Privacy and personal data processing policy applicable in the process of accessing and using the "Sameday" mobile app

We consider ensuring the right to the personal data protection as a paramount commitment of Sameday, therefore we will dedicate all the necessary resources and efforts to process your data in full compliance with Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR“), as well as with any other applicable legislation. Since one of the essential principles of this legal framework is transparency, we have prepared this document whereby we would like to inform you on how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and services, including via our website.

We reserve the right to update and modify this Privacy Policy from time to time, to reflect any changes in the way we process your personal data or any changes in the legal requirements. In case of any such changes, we will display the modified version of the Privacy Policy on our website, therefore, we kindly ask you to check the content of this Privacy Policy, from time to time.

Who are we and how can you get in touch with us?

“Sameday” is the trade name of the company DELIVERY SOLUTIONS SA, a Romanian legal entity, with registered address in Bucharest, Str. Gara Herastrau no. 6, Globalworth Building, floors 6 and 7, District 2, Romania, registered with the Trade Register under no. J40/7031/2008, with VAT code RO23743772S (hereinafter referred to as “Sameday” or “us/we“).

Within the meaning of data protection legislation, we are the controller when we process personal data collected directly from you, and the processor when we process personal data collected by the controller.

Since we are always open to your opinions, as well as to provide you with any additional information you may need regarding the processing of your data, we encourage you to contact the Sameday Data Protection Officer at the e-mail address [email protected] or by post or courier to the address in Bucharest, Str. Gara Herastrau no. 6, Globalworth Building, floors 6 and 7, District 2, Romania, specifying: “To the attention of the Sameday Data Protection Officer”.

What categories of personal data do we process?

We generally collect your personal data directly from you, so you have control over the type of information you provide us. For example, we receive information from you as follows:

When you create a Sameday account, you send us your e-mail address, first and last name, phone number.
When you place an order, you provide us with your personal data, such as first and last name, pickup address, phone number, etc.
When you are the recipient of a postal item/dispatch, we process the data collected by the sender or the data provided by you, such as: first and last name, delivery address, phone number, e-mail address, signature, necessary to ensure that the deliveries reach you and not to others, but also to protect our legitimate interests in the event of misunderstandings regarding the correctness of the delivery.
In the Sameday application, as the recipient, we process the e-mail address, first and last name, phone number, as well as options regarding addresses, redirections and delivery preferences (e.g. favourite locker/EasyBox).
On our website (sameday.ro), as well as in the mobile app, we can store and collect information in cookies and similar technologies, according to the Cookie Policy.
We do not collect or otherwise process sensitive data, included by the General Data Protection Regulation in special categories of personal data.
We do not collect or process data of minors under the age of 16.
Any persons who provide us with personal data directly or through the sender collecting them, declare on sole responsibility that they are at least 16 years old and can validly consent with the collection and processing of own data.
Any persons providing us with personal data are responsible for the correctness of the data provided, as well as for informing the data subjects on this privacy policy.

What are the purposes and grounds of personal data processing?

We will use your personal data for the following purposes:

To provide the services offered by Sameday for your benefit. This general purpose may include, as the case may be, the following:

Account creation and administration within the Sameday platform
Processing of orders, namely their collection, validation, transport, delivery and invoicing, as the case may be
Collection of refunds in the case of cash on delivery services.

The processing of your data for these purposes is in most cases necessary for the conclusion and execution of a contract for the provision of postal and courier services, as well as road haulage services. Also, certain processing under these purposes are required by the applicable legislation, including the tax and accounting legislation in Romania.

To improve the services offered by Sameday

We permanently strive to offer you the best experience for service purchasing via an online platform. For this, we can invite you to fill in satisfaction surveys following the completion of an order or we can carry out, directly or with the help of partners, market studies and research. We base these activities on our legitimate interest to carry out business, always making sure that your fundamental rights and freedoms are not affected.

For communications

In order to keep you informed on the status of your deliveries, we can send you, through electronic communication channels (e-mail/SMS) details regarding the delivery of a postal item/dispatch or access codes for deliveries in the lockers/EasyBox. We always make sure that this processing is carried out observing your rights and freedoms.

You can ask us at any time, via the means described herein, to cease the processing of your personal data for informational purposes, and we will comply with your request as soon as possible. Withdrawing your consent will lead to the impossibility of informing you on the status of the services provided.

To defend our legitimate interests

There may be cases when we will use or send information to protect our rights and business. These may include:

Measures to protect the website and users of the Sameday platform against cyberattacks.
Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities.
Measures to handle other risks.

