Privacy Policy (Privacy Policy, GDPR Compliance)

General Provisions

This Privacy Policy describes what personal data is collected by INTERNATIONAL DIGITAL RETAIL S.R.L. (the operator of the EXPRESS.MARKET platform, hereinafter referred to as “we” or “Operator”) from users of the Site (hereinafter referred to as “User” or “you”), how that data is used, disclosed, and protected. We comply with Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws. By using our Site, you entrust us with some of your data—we strive to handle it responsibly and give you control. This Policy applies to all information collected via our website express.market and related services.

1. Data We Collect

We collect various categories of personal data directly from you or automatically when you use the Site:

  • Contact Data: first and last name, email address, phone number, postal address (for product delivery), and other similar data provided during registration or order placement.
  • Account Data: username, password (stored encrypted), order history, favorite products, account settings, reviews, and comments you leave on the platform.
  • Payment Data: when you pay for orders, we may collect information about the payment method (for example, part of the credit card number, transaction status). Full card details are processed by our certified payment providers and are not stored in unencrypted form on our servers.
  • Activity Data: records of your actions on the Site—pages and products viewed, time and duration of visits, search queries, clicks on ads. This data is collected using cookies and similar technologies. We may also receive data on which source redirected you to our Site (referral).
  • Technical Data: your device’s IP address, browser type, operating system version, system language, screen resolution, unique device identifiers (in the case of a mobile app), and information from cookies. This technical information helps ensure the Site works correctly and improves the service.
  • Correspondence Data: if you contact us via customer support, live chat, or other channels, we store your messages, questions, and the contact details you provide to respond.
  • Verification Documents (if needed): we may request copies of identity documents or other information (e.g., proof of age for alcohol purchase, company registration documents for B2B) and will process them strictly for verification purposes.

We do not intentionally collect any sensitive data about you (racial or ethnic origin, political opinions, religious beliefs, health status, biometrics, criminal records), and we ask that you do not provide such information when using the Site, except when necessary (e.g., allergy information in a food order comment—at your discretion).

2. Purposes of Data Use

We use the collected personal data for the following purposes:

  • Providing Services and Fulfilling Contracts: primarily, we need your data so that you can use the platform—create an account, place and fulfill orders, receive products. For example, we use your name and address for shipping, your phone number so the courier can contact you, and your email for order confirmations and notifications. Processing data for these purposes is based on the necessity to perform the contract with you (Art. 6(1)(b) GDPR).
  • Account Management: to maintain your profile, display order history, wish list, and personal settings.
  • Payment Processing: transmitting necessary details (amount, order ID) to payment services for transaction processing and payment confirmation. The legal basis is to perform the purchase agreement and our legitimate obligation to keep payment records.
  • Customer Support: to answer your inquiries, questions about products, and resolve order issues. Correspondence records are used to train staff and improve service quality (legitimate interest to improve our services).
  • Order Status Notifications: we will inform you about key events—order confirmation, product shipment, delivery reminder, return status updates, etc. Such transactional notifications are not marketing-related, and you cannot opt out while using the service (except by discontinuing use).
  • Marketing Communications (with Consent): with your separate consent, we may use your contact data (email, phone) to send you promotional materials: news about new arrivals, special offers, personalized recommendations. You can always opt out of these mailings using the “Unsubscribe” link in the email or by changing settings in your Account. The legal basis is your consent (Art. 6(1)(a) GDPR). Without consent, we may send limited offers about similar products if you have already made a purchase, relying on legally permitted exceptions (soft opt-in), but you can opt out at any time.
  • Personalizing Your Experience: based on your data and history, we might show personalized product recommendations on the Site tailored to your interests or adjust the product listing order. This is part of the service and is based on our legitimate interest in improving platform usability.
  • Analytics and Service Improvement: we analyze how users in general interact with the platform, which pages are visited, what they search for, to identify trends, fix bugs, and improve functionality and assortment. We use anonymized or aggregated data whenever possible to avoid identifying you personally.
  • Fraud Prevention and Security: to protect your and our interests, we may use automated scripts to monitor activity for suspicious actions (e.g., multiple failed logins, unusual purchase patterns). This is necessary to secure accounts, prevent payment fraud, and combat illegal activities on the platform. The legal basis is the legitimate interest in ensuring service integrity and fulfilling legal obligations.
  • Legal Obligations: we may process and store certain data to comply with legal requirements. For example, transaction data is kept for tax and accounting purposes. We may also disclose data upon request by competent authorities when required by law (see the disclosure section). Processing on this basis is Art. 6(1)(c) GDPR (necessary for compliance with a legal obligation).
  • Enforcing and Protecting Rights: if a dispute arises or there is a need for legal defense, we may use relevant data to establish, exercise, or defend our legal claims. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in protecting our rights).

