Privacy Policy.
Last updated: November 1, 2025 · The Timber Tale S.R.L. · Brașov, Romania
1. Who We Are
The Timber Tale S.R.L. is a social enterprise registered in Romania, operating at thetimbertale.ro. We are the data controller for personal data collected through this website, our e-commerce platform, and associated services.
Contact: hello@thetimbertale.ro · +40 771 297 980 · Brașov, Romania
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, surname, email address, phone number, date of birth (for membership and birthday discounts)
- Order data: Delivery address, billing information, order history, payment method tokens (we do not store full card numbers — payments are processed by Netopia Payments)
- Communication data: Messages sent via contact forms, emails, and support requests
- Referral data: Referral code usage, earnings, IBAN (for cash-out requests only)
- Community platform data: Project submissions, documents, photos submitted by NGOs and applicants
- Technical data: IP address, browser type, device type, pages visited, session duration (via cookies — see Section 8)
- Newsletter data: Email address and subscription preferences
3. How We Use Your Data
- To process and fulfil your orders, including sending order confirmation and delivery updates
- To manage your member account, TimberCoins balance and referral earnings
- To send newsletters and marketing communications (only with your explicit consent)
- To respond to support requests and custom order enquiries
- To review and approve Community platform project submissions
- To process referral cash-out requests (IBAN used solely for bank transfer)
- To improve our website and services via analytics
- To comply with legal obligations (invoicing, tax records)
4. Legal Basis for Processing
- Contract performance: Processing orders, managing accounts, fulfilling purchases (Art. 6(1)(b) GDPR)
- Legitimate interest: Fraud prevention, website security, internal analytics (Art. 6(1)(f) GDPR)
- Consent: Newsletter subscriptions, marketing cookies, non-essential analytics (Art. 6(1)(a) GDPR)
- Legal obligation: Issuing invoices, tax compliance under Romanian law (Art. 6(1)(c) GDPR)
5. Who We Share Data With
We do not sell your data. We share data only with:
- Courier partners (Fan Courier, Cargus, Sameday) — name, address, phone for delivery purposes only
- Netopia Payments — payment processing (they are independently GDPR compliant)
- Our accountant — billing data for invoicing and tax compliance
- Email service provider — for newsletter delivery (subscriber email only)
- Hosting provider — server infrastructure (EU-based)
All processors are contractually bound to use data only for the specified purpose and in compliance with GDPR.
6. How Long We Keep Data
- Order and invoice data: 10 years (Romanian legal requirement for accounting records)
- Account data: For the duration of your account, plus 2 years after deletion
- Newsletter subscriptions: Until you unsubscribe
- Support messages: 3 years from last correspondence
- Community project submissions: 5 years from submission
- Analytics data: 14 months (anonymised after 26 months)
7. Your Rights
Under GDPR, you have the right to:
- Access: Request a copy of the data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): Request deletion of your data (subject to legal retention obligations)
- Restriction: Ask us to limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interest or for direct marketing
- Withdraw consent: At any time, where processing is based on consent
- Lodge a complaint: With the Romanian data protection authority (ANSPDCP) at dataprotection.ro
To exercise any of these rights, email hello@thetimbertale.ro. We will respond within 30 days.
8. Cookies
We use cookies to operate the website and improve your experience. For full details, see our Cookie Policy. You can manage cookie preferences via the banner displayed on your first visit or in your browser settings.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These include HTTPS encryption, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure. If you believe your data has been compromised, contact us immediately at hello@thetimbertale.ro.
For all privacy-related queries, requests or complaints:
The Timber Tale S.R.L.
Email: hello@thetimbertale.ro
Phone: +40 771 297 980
Brașov, Romania