Questions? Call: 0760 078 462 / 0763 484 869 Mo-Fr | 08:00 - 18:00

Wishlist
Wishlist Wishlist

Questions? Call: 0737475411 Monday-Friday | 08:00-18:00

700+ producatori din Romania

Free shipping on every order

Personal Data Processing Policy

Last updated: 19.06.2026

1. Introduction

As of 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR") is applicable in all Member States of the European Union.

This Personal Data Processing Policy has been adopted in order to align with the provisions of the GDPR.

2. Identification and contact details of the Controller

OCEANO MERCADO S.R.L., a company incorporated and existing under the laws of Romania, Commercial Register Number: J18/930/2020 (assigned on 09.11.2020) Unique Registration Code: 37397636, address: Sat Cornești, Comuna Bălești, Strada Corneștilor, Nr. 34, Judet Gorj, Romania (hereinafter referred to in this Policy as "the Company", "we", "us"), email: [email protected], is the owner and the author of the website www.supreva.com (for the purposes of this Policy, hereinafter referred to as the “platform" or "site" or "website") and acts as controller of the personal data collected through the website www.supreva.com.

If you have any questions or requests regarding the processing of your personal data, you can contact us by sending an e-mail to: [email protected].

3. Definitions:

  • “personal data” means any information relating to an identified or identifiable natural person (hereinafter as: “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
  • “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients; the processing of such data by those public authorities must be in compliance with the applicable data protection rules in line with the purposes of the processing;
  • “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “GTC” General Terms and Conditions of Oceano Mercado SRL, available on the website.

4. Rights of the data subjects

The controller has implemented technical and organizational measures to ensure that the rights of data subjects are respected in accordance with the GDPR, namely:

  • The right of access. You have the right to obtain confirmation as to whether or not personal data concerning you are being processed. If so, you have the right to obtain access to the data and certain information related to their processing, as well as the right to receive a copy of this data.
  • The right to data portability. If we process personal data on the basis “performance of a contract to which the data subject is party” or on the basis “consent”, you may require from us to receive personal data in a structured, commonly used and machine- 4 readable format and/or to transmit the personal data to another personal data controller.
  • The right to object to processing of your personal data. You have the right, on grounds relating to your particular situation, at any time to object to processing of your personal data which is performed on the basis “legitimate interest” or “for the performance of a task carried out in the public interest”, including in cases of profiling on these bases. In order to continue processing, we shall demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

    Also, you have the right to object in the following cases:

    • You have the right at any time to object to the processing of personal data concerning you when we process them for the purposes of direct marketing, including in cases of profiling related to direct marketing. When you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
    • Where personal data are processed for scientific or historical research purposes or statistical purposes, you, on grounds relating to your particular situation, shall have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

  • The right to rectification. You have the right to obtain from the controllers without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • The right to erasure of data ("right to be forgotten"). This gives you an opportunity to ask us to erase/remove your personal data without undue delay when there is no justifiable reason for the continuing of its processing by us. You have this right if one of the following grounds applies (as far as there is no exception for the application of the right under the GDPR): they are no longer necessary for the purposes for which they were collected or otherwise processed; you withdraw your consent and there is no other legal basis for the processing; you object to the processing and there are no overriding legitimate grounds or you object to the processing where personal data are processed for direct marketing purposes; the personal data have been unlawfully processed; the personal data must be erased for compliance with a legal obligation in EU or EU Member State law to which the controller is subject; the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR (offer of information society services directly to a child). Where the controller has made the personal data public and is obliged to erase the personal data pursuant to a data subject’s request for erasure, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  • The right to restriction of processing. This gives you an opportunity to ask us to stop processing (except for certain processing activities provided in applicable legislation) personal information about you in the following cases:
    • the accuracy of the personal data is contested by you, as the restriction of processing shall be applied for a period enabling us to verify the accuracy of the personal data;
    • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
    • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
    • you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override yours.
  • The right to withdraw consent If we use the basis for processing “consent” the consent you provide us with may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of the GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

5. How do we collect personal data and from whom we collect personal data? Are you obliged to provide us personal data?

5.1 How do we collect personal data:

Through the Platform, the Company offer services exclusively to professionals who are legal entities, sole traders or self-employed individuals, who have opened an account on the Platform, as sellers or buyers, and who offer goods and/or services for sale (sellers) or buy goods and/or services offered by sellers (buyers). For the purposes of this Policy, all of the above-mentioned legal entities, sole traders and self-employed individuals are referred to as Users. We collect personal data through the Platform and/or otherwise, as described in the following item 6.

