Privacy Policy

The controller of your personal data is NEUROBYTE ENTERPRISE S.R.L., headquarters in Bucharest, Sector 2, Str. Recreerii nr 2D.

For data protection questions, you can contact us at privacy@onlydeal.ro. If we formally appoint a Data Protection Officer where legally required, we will publish the relevant contact details separately.

**Identity/Profile:** username, display name, profile content, account type.

**Contact:** email, phone, address book and shipping details.

**Trader/Business Verification Data:** company name, VAT/tax identifiers, registration documents, representative identity, bank details, and other information necessary to verify trader status or trader traceability.

**Transaction Data:** listings, orders, delivery events, payouts, support/dispute records.

**Security/Technical:** device and session metadata, IP logs, fraud and abuse signals.

**Operational Request Metadata:** endpoint/path, query key names, request/response size and timing, protocol/host, selected HTTP headers (e.g., user-agent, accept-language, referer/origin), and infrastructure request identifiers.

**Data from Other Sources:** information from payment processors, logistics partners, verification/anti-fraud providers, other users involved in a transaction, public sources, or authorities, to the extent permitted by law.

We process personal data for account creation and administration, listing publication and moderation, processing orders, payments, payouts, deliveries, returns, and disputes, service communications, support, fraud prevention, and compliance with legal obligations.

For trader/business accounts and certain transactions, we may process additional data for identity and trader-status verification, tax compliance, trader traceability obligations, and cooperation with authorities or relevant processors.

We also process strictly necessary server-side telemetry for service security, abuse detection, incident investigation, audit, platform integrity, operational continuity, and technical performance improvement.

Legal bases include contract performance or pre-contractual steps (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests (Art. 6(1)(f)), and consent where required (Art. 6(1)(a)). Our legitimate interests may include platform security, fraud prevention, defense of rights, and safe administration of the service.

Recipients may include payment processors, logistics partners, cloud/storage vendors, communication providers, authentication, verification and anti-fraud services, consultants, auditors, and authorities where required or necessary.

Where providers act as processors, we use GDPR-compliant contracts and security controls. We may also disclose data where necessary to establish, exercise, or defend legal claims.

Data is retained only as long as necessary for service delivery, legal compliance, fraud prevention, and dispute handling.

Operational/security telemetry is retained for limited periods with rotation and access controls, unless longer retention is required for investigations or legal obligations.

Certain records (including accounting, tax, transaction, anti-fraud, or legal-claims records) may be retained for mandatory statutory periods or until applicable limitation periods expire.

When data is no longer needed, we delete, anonymize, or isolate it in accordance with our internal policies and legal obligations.

If data is transferred outside the EEA, we apply appropriate safeguards (such as Standard Contractual Clauses) and supplementary protections where required.

You may request access, rectification, erasure, restriction, objection, and portability, subject to legal limitations.

Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

You may also lodge a complaint with your competent supervisory authority.

Some data is contractually or legally required for account creation, order processing, delivery, payments, fraud prevention, and compliance. If you do not provide it, we may be unable to create the account, execute the transaction, or provide certain services.

You are not required to provide data for processing based solely on consent, but the absence of such data may make certain optional features unavailable.

We may use automated rules for fraud detection, security, risk scoring, or operational checks. Based on the information published here, we do not take solely automated decisions producing legal effects or similarly significant effects on individuals unless this is permitted by law and separately disclosed where required.

For privacy requests, contact privacy@onlydeal.ro. We may request identity verification for account safety and to prevent unauthorized disclosure.