Premium Handpans, crafted with soul

Legal

Privacy Policy

Last updated: May 2026

1. Who we are (Data Controller)

  • Nala Sound Sculptures S.R.L.
  • CUI: RO00000000
  • Reg. Com.: J00/0000/0000
  • Registered office: Str. Example nr. 1, București, Sector 1, România
  • Email: contact@handpan.ro
  • Phone: +40 700 000 000

For privacy / GDPR queries: privacy@handpan.ro.

2. Data we collect

We collect the minimum data needed to fulfill orders and respond to inquiries:

  • Order data — name, email, phone, shipping address, order items, total. Required to ship the instrument and issue the invoice.
  • Payment data — processed by Netopia Payments. We never see or store your full card number; we receive only a transaction ID and status.
  • Account data (optional) — if you create an account: email and authentication tokens via Supabase.
  • Chat data — if you use the live chat: email (required), display name (optional), and message content. See section 7.
  • Technical data — IP address (used briefly for spam/rate limiting and Cloudflare protection), browser type, and referrer. Aggregated, not used to identify you.
  • Cookies — see the Cookie Policy for the full list.

3. Lawful basis (GDPR Article 6)

  • Contract performance (Art. 6.1.b) — for order fulfilment, payment, and shipping.
  • Legal obligation (Art. 6.1.c) — for invoice retention (10 years under Romanian accounting law).
  • Consent (Art. 6.1.a) — for analytics/marketing cookies and the newsletter (opt-in via the cookie banner).
  • Legitimate interest (Art. 6.1.f) — for spam prevention, fraud detection, and basic site analytics.

4. Who we share data with

We share strictly what each processor needs to do their job, under written agreements:

  • Netopia Payments (RO) — card payment processing
  • Oblio.eu (RO) — invoice issuance and storage
  • Supabase (EU region) — database hosting for orders, accounts, and chat
  • Cloudflare — site hosting, CDN, and DDoS protection
  • Resend (EU) — transactional email (order confirmations)
  • Romanian Post / private couriers — for shipment
  • Telegram — only the messages you send via the live chat are relayed to our internal support group

We never sell or rent your personal data to advertisers or data brokers.

5. Your GDPR rights

Under the GDPR you have the right to:

  • Access your data (Art. 15)
  • Correct inaccuracies (Art. 16)
  • Request deletion (Art. 17, subject to legal-retention obligations)
  • Restrict processing (Art. 18)
  • Portability — receive a copy in a structured machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time for consent-based processing (Art. 7)

To exercise any of these, email privacy@handpan.ro. We respond within 30 days.

You also have the right to lodge a complaint with the Romanian Data Protection Authority ANSPDCP: dataprotection.ro.

6. Data retention

  • Order + invoice data — 10 years (Romanian accounting law)
  • Account data — until you delete your account, then 30 days for backup rotation
  • Chat conversations — auto-deleted after 60 days of inactivity
  • Marketing consent + email — until you unsubscribe, then 30 days
  • Server logs — 30 days

7. Live chat

Our website includes a live chat for customer support. When you use it we collect:

  • Your email address (required to start a chat)
  • Your display name (optional)
  • The messages exchanged

Conversations are stored in our Supabase database and relayed to our support team via Telegram. They are automatically deleted after 60 days of inactivity. You can delete a conversation immediately via the "Delete my data" link inside the chat widget.

8. International transfers

All primary processing happens inside the EU/EEA. Cloudflare and Resend may route traffic and email through global infrastructure; both are certified under the EU-US Data Privacy Framework or operate under Standard Contractual Clauses where applicable.

9. Children

Our site is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us data without parental consent, contact us and we will delete it.

10. Changes to this policy

We will update this policy when our processing changes. The "Last updated" date at the top reflects the most recent revision. Material changes are also announced via the cookie banner so you can re-review and re-consent.