At the same time, the Platform may be visited by third parties, hereinafter referred to as Visitors, for whom certain personal data are also collected.

This Policy is intended and addressed to both Users, the natural persons related to them (their representatives, employees, etc.) and the Visitors of the Platform, whose personal data are processed under the conditions set out in this Policy, in compliance with the GDPR.

5.2 From whom we collect personal data:

Most often the personal data are provided by the Users (incl. through natural persons, related to them - representatives, employees, etc.).

Also we may collect/verify personal data using publicly accessible sources - commercial registers, as well as other public registers. The categories of data collected/verified using these sources may be the following data of the User and/or of natural persons related to the User: names, identification/tax number, email address, registered address, telephone number, representative(s) and method of representation. We may also collect contact details from other publicly accessible sources, e.g. from a website of a company which is a potential or existing User.

5.3 Are you obliged to provide us personal data:

You are obliged to provide us with personal data only if you have such a contractual (for example, in accordance with the GTC or any annexes/contracts to them) or a legal obligation (for example for tax purposes).

The contract with us according to which a User account is created in the Platform may not be entered into/performed unless you fill in the obligatory personal data or provide us with additional information that we have considered necessary for entering into/performance of the contract.

If you do not provide us with your data, it is possible that we are not be able to enter into or perform a contract with the User, or fulfil any of our other purposes of processing listed in the present Policy, or this may be a breach of some contractual or legal provisions with all related consequences.

6. What personal data do we collect and for what purposes?

6.1 As far as Users are concerned, the Controller process personal data of Users that are natural persons, of natural persons who are representatives/employees of Users, and/or of other natural persons whose data have been voluntarily entered by Users on the Platform, or have been submitted by Users in the course of prior operations to access the Platform, or in the course of commercial relations between the Controllers and Users. Thus, the Controller may process the following personal data: name, surname, telephone number, whatsapp/ viber number, e-mail address, IP, password, address for the delivery of ordered goods/products, order history and other data.

The Controller process personal data collected through the Platform for the following purposes: logging in to the Platform, providing the services offered on the Platform, informing about the functioning and functionalities of the Platform, evaluating products and/or services offered on or by the Platform, analyzing Users' preferences, for the management of business relationships with Platform Users, take steps related to entering into a contract, ensuring the performance of obligations of the Companies, the Users and/or other parties related to the functioning of the Platform, exercising the Companies contractual and/or statutory rights and/or performing the Company contractual/statutory obligations and marketing communications - for promoting the Controller business (incl. promotion of the platform) and/or products/services offered by sellers.

The Controller processes data on the history of orders and deliveries of Users, as well as data on Users' business, in order to create statistics on the products and services offered through the Platform, the degree of success of the products and services offered, as well as Users' preferences, in order to offer the most appropriate business opportunities to Platform Users. The purpose of processing of data that are not collected through the platform is for the Company to enter into a contract with a potential/existing User.

Also, the Controller processes the following data for analytical purposes:

  • with regard to Users: IP, geographical location, type and version of browser used, operating system, referral source, duration of visit, page views and time spent on each page.
  • with regard to Visitors: IP, geographical location, type and version of browser used, operating system, referral source, duration of visit, page views and time spent on each page.

In the event that Users and/or Visitors have consented to receive marketing communications from the Controller (via push notifications, telephone calls, sms, email, whatsapp messages, viber messages, messages sent through the chat available on the Platform etc.), we may send you information on the services, offers or opportunities that you can benefit from by using the Platform. The processing of personal data relating to the transmission of such marketing communications is done exclusively on the basis of your consent. Consent for marketing communications may be withdrawn at any time.

The data processed through the Platform may also be used for the following purposes: carrying out target marketing activities through social media platforms (e.g. Facebook, Youtube, X) and/or search engines (Google); carrying out general advertising activities, and/or activities aimed at building User loyalty; carrying out market research, tracking and monitoring of sales made through the Platform, as well as User behaviour - for the purpose of creating better user experience and for analytical purpose; solving by the Company of requests made by Users or Visitors; generating reports on the activity of the Platform and/or its sections (including, but not limited to, Buyers' segmentation) - for the purpose of creating better user experience and for analytical purpose.

6.2 Social plug-ins or buttons Facebook, Instagram, LinkedIn, Youtube and/or others:

Their use is at your discretion. They are a link to third party websites that collect and process personal data in accordance with their terms/policies. In order to be informed and in view of your rights, please read the terms/policies of the respective third parties.

