LEGAL DOCUMENT

Privacy policy

Last updated: 17 May 2026

We treat the protection of personal data as an obligation, not a formality. This document describes what data we collect through theuniformaker.ro, for what purpose, to whom we disclose it and what your rights are under Regulation (EU) 2016/679 (GDPR) and Law 190/2018.

1. Data controller

The Uniform Maker S.R.L., with registered office in Bucharest, Str. Anina nr. 1, Sector 1. For any request related to your data, write to contact@theuniformaker.ro. We have not appointed a DPO (data protection officer) as we do not meet the thresholds in art. 37 GDPR, but the same email receives all requests.

2. What data we collect

Account and authentication: full name, email, phone, account type (individual / business), institution and identification code, if you choose to fill them in. The password is stored hashed, we never see it in clear text.
Quote requests: contact details from the form, selected products, personalisation options (sizes, colours, quantities per size) and your message.
Body measurements: entered manually by you, if you choose to save them in your account, so we can recommend the right size from our size table.
Marketing preferences: the "accept newsletter" checkbox at sign-up; you can withdraw it at any time from your account or via the unsubscribe link in emails.
Technical data: server logs (URL, status, timestamp), IP address, user-agent, strictly necessary cookies (described in the cookies policy).

3. Purpose and legal basis

Service delivery (account, requests, quotes, orders) — art. 6(1)(b) GDPR (contract performance).
Communication of personalised quotes and order status — art. 6(1)(b) GDPR.
Email marketing only with your express consent (sign-up checkbox or "subscribe me" checkbox in other forms) — art. 6(1)(a) GDPR. You can withdraw at any time from your account or with one click on the unsubscribe link.
Tax and accounting obligations — art. 6(1)(c) GDPR (legal obligation: invoicing, 10-year retention).
Security and fraud prevention — art. 6(1)(f) GDPR (legitimate interest: protecting your account and the platform from abusive access).

4. Retention period

Active account: data remains stored as long as the account is active.
Invoiced orders: 10 years (accounting obligation — OMFP 2634/2015 + Law 82/1991).
Unconverted quote requests: maximum 24 months from the last interaction, then anonymised.
Marketing: until consent is withdrawn.
Technical logs: 90 days.

5. Who we share data with

Supabase — database hosting, authentication and media storage. Processor under a signed DPA. Data is stored in the EU (Frankfurt region).
Courier providers (Sameday, FAN, Cargus) — only the delivery address and contact data, only for a specific order.
Payment processors — if you purchase through the platform, they will be explicitly listed in the quote.
Public authorities (ANAF, ANPC, courts), only based on a legal requirement.

We do not sell or rent your data to third parties for advertising.

6. Transfers outside the EU

We do not transfer data outside the European Economic Area. All data remains on EU/EEA servers.

7. Your rights

You have the right of access, rectification, erasure, restriction, portability, objection and to file a complaint with ANSPDCP (www.dataprotection.ro). Details and forms in the GDPR page. To exercise any right, write to contact@theuniformaker.ro — we respond within 30 days.

8. Security

We use encrypted connections (HTTPS/TLS 1.2+), a database with per-user Row Level Security, access limited to the team handling orders, and passwords stored hashed with bcrypt via Supabase Auth. Backups are encrypted at rest.

9. Automated decisions and profiling

We do not use automated profiling to make decisions producing legal effects on you (for example, refusing an order based on an algorithmic score).

10. ANPC, SAL and SOL

For complaints related to data processing, you may first contact contact@theuniformaker.ro. For consumer rights you also have ANPC, SAL (anpc.ro/ce-este-sal) and the SOL/ODR platform (ec.europa.eu/consumers/odr).

11. Changes

We may update this policy whenever legal or platform changes occur. The current version is shown above, with the date of the last update.

1. Data controller

2. What data we collect

Account and authentication: full name, email, phone, account type (individual / business), institution and identification code, if you choose to fill them in. The password is stored hashed, we never see it in clear text.

Quote requests: contact details from the form, selected products, personalisation options (sizes, colours, quantities per size) and your message.

Body measurements: entered manually by you, if you choose to save them in your account, so we can recommend the right size from our size table.

Marketing preferences: the "accept newsletter" checkbox at sign-up; you can withdraw it at any time from your account or via the unsubscribe link in emails.

Technical data: server logs (URL, status, timestamp), IP address, user-agent, strictly necessary cookies (described in the cookies policy).

3. Purpose and legal basis

Service delivery (account, requests, quotes, orders) — art. 6(1)(b) GDPR (contract performance).

Communication of personalised quotes and order status — art. 6(1)(b) GDPR.

Email marketing only with your express consent (sign-up checkbox or "subscribe me" checkbox in other forms) — art. 6(1)(a) GDPR. You can withdraw at any time from your account or with one click on the unsubscribe link.

Tax and accounting obligations — art. 6(1)(c) GDPR (legal obligation: invoicing, 10-year retention).

Security and fraud prevention — art. 6(1)(f) GDPR (legitimate interest: protecting your account and the platform from abusive access).

4. Retention period

Active account: data remains stored as long as the account is active.

Invoiced orders: 10 years (accounting obligation — OMFP 2634/2015 + Law 82/1991).

Unconverted quote requests: maximum 24 months from the last interaction, then anonymised.

Marketing: until consent is withdrawn.

Technical logs: 90 days.

5. Who we share data with

Supabase — database hosting, authentication and media storage. Processor under a signed DPA. Data is stored in the EU (Frankfurt region).

Courier providers (Sameday, FAN, Cargus) — only the delivery address and contact data, only for a specific order.

Payment processors — if you purchase through the platform, they will be explicitly listed in the quote.

Public authorities (ANAF, ANPC, courts), only based on a legal requirement.

We do not sell or rent your data to third parties for advertising.