We do not carry out fully automated decision-making that produces legal effects or similarly significantly affects you without human involvement. Any automated assessments (e.g., transaction fraud checks) are reviewed by a responsible employee if the outcome affects service provision.

3. Cookies and Similar Technologies

3.1. What Are Cookies: Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies (pixel tags, local storage) to ensure the Site functions properly and for traffic analysis and marketing purposes.

3.2. Types of Cookies We Use:

  • Necessary Cookies: without these, the Site cannot function correctly. They are used, for example, to remember the contents of your shopping cart, maintain login sessions (so you don’t have to enter your password on every page), and protect against CSRF attacks. These cookies collect and store data only to support these services and are usually first-party cookies (from our domain).
  • Analytics Cookies: allow us to see visit statistics, understand which pages are popular, and where visitors come from. We may use third-party analytics tools such as Google Analytics (with IP anonymization enabled), Yandex.Metrica, or their European equivalents. Collected data is aggregated and not targeted at individual users. The basis for use is our legitimate interest to improve the service. You can disable these cookies without significant loss of functionality.
  • Functional Cookies: help remember your preferences (such as site language, chosen currency, filters) to enhance convenience. They can be disabled, but some of your settings will not be saved.
  • Advertising Cookies: we may use these to show you more relevant ads on our site or third-party sites (retargeting). These cookies track your interaction with the site and may be shared with advertising partners. They are used only with your consent, requested via a cookie banner on first visit. If you do not consent, advertising cookies will not function.

3.3. Managing Cookies: On your first visit to the Site, you will see a cookie notification with options to consent or configure them. You can change your choice at any time by deleting cookies in your browser settings and selecting options again. Most browsers allow you to disable cookies entirely or block third-party cookies. Note that disabling all cookies may degrade functionality (e.g., you may not be able to log in because the session will not be maintained).

3.4. Other Technologies: We may use pixel tags (tiny images) in our email newsletters to see if they were opened and interacted with. This helps us evaluate the effectiveness of communications and improve them. You can opt out of marketing emails (and thus these pixels) at any time.

4. Disclosure of Data to Third Parties

We do not sell or share your personal data with third parties for their own marketing purposes without your explicit consent. However, in the normal course of platform operations and service provision, some of your data may be shared with certain categories of parties strictly for specified purposes, as outlined below:

  • Platform Sellers (Merchants): When you place an order, necessary data for fulfilling the order is provided to the relevant Merchant. Specifically, the Merchant receives order details (product, quantity, price) and shipping information—recipient’s name, address, phone number, and contact email for order-related communication. The Merchant is prohibited from using these data for any purpose other than fulfilling the order (including post-sale support and handling returns). The Merchant is an independent controller of these data for the purpose of fulfilling your order and must handle them in accordance with data protection laws and our Policy.
  • Delivery Companies and Logistics Partners: To deliver the product to the address you provided, we share your contact information—name, address, phone number, sometimes email (for delivery status notifications)—with carriers. These companies act as separate controllers or processors, using the data only to deliver the package to you and contact you if needed.
  • Payment Providers and Financial Institutions: During payment processing, we transmit necessary details to payment systems—amount, order number, your payment credentials (card, account). If you choose installment plans or other financial products, information must be shared with the respective financial entity. These providers (e.g., Stripe, PayPal, Adyen, etc.) act as independent controllers (accountable to their own regulators) or as processors for us—in any case, they must ensure your data’s security and comply with standards (PCI DSS for card data).
  • IT Service Providers: We use external companies for hosting our servers, data storage, backups, and analytics. For example, our servers may be hosted in the cloud (AWS, Azure, Google Cloud, or a certified local provider). These providers may have technical access to data but are not permitted to use it for their own purposes. We have Data Processing Agreements (DPAs) with them as required under Art. 28 GDPR, and they act only on our instructions.
  • Marketing and Analytics Services: With your consent, we may share limited data (e.g., a hashed email identifier or cookie) with analytics services (Google Analytics, Facebook Pixel) or advertising platforms to measure ad effectiveness or show targeted advertisements. These platforms may combine the data received with information they already have about you (e.g., your Google profile). We minimize the volume of such data and use anonymization features (e.g., IP masking).
  • Law Enforcement and Government Authorities: We may disclose personal data in response to an official request if required by law. For example, to tax authorities for fiscal reporting, or to law enforcement/courts if a properly formatted request is received as part of an investigation. We may also disclose data if we believe it is necessary to prevent a crime, fraud, or to protect the rights, property, or safety of our users or employees (basis—legal obligation or legitimate interest in security). Disclosures will be limited to what is required by law (we review each request’s validity and challenge overly broad requests).
  • Affiliated Companies: If we have subsidiaries or affiliates, data may be shared with them for management purposes (e.g., centralized storage or maintenance). Such companies adhere to this Policy. In the event of a merger, acquisition, or sale of the business, your data may be transferred to the successor owner of the platform—we will notify users in advance and provide the option to delete data if they do not agree with the new policy.
  • Professional Advisors: In certain situations, we may provide limited information to lawyers, auditors, or accountants if necessary for them to perform services for us (e.g., financial audits, legal representation). These parties are bound by confidentiality obligations.

Transfers Outside the EEA: If we transfer your personal data to countries outside the European Economic Area (e.g., a third-party service in the United States or a merchant in Ukraine), we will ensure appropriate legal mechanisms for such transfers. Typically, this involves an EU Commission adequacy decision (for recognized safe countries) or Standard Contractual Clauses (SCCs) with the recipient. We also assess the risks of such transfers and, where necessary, implement additional safeguards (e.g., encryption, pseudonymization). Your rights remain intact, and you can request details about international transfers by contacting us.

5. Data Retention and Security

5.1. Retention Periods

We retain your personal data no longer than necessary for the purposes for which it was collected. Specific retention periods are:

  • Account Data – retained as long as you maintain an account on EXPRESS.MARKET. If you choose to delete your account, we will delete or anonymize your personal data within 30 days, except for data we are legally required to retain (e.g., transaction records).
  • Order History – retained for warranty support, returns, and compliance with legal obligations. Financial purchase information is kept for at least 10 years in accordance with accounting and tax regulations (for Romania and most EU countries).
  • Support Correspondence – retained for up to 3 years after the issue is resolved, in case the issue reoccurs or for internal analysis.
  • Marketing Data (Email for Newsletters) – retained until you unsubscribe from our mailing list. After unsubscribing, your contact may be placed on a “do-not-send” list to ensure you do not receive further emails, or completely deleted, depending on circumstances.
  • Activity Logs – server logs and technical logs containing IP addresses and event data are typically retained for 6–12 months. Aggregated analytics data that does not identify individuals may be stored indefinitely.
  • Cookies – have varying lifespans: session cookies are deleted when you close your browser; persistent cookies usually last from 1 month to 1 year (sometimes longer—e.g., Google Analytics cookies can last up to 2 years if not deleted sooner).

After the retention periods expire, we will either permanently delete the data or anonymize it (so it can be used for statistical purposes without identifying individuals).