We have put these plugins/buttons to make our website more functional for visitors, as well as to promote our business. For more information on this, read the relevant Privacy Policies:

6.3 Also, we use the following tools:

7. What are the legal bases for data processing?

We may base our processing of personal data on the following legal bases:

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6, para 1, letter (b) of the GDPR).
  • Consent (Art. 6, para 1, letter (а) of the GDPR): we may process personal data on the basis of your free and unambiguous consent when you provide us with such data (e.g. in the case of sending communications regarding promotions existing/run within/through the Platform). This consent is provided by subscribing to the newsletter on the website www.supreva.com or by marking the checkbox in order to receive marketing communications through whatsapp messages or viber messages a or by marking the respective checkbox in the process of creating a user account or otherwise, as provided by the Companies.
  • Legitimate interest (Art. 6, para 1, letter (f) of the GDPR): we may process personal data on the basis of legitimate interest when, in our assessment, we consider the processing to be fair, reasonable and proportionate to the purpose of the processing (e.g. for the management of business relationships with Platform Users, for the promotion of services and opportunities offered through the Platform, for contacting potential Users).
  • Legal obligation (Art. 6, para 1, letter (c) of the GDPR): we may process personal data in order to fulfill our legal obligations.

8. Recipients of personal data, do we transfer your personal data outside the EU/EEA or to international organizations and protection of personal data. Data retention periods

8.1 Recipients of personal data:

We will not disclose your personal data collected through the Platform or obtained in any other manner that is provided for in this Policy, with the following exceptions:

  • employees and/or contractors/service providers to whom this data is necessary to process it on our behalf and/or to provide services available to the Companies (e.g. Platform maintenance providers, payment processors, hosting companies, courier services, email transmission application, analytics service providers, lawyers, banks, transport service providers, the companies listed in item 8.2. below, etc.);
  • where the obligation to disclose is a legal obligation applicable to us, our employees or contractors/service providers (in such cases we can disclose data to recipients, according to the applicable law, e.g. to authorities);
  • where the data subject's consent to the use (including disclosure) of personal data has been obtained.

8.2 Do we transfer your personal data outside the EU/EEA or to international organizations and protection of personal data:

Personal data collected through the Platform is stored on (cloud) servers located in the European Union.

Our use of platforms / tools / services of Google LLC/Google Ireland Limited (e.g. Google Analytics, Google Ads, YouTube); Meta Platforms Ireland Ltd. (e.g. Facebook social network, Messenger service, Facebook Pixel, Instagram, Whatsapp), X Internet Unlimited Company (X social network); LinkedIn Ireland Unlimited Company/LinkedIn Corporation (LinkedIn social network) HubSpot, Inc., Intuit Inc. (Mailchimp platform) and Viber Media S.à r.l. could be related to data transfers outside the European Union (EU) and the European Economic Area (EEA). Such transfers of data are based on adequacy decisions, standard contractual clauses, and possibly your explicit consent (pursuant to Article 49 (1) (a) of the GDPR) and / or other basis, if such is specified in the Privacy Policies of these platforms / tools / services.

For more information on this, read the relevant Privacy Policies:

and you can also contact us for help using the contact details provided in item 2 of this Policy.

In all other cases, your personal data will not be transferred to third countries (countries that are not members of the European Union and are not parties to the Agreement on the European Economic Area) and will not be transferred to international organizations.

8.3 Data retention periods:

Personal data processed in any of the ways and for any of the purposes described in this Policy are retained only for the period necessary for the purpose for which they were collected.

According to tax/accountancy legislation, we will keep the respective documents and data (for example data, contained in invoices) for the periods provided by law.

With regard to other data:

  • Our standard term for keeping the personal data related to Users is 5 (five) years as from the termination of the contractual relationship with the particular User. However, keep in mind that some personal data could be deleted/erased earlier - for example, upon withdrawal of your consent; if the law obliges us to delete/erase data; when we have informed you that we will store certain information for a shorter period of time; for the purposes of marketing communication - we will keep data until the consent for such processing is withdrawn (if we use the legal basis “consent” and you have given such consent) or until the end of the contractual relationship between the Company and the User (if there is such relationship) - whichever occurs earlier, but we may erase the data even earlier if we deem necessary in view of GDPR. The periods for keeping certain data can be extended in rare cases and if there is reason to continue to keep them - for example in cases of stopping and/or interruption of certain statutory limitation (prescription) periods.
  • Regarding Visitors - you can see the data retention periods in the cookie table.