The general basis of these types of processing is our legitimate interest to defend our business, it being understood that we ensure that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

Also, in certain cases we base our processing on legal provisions, such as the obligation to ensure the protection of goods and valuables provided by the applicable legislation in this matter, the obligation to notify security breaches or the like.

How long do we keep your personal data?

As a general rule, we will store your personal data as long as you have an account on the Sameday platform. You can ask us to delete certain information or close your account at any time, and we will comply with these requests, subject to retaining certain information also after the account is closed, in situations where the applicable legislation or our legitimate interests so require.

If you do not have an account in the Sameday platform, the general rule is to keep the information related to the orders made for a period of 4 (four) years from the moment the order was completed (“Retention Period“).

Similar to the previous case, it is possible to keep certain data even after the expiry of this period, in accordance with the applicable legislation or with our legitimate interests, mainly in order to exercise the right of defence in the event of a dispute concerning the services provided. For this purpose, the data will be kept separate from the data of other customers, being stored as backup, encrypted and/or pseudonymized and will only be accessed in the event of a dispute. Immediately after the expiry of the retention period, Sameday will delete your personal data and any copies thereof from its systems.

Who do we send your personal data to?

As the case may be, we may send or provide access to certain personal data of yours to the following categories of recipients:

companies within the same group of companies of which Sameday is a part.
Sameday partners and subcontractors.
payment/banking service providers.
marketing/telemarketing service providers.
market research service providers.
IT service providers.
legal service providers.
other companies we can develop shared programs with, for offering our goods and services on the market.

If we have a legal obligation or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to public authorities.

We ensure that access to your data by private legal entities is carried out in accordance with the legal provisions on data protection and information privacy, based on contracts concluded with them.

To which countries do we transfer your personal data?

Currently, we store and process your personal data on the territory of Romania.

However, from time to time, it is possible to transfer certain personal data of yours to entities located outside Romania. These entities can be located in the European Union or outside the Union, including in countries not recognized by the European Commission as having an adequate level of personal data protection.

We will always take action to ensure that any international transfer of personal data is carefully managed so as to protect your rights and interests.

Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, by other guarantees, such as standard contractual clauses issued by the European Commission or certification schemes, such as the EU-US Privacy Shield framework for the protection of personal data transferred from within the EU to the United States of America.

You can contact us at any time, using the contact details set out above, to find out more information about the countries to which we transfer your data, as well as the guarantees we have put in place regarding these transfers.

How do we protect the security of your personal data?

We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures, according to industry standards.

We keep your personal data on secure servers, using state-of-the-art encryption algorithms and ensuring storage redundancy.

We can also use the services of the PayU payment processor to make payments. Any payment information is encrypted, using SSL technology.

Despite the measures taken to protect your personal data, we draw your attention to the fact that sending information over the Internet, in general, or via other public networks, is not completely secure, as there is a risk for the data to be seen and used by unauthorized third parties. We may not be held accountable for such vulnerabilities of systems that are not under our control.

What rights do you have?

The general data protection regulation will recognize a number of rights in relation to your personal data. You can request access to your data, the correction of any errors in our files and/or you can object to the processing of your personal data. You can also exercise your right to complain to the competent supervisory authority or to go to court. As the case may be, you can also benefit from the right to request the deletion of your personal data, the right to restrict the processing of your data and the right to data portability.

More information on each of these rights can be obtained by consulting the table presented below.

To be able to exercise your rights, you can contact us using the contact details set out above. Please take note of the following aspects if you wish to exercise these rights:

We take seriously the privacy of all records containing personal data. For this reason, please send us your requests concerning such records using the e-mail address associated with the Sameday account. Otherwise, we reserve the right to verify your identity by requesting additional information aimed at confirming your identity.
We will not request a fee to exercise any right regarding your personal data, unless your request to access the information is unfounded, repetitive or excessive, in which case we will charge a reasonable fee. We will inform you about any fees applied before settling your request.
Response time.We aim to respond to any valid requests within a maximum of 1 (one) month, except when this is particularly complicated or if you have made several requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We might ask you if you can tell us exactly what you want to receive or what exactly concerns you. This will help us act faster and shorten the time to respond to your request.
Third party rights.We will not comply with a request if it would negatively affect the rights and freedoms of other data subjects.

