Privacy policy

Last updated: January 26, 2026

Alis Lalu (“we”, “us”, “our”, “the data controller”) operates this online store and website, including all related information, content, features, products and services made available through it (the “Services”).

The online store is hosted on the Shopify platform, which provides the technical infrastructure necessary to operate the website and process online sales.

This Privacy Policy describes how we collect, use, disclose and protect your personal data when you visit the website, place an order, create an account or otherwise interact with us.

This Policy applies to all users of the Services, regardless of their country of residence. Where local data protection laws apply, such laws will be complied with in addition to the requirements of the GDPR, where applicable.

In the event of any conflict between the Terms and Conditions and this Privacy Policy, this Privacy Policy shall prevail with regard to the processing of personal data.

This Privacy Policy is drafted in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018, as well as the practice and guidelines of the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).

This Privacy Policy is supplemented by, and should be read together with, the Cookie Policy, which forms an integral part hereof.


1. Data Controller

The data controller for the processing of personal data is:

Alis Lalu
Address: Bd. Tineretului 27, Bl. 18, Sc. A, 1st Floor, Apt. 8, Sector 4, Bucharest, Romania
Email: atelier@alislalu.ro


2. What Personal Data Means

Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, such as name, address, email address, phone number or IP address.


3. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

  • name and surname

  • billing and shipping address

  • email address and phone number

  • order, invoicing, return and warranty information

  • customer account data (if an account is created)

  • data voluntarily provided by the user (e.g. engraving or customization text)

  • technical data (IP address, browser type, device, cookies)

We do not store or process credit or debit card details.
Payments are processed securely by authorized payment service providers, such as Netopia Payments or other authorized payment processors.


4. Sources of Personal Data

Personal data is collected:

  • directly from you when placing orders or contacting us

  • automatically through the use of the website (cookies and similar technologies)

  • through service providers involved in order processing (Shopify, payment processors, courier companies)


5. Purposes and Legal Bases of Processing

We process personal data for the following purposes and legal bases, in accordance with Article 6 GDPR:

  • processing and delivering orders – performance of a contract

  • invoicing and accounting obligations – legal obligation

  • managing customer accounts – performance of a contract

  • customer support and order-related communications – legitimate interest

  • website security, fraud prevention and technical functionality – legitimate interest

  • newsletters and promotional communications – consent

  • use of non-essential cookies and similar technologies – consent

Further details regarding cookies are available in the Cookie Policy.
Cookie preferences can be managed at any time via the cookie banner or browser settings.


6. Recipients of Personal Data

Personal data may be disclosed, strictly for the purposes listed above, to the following categories of recipients:

  • Shopify Inc., acting as a data processor (e-commerce platform and hosting provider)

  • Netopia Payments and other authorized payment service providers, acting as independent data controllers for payment processing

  • courier and delivery companies

  • IT, hosting, analytics or marketing service providers

  • public authorities, where disclosure is required by law

We do not sell, rent or share personal data with third parties for cross-platform behavioral advertising purposes.


7. International Data Transfers

The use of Shopify and certain service providers may involve transfers of personal data outside the European Economic Area.

Such transfers are carried out in compliance with the GDPR, based on Standard Contractual Clauses approved by the European Commission or other appropriate safeguards.


8. Data Retention Periods

Personal data is retained as follows:

  • order and invoicing data: in accordance with applicable tax and accounting legislation

  • marketing data: until consent is withdrawn

  • customer account data: until the account is deleted at the user’s request

  • technical and security data: for as long as necessary to ensure website functionality and security


9. Your Rights

In accordance with the GDPR, you have the following rights:

  • the right of access

  • the right to rectification

  • the right to erasure (“right to be forgotten”)

  • the right to restriction of processing

  • the right to data portability

  • the right to object to processing based on legitimate interest

  • the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal

  • the right to lodge a complaint with the ANSPDCP

Supervisory authority: www.dataprotection.ro


10. Children’s Data

The Services are not intended for persons under the age of 18.
We do not knowingly collect personal data from minors.


11. Data Security

We implement appropriate technical and organizational measures to protect personal data.
However, no method of transmission over the Internet or electronic storage is completely secure.


12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time.
Any changes will be published on the website together with an updated “Last updated” date.