Privacy Policy

PRIVACY POLICY REGARDING THE PROCESSING OF PERSONAL DATA THROUGH THE SGRapp by RetuRO APPLICATION

Version updated on December 19, 2025.

Like any company, RETURO SISTEM GARANTIE RETURNARE S.A. ("the Company", "the Operator", "RetuRO", "we") processes personal data.

This Privacy Policy ("the Policy") concerns informing data subjects regarding the processing of personal data carried out through the SGRapp by RetuRO application (hereinafter referred to as "the Application"). Thus, the Policy includes information regarding the processing of your personal data by the Operator, specifically regarding how we collect and use personal data, including data processed from the perspective of using cookies and other similar technologies ("Cookies") within the Application.

The Policy takes into account the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "the Regulation" or "GDPR"), as well as other relevant normative acts and provisions.

The Policy is addressed to all visitors/users of the Application, such as consumers or end users ("User"), meaning persons who purchase for their own consumption products packaged in non-reusable primary packaging (SGR Packaging) that are part of the DRS (Deposit Return System).

We may update this Policy from time to time to reflect changes in the Operator's practice regarding personal data processing or changes in applicable legislation. If necessary according to applicable legislation, we will also send separate and direct notifications regarding such updates.

1. IDENTITY AND CONTACT DETAILS OF THE OPERATOR

The personal data operator is RetuRO company, with registered office in Romania, Bucharest, Sector 2, Ing. George Constantinescu Street, no. 4B and George Constantinescu Street no. 2-4, building A, Globalworth Campus, floor 4, registered with the Trade Register under no. J40/3853/2022, European Unique Identifier (EUID): ROONRC.J40/3853/2022, having the unique registration code 45721171, telephone 031.9003, email suport@returosgr.ro.

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

The contact details of the DPO within the Operator are: telephone 031.9003, email suport@returosgr.ro.

You can contact the DPO, for example, if you have questions regarding information contained in this Policy or to exercise any rights you have as a data subject.

3. PURPOSES FOR WHICH PERSONAL DATA ARE PROCESSED BY THE OPERATOR AND THE LEGAL BASIS OF PROCESSING

a. Management of User accounts

Management of User accounts opened on the Application, in general (offering the possibility of account creation, administration, suspension, deletion, etc.).

b. Provision of content and specific services through the Application

Administration of the Application (including preparation and publication of information, documents), as well as other necessary IT applications, information platforms and facilities offered through them, as well as analysis of their efficiency.

c. IT infrastructure management

Ensuring, protecting, maintaining and developing IT hardware and software infrastructure and data support to facilitate the conduct, development and protection of the Operator's activities.

d. Management of the Operator's activity in relation to other persons

Management of interactions including in the form of public and private messaging. Making available relevant information for your activities.

e. Ongoing management of business relationships

Ensuring optimal collaborations by the Operator with third parties, other entities involved or wishing to offer facilities in the DRS or in connection with the Application.

f. Transmission of electronic commercial communications

Direct marketing through transmission of commercial communications, including newsletters, promotions, offers, promotional campaigns, lotteries, competitions, contests, events.

g. Conducting marketing and promotion activities

Marketing activities, advertising, promotion of activities, image, trade name and trademarks of the Operator. Market research, statistics.

h. Ensuring legal protection

Legal protection of the Operator, management and monitoring of judicial and extrajudicial procedures regarding the rights and interests of the Operator.

i. Management of requests, suggestions, notifications and complaints

Receipt, verification, resolution and monitoring of requests, suggestions, notifications and complaints, including by transmitting the Operator's responses.

j. Legislative and procedural compliance

Legislative compliance, including cooperation with authorities and public institutions. Management of archiving aspects.

3.1. Legal bases of processing

  • Your consent (art. 6 para. 1 lit. a) of GDPR)
  • Performance of a contract (art. 6 para. 1 lit. b) of GDPR)
  • Legal obligation of the Operator (art. 6 para. 2 lit. c) of GDPR)
  • Legitimate interest of the Operator (art. 6 para 1 lit. f of GDPR)

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1. Origin of personal data

We collect both personal data obtained from you directly (for example, you completed some forms) and indirectly (for example, from our analysis of how you use certain functionalities of the Application).

