit processing in certain circumstances

  • Right not to be subject to automated decision-making, including profiling

8. Contact and Support
Phone: 0740 024 900
Email: contact@lunaday.co

9. Complaints
If you believe your data are not processed legally, you may file a complaint with the National Supervisory Authority for Personal Data Processing. More info: www.dataprotection.ro

Personal Data Sharing Policy

1. Definitions

1.1. “GDPR” / “Regulation” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

1.2. “Personal data” – Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

1.3. “Processing” – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.4. “Controller” – The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. Where purposes and means are determined by Union or Member State law, the controller or the criteria for its designation may be provided by that law.

1.5. “Processor” – A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

1.6. “Recipient” – A natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether a third party or not. Public authorities receiving data in the course of an investigation under Union or Member State law are not considered recipients, provided processing by those authorities complies with applicable data protection rules.

1.7. “Third party” – Any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process personal data under the direct authority of the controller or processor.

1.8. “Consent” – Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by statement or clear affirmative action, by which the data subject agrees to the processing of personal data relating to them.

1.9. “Personal data breach” – A breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

1.10. “Representative” – A natural or legal person established in the Union, designated in writing by the controller or processor, representing them regarding their obligations under the GDPR.

1.11. “Binding corporate rules” – Internal data protection policies to be followed by a controller or processor within a group of companies for transfers of personal data to a controller or processor in a third country within the same corporate group.

1.12. “Supervisory authority” – An independent public authority established by a Member State.

1.13. “DPO” – Data Protection Officer.

1.14. “DPIA” – Data Protection Impact Assessment.

1.15. “Commission” – The European Commission, the executive body of the European Union.

2. Purpose and Scope

2.1 Purpose

2.1.1. This policy establishes how LUNA DAY SRL / www.lunaday.co transfers personal data in compliance with GDPR. All transfers under this procedure must respect the rights and principles established by law and be based on a legal ground, processed fairly and transparently. Transfers without a legal basis are prohibited.

2.1.2. The provisions ensure that the protection level guaranteed by GDPR is not undermined.

2.1.3. Any questions regarding the interpretation or application of this policy should be addressed to the DPO, if appointed, or to the legal representative.

2.2 Scope

2.2.1. This policy applies to personal data transfers within LUNA DAY SRL / www.lunaday.co and to external recipients, for a specified purpose or legal requirement, or when necessary for legitimate interests pursued by the controller, recipient, or third party.

2.2.2. It also applies to occasional or ad-hoc transfers between the same recipients under the same conditions.

2.2.3. Transfers to recipients in countries or sectors without an adequate level of personal data protection are prohibited, unless the Commission has determined adequate protection exists.

2.2.4. This policy does not override other internal policies and procedures of LUNA DAY SRL, which remain in effect.

2.2.5. In the event of a security incident risk, all data transfers will be stopped, and the security incident procedure applied.

2.3 Reference Documents

  • GDPR

  • Internal regulations

  • Internal procedures

  • Internal policies

3. Rights of Data Subjects

3.1. If personal data held by LUNA DAY SRL were not provided by the data subject, the subject will be informed about the intended transfer, including DPO contact details, purpose, legal basis, and recipients or categories of recipients.

3.2. Information about the transfer will include appropriate safeguards and how to obtain copies, if applicable.

3.3. Information will also be provided if the transfer relies on a Commission adequacy decision.

3.4. All requests from data subjects will be analyzed in coordination with relevant departments.

3.5. All documents related to data subject rights to be transmitted externally must be signed by the legal representative.

4. Rules for Personal Data Transfer

4.1 Internal Transfers
No personal data may be transferred outside LUNA DAY SRL systems without proper authorization. This includes USB drives, HDDs, emails, FTP folders, or other technical means. Unauthorized transfer of personal data is prohibited.

4.2 External Transfers

4.2.1. Transfers without a legal, contractual, or legitimate interest require the data subject’s consent, obtained according to the consent procedure.

4.2.2. Transfers necessary for contract execution with the data subject must comply with GDPR and applicable law, including pre-contractual measures.

4.2.3. Transfers required to establish, exercise, or defend a legal claim may occur until the dispute is fully resolved.

4.2.4. All external transfers must be recorded in the processing activities register. Documentation proving safeguards must be attached if appropriate guarantees are used.

4.2.5. All data subject to transfer must be received and stored according to personal data receipt and storage procedures.

4.2.6. All processing operations needed to prepare or execute a transfer must comply with internal personal data procedures.

5. Transfers to Processors or Associated Operators

5.1. Transfers to processors authorized by LUNA DAY SRL must comply with applicable contractual clauses.

5.2. Processors may not subcontract without written consent from LUNA DAY SRL. Transfers to recipients or third countries must comply with GDPR, national law, and processor transfer procedures.

5.3. The DPO will ensure that processors/associated operators comply with GDPR and that enforceable rights and remedies exist for data subjects.

5.4. In the event of a processor security incident, the processor must notify LUNA DAY SRL, which will take immediate action following the security incident procedure.

Approved / Authorized
LUNA DAY S.R.L.