In the cases you decide to send messages via the platform, we store information about the time and source of the transmitted electronic statements within one year.

9. Cookies

The Platform uses cookies.

More details on the data collected through the cookies used by the Platform, as well as the period for which they are retained, can be found in the Cookie Policy, available here.

10. Amendments to the Personal Data Processing Policy

If we deem it necessary to change this Policy or if there are legislative changes making necessary to change this Policy, we will publish those changes on this page.

If you have any questions about this Personal Data Processing Policy, please email us at [email protected].

11. Information on the right to lodge a complaint

If you are not satisfied with any aspects of how we process your data you have the right to lodge a complaint to the competent supervisory authority.

The lead supervisory authority is the Romanian ANSPDCP. The contact details are as follows:
Adress: G-ral Gheorghe Magheru nr. 28-30, Sector 1, cod postal 010336, Bucuresti Telephone: +40.318.059.211
E-mail: [email protected]
Website: dataprotection.ro

12. Obligations of the Users

By accepting/agreeing with/consenting to this Personal Data Processing Policy, the Users undertake to comply with it. The following other obligations (not mentioned above) shall be complied with by the Users:

12.1 The User shall provide the Companies and shall put in the Platform personal data only if this is lawful (including if there is a legal basis for this). The User shall not provide the Company and/or shall not put in the Platform any personal data that are not requested by the Company and/or that are not necessary to the Company in view of its relationships with the Users.

12.2 The User shall notify the natural persons related to it/him/her (its/his/her employees, representatives, etc.) whose data is processed by the Company and/or put on the Platform: (i) that their data has been provided to the Company, respectively has been put on the Platform; (ii) about the rules provided in the GTC and any annexes/contracts to them, concluded with the particular User and (iii) about this Personal Data Processing Policy and any other information under Art. 13/Art. 14 of the GDPR. Upon request from the Company, the User will provide to the natural persons related to it/him/her (its/his/her employees, representatives, etc.) information about changes in information under Art. 13/Art. 14 of the GDPR and any other information related to the processing of personal data. Upon request from the Company, the User will provide it with any other necessary assistance related to the processing of personal data, carried out in view of the relationships between the Company and the Users.

12.3 All contact details provided by the User (incl. through any natural person related to it/him/her) should be ones which are for business use only and not for personal use.

12.4 The User shall notify the Company in advance if a natural person related to that User (its/his/her employee, representative, etc.) will no longer perform his/her functions (including if they will be changed or terminated) so that the Company can decide whether and how to continue processing his/her personal data.

12.5 The User shall fully comply with the data protection legislation, incl. the GDPR.

12.6 The User shall ensure that the natural persons related to it/him/her (its/his/her employees, representatives, etc.) comply with the obligations/requirements described in this Personal Data Processing Policy.

12.7 In the event that the User fails to fulfill any of its/his/her obligations under this section 12, as a result of which the Company suffer damage/miss profit (for example, a sanction is imposed by an authority and/or the Company or any of the controllers is obliged to pay compensation to the data subject and/or other amount in connection with the processing of personal data), the User undertakes to pay the Company a compensation for any suffered damage (such as paid sanctions, compensation, costs, including fees of lawyers and consultants, etc.) and missed profit. In the cases under the previous sentence, the User undertakes to render full assistance to the Company and to protect and safeguard it/him/her.

13. Other information

As of 19.06.2026, the processing of personal data in connection with the use of the website is carried out solely by the Company, which assumes the role of an independent data controller.

The companies Supreva Online Kft, company registration number: 01-09-397484, registered office: 1141 Budapest, Szugló utca 82, tax number: 27774377-2-42, and Supreva Online Ltd, registered in the Commercial Register at the Bulgarian Registry Agency, with UIC: 206887575, seat and registered address: City of Burgas, 2A Kont Androvanti str., 2nd floor, Republic of Bulgaria, which until 19.06.2026 had acted as joint controllers together with the Company, have ceased their activities in relation to the Platform and no longer participate in the processing of personal data through the website.

All rights of data subjects under Regulation (EU) 2016/679 (GDPR) may be exercised by contacting the Company.

The Company continues to process the already collected personal data for the same purposes and under the same conditions described in this policy.

This Policy is drafted in the English language. Depending on the User’s region, a version of the Policy may also be made available in the local language of such User for convenience and facilitation purposes. In the event of any discrepancy or inconsistency between the English language version of the Policy and any other language version, the English language version shall prevail.


Download Privacy policy