Privacy Policy (GDPR)

Privacy Policy

1. Introduction

SC Scut Protection SRL respects the privacy of its customers and website visitors and is committed to processing personal data lawfully, fairly and transparently.

This Privacy Policy explains what personal data we process when you use www.skidplate.eu and when you make a purchase through our online store, the purposes and legal bases of the processing, how long we retain the data, to whom we may disclose it and what rights data subjects have.

Data processing is governed primarily by Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (GDPR), together with the applicable Romanian legislation.

Last updated: 3 July 2026.

2. Identity of the data controller

Data controller: SC Scut Protection SRL

Registered office: Str. Lemnarilor nr. 14, 535600 Odorheiu Secuiesc, Harghita County, Romania

Tax identification number / CUI: RO 25929276

Trade Register number: J19/403/2009

Telephone: +40 754 514 916

Email: info@skidplate.eu

Website: www.skidplate.eu

The company has not appointed a separate Data Protection Officer. Any questions or requests concerning personal data protection may be sent to the email address above.

3. Data processing principles

  • We process personal data only for specified, explicit and legitimate purposes.
  • We request and use only the data necessary for the relevant purpose.
  • We protect personal data through appropriate technical and organisational measures.
  • We do not retain personal data longer than required by the purpose of the processing or by a legal obligation.

4. Placing and fulfilling an order

When processing and fulfilling an order, we process the following data:

  • name;
  • email address;
  • telephone number;
  • postal code;
  • delivery address;
  • billing address;
  • information about the products ordered;
  • order value;
  • selected payment method and payment status;
  • delivery status;
  • order date and order identifier.

Purposes of processing: receiving and processing the order, identifying the customer, delivering the product, communicating with the customer, checking payment status, performing the contract and managing returns, warranties and complaints.

Legal basis: Article 6(1)(b) GDPR, namely performance of a contract or taking pre-contractual steps at the customer’s request.

The customer’s name, email address, telephone number, postal code, delivery address and billing address are necessary to fulfil the order. Without this information, we cannot properly process or deliver the order.

5. Optional information

The customer may optionally provide:

  • county, province or region;
  • information about the vehicle;
  • a message concerning the order;
  • the vehicle identification number (VIN).

Providing the county, province or region is not mandatory where the address can be identified unambiguously from the postal code and the full delivery address.

We do not request the VIN in a separate mandatory field. The customer may choose to include it in the order comments if assistance is required to identify the vehicle or the correct product.

Purposes of processing: more accurate vehicle identification, verification of the appropriate product choice, prevention of ordering errors and handling a specific customer request.

Legal basis: Article 6(1)(b) GDPR where the data is necessary for performance of the contract or for assistance before the contract is concluded.

Please do not include personal data in the order comments unless it is necessary to fulfil the order.

6. Business customer data

Where a customer purchases on behalf of a company or another legal entity, we may process:

  • company name;
  • tax identification number or EU VAT number;
  • billing address;
  • the name and contact details of the individual placing the order.

We do not request the company’s Trade Register number.

Purposes of processing: issuing a correct invoice, checking tax status and fulfilling the order.

Legal basis: performance of the contract and compliance with legal obligations.

7. Invoicing and accounting

For invoicing and compliance with accounting obligations, we may process the name or company name, billing address, tax number or EU VAT number, products purchased, order value and payment and billing data.

Invoices are created in the company’s internal order processing system, after which the invoicing and accounting data is imported into the SAGA accounting software.

The accountant may access invoice data and the customer information required to comply with accounting and tax obligations.

Legal basis: Article 6(1)(c) GDPR, namely compliance with a legal obligation to which the company is subject.

Invoices and their supporting accounting documents are retained for the period required by applicable Romanian accounting legislation. As a general rule, this period is 5 years calculated from 1 July of the year following the financial year in which the document was issued.

8. Payment processing

The following payment methods may be available in the online store:

  • PayPal;
  • bank card payment through Stripe;
  • bank transfer.

Bank card payments are processed directly through Stripe’s or PayPal’s systems.

SC Scut Protection SRL does not store or have access to customers’ full card numbers, security codes or other complete bank card details.

The company receives only the information necessary to process the order, such as whether the payment succeeded or failed, the transaction identifier, the payment amount and date and certain limited payment information.

PayPal and Stripe may also act as independent data controllers for certain processing operations, in accordance with their own privacy policies.

In the case of a bank transfer, we may process the data contained in the bank transaction, including the account holder’s name, bank account number, amount and payment reference.

Legal basis: performance of the contract and compliance with accounting and tax obligations.

9. Failed or incomplete payments

Where a customer starts an order but does not complete the payment, we may retain the order data for no more than 30 days.

In such a case, the company may manually send one email to the customer to allow the payment for the started order to be completed. Even if several payment attempts fail, only one reminder email is sent.

This email is not a newsletter or a general advertising message and does not contain marketing offers relating to other products.

Legal basis: Article 6(1)(b) GDPR, namely a measure connected with the contract and the order initiated by the customer.

