Privacy Policy
Privacy Policy
Last updated: 1 January 2026
Please read this Privacy Policy carefully before using our website or placing an order. By accessing the website https://www.rootfulnutrition.com and using our services, you acknowledge that you have read and understood this policy.
1. Identity of the data controller
The personal data controller is:
- Company name: SC Pro Natura Biotechnologies S.R.L.
- CUI (Unique Registration Code): RO50513932
- Trade Register No.: J2024020346007
- Registered office: Jud. Ilfov, Sat Snagov, Comuna Snagov, Șoseaua Principală, Bl. D1, Etaj Parter
- E-mail: support@rootfulnutrition.com
- Website: https://www.rootfulnutrition.com
SC Pro Natura Biotechnologies S.R.L. (hereinafter referred to as “Rootful”, “we”, “our” or “the Controller”) is a company registered in Romania, specialising in the sale of dietary supplements in the greens and superfoods category through the Shopify platform.
2. Categories of personal data collected
Depending on your interaction with our website and services, we may collect the following categories of personal data:
2.1. Account data (registration)
- First and last name
- E-mail address
- Account password (stored in encrypted form)
2.2. Order and delivery data
- First and last name
- Delivery address and/or billing address
- E-mail address
- Details regarding the products ordered, quantity and price
- Order number and order history
2.3. Payment data
- Selected payment method (bank card, cash on delivery, bank transfer)
- Last 4 digits of the card (in the case of card payment) — solely for identification purposes
2.4. Browsing data (technical data)
- IP address (anonymised where possible)
- Browser type and version
- Operating system
- Pages visited, visit duration and actions performed on the website
- Referral source (referring URL)
- Cookie identifiers and similar technologies
2.5. Subscription data (newsletter / communications)
- E-mail address
- Name (optional)
- Communication preferences
- Date and time of consent (including opt-in proof)
2.6. Marketing and interaction data
- Interaction with e-mail campaigns (opens, clicks)
- Data collected through remarketing pixels (Meta Pixel, Google Ads)
- Advertising identifiers
- Aggregated data regarding purchasing behaviour (for marketing segmentation)
2.7. Direct communication data
- Content of messages transmitted via the contact form or e-mail
- Information voluntarily provided in the context of support requests
3. Purposes of processing and legal basis
We process your personal data exclusively on the basis of a valid legal ground, in accordance with Article 6(1) of the GDPR. The table below details the purposes of processing, the categories of data used, the applicable legal basis and the retention period:
| Purpose of processing | Data categories | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|---|
| Creation and management of the customer account | Account data | Performance of the contract — Art. 6(1)(b) | For the duration of the account's existence + 30 days from its deletion |
| Processing and delivery of orders | Order data, delivery data, payment data | Performance of the contract — Art. 6(1)(b) | For the period necessary to fulfil the order + the statutory warranty period |
| Issuance of invoices and fulfilment of accounting and tax obligations | Order data, billing data | Legal obligation — Art. 6(1)(c) (Codul Fiscal (Tax Code), Legea contabilitatii nr. 82/1991 (Accounting Law No. 82/1991)) | 10 years from the end of the financial year in which the invoice was issued |
| Payment processing | Payment data (last 4 digits of the card, payment method) | Performance of the contract — Art. 6(1)(b) | For the period necessary to process the transaction + legal retention obligations |
| Order status communications (confirmation, dispatch, delivery) | E-mail address | Performance of the contract — Art. 6(1)(b) | For the duration of order processing |
| Customer support and complaint resolution | Account data, direct communication data | Performance of the contract — Art. 6(1)(b); Legitimate interest — Art. 6(1)(f) | 3 years from the date of the last interaction |
| Sending newsletters and commercial communications | Subscription data, marketing data | Consent — Art. 6(1)(a); Legea nr. 506/2004 (Law No. 506/2004), Art. 12 | Until withdrawal of consent |
| Personalised marketing and audience segmentation | Browsing data, marketing data, order data (aggregated) | Consent — Art. 6(1)(a) | Until withdrawal of consent or a maximum of 2 years from the last interaction |
| Remarketing and online advertising (Meta, Google) | Browsing data, advertising identifiers | Consent — Art. 6(1)(a) | In accordance with the cookie policy; maximum 13 months from collection |
| Website and service analysis and improvement | Browsing data (anonymised/pseudonymised) | Legitimate interest — Art. 6(1)(f) | Maximum 26 months |
| Fraud prevention and transaction security | Account data, order data, IP address | Legitimate interest — Art. 6(1)(f) | For the period necessary for the investigation + legal obligations |
| Defence of rights before courts or authorities | Any relevant data | Legitimate interest — Art. 6(1)(f) | For the duration of the applicable limitation period (3 years as a general rule) |
4. Recipients and sharing of personal data
In order to carry out our activities and provide services to you, we may transmit personal data to the following categories of recipients, solely to the extent that this is necessary and subject to appropriate safeguards:
4.1. E-commerce platform
- Shopify Inc. — the provider of the platform on which our website is hosted. Shopify acts as a data processor on behalf of the Controller and processes data in accordance with the Shopify Data Processing Agreement (DPA).
