Privacy policy

Thank you for your interest in our company, website, services and/or products.

When you want to establish a relationship with us and use the services of our company (hereinafter referred to as Cheeky Hamster Crafts SRL), you entrust us with information about you, also called personal data, and we thank you for your trust. The protection and confidentiality of personal data is a very important subject for us, and we strive to store it safely and process it carefully, and in this regard, we explain to you in a clear and transparent way what our practices regarding the confidentiality of your data are.

This information is presented in this document (hereinafter referred to as the "Privacy Policy", "This document" or "The Document") and please read them together with the Terms and Conditions section.

Our Privacy Policy wishes to inform you about the processing of your personal data in connection with your visit to our website www.happycandles.ro (hereinafter referred to as the "site") and your use of any additional platforms and services offered by Cheeky Hamster Crafts SRL.

By visiting the site, purchasing our products and/or services, or interacting with us by any means, you declare that you have taken note of the Privacy Policy. If you do not agree with what is described in this Document, please do not use our services.

We inform you that Cheeky Hamster Crafts SRL is a personal data controller within the meaning of the GDPR for the processing of personal data.

  1. Definitions

    Personal data - means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

    Processing - means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    GDPR (General Data Protection Regulation) or Regulation – means REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF THE EUROPEAN UNION No. 2016/679 of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

    Operator or Company or We – means Cheeky Hamster Crafts SRL, a Romanian company with registered office at 26 Lastarisului Street, Ground Floor, Apartment. 1, District 1, Bucharest, registered in the Trade Register under order no. J20/2501/5646005, with fiscal registration code 51397291.

    Data subject – represents any identified or identifiable natural person whose data is processed by us as a controller, such as customers, potential customers or visitors to the website.

    Consent – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear statement, signifies agreement to the processing of personal data concerning him or her.

    Anonymization – means the irreversible removal of the identification of personal data, so that the person cannot be identified using a reasonable period, cost and technology, either by the Operator or by any other person, to identify that natural person. The principles of personal data processing do not apply to anonymized data, as they are no longer personal data.

     

  2. Who are we?

    Below you will find our identification data:

    Name

    CHEEKY HAMSTER CRAFTS SRL

    Address

    26 Lastarisului Street, Ground Floor, Apartment 1, District 1, Postal code 012825, Bucharest, Romania

    Trade Register Number

    J20/2501/5646005

    Tax registration code

    51397291

    E-mail

    contact@happycandles.ro

    Phone

    +40.774.040.590

    In accordance with the legislation in force, our company is a personal data controller, and for your data to be processed securely, we make every effort to implement reasonable and appropriate technical and organizational measures to protect your personal data.

     

  3. Who are you?

    According to the legislation, You, the individual person beneficiary of our services/products, the representative or contact person of a company that is our client or potential client, the visitor of the site or the person in any kind of relationship with us, are a "data subject", i.e. an identified or identifiable natural person. To be completely transparent about data processing and to allow you to easily exercise your rights at any time, we have implemented measures to facilitate the exercise of your rights related to the processing of personal data.

     

  4. Applicability of the Policy

    This Privacy Policy is applicable to the use of the website and communication platforms managed or administered by us (e.g., the official Facebook page).

    This Privacy Policy does not cover other third-party applications and websites that you may reach by following links from our website, and we encourage you to review the Privacy Policy on any other website and/or application before providing any personal data.

     

  5. Complaints

    For any problem or uncertainty regarding the processing of personal data, you should know that you can file a complaint with the personal data supervisory authority, but please first send us a request to the address mentioned in this document, and we will make every effort to resolve your request as soon as possible, amicably.

    For Romania, the contact details are as follows:

    Name

    National Supervisory Authority for Personal Data Processing

    Address

    28-30 General Gheorghe Magheru Blvd., District 1, Postal code 010336, Bucharest, Romania

    Phone

    +40.318.059.211 or +40.318.059.212

    E-mail

    anspdcp@dataprotection.ro

     

  6. Purpose of the Privacy policy

    We process the personal data of Data Subjects in accordance with the applicable legal provisions regarding the protection of personal data, including those contained in the GDPR.