If the order is not completed, the data is deleted or anonymised after no more than 30 days, unless longer retention is required for security, fraud prevention or legal reasons.

10. Delivery and courier services

To deliver an order, we disclose the personal data necessary for delivery to the selected courier service.

The courier services we may use include:

  • DPD;
  • FedEx;
  • ParcelForce;
  • Sameday;
  • GLS.

We may provide the courier with the recipient’s name, delivery address, postal code, telephone number, email address, parcel information and, for cash-on-delivery shipments, the amount to be collected.

County or regional information is provided only where the customer has supplied it or where it is actually required for delivery.

Purpose of processing: delivery of the order, sending delivery notifications and handling delivery-related issues.

Legal basis: performance of the contract.

Courier companies may also act as independent data controllers in relation to their own operations and legal obligations.

11. Customer service and communications

If the customer contacts us by email, telephone or through an order-related message, we may process:

  • name;
  • email address;
  • telephone number;
  • order information;
  • the content of the message;
  • vehicle information provided voluntarily;
  • information generated during the communication.

Purposes of processing: answering questions, checking product compatibility, handling order-related issues, returns and complaints and establishing, exercising or defending legal claims.

Legal basis: performance of the contract, pre-contractual steps or legitimate interest under Article 6(1)(f) GDPR.

The company’s legitimate interest is to provide properly documented customer support, deliver appropriate customer service, clarify disputes and protect its legal rights.

General customer service correspondence is retained for 3 years from closure of the matter.

Correspondence connected with a specific order, complaint, refund or dispute may be retained for up to 5 years or, where proceedings are ongoing, until their final conclusion.

Telephone calls are not recorded.

12. Warranties, complaints and returns

In connection with a warranty claim, complaint or return, we may process the customer’s identification and contact details, order and product information, description of the issue, related correspondence, return and refund information and photographs or documents voluntarily provided by the customer.

The website does not have a permanent, separate image upload function. We process a photograph only where the customer voluntarily sends it to us, for example by email, in order to resolve a specific case.

Purposes of processing: handling and documenting the complaint, warranty claim or return.

Legal basis: performance of the contract, compliance with legal obligations and legitimate interest connected with establishing, exercising or defending legal claims.

Warranty and complaint data is retained for 3 years from closure of the matter, unless a legal provision or an ongoing dispute requires a longer period.

13. Website hosting and email service

The provider of website hosting and email services is: Claus Web SRL.

To ensure the technical operation and security of the website, the hosting provider may process server logs containing:

  • IP address;
  • date and time of the visit;
  • pages visited;
  • browser and device type;
  • operating system information;
  • referring page address;
  • technical error messages;
  • information relating to security incidents.

Purposes of processing: ensuring the technical operation of the website, detecting errors, preventing abuse, maintaining IT and network security and investigating unauthorised access.

Legal basis: legitimate interest under Article 6(1)(f) GDPR in operating the website securely and reliably.

Server logs are generally retained for no more than 90 days. In the event of a security incident, abuse or legal proceedings, the relevant log data may be retained longer, until the investigation or proceedings have been concluded.

14. Cookies and similar technologies

The website uses cookies and similar technologies.

Strictly necessary cookies are required for the operation of the website and online store. Their use therefore does not require separate consent.

Analytics and marketing cookies are activated only after the visitor has given prior consent.

Through the cookie banner, the visitor may:

  • accept the use of non-essential cookies;
  • reject them;
  • adjust individual cookie preferences.

Consent may be withdrawn or changed at any time by reopening the cookie settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

A detailed list of cookies, their purposes, providers and retention periods is available in the separate Cookie Policy.

15. Google services

We use the following Google services on the website:

  • Google Analytics 4;
  • Google Ads conversion tracking;
  • Google Ads remarketing.

We do not use Google Tag Manager.

Google Analytics 4 enables us to obtain statistical information about use of the website. Google Ads conversion tracking allows us to measure whether a visitor arriving through an advertisement completes a particular action, such as a purchase. Google Ads remarketing makes it possible to display more personalised advertisements based on the visitor’s previous use of the website.

These services are activated only after the visitor has given prior consent.

Legal basis: consent under Article 6(1)(a) GDPR.

Google may act as an independent data controller for certain processing operations.

16. Meta and Facebook services

We use the following Meta services on the website:

  • Meta Pixel;
  • Meta Conversions API.

Meta Pixel and Meta Conversions API allow us to measure the effectiveness of advertising on Facebook and Instagram and to display more relevant advertising to users who have given their consent.

The data transmitted may include actions performed on the website, products viewed, whether an order or purchase was completed, the order value, technical identifiers, cookie identifiers and protected or encoded contact details used by Meta for matching purposes.

Meta Pixel and Meta Conversions API are used for marketing purposes only after the visitor has given prior consent.

Legal basis: consent.

Meta may act as an independent data controller for certain processing operations.

19. Automated decision-making and profiling

SC Scut Protection SRL does not make decisions based solely on automated processing that produce legal effects concerning the customer or similarly significantly affect the customer.

Orders are not rejected automatically solely on the basis of an automated profile or algorithm.

