Privacy Policy

Last updated: 15 May 2026

This Privacy Policy explains how Handmade Pasta SRL (“Verdella”, “we”, “us”, “our”) collects, uses, and protects your personal data when you visit verdella.food or purchase our products.

1. Who we are (Data Controller)

  • Handmade Pasta SRL
  • Registered office: Str. Pășunii nr. 1B/31, Baia Mare, Maramureș, Romania
  • Companies Registry: J24/607/2017
  • Tax ID (CIF): RO37447050
  • Business: office@verdella.food
  • Customer support & data requests: team@verdella.food

We have not appointed a dedicated Data Protection Officer, as we are not required to under Article 37 GDPR. For all data-related matters, contact us at team@verdella.food.

2. What personal data we collect

Information you provide

  • Identification: name, email, shipping address, billing address, phone (optional).
  • Payment data: processed by Shopify Payments. We do not store full card numbers — we receive only last 4 digits and transaction status.
  • Account data: if you create an account: login email, encrypted password, order history.
  • Communications: messages sent to us via email, chat, or contact forms.
  • Marketing consent: when you subscribe to our newsletter.

Information collected automatically

  • Technical: IP address, browser, device, OS, referring URL.
  • Behavioural: pages visited, time on site, clicks, scroll depth — via Google Analytics, Meta Pixel, TikTok Pixel (only with your consent).
  • Cookies and similar technologies: see our Cookies Policy.

3. Why we process your data (legal bases under GDPR Art. 6)

  • Processing orders, payment, delivery: performance of a contract (Art. 6(1)(b)).
  • Customer support: performance of contract / legitimate interest (Art. 6(1)(b)/(f)).
  • Issuing invoices and accounting: legal obligation (Art. 6(1)(c)) — Romanian Accounting Law.
  • Marketing emails (newsletter): consent (Art. 6(1)(a)).
  • Analytics and advertising pixels: consent (Art. 6(1)(a)).
  • Fraud prevention and security: legitimate interest (Art. 6(1)(f)).
  • Legal requests, disputes: legal obligation / legitimate interest.

4. Who we share your data with

We share personal data only with the following categories of processors, each bound by GDPR-compliant Data Processing Agreements:

  • Shopify Inc. (Canada/Ireland) — e-commerce platform and Shopify Payments.
  • Klaviyo Inc. (USA) — email marketing automation.
  • Google LLC (USA) — Google Analytics 4 (only with cookie consent).
  • Meta Platforms Ireland Ltd. — Meta Pixel for Facebook/Instagram (only with cookie consent).
  • TikTok Pte. Ltd. (Singapore/Ireland) — TikTok Pixel for advertising (only with cookie consent).
  • Judge.me (Hong Kong) — review collection platform.
  • Shipping carriers — DPD, GLS, PostNL, DHL or equivalent — for delivery only.
  • Romanian tax authorities (ANAF) — for invoice and accounting compliance, where legally required.

5. International data transfers

Some processors are based outside the European Economic Area (EEA), including the United States and Hong Kong. We rely on the following safeguards under GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914/EU).
  • EU-US Data Privacy Framework certification, where applicable.
  • For shipments to Switzerland, transfers operate under Swiss-EU adequacy (FDPIC).

6. How long we keep your data

  • Order & invoice records: 10 years (Romanian Accounting Law obligation).
  • Account data: until you delete your account, plus 30 days for backup retention.
  • Newsletter subscriptions: until you unsubscribe (you can opt out anytime via the email link).
  • Analytics data: 14 months (Google Analytics 4 default).
  • Support communications: 3 years from last contact.
  • Cookies: see Cookies Policy for individual lifespans.

7. Your rights under GDPR

You have the following rights regarding your personal data:

  • Access — receive a copy of the data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure (“right to be forgotten”) — request deletion (Art. 17), subject to legal retention obligations.
  • Restriction — limit how we process your data (Art. 18).
  • Portability — receive your data in a structured, machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interest (Art. 21).
  • Withdraw consent — at any time, for any consent-based processing (Art. 7(3)).
  • Lodge a complaint with the Romanian Data Protection Authority (ANSPDCP).

To exercise any of these rights, email team@verdella.food. We respond within 30 days as required by Article 12 GDPR. See our GDPR Notice for full procedures.

8. Children

Our services are not directed at children under 16. We do not knowingly collect personal data from minors. If you are a parent who discovers we have collected data from your child, contact us at team@verdella.food and we will delete it.

9. Security

We implement appropriate technical and organisational measures including HTTPS/TLS encryption, secure payment processing via PCI-DSS certified Shopify Payments, encrypted password storage, and limited access controls. No system is 100% secure — if you suspect a breach, contact us immediately at team@verdella.food.

10. Updates to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date reflects the most recent revision. Material changes will be communicated via email to active customers and posted on this page.

11. Complaints to supervisory authority

If you are not satisfied with how we handle your data, you may lodge a complaint with the competent supervisory authority:

  • Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
  • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
  • Email: anspdcp@dataprotection.ro
  • Website: www.dataprotection.ro

You may also contact the supervisory authority of your country of residence.

12. Contact

For any privacy-related questions or requests: team@verdella.food