    This Privacy Policy aims to inform Data Subjects about the processing of their personal data by us, including the categories of personal data processed, the purposes of the processing and the rights of Data Subjects.

    We reserve the right to modify this Privacy Policy to reflect legislative changes and the evolution of our personal data processing operations. Any substantial modification to this Privacy Policy will be communicated to Data Subjects by e-mail or by any other means of communication that ensures the receipt of information by Data Subjects.

     

  7. Processing of personal data

    When you browse our website and use our services/products or when you contact us for any purpose and using any communication channel, we will process your personal data to provide the services, improve the services and browsing experience, provide assistance and support, prevent violations of legal norms or to present products, services and information that may be of interest to you.

    1. Purposes, categories of personal data and grounds for processing related to the use of the site and ordering products and services through the site

      The Operator processes the personal data of the Data Subjects for contractual, statistical, marketing and security purposes, as well as to improve the experience of the Data Subjects.

      The purposes, categories and grounds for processing the personal data of Data Subjects are detailed in the table below:

      Purpose of processing

      Personal data category

      Grounds for processing

      Creating a customer account.

      Name, surname, email address, password.

      Contract execution.

      Receiving, processing and delivering ordered products and services.

      Name, surname, billing address, delivery address, email address, telephone number, products and services ordered.

      Contract execution.

      Improving the experience of using the website by Data Subjects.

      Order history.

      The Operator's legitimate interests relate to improving user experience and facilitating sales.

      Allowing the operation of optional technical elements of the site.

      The location.

      Consent.

       

      The Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out based on consent before its withdrawal.

      Making payments for products and services.

      Last name, first name, order ID, transaction ID, payment made/not made.

       

      Information regarding the card used by users to make payments is not collected, accessed or processed in any other way by the Operator. This information is processed exclusively by the Operator's partners who are authorized entities to carry out transactions.

      Contract execution.

      Refund of amounts paid in the event of returning products or cancelling the order for services.

      Last name, first name, order ID, transaction ID, IBAN account, bank where the account is opened.

      Contract execution.

      Ensuring the proper functioning, maintaining security and continuous improvement of the website.

      IP address, time and date of accessing the website, duration of visit, protocol (HTTP or HTTPS), type and version of the internet browser.

       

      This data is collected through cookies. More details on the use of cookies can be found in the Cookie Policy.

      The Operator's legitimate interests relating to ensuring optimal functioning of the website, preventing abusive use and improving the browsing experience.

      Analyzing website browsing behavior, trends and understanding how the website is used in order to generate statistics, provide personalized offers and suggestions.

      This data is collected through cookies. More details on the use of cookies can be found in the Cookie Policy.

      Consent.

       

      The Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out based on consent before its withdrawal.

      Providing assistance and support regarding products, services and use of the website via the "Contact" form.

      Name, email address, phone number, order ID, personal data contained in the message sent.

      The legitimate interests of the Operator relate to maintaining the relationship with the Data Subjects and resolving requests or complaints.

      Providing assistance and support regarding products, services and website use via telephone.

      Name, phone number, voice, order ID, personal data contained in the message sent.

      Consent.

       

      The Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out based on consent before its withdrawal.

      Processing the newsletter subscription request and sending commercial (marketing) communications.

      Name, email address.

      Consent.

       

      The Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out based on consent before its withdrawal.

      Management and publication on the website of reviews written by Data Subjects.

      First and last name, email address, length of use of the product, ratings given for products or services, and content of the review.

      The Operator's legitimate interests relating to promoting the quality of its services and facilitating sales.

      Establishing, claiming or defending rights before public authorities or courts.

      Name, address, e-mail address, IP address, time and date of accessing the website, duration of the visit, protocol (HTTP or HTTPS), type and version of the internet browser, categories of personal data relating to the placement, payment and delivery of orders, and categories of personal data relating to correspondence between the Data Subject and the Operator.

      The legitimate interests of the Operator relating to the establishment, assertion or defense of its rights.

      Ensuring the recording of the fact that the Data Subject has been informed about the purposes and limits of use of the services, the Terms and Conditions, the performance of the services and the related risks, as well as recording the Data Subject's choice regarding the use of cookies, receipt of marketing communications and other types of consent expressed or refused.

