We are fully aware that the GDPR merely provides a modernized compliance legal framework based on responsibility for the protection of personal data.
The processing of your data is necessary to provide you with the products/services you require. In this respect, we are taking several security measures to protect you online. One of the measures we are taking to ensure transparency and proportionality toward you is to eliminate the unnecessary collection of personal data and minimize the data we collect. Therefore, we only request the information we need and store it to improve your experience.
All information provided in this policy, the processes and the analyses performed are complete, accurate, and correct, fully reflecting the organization’s activity in terms of personal data processing and storage.
The Company is an information technology company whose main business is connected to software development. LOKOFOOD also operates activities relating to the development and management of a technology platform enabling economic operators of food establishments such as restaurants, cafes, confectioner’s shops, etc., in different cities, located in different areas, to enroll, list and offer their products and/or services through the use of a website/platform and/or mobile application, on the basis of an agreed trade agreement with the Company (hereinafter referred to as “Traders”). The Company has thus developed the LOKOFOOD platform, which provides the necessary technology framework for the online interaction between Traders’ offer and Users’ requests, which can be completed by placing Orders and entering into a contract for the products and services ordered between Trader and User directly.
Information about us: EXPRESSOFT TECHNOLOGY SRL, a legal entity governed by the Romanian law, with its registered office in Bucharest, 73-81 Bucharest-Ploieşti Ave., office no. 1, 4th floor, sector 1, registered with the Trade Register under no. J40/1167/1991, tax number RO1581947, hereinafter Expressoft. E-mail address: email@example.com. The title, copyright, and intellectual property rights over LOKOFOOD belong to Expressoft. SOFTWARE PRODUCT and related documentation are protected by the Romanian Copyright Act and international copyright treaties. Expressoft is a provider of information technology services and does not provide food or other services that do not concern its profile.
Contact form found in the Contact section of the platform www.lokofood.com or in the LOKOFOOD application in each user’s account.
www.lokofood.com and the LOKOFOOD application, hereinafter the Website, is owned by Expressoft Technology SRL and is operated under the LOKOFOOD trademark.
As required by Regulation No 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “Regulation”), LOKOFOOD is bound to process safely and only for the specified purposes, the personal data you provide us about you via the Website.
Please note that signing up on the Website and/or placing orders is only allowed for persons over 16 years of age.
- the processing of your personal data collected by us through the Website and your use of the Website. The Website may contain links to other websites. Please be aware that we have no control over how your data are collected, stored, or processed by other websites and we recommend that you check the privacy policies of such third party websites prior to submitting any data thereto.
2. What personal data do we process, on the basis of which legal bases, for what purpose and for how long?
2.1 What data do we process?
Depending on how you use the Website, we collect certain personal and non-personal data about you as follows:
- Data collected according to the Cookies Policy that we advise you to read here, which include: IP address; version and type of web browser, type of operating system and a list of URLs starting with the initialization website, your activity on the Website, and the website you are heading to when you leave the Website. In general, except for the IP address, these data are not personal data in their own right.
- When you create an account on our Website, you send us: identification data: e-mail address, phone number, surname and first name, age.
- On your personal page (My account) you can add additional information, such as: mobile phone number, landline number, date of birth, delivery addresses, alternative e-mail address.
- When placing an order on the Website, you provide us information such as: desired product, identification data such as: surname and first name, delivery address (and/or other location data), invoicing details, payment method, phone number. When requesting a fiscal invoice, we also process data such as serial number and ID number and/or bank data.
2.2 What are the purposes for processing?
In general, the purpose of personal data processing is to provide the LOKOFOOD services to your benefit, such as executing an order placed by you on the Website, improving Website experience for you and other visitors, including the purchases you make online and the general purpose of improving our services/products.
In particular, we will use your personal data to:
- Provide and manage your account on the Website;
- Provide and manage access to the Website;
- Individualize and customize your experience on the Website;
- Provide the services and supply the products listed on LOKOFOOD to your benefit; this may include, as appropriate, the following:
- Create and manage the account on the Website;
- Process orders, including picking up, validating, sending products to the address you indicate and invoicing them;
- Handle claims/complaints, cancellations or issues of any kind relating to an order, the goods or services purchased;
- Return products in accordance with legal provisions (other than food as applicable);
- Repay the value of the products in accordance with legal provisions;
- Provide support services, including answering your questions about your orders or the LOKOFOOD goods and services;
- Individualize and customize the services and provide the products listed on LOKOFOOD to your benefit; we always want to offer you the best online shopping experience. To do so, we may collect and use certain information about your buyer behavior or invite you to complete satisfaction questionnaires after an order is completed or to post comments in this respect on LOKOFOOD;
- Reply to your e-mails;
- Supply materials for which you have given your consent, if any;
- Any other specific purpose for which you have expressly given your consent, if any;
- For marketing, as follows:
We want to keep you updated on the best offers for the products/services you are interested in. In this respect, we may send you any type of message (such as: e-mail/SMS/telephone/mobile push/webpush/etc.) containing general and thematic information, information on products similar to or complementary to those you have purchased, information on offers or promotions, information on products added in the “Account/My Cart” section or “Account/ or you have shown interest in purchasing them section, as well as other commercial communication such as market research and opinion surveys, and we can display tailored recommendations on the Website. In order to provide you with information of interest to you, we may use certain data regarding your buyer behavior (e.g., products viewed/purchased) to create a profile for you. We always ensure that such processing is carried out in compliance with your rights and freedoms and that the decisions taken on the basis thereof have no legal effect on you and do not similarly affect you to any significant extent.