4.2. Payment processors
- Shopify Payments / Stripe — for card payment processing, PCI-DSS Level 1 certified
- Other authorised payment processors, as applicable (for example, for bank transfer payments)
4.3. Courier and delivery services
- Partner courier companies (for example: FAN Courier, Sameday, Cargus or other contracted courier services) — for the fulfilment of order deliveries. The following data is transmitted: recipient name, delivery address and parcel details.
4.4. Marketing and analytics service providers
- Klaviyo — e-mail marketing and automation platform, used for sending newsletters and commercial communications (on the basis of your consent)
- Meta Platforms (Facebook / Instagram) — through Meta Pixel and Conversions API, for measuring the effectiveness of advertising campaigns and remarketing (on the basis of your consent)
- Google (Google Analytics, Google Ads) — for website traffic analysis and measuring the performance of advertising campaigns (on the basis of your consent)
4.5. IT and hosting service providers
- Providers of maintenance, cybersecurity and technical infrastructure administration services
4.6. Public authorities
- Tax authorities, investigative bodies or courts of law — solely in cases provided for by law or at the legitimate request of a competent authority
5. International data transfers
Some of our service providers, including Shopify Inc., may store or process personal data on servers located outside the European Economic Area (EEA), including in the United States of America and Canada.
In all cases where personal data is transferred outside the EEA, we ensure that appropriate safeguards are implemented, in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) — adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, Implementing Decision (EU) 2021/914
- Adequacy decisions — where the destination country benefits from an adequacy decision issued by the European Commission (for example, Canada for commercial operators subject to PIPEDA)
- Supplementary measures — encryption, pseudonymisation and Transfer Impact Assessments, where necessary
You may request additional information regarding the safeguards applicable to international transfers by contacting us at the e-mail address indicated in Section 13.
6. Data retention period
Rootful retains personal data only for the period strictly necessary to fulfil the purposes for which the data was collected, in compliance with the storage limitation principle set forth in Article 5(1)(e) of the GDPR.
The general criteria used to determine the retention period are as follows:
- Account data: for the entire duration of the active account's existence. Following a request to delete the account, the data shall be erased within 30 days, except for data required to fulfil legal obligations.
- Order and billing data: 10 years from the end of the financial year in which the invoice was issued, in accordance with Legea contabilitatii nr. 82/1991 (Accounting Law No. 82/1991) and the Codul Fiscal (Tax Code).
- Payment data (last 4 digits of the card): for the period necessary to process the transaction and resolve any potential disputes, maximum 13 months.
- Marketing and newsletter data: until withdrawal of consent. Following unsubscription, the e-mail address is retained on a suppression list to prevent the further sending of communications.
- Browsing data and cookies: in accordance with the periods specified in the Cookie Policy, generally a maximum of 13 months.
- Communication data (customer support): 3 years from the date of the last interaction.
- Data necessary for the defence of rights before courts: for the duration of the general limitation period of 3 years or for the duration of judicial or administrative proceedings, as applicable.
Upon expiry of the retention period, data shall be deleted or irreversibly anonymised so that identification of the data subject is no longer possible.
7. Your rights
In accordance with Regulation (EU) 2016/679 (GDPR), you benefit from the following rights with respect to your personal data:
7.1. Right of access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether or not your personal data is being processed and, where that is the case, to access the data in question, as well as information regarding the purposes of processing, the categories of data, the recipients and the retention period.
7.2. Right to rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data concerning you, as well as the completion of incomplete data.
7.3. Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
You have the right to request the erasure of personal data concerning you where one of the grounds set out in Article 17 of the GDPR applies (for example, the data is no longer necessary for the original purposes, you withdraw your consent, the data has been unlawfully processed). This right does not apply where the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
7.4. Right to restriction of processing (Art. 18 GDPR)
You have the right to obtain the restriction of processing in the cases provided for by Article 18 of the GDPR, for example where you contest the accuracy of the data or object to the processing.
7.5. Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to transmit that data to another controller without hindrance from us.
7.6. Right to object (Art. 21 GDPR)
You have the right to object, at any time, to the processing of personal data based on the legitimate interest of the Controller (Art. 6(1)(f) GDPR), including profiling. In the event of an objection to processing for direct marketing purposes, the data shall no longer be processed for this purpose.
7.7. Right to withdraw consent (Art. 7(3) GDPR)
Where the processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal. Consent may be withdrawn by:
- The unsubscribe link in any commercial e-mail;
- Your account settings on the website;
- Sending a request to the e-mail address indicated in Section 13.
7.8. Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) (National Supervisory Authority for Personal Data Processing) if you consider that the processing of personal data concerning you infringes the provisions of the GDPR.