4.3. Personal data processed

  • Identity information (name and surname, image/photograph, biometric data)
  • Contact information (email address, telephone number)
  • Financial-banking information and transaction-related information
  • Data related to the Application (User account, usage data, technical information)
  • Security data (login details, records of internal investigations)
  • Information generated by us during our activities

5. RECIPIENTS OF PERSONAL DATA

To fulfill the purposes mentioned above, in some cases, it may be necessary for personal data to be transmitted to:

  • Business partners
  • Entities providing marketing campaign design, implementation and analysis services
  • Entities providing IT services
  • Persons involved in investigations or research conducted by the Operator

6. TRANSFER OF PERSONAL DATA OUTSIDE THE COUNTRY

In general, RetuRO does not intend to transmit your personal data outside the European Union/European Economic Area.

However, there may be particular situations where the Operator and/or its authorized persons may transfer personal data to international organizations or third countries. In these particular situations, the Operator ensures adequate safeguards through:

  • European Commission decision regarding the adequate nature of data protection
  • Standard data protection clauses adopted by the European Commission
  • Binding corporate rules
  • Prior explicit consent of the data subject

7. DURATION OF PERSONAL DATA STORAGE

The Operator takes reasonable measures to ensure that personal data are processed only for the minimum period necessary for the purposes set out in this Policy.

The criteria for establishing the time period are:

  • Duration of User account maintenance in the Application
  • Duration of User involvement in using certain functionalities
  • Duration of business/collaboration relationship
  • Duration necessary for service development, maintenance and improvement
  • Duration imposed by applicable legislation
  • Duration of a limitation period in accordance with applicable law

8. RIGHTS OF DATA SUBJECTS

As a data subject, you benefit from the following rights:

Right to information

The right to receive information regarding personal data processing carried out by the Operator.

Right of access

You can obtain from us clarification regarding whether we process your personal data and the right to obtain access or a copy of such data.

Right to rectification of personal data

You can request us to rectify your personal data that you consider incorrect/inaccurate.

Right to erasure of personal data ("right to be forgotten")

You can request the erasure of personal data concerning you, without undue delay, in cases provided by law.

Right to restriction of processing

Under certain conditions, you can request the restriction of processing of your personal data.

Right to data portability

You can request us to provide your personal data in a structured, commonly used and machine-readable format.

Right to object

You can object at any time, for reasons based on your particular situation, to personal data concerning you being subject to processing.

Right not to be subject to a decision based solely on automated processing

The right not to be subject to a decision based solely on automated processing, including profiling.

Right to lodge a complaint

If you consider that the processing of your personal data violates GDPR, you have the right to lodge a complaint with:

National Supervisory Authority for Personal Data Processing in Romania
B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, postal code 010336, Bucharest, Romania
Email: anspdcp@dataprotection.ro

Withdrawal of consent

You can withdraw at any time your consent regarding the processing of your personal data based on consent. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. SPECIFIC INFORMATION REGARDING PERSONAL DATA PROCESSED THROUGH COOKIES USED

9.1. Personal data processed

Personal data we may process through Cookies are:

  • Identification information (name, surname, User name, password)
  • Contact information (email address, telephone number)
  • Technical information (location data, IP address, device data, browser)
  • Security data (login details, login activities)

9.2. Processing purposes

We use Cookies and personal data for:

  • Monitoring Application traffic, statistical records
  • Understanding how the Application is used
  • Improving Application functionalities
  • Providing requested products and services
  • Marketing and advertising activities
  • Market research, statistics
  • Legal protection

9.3. Processing basis

For non-essential Cookies, we rely on the processing basis represented by your consent. For essential Cookies, we rely on the processing basis represented by "our legitimate interests".

9.4. Storage duration

We store personal data processed through Cookies for as long as is necessary to ensure the performance of the Application and associated functionalities.

ANNEX 1 - BASIC DEFINITIONS

According to the General Data Protection Regulation:

"Personal data" means any information relating to an identified or identifiable natural person.

"Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person who processes personal data on behalf of the controller.

"Processing" means any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Last updated: December 19, 2025
Version: 1.0