5.2. Security Measures

We implement organizational and technical measures to protect your data from unauthorized access, alteration, disclosure, or destruction. Key measures include:

  • Encryption: confidential data (e.g., login credentials, payment information) is transmitted over HTTPS (SSL/TLS) with up-to-date certificates. Sensitive data (passwords, tokens) is stored in encrypted/hashed form.
  • Access Control: employee access to personal data is limited based on job necessity (principle of least privilege). Only authorized personnel (e.g., support staff, engineers) have access to systems, and their actions are logged. We use multi-factor authentication for administrative panels.
  • Infrastructure Protection: our servers are protected by firewalls and intrusion detection systems. Security updates are applied regularly. We conduct periodic vulnerability assessments and penetration tests, including external audits.
  • Backup: data is backed up regularly to prevent loss from technical failures. Backups are stored in encrypted form.
  • Policies and Training: our employees undergo data protection training and are required to maintain confidentiality. Internal policies govern data handling and establish accountability for breaches.

Despite these measures, no method of transmitting data over the Internet or storing data is 100% secure. We continuously improve our security practices, but cannot guarantee absolute protection against all risks. You also play a role in security—please keep your password confidential, use unique strong passwords, and do not share verification codes with others. If you suspect your account has been compromised, contact us immediately.

5.3. Breach Notifications: If a data breach or other incident threatens the rights and freedoms of our users despite our efforts, we comply with GDPR requirements: we notify the supervisory authority (in Romania—ANSPDCP) within 72 hours and affected individuals if there is a high risk to their rights (Arts. 33–34 GDPR). We will provide all necessary information and take measures to minimize harm.

6. Data Subject Rights

Under GDPR and similar laws, you have a number of rights regarding your personal data:

  • Right of Access: you may request confirmation whether we process your personal data, and if so, obtain a copy of the personal data we hold about you, along with information about its processing (purposes, categories, recipients, retention periods, etc.). We will provide the data free of charge (first copy); subsequent copies may incur a reasonable fee for frequent or unfounded requests.
  • Right to Rectification: you have the right to request correction of inaccurate or incomplete personal data we process about you. Most data can be updated directly in your Account (e.g., contact phone, shipping address). For other data, contact us and we will make the corrections.
  • Right to Erasure (“Right to be Forgotten”): you may request deletion of your personal data if: the data is no longer needed for the purposes for which it was collected; you withdrew consent and no other legal basis exists; you object to processing (see below) and we have no overriding legitimate grounds; the data was processed unlawfully; the data must be erased to comply with a legal obligation. Note that this right is not absolute—if we are required to retain data by law (e.g., transaction records) or the data is needed to establish, exercise, or defend legal claims, we may not delete it immediately. In any case, we will inform you of our decision. You can delete your account in the Site settings or request support to do so, which initiates the process of deleting your data (except data we must retain).
  • Right to Restriction of Processing: you can request temporary restriction of processing your data (only storage, no further processing) in these situations: you contest data accuracy (during verification); processing is unlawful, but you oppose deletion and request restriction; we no longer need the data, but you need it to establish, exercise, or defend legal claims; you object to processing—pending verification whether our legitimate grounds override yours. If restricted, we will only store the data and use it for legally permitted purposes.
  • Right to Data Portability: for data you have provided and that is processed based on your consent or a contract with you and carried out automatically, you may request the data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) or direct transfer to another controller, if technically feasible. This right applies only to data you actively provided (e.g., profile, orders) processed automatically. For example, you can export your order history.
  • Right to Object: you may object at any time to processing of your personal data based on our legitimate interests (Art. 6(1)(f) GDPR) if you have reasons related to your situation. If you object, we will stop that processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if processing is needed for legal claims. Practically, you may object to profiling for marketing purposes—we will stop it. You may object to analytics—we will assess if it can be stopped without impairing the service. However, you cannot object to processing/retention of transaction data, as we have a legal obligation to keep them.
  • Right to Object to Direct Marketing: you can opt out of marketing communications at any time. If you no longer wish to receive email newsletters—unsubscribe, and we will cease sending them. The same applies to push notifications (browser or app)—you can disable them in device/browser settings.
  • Right to Withdraw Consent: where processing is based on your consent (Art. 6(1)(a)), you can withdraw it at any time, and we will stop the processing. Withdrawal does not affect the lawfulness of processing prior to withdrawal. For example, if you consented to marketing emails, you can withdraw consent and no longer receive them.
  • Right Not to Be Subject to Automated Decisions: you have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you. As noted, we do not make such decisions without human involvement. If we do, we will provide you the opportunity to request human review of the decision.