      The Data Subject's acceptance or refusal, IP address, time and date of accessing the website, duration of the visit, protocol (HTTP or HTTPS), type and version of the internet browser.

      The legitimate interests of the Operator relating to the establishment, assertion or defense of its rights.

      Fulfillment of the Operator's legal obligations, including those imposed by financial and accounting legislation, consumer protection legislation and GDPR.

      Legal obligation.

      Also, personal data may be collected and processed by our company if the order is submitted by means other than through the website (for example, by phone, WhatsApp, social networks), to fulfill the order. In these situations, we will process the personal data provided by the Data Subjects in the messages sent through these communication channels, the identification data of the Data Subject's account related to the respective communication channel, as well as the name, surname, billing address, delivery address, e-mail address, telephone number, products and services ordered. This data will be processed exclusively for the purpose of executing the contract and will not be used for purposes other than those described in this document.

       

    2. Data processing on social networks

      This Privacy Policy is applicable to the processing of personal data by the Operator through the Operator's official Facebook, Instagram pages, as well as other official pages managed by the Operator.

      The controller is the administrator of the official Happy Candles pages and communities ("Happy Candles pages") and the controller of your personal data processed through these pages. At the same time, Facebook is the controller of your personal data, for example, in relation to the transfer of data to other countries.

      In some situations, the Operator and Facebook/Instagram share obligations with respect to your data and are joint controllers (e.g. statistical data made available to the Operator by Facebook/Instagram, collected following your interaction with the Happy Candles pages). For these situations, you can contact us to learn more details about the way in which we and Facebook/Instagram process your personal data.

       

    3. What personal data do we process?
      1. When you visit the Happy Candles pages, we may process the following data:
        • if you like/share or leave a comment on our posts, we have access to your public profile (name, surname, photos and other public profile details), as well as the content of the comment.
        • If you send us a private message, we have access to your public profile, as well as the content of the message sent. For example, we may request your private phone number or email address to manage your request or to validate the winners of some contests.
        • if you are a person who receives a tag from a friend in the post of a contest/raffle organized on one of the Happy Candles pages, we will have access to your first and last name and your public profile.
      2. Content sharing. As a rule, Stories published on the Instagram page are automatically transferred to the official Facebook page.

      At the same time, we may share content from partner pages (e.g. influencer or entity pages) or followers' pages on our pages. For example, we may share a Story in which we are tagged by an influencer or follower, we may share a post by an influencer or partner that you have commented on, been tagged in, or in which your image/voice appears, or we may repost/share a post of yours in which your image/voice and your public profile appear.

      1. When Facebook/Instagram users interact with Happy Candles pages, Facebook provides us with general statistics regarding user actions. For example, no. of page views, no. of clicks on a post, and no. of interactions with the page content (like, share, comment, etc.). These statistics are anonymized, and Happy Candles cannot identify you based on them.
      2. When we personalize advertising campaigns on Facebook/Instagram, we set interest categories that may include you. Facebook uses predefined categories of people and shows our ad to people who belong to the category we indicate.

      We process your data for the purpose of promoting the Happy Candles brand, products, services or certain public events or charitable actions in which Happy Candles is an organizer or partner, to respond to public or private messages, to analyze statistics regarding the audience of our pages and to personalize the audience of posts or advertising campaigns.

      We note that providing data is not mandatory, but Facebook or other social media providers operate in a uniform manner for all pages and all users, so if you interact with our pages, we will automatically have access to certain data about you, as shown above.

       

    4. Processing of third-party data

      If the delivery of products or services to a third party other than the visitor or registered user is requested, the latter undertakes to inform the third party of this Privacy Policy and to obtain the third party's consent to provide his/her personal data to the Operator. The user acknowledges that he/she will be fully responsible for informing and obtaining the full consent of the person he/she designates as the recipient.

     

  8. Managing marketing communications

    Regarding our marketing communications, we attach great importance to the messages we send you. Our marketing communications may contain information about the Operator's products, services, offers, discounts and events, collect feedback or request opinions and reviews about the Operator's products and services.

    We will only send you such marketing communications if you have consented to receive marketing communications. You have the option to withdraw your consent at any time.