In principle, we base our marketing communications mentioned above on your prior consent. You can change your mind and withdraw your consent at any time by:
- accessing the unsubscribe link displayed in messages you receive from us;
- contacting LOKOFOOD using the contact details described above.
In certain situations, we can base our marketing activities on our legitimate interest in promoting and developing our business. In any situation where we use information about you for a legitimate interest of ours, we take care and all necessary measures to ensure that your fundamental rights and freedoms are not affected. However, you may at any time ask us, by the means described above, to stop processing your personal data for marketing purposes and to comply with your request.
- To defend our legitimate interests. There may be situations where we will use or transmit personal data to protect our rights and business. These may include:
- measures to protect the Website and its users from cyber-attacks;
- measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
- measures to manage the various risks;
- the exercise of rights, including before state authorities, such as courts of law;
- To comply with our legal obligations.
2.3 What is the basis for the data processing?
The general reason for the above-mentioned personal data processing is the conclusion and performance of the contract (or an order) between LOKOFOOD and you, but in some cases the reason may also be a legal obligation we have or our legitimate interest in defending our business, being understood that we make sure that all measures we take guarantee a balance between our interests and your fundamental rights and freedoms.
In the cases expressly shown in relation to marketing activities, we base our processing on your prior consent, if we carry out such activities.
Where the basis for processing is a legal obligation, we generally base our processing on the legal provisions such as the obligation to secure goods and values laid down by the applicable law in this area, the obligations provided by the tax and / or accounting legislation, including with regard to the archiving obligations.
The processing of personal data is not related to other recording systems.
2.4 How long do we retain your personal data?
As a general rule, we will not store your data longer than necessary, depending on the purpose and basis for which we process them.
Therefore, we will store your personal data according to the following criteria and the categories of personal data affected:
- As long as you have an account on our Website; you may request us to delete certain information or close your account at any time and we will respond to such requests, subject to certain information being retained after the account is closed, where the applicable law or our legitimate interests require us to do so;
- as long as we are bound by the legal provisions;
- during the conclusion and performance of the contract (or of one or more orders placed on the basis thereof) between LOKOFOOD and you, and a period of three years thereafter, or if necessary, until the performance of all rights and obligations arising therefrom;
- according to the cookies policy available here;
- for the duration for which you have given consent if processing is based on consent.
3. The rights you enjoy as a result of personal data processing
According to the Regulation, you benefit from the following rights under the circumstances of the processing grounds:
- the right to be informed regarding your personal data processed by LOKOFOOD;
- the right of access. You have the right to obtain from LOKOFOOD confirmation that they are processing your personal data, and if so, access to such data and information such as the purposes of the processing, the categories of data processed, the recipients or categories of recipients, the storage period or where not possible the criteria to determine this period;
- the right to rectify inaccurate personal data or complete them (please contact us in this respect);
- the right to deletion (“the right to be forgotten”) by LOKOFOOD of personal data in accordance with the applicable legal provisions;
- the right to restriction of processing, which may be exercised in one of the following cases:
- you challenge the accuracy of the data, the restriction being valid for a period that allows the Company to check the accuracy of the data;
- the processing is illegal, but you do not want to delete the personal data processed;
- LOKOFOOD no longer needs the personal data processed, but you need them to acknowledge, exercise or defend a right in court;
- you have opposed the processing of personal data, the restriction being valid for the period of time during which it is verified that the legitimate interests of LOKOFOOD do not affect your rights.