6.1. How to Exercise Your Rights

To exercise any of these rights, you can contact us using the details in Section 7. For some rights, we offer self-service tools:

  • You can view and correct key information in your Account settings;
  • Unsubscribe from newsletters via the link in the email;
  • Download your order information in the “Order History” section (export option available).

If you need further assistance, send us a request. We may ask you to verify your identity (e.g., log into your account or provide identifying information) to ensure we are providing or modifying data for the correct person. This is for your protection.

We will respond within 30 days. For complex or numerous requests, the period may be extended by an additional 60 days, in which case we will notify you with reasons. If we cannot comply with your request (e.g., because we must lawfully retain data or the request is manifestly unfounded or excessive), we will explain why. You always have the right to lodge a complaint with a supervisory authority if you are dissatisfied with our response.

7. Data Controller and Contact Information

7.1. Data Controller (Operator)

The data controller is INTERNATIONAL DIGITAL RETAIL S.R.L., registered in Romania, registration number 48660664, with registered address: Strada Povestei, Nr. 10, COM.12, MOD 02/01, Sector 4, București, România, 041214. This company determines the purposes and means of processing personal data on the EXPRESS.MARKET platform and is the “controller” under GDPR.

7.2. Contact Details for Data-Related Inquiries

  • Email: [email protected] — for any requests related to this Policy or your data rights.
  • Postal Address: Strada Povestei, Nr. 10, COM.12, MOD 02/01, Sector 4, București, România, 041214.

7.3. Data Protection Officer (DPO)

In accordance with GDPR requirements, we have appointed a Data Protection Officer (DPO). You can contact the DPO at [email protected] or via the same postal address marked “For DPO.” You may address any questions about data processing and your rights directly to the DPO.

7.4. Supervisory Authority

We are under the jurisdiction of the National Supervisory Authority for Personal Data Processing in Romania (ANSPDCP). If you believe your rights are violated or data is processed unlawfully, you have the right to lodge a complaint with ANSPDCP or another competent authority in your country of residence. ANSPDCP contact details: website www.dataprotection.ro, address: B-dul Magheru 28-30, Sector 1, 010336 Bucharest, Romania, email: [email protected]. However, we would appreciate if you contact us first— we will strive to resolve your issue directly.

8. Additional Information

8.1. Policy Updates

We may periodically update this Privacy Policy to reflect changes in data processing practices or legal requirements. In case of significant changes (e.g., new processing purposes, new data categories), we will notify users via the Site (banner or pop-up) and/or by email, providing the opportunity to review the new version. The “Last Updated” date is indicated at the top of the Policy. Please revisit the Policy from time to time to stay informed about how we protect your data.

8.2. Contact Us

All questions, comments, and requests regarding this Policy are welcome. We aim to make our Policy transparent and understandable, so if anything is unclear, do not hesitate to reach out to us for clarification. Your trust is our top priority.

Active chats

×
×

Welcome!

Enter the phone number provided during registration, and we will send a code to it, which you will need to enter.

Log in via SMS

OR

By clicking "Log In", "Continue with Google", or "Facebook", you agree to the Miloepo Terms of Use and Privacy Policy.

×

Phone Confirmation

We sent you a code to your phone number, please enter it below

You can resend the code in 60 sec

×

We use cookies to enhance your experience, analyze site performance, and personalize content. To continue using the site, you must agree to our Privacy Policy, allow the use of cookies, and confirm that you are at least 18 years old.