     

  9. Storage period of personal data

    The site user's data will be stored and processed by the Operator until the legitimate purposes presented in the above sections of the Policy are fulfilled.

    Thus, the data of the user registered on the site will be stored and processed by the Operator until he requests the deletion of his account or, for any processing of his data based on his consent, until he declares the withdrawal of consent for the purpose of providing the Company's services. If the purposes for which the respective categories of personal data were processed are fulfilled earlier than the moments mentioned above, the Operator will cease processing the respective categories of data upon fulfillment of the processing purposes.

    However, personal data relating to transactions with the Operator, as well as the member's information, consent and withdrawal of consent regarding the processing of his/her data will be processed for a period of 3 years from the termination of the contractual relationship between the parties, in order to provide proof of the legality of the processing of his/her data by the Operator and to protect the legal rights of the parties.

    We inform you that we do not collect any Special Categories of Personal Data about you (this includes data about racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for your unique identification, data concerning health or data concerning your sex life or sexual orientation or information about criminal convictions and offences.

     

  10. What happens if you don't provide us with your data?

    The Operator processes only those personal data that are necessary for the fulfillment of the legitimate purposes presented above. Thus, the Data Subjects are requested to provide the personal data necessary for the optimal development of the relations between them and the Operator.

    In the event of refusal to provide the personal data mentioned above, the Operator will not be able to provide the services or ensure an appropriate quality of services.

    The above does not apply to personal data processed by the Operator based on the consent of the Data Subjects. Consent can be freely expressed by the Data Subjects, and the refusal/withdrawal of consent will not generate any negative consequences for the Data Subjects.

     

  11. Disclosure of personal data and data transfers

    We inform you that we may disclose your data, in compliance with applicable law, to business partners or other third parties. We constantly make reasonable efforts to ensure that these third parties have implemented appropriate protection and security measures. We have contractual clauses with these third parties so that your data is protected. In these situations, we will ensure that any transfer is legitimate according to the law.

    These third-party partners include:

    • the technical service providers with whom the Operator collaborates and with whom the Operator has concluded contracts, including:
      • providers of website creation, development and provision of websites and web domains
      • cloud storage service providers
      • maintenance and technical assistance service providers
      • electronic communications service providers
      • other categories of technology service providers
    • logistics and billing integration platforms, which take orders and facilitate the choice of delivery services or the issuance of fiscal documents.
    • payment service providers.
    • public authorities and courts.
    • legal aid service providers.
    • partner entities that provide marketing services.

    The transmission of data to these partners is done strictly for the purposes of executing orders and other purposes expressly mentioned in this Policy, based on the contracts concluded with them, in compliance with the requirements of the GDPR.

    We may also transmit the data to other parties with your consent or according to your instructions, for example, if you exercise a portability request or to authorized state bodies, based on and within the limits of legal provisions and because of expressly formulated requests.

    The transfer of personal data to a third country may only take place if the country to which the transfer is intended ensures an adequate level of protection.

    The transfer of data to a country whose legislation does not provide a level of protection at least equal to that offered by the General Data Protection Regulation is only possible if there are sufficient guarantees regarding the protection of the fundamental rights of the Data Subjects. These guarantees will be established by us through contracts concluded with the suppliers/service providers to which your personal data will be transferred.

    Whenever we transfer your personal data outside the European Economic Area, we will ensure that a similar level of protection is in place through one of the following safeguards:

    • We will transfer your personal data to countries where it has been demonstrated by the European Commission that they provide an adequate level of security for personal data.
    • When we use certain service providers, we will be able to use certain contract models provided and approved by the European Commission that provide personal data with the same protection as they have in Europe.

    To obtain details regarding the transfer of personal data, including obtaining a copy of the transfer safeguards applied by the Operator, Data Subjects may contact the Operator via the contact details provided in this Policy.

     

  12. The existence of an automated decision-making process

    The Operator does not adopt decisions exclusively based on automated processes, decisions that would produce significant negative legal effects or that would similarly significantly affect the Data Subjects.