- the right to data portability, based on the right to data portability you have the right to receive a copy of the personal data concerning you and which you have provided to LOKOFOOD in a structured, commonly used and machine readable format, and you have the right to request transmission of these data to another operator, without obstacles from LOKOFOOD, when the processing is carried out with your consent, for the performance or conclusion of a contract to which you are party or where processing is carried out by automated means;
- the right to oppose the processing of personal data - at any time, you have the right to oppose, for justified and legitimate reasons related to the particular situation, that personal data be processed, insofar as the legal conditions are met;
- the right not to be subject to an individual decision, according to which you have the right to request and obtain the withdrawal, cancellation or re-evaluation of any decision based solely on automated processing (including profiling) which produces legal effects or affects you in a similar manner, to a significant extent;
- the right to go to court or the national supervisory authority for the processing of personal data. You have the right to lodge a complaint with the supervisory authority: National Supervisory Authority for the Processing of Personal Data, 28-30 General Gheorghe Magheru Blvd., Sector 1, postcode 010336, Bucharest, Romania, phone: +40.318.059.211, +40.318.059.212, fax: +40.318.059.602, e-mail: firstname.lastname@example.org. You are also recognized the right to go to court.
With regard to the rights related to automated decision-making and profiling, LOKOFOOD does not take decisions based on an automated decision-making process with respect to you, based on the personal data covered by this processing.
To exercise these rights, the user can send a written, dated, and signed request to email@example.com.
The exercise of the rights provided in Law 679 / 2016 (GDPR) is entirely incumbent on the controller who is legally bound to designate a person in charge with the processing of personal data within the organization. This person will develop a set of technical and organizational measures to secure the processing of data and is required to inform the controller with respect to the nature of the processing processes, types of information and how these processes are carried out within the organization. The controller has the responsibility and obligation to ensure that such measures are implemented, that there is no risk of security breaches or information leakage, and that the legislation in force regarding the data processing and the rights of data subjects is complied with. The person in charge can be contacted at firstname.lastname@example.org.
Please contact us for any request, question or matter related to the way we process your personal data, or send a written, dated and signed request to exercise your rights under Regulation No 679/2016, to Expressoft Technology SRL, with head office in Bucharest, 73-81 Bucharest-Ploiesti Ave., office 1, 4th floor, sector 1, or at e-mail address: email@example.com. You are also recognized the right to go to court.
If you request the deletion of data, please note that this is an irreversible process and if you wish to use the LOKOFOOD services again we will need your new consent to collect and process these data.
The maximum time limit for solving the requests sent to LOKOFOOD shall be 30 days. This may be extended once, in accordance with the Regulation.
4. Recipients of the Personal Data Processed
In general, the personal data we collect are intended for use by LOKOFOOD (our own employees; suppliers and their employees) and its partners on the Website to whom you place orders, and only as an exception are communicated to other recipients. TO STAY UP TO DATE ON HOW LOKOFOOD PARTNERS FROM WHOM YOU ORDER PRODUCTS BY PLACING ORDERS ON LOKOFOOD PROCESS YOUR PERSONAL DATA, WE RECOMMEND YOU ACCESS THE PERSONAL DATA PROCESSING POLICY SECTION ON THEIR WEBSITES.
In this way, LOKOFOOD may contract third parties as part of the activity of supplying services to you. These may be: providers of accounting/financial/legal services or generally provided by such professionals, marketing services, customer satisfaction analysis services, IT service providers, telephone service providers, call center integrated solution providers, order management solution providers, bank service providers and payment processors, couriers, carriers, search engines, etc. In some cases, we may provide them with all or some of your personal data. We shall not provide the data without making sure that they are strictly necessary for the purpose for which they are transferred, and the transfer is accompanied by security guarantees in accordance with the legal requirements of the Regulation for the transfer to the agents/third parties.
In some cases, we may transfer your data to other persons when we have a legal obligation to do so, or when we are in the course of a judicial procedure, to defend our rights.
We can also transmit your personal data to the public authorities (Prosecutor’s Office, Police, courts of law and other competent state bodies), on the basis and within the limits of the legal provisions or following duly justified requests.
Despite the protection measures taken to protect your personal data, we state that the transmission of information via the Internet in general or via public networks is not entirely secure and there is a risk for the data to be viewed and used by unauthorized third parties.
LOKOFOOD does not transfer your personal data to third states or international organizations. If LOKOFOOD decides to do so, then this will be made only with LOKOFOOD and, as applicable, the person empowered by the same, complying with the provisions of the Regulation.
5. Refusal to Give Us Personal Data
If you choose not to provide us with the personal data collected through the Website, which are required for the purposes mentioned above, except for marketing purposes, we shall not be able to supply your orders and to provide the services and/or products required by you and to put at your disposal certain sections/services on the Website, such as the account creation and administration section/service available on the Website, but you will be able to use other sections of the Website without restrictions.
6. Security of Personal Data Processing
The processing of personal data shall be carried out in compliance with the appropriate technical and organizational measures intended to protect data against accidental or unlawful destruction, to prevent loss, alteration, disclosure, unauthorized access, or misuse of personal data, by applying internal and operational procedures for the collection and storage of personal data in accordance with the Regulation.