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (National Supervisory Authority for Personal Data Processing)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania
Website: www.dataprotection.ro
E-mail: anspdcp@dataprotection.ro
Exercising your rights
To exercise any of the rights mentioned above, please send a written request to the e-mail address support@rootfulnutrition.com or by post to the registered office address. We shall respond to your request within a maximum of 30 calendar days from the date of receipt. In complex cases or where a large number of requests are received, this period may be extended by a further 60 calendar days, with prior notification to the applicant.
We reserve the right to verify your identity before processing your request, in order to protect personal data against unauthorised access.
8. Data security
Rootful implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, including but not limited to:
- Encryption: all connections to our website are protected by SSL/TLS protocol (HTTPS), ensuring the encryption of data in transit. Sensitive data is also encrypted at rest.
- Access control: access to personal data is limited exclusively to authorised personnel, on the basis of the “need-to-know” principle, with multi-factor authentication where available.
- Shopify platform security: the Shopify platform is PCI-DSS Level 1 certified and implements advanced security measures, including continuous monitoring, automated backups and DDoS attack protection.
- Monitoring and auditing: periodic monitoring of data access and regular vulnerability assessments.
- Staff training: employees and collaborators who have access to personal data receive periodic training regarding confidentiality obligations and security procedures.
- Incident management procedures: we have internal procedures for the detection, reporting and investigation of security incidents, in accordance with Articles 33 and 34 of the GDPR, including notification of the ANSPDCP within 72 hours and informing data subjects, where applicable.
9. Cookies and similar technologies
Our website uses cookies and other tracking technologies (such as tracking pixels, local storage and device fingerprinting) to ensure the proper functioning of the website, improve the browsing experience, analyse traffic and enable marketing functionalities.
Non-essential cookies (analytics, marketing, remarketing) are activated exclusively on the basis of your explicit consent, granted through the cookie banner displayed upon your first visit to the website.
For detailed information regarding the types of cookies used, their purposes, providers and retention period, as well as how to manage your preferences, please consult the Cookie Policy.
10. Marketing and commercial communications
Rootful may send commercial communications (newsletters, promotional offers, product recommendations) exclusively to persons who have expressed their explicit and freely given consent to this effect, in accordance with Article 6(1)(a) of the GDPR and Art. 12 of Legea nr. 506/2004 (Law No. 506/2004).
Consent is obtained through clear opt-in mechanisms (for example, ticking an unchecked checkbox at account creation, when placing an order or when subscribing to the newsletter). We do not use pre-checked boxes and do not consider inaction as consent.
Right to unsubscribe
You have the right to withdraw your consent to commercial communications at any time, without justification and free of charge, by:
- Clicking the “Unsubscribe” link present in the footer of every commercial e-mail;
- Modifying the preferences in your account on the website;
- Sending a request to the address support@rootfulnutrition.com.
Following the withdrawal of consent, you will no longer receive commercial communications. We shall process the unsubscription request as soon as possible, but no later than 48 hours from receipt. The withdrawal of consent does not affect transactional communications (for example, order confirmation, delivery notifications), which are sent on the basis of the performance of the contract.
11. Protection of minors' data
The Rootful website and services are not intended for persons under the age of 16. We do not knowingly collect personal data from minors under the age of 16.
If we become aware that we have collected personal data of a minor under the age of 16 without the consent of the holder of parental responsibility, we shall delete such data as soon as possible.
If you are a parent or legal guardian and are aware that the minor in your care has provided us with personal data, please contact us at the e-mail address indicated in Section 13 to request the deletion of such data.
12. Changes to this policy
Rootful reserves the right to update or amend this Privacy Policy at any time, in order to reflect legislative changes, changes in our data processing practices or improvements to our services.
In the event of significant changes, we shall take reasonable steps to inform you in advance, by:
- Displaying a visible notice on the website;
- Sending a notification by e-mail (to customers with an active account or newsletter subscribers);
- Updating the “Last updated” date at the top of this document.
We recommend that you periodically consult this page to stay informed of any changes. Continued use of the website and our services after the publication of changes constitutes implicit acceptance of the updated version.
In the event that a change requires new consent on your part (for example, for new consent-based processing purposes), we shall request such consent explicitly prior to the implementation of the respective changes.
13. Contact — Data Protection Officer
For any questions, requests or enquiries regarding the processing of your personal data or the exercise of the rights set out in this policy, you may contact us at:
- Data Protection Officer (DPO): SC Pro Natura Biotechnologies S.R.L.
- E-mail: support@rootfulnutrition.com
- Correspondence address: Jud. Ilfov, Sat Snagov, Comuna Snagov, Șoseaua Principală, Bl. D1, Etaj Parter
We shall make every effort to respond to your requests as soon as possible, but no later than 30 calendar days from the date of receipt of the request.
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) (National Supervisory Authority for Personal Data Processing)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania
Website: www.dataprotection.ro
E-mail: anspdcp@dataprotection.ro
© SC Pro Natura Biotechnologies S.R.L. — All rights reserved. This Privacy Policy has been drafted in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Romanian legislation.