     

  13. Data security

    We understand how important the security of personal data is, and we take the necessary measures to protect our customers and other people whose data we process, from unauthorized access to personal data, as well as from unauthorized modification, disclosure or destruction of the data we process during our daily activities.

    We have implemented the following technical and organizational measures for the security of personal data:

    Dedicated policies

    We adopt and constantly review internal personal data processing practices and policies (including physical and electronic security measures) to protect our systems from possible unauthorized access or other possible threats to their security. These policies are subject to constant checks to ensure that we comply with legal requirements and that the systems are functioning adequately.

    Data minimization

    We ensure that your personal data that we process is limited to what is necessary, adequate and relevant for the purposes stated in this Policy.

    Restricting access to data

    We try to restrict access to the personal data we process to the minimum necessary: employees, collaborators and other persons who need to access this data to process it and perform a service. Our partners and collaborators are subject to strict confidentiality obligations (either by contract or by law).

    Specific technical measures

    We use technologies that ensure the security of our customers, always trying to implement the most optimal solutions for data protection. We also make periodic data back-ups to be able to recover them in the event of a possible incident and we have implemented periodic audit procedures regarding the security of the equipment used. However, no website, no application and no internet connection is completely secure and untouchable.

    Ensuring the accuracy of your data

    Sometimes we may ask you to confirm the accuracy or timeliness of your data to ensure that it reflects reality.

    Staff training

    We constantly train and test our employees and collaborators on legislation and best practices in the field of personal data processing.

    Data anonymization

    Where we can, we try as much as possible to anonymize/pseudo-anonymize the personal data we process, so that we can no longer identify the people to whom they refer.

    However, although we make constant efforts to ensure the security of the data you entrust to us, we may also experience less fortunate events and have security incidents/breaches. In these cases, we will strictly follow the security incident reporting and notification procedure and will take all necessary measures to return the situation to normal as soon as possible.

     

  14. Your rights - questions, requests and exercising rights

    For any other information regarding his/her data, as well as their processing and protection, each person concerned may contact the data protection officer of Cheeky Hamster Crafts SRL (data protection officer) at the e-mail address contact@happycandles.ro and at the telephone number +40.774.040.590.

    Your rights under the GDPR Regulation are as follows:

    The right to be informed about the processing of your data.

    Right of access to data

    You have the right to obtain confirmation from us as to whether personal data concerning you are being processed and, if so, access to the data and information provided for in Article 15(1) of the GDPR.

    The right to rectify inaccurate or incomplete data

    You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you.

    Right to erasure ("right to be forgotten")

    In the situations provided for in Article 17 of the GDPR, you have the right to request and obtain the deletion of personal data.

    Right to restriction of processing

    In the cases provided for in Article 18 of the GDPR, you have the right to request and obtain restriction of processing.

    The right to transmit the data we have about you to another controller ("right to portability").

    You have the right to receive the data in a structured format and to transmit it to another controller.

    The right to object to data processing

    In the cases provided for in Article 21 of the GDPR, you have the right to object to the processing of your data.

    The right not to be subject to a decision based solely on automated processing, including profiling which has legal effects or similar significant effects on you.

    The right to seek justice to defend your rights and interests.

    Please note that the rights listed above are not absolute. There are exceptions, therefore each request received will be analyzed to decide whether it is well-founded or not. To the extent that the request is well-founded, we will facilitate the exercise of your rights, and if the request is unfounded, we will reject it, but we will inform you of the reasons for the refusal and of your rights to file a complaint with the Supervisory Authority and seek legal action.

    We will also try to respond to your request within 30 (thirty) days. However, this period may be extended depending on various aspects, such as the complexity of the request, the large number of requests received or the impossibility of identifying you within a reasonable time. If, despite our best efforts, we are unable to identify you and you do not provide us with additional information to enable us to identify you, we are not obliged to comply with the request.

     

  15. Privacy Policy Updates

    We may occasionally update the Privacy Policy and will notify you via the Site or by email of the most recent version. All updates and changes to this document are effective immediately upon notification, which we will make by posting on the Site and/or by email. Even if you do not receive a notification, we encourage you to access and read the Privacy Policy periodically to stay up to date with the latest versions.

    Privacy Policy updated on 15.02.2026 (fifteenth February 2026).