7. The processing of personal data within the organization is subject to a number of technical and organizational measures to secure them. These measures are intended to protect information at the level of the organization against security incidents or unauthorized processing.
At the level of the organization, the following security measures have been taken to reduce risks:
- SSL certificate – is intended to secure the exchange of information via the Internet. It encrypts information before it circulates over the Internet. Encrypted information can only be decrypted by the server to which it is addressed. This ensures that information sent to an online website/platform will not be stolen, intercepted, processed. Information about bank cards, passwords and in general any information that is intended to remain private in terms of its nature, as defined by the law, is secured by this certificate.
- The SSL certificate of the LOKOFOOD online platform is also used to secure e-mails in such a way that the personal data of customers circulate in a secure environment and regulated by a range of security measures ensuring the confidentiality of information.
- Automatic back-up – set to a time interval to guarantee information and for all customers to be confident that the information and preferences provided by them do not disappear and are not destroyed, lost, or incorrect in the event of a server failure.
- Anti-spam and antivirus filters that prevent malicious content or viruses from infiltrating which can process the data in an unauthorized manner or transmit them to other entities or persons who have not obtained the data subject’s consent.
- Protecting the customer profile content by introducing a more complex password generation rule. Asking the customer, on creating the account, to provide a password meeting a higher complexity criterion (alphanumeric + special characters);
- Securing modules and scripts that communicate inside the platform. Constantly checking the functionality of the elements involved in customer-server, server-customer interaction.
- Checking and improving modules to keep them up-to-date to prevent vulnerabilities. This measure prevents the identification of vulnerabilities at global level in the platforms used, 0-day vulnerabilities that may intercept data exchange and implicitly personal data in customer’s interactions with the platform or of the process manager with the customer and the platform.
- Classifying the types of access by the process manager – administration groups, the possibility to add or delete certain rights on a user with full access – customizing access as needed.
- Protecting with password the device from which the process owner performs the data processing, to prevent unauthorized interference.
- Firewall – software and hardware installed in the server location of the company that provides online platform hosting, designed to protect the server and network equipment from cyber-attacks, unauthorized intrusion, installation of malicious software that may endanger platform users’ personal data. The firewall blocks the access of unauthorized persons to the information stored on Internet connected equipment.
- Access to the data processing systems where personal data is processed is only possible after the authorized person has been successfully identified and authenticated (e.g., with username and password or chip/PIN card), using the best security measures. In absence of an authorization, access shall be denied.
- All access attempts, both successful and rejected, are logged (user ID, computer, IP address used) and archived in a format according to audit rules for 3 months. To detect any misuse, the server performs repeated, random checks;
- Access is blocked after repeated incorrect authentication attempts.
- Regularly checking the platform’s vulnerabilities which might allow for the retrieval of information and personal data. Hosting has security measures and solutions that recurrently scan the processed files and the flow of data circulating inside the platform;
- Fighting the risks of security breaches by taking technical and organizational precautions by securing the platform and constantly upgrading it with stable versions.
- Securing with password the equipment that has direct access to the order table and customer delivery/invoicing data to prevent unauthorized access and implicitly any unauthorized interference by unapproved persons.
- Destruction of documents which are no longer required (notes, erroneous invoices, etc.) using a document destroyer at the disposal of the process manager;
- Removing the human factor risk by prohibiting the processing of information outside the secured platform, except for drawing up shipping notes in the courier’s platform, which is also a secure environment;
- Adopting security measures without differentiating between types of customers (new/existing/potential);
- Adopting an internal policy to check processes and processing on placing the product for delivery or on receiving information about an order or a possible offer;
- Avoiding customer differentiation by means of mechanisms that can positively or negatively profile a data subject. For this reason, we do not require any personal data related to sexual orientation, sexual interests, gender, religion, membership to movements or groups, etc. Customers are free to order and choose what they desire. With this measure, we believe that we respect the integrity of the person and avoid any track of analysis/profiling based on such criteria.
- Informing customers about the procedure for delivery, return and processing of orders;
- Training the process manager on the risks of processing personal data outside the online platform.
- Training the process manager on the need for notification in case of a major security incident.
- Training the process manager on managing situations that may occur when processing data within the platform (errors, errors in use).
- Training the process manager on the use of the information he/she processes and awareness of the nature of the personal information;
- Forbidding the processing of data outside the platform by managing orders directly in the platform user interface, without any need to process data in other unsecured and vulnerable environments.
The process manager shall be regularly trained on:
- The principles of data protection, including technical and organizational measures,
- The requirement to keep data secrecy and confidentiality with regard to the organization’s secrets and business secrecy, including the transactions carried out;
- Proper, careful use of data, data media and other documents;
- Telecommunications secrecy;
- Other specific confidentiality obligations, where necessary;