Google Ads and Meta systems may carry out advertising profiling of visitors who have given their consent, in accordance with their own privacy terms. This does not result in an automated decision with legal effects being made by Scut Protection SRL.

20. Processors and recipients of personal data

Only employees and service providers who need access to personal data in order to perform their duties may access it.

Recipients or categories of recipients may include:

  • the website hosting and email provider;
  • the accountant;
  • providers of invoicing and accounting systems;
  • PayPal and Stripe;
  • banks and payment service providers;
  • DPD, FedEx, ParcelForce, Sameday and GLS;
  • Google and Meta;
  • IT and website maintenance providers;
  • legal and tax advisers;
  • public authorities, courts and other bodies where disclosure is required by law.

We provide service providers only with the data necessary to perform the relevant task.

We do not sell personal data to third parties.

21. Transfers outside the European Economic Area

Some service providers, in particular Google, Meta, PayPal and Stripe, belong to international corporate groups that may process personal data outside the European Economic Area, including in the United States, or may access personal data from such countries.

Where such a transfer takes place, we apply the appropriate safeguards required by applicable data protection law.

The transfer may be based on:

  • an adequacy decision of the European Commission;
  • the EU–US Data Privacy Framework, where the relevant US organisation participates in it;
  • the Standard Contractual Clauses adopted by the European Commission;
  • another appropriate safeguard permitted by the GDPR.

International transfers carried out by service providers are also subject to their current privacy policies.

22. Data retention periods

  • Completed order data: generally 5 years.
  • Invoices and accounting documents: 5 years in accordance with Romanian law, calculated from 1 July of the year following the financial year in which the document was issued.
  • Failed or incomplete orders: no more than 30 days.
  • General customer service correspondence: 3 years from closure of the matter.
  • Correspondence relating to an order, refund or dispute: up to 5 years or until the dispute has been finally resolved.
  • Warranty and complaint data: 3 years from closure of the matter.
  • Server logs: generally no more than 90 days.
  • Cookies and analytics identifiers: for the periods stated in the Cookie Policy.
  • Data processed on the basis of consent: until consent is withdrawn or for the period necessary to establish, exercise or defend possible legal claims.

Where personal data relates to several processing purposes, the longest lawful retention period may apply.

Where administrative, judicial or other legal proceedings are ongoing, the relevant data may be retained until the proceedings are finally concluded.

23. Data security

SC Scut Protection SRL implements appropriate technical and organisational measures to protect personal data.

These measures may include:

  • restricting access rights;
  • password-protected systems;
  • secure hosting services and servers;
  • encryption of data transmissions;
  • regular backups;
  • IT logging;
  • limiting employee access according to responsibilities;
  • appropriate selection of processors.

Absolute security of data transmitted over the internet cannot be guaranteed. Nevertheless, we take all reasonable measures to protect personal data.

24. Children’s data

The online store is not specifically directed at minors.

To make a purchase on the website, the customer must have the legal capacity required to enter into the contract.

We do not knowingly collect children’s personal data for marketing or profiling purposes.

If we become aware that a minor’s data has been entered into our system without a valid legal basis, we will delete it.

25. Rights of data subjects

The data subject has the right to:

  • receive information about the processing of personal data;
  • access the personal data we process concerning them;
  • request correction of inaccurate or incomplete data;
  • request erasure of personal data;
  • request restriction of processing;
  • object to processing based on legitimate interests;
  • receive the data they have provided in a portable format;
  • withdraw consent at any time;
  • lodge a complaint with the competent supervisory authority;
  • seek a judicial remedy.

The right to erasure is not absolute. We cannot delete data that we are legally required to retain, including invoicing and accounting data.

Where the right to object is exercised, we will stop the processing unless we demonstrate compelling legitimate grounds that override the rights of the data subject, or unless the processing is necessary for the establishment, exercise or defence of legal claims.

26. Submitting a data rights request

Requests concerning data subject rights may be sent to:

info@skidplate.eu

Please include the information required to identify you and to process your request.

Where we have reasonable doubts concerning the identity of the requester, we may request additional information to verify that identity.

We respond to requests without undue delay and, as a rule, within one month of receipt.

This period may be extended by a further two months depending on the complexity and number of requests. The data subject will be informed of the extension and the reasons for it within the initial one-month period.

27. Lodging a complaint

If a data subject believes that the processing of personal data infringes the GDPR, a complaint may be lodged with the Romanian data protection supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

Abbreviation: ANSPDCP

Email: anspdcp@dataprotection.ro

Website: www.dataprotection.ro

The data subject may also lodge a complaint with the data protection authority in the EU Member State of their habitual residence, place of work or the place of the alleged infringement.

Lodging a complaint does not affect the data subject’s right to seek a judicial remedy.

28. Changes to this Privacy Policy

SC Scut Protection SRL reserves the right to amend this Privacy Policy if there are changes to the law, the operation of the website or the services used.

The current version is available on the website at all times.

If a material amendment is made, the update date will be shown at the beginning of this Privacy Policy.

FREE SHIPPING