By using the “Redirect to a neighbour” option, the Recipient, as the data subject, is responsible for the personal data entered and ensures that they have informed the person to whom the delivery is to be made on the processing of their personal data.

Targeted rights	Description
Access	You can request us: to confirm if we are processing your personal data. to provide you with a copy of this data. to provide you with other information about your personal data, such as the data we have, what we use them for, to whom we disclose them, if we transfer them abroad and how we protect them, how long we keep them, what rights you have, how you can complain, from where we obtained your data, to the extent that the information has not already been provided to you through this information.
Correction	You can ask us to rectify or supplement your inaccurate or incomplete personal data. It is possible to try to verify the accuracy of the data before rectifying them.
Data deletion	You can ask us to delete your personal data, but only if: they are no longer necessary for the purposes for which they were collected, or you have withdrawn your consent (if data processing is based on consent), or exercise a legal right to object, or they were illegally processed, or we have a legal obligation in this regard. We may not comply with your request to delete your personal data if the processing of your personal data is necessary: to comply with a legal obligation, or to establish, exercise or defend a right in court. There are certain other circumstances when we do not have to comply with your request to delete your data, although these two are the most likely circumstances when we may refuse your request Please remember, before exercising this right, to download from your Sameday account and to save all the documents related to the orders made from Sameday, regardless of whether the billing was done to you or to another natural or legal person (such as such as: invoices, warranty certificates). If you do not proceed to this before exercising your right to deletion, you will lose all these documents, and Sameday will be unable to make them available to you because the process of deleting the data, respectively the Sameday account with all the related data and documents, is irreversible.
Restriction of data processing	You can ask us to restrict the processing of personal data, but only if: their accuracy is challenged (see rectification section), to allow us to verify their accuracy, or the processing is illegal, but you do not want the data to be deleted, or they are no longer necessary for the purposes for which they were collected, but you need them to establish, exercise or defend a right in court, or you have exercised your right to object, and the verification of whether our rights prevail is ongoing. We may continue to use your personal data following a restriction request, if: we have your consent, or to establish, exercise or defend a right in court, or to protect the rights of another natural or legal person.
Data portability	You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or you can request that them to be “ported” directly to another data operator, however in each case only if: the processing is based on your consent or the conclusion or execution of a contract with you and the processing is done by automatic means.
Opposition	You can oppose at any time, for reasons related to your particular situation, to the processing of your personal data based on our legitimate interest, if you consider that your fundamental rights and freedoms prevail over this interest. Also, you can oppose at any time to the processing of your data for direct marketing purposes (including profiling), without relying on any reason, in which case we will stop this processing as soon as possible.
Automated decision-making	You can request not to be subject to a decision based exclusively on automated processing, but only when that decision: has legal effects on you, or it affects you in another similar way and to a significant extent. This right does not apply if the decision reached following automated decision-making: is necessary for us to conclude or perform a contract with you. is authorized by law and there are adequate guarantees for your rights and freedoms or is based on your explicit consent.
Complaints	You have the right to file a complaint with the supervisory authority regarding the processing of your personal data. In Romania, the contact details of the supervisory authority for data protection are as follows: The National Supervisory Authority for the Processing of Personal Data Blvd. G-ral Gheorghe Magheru no. 28-30, District 1, postal code 010336, Bucharest, Romania, phone +40.318.059.211 or +40.318.059.212 email: [email protected]. Without affecting your right to contact the supervisory authority at any time, please contact us first, and we promise that we will make every effort to solve any problem amicably.

We remind you that you can contact the Sameday Data Protection Officer at any time by sending your request through any of the following methods:
by e-mail at: [email protected]
by mail or courier at the address of the company Delivery Solutions SA: Bucharest, Str. Gara Herastrau no. 6, Globalworth Building, floors 6 and 7, District 2, Romania, specifying “to the attention of the Sameday Data Protection Officer”

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
_icl_current_language	1 day	This cookie is stored by WPML WordPress plugin. The purpose of the cookie is to store the current language.
cookielawinfo-checkbox-analize	1 year	CookieYes sets this cookie to store the user consent for the cookies in the category Analytics.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-marketing	1 year	This cookie is set by the GDPR Cookie Consent plugin to store the user consent for the cookies in the category "Marketing".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
wp-wpml_current_language	session	WordPress multilingual plugin sets this cookie to store the current language/language settings.
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gat_UA-10872482-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.

Privacy and personal data processing policy applicable in the process of accessing and using the “Sameday” mobile app

Subscribe to the SAMEDAY newsletter