1. Introduction

This Privacy Policy explains how personal data is collected, used, disclosed, stored, and protected by:

  • THE RAINBOWIDEA SRL, a limited liability company registered in Romania, having its registered address at Iasomiei St, 2, villa 15, Voluntari, Ilfov County, 077190, Romania, registered with the Romanian Trade Registry under no. J2019005332234, EU VAT ID: RO41963008 (hereinafter “ROSS”),

in connection with:

  • the website ross4global.com (the “Website”),
  • the online shop available at https://ross4global.com/shop-home/,
  • the broader business-to-business promotional merchandise platform operated by ROSS (the “Platform”), and
  • the products, software-enabled features, procurement tools, ordering functions, subscriptions, customization services, and related commercial services made available by ROSS from time to time (the “Services”).

This Privacy Policy should be read together with the ROSS Terms and Conditions.

ROSS is committed to processing personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), and applicable national data protection legislation.

2. Data subjects

The Website, Platform, and Services are intended for business-to-business use. However, ROSS processes personal data relating to natural persons acting on behalf of, or in connection with, a Customer, including:

  • employees, representatives, contractors, consultants of a Customer;
  • Authorized Users accessing or using the Platform or Services;
  • individuals identified in purchase orders, invoices, procurement workflows, delivery instructions, account records, or customer-support communications;
  • individuals identified in Customer Materials, customization instructions, recipient lists, shipment data, or other order-related information provided by or on behalf of a Customer;
  • prospective Customers, commercial leads, newsletter subscribers, marketing contacts, and business partners; and
  • visitors to the Website or Platform.

All natural persons mentioned above are considered data subjects under the GDPR.

3. Data Controller and Contact Details

For most processing activities connected with the operation of the Website, Platform, Services, accounts, orders, subscriptions, payments, invoicing, customer support, legal compliance, and business administration, the data controller is ROSS.

Questions regarding this Privacy Policy or the processing of personal data by ROSS may be addressed to privacy@rainbowidea.com.

4. ROSS’s GDPR role: controller and processor

Depending on the processing activity, ROSS may act either as an independent controller or as a processor within the meaning of the GDPR.

ROSS acts as independent controller where it determines the purposes and means of processing personal data, including where personal data is processed for:

  • operation and administration of the Website, Platform, and Services;
  • account creation, authentication, access management, and account security;
  • Customer verification and B2B eligibility checks;
  • quotations, order administration, order fulfilment, subscription management, and customer support;
  • payment administration, invoicing, accounting, tax, and legal compliance;
  • delivery coordination and logistics administration;
  • supplier coordination, procurement management, and enterprise procurement workflows;
  • fraud prevention, sanctions screening, misuse prevention, and platform security;
  • management of disputes, complaints, returns, refunds, and claims;
  • marketing communications, where permitted by applicable law;
  • analytics, reporting, service improvement, and internal business administration; and
  • establishment, exercise, or defense of legal claims.

Where ROSS processes personal data provided by or on behalf of a Customer solely for the purpose of fulfilling the Customer’s documented instructions, including personalization, customization, direct delivery to Customer-designated recipients, or similar order fulfilment activities, such processing shall, where applicable, be subject to a data processing agreement (“DPA”) concluded between ROSS and the Customer. In such cases, the Customer acts as controller and ROSS as processor, processing the relevant personal data on behalf of the Customer.

5. Categories of personal data we collect

ROSS may collect and process the categories of personal data described below, depending on how the Website, Platform, and Services are used.

5.1 Business Contact Data

ROSS may process business contact data, including:

  • first name and last name;
  • business email address;
  • business telephone number;
  • job title, role, department, or function;
  • company name and registration details;
  • EU VAT numbers or, for non-EU Customers, TINs;
  • business address, billing address, and delivery address;
  • country, region, and language preference; and
  • communication preferences.

5.2 Account and authorized user data

Where an account is created or used on the Platform, ROSS may process:

  • username, account ID, and login credentials;
  • password or authentication data, stored encrypted;
  • account role, permissions, and access rights;
  • subscription type, including Start-up User, Scale-up or Enterprise Subscription Customer status;
  • account settings and preferences;
  • account activity, access logs, and security events;
  • order approvals, purchase requests, and procurement workflow actions; and
  • records of instructions, confirmations, and approvals submitted through the Platform.

5.3 Order, subscription, and transaction data

ROSS may process order, subscription, and transaction data, including:

  • products viewed, selected, ordered, or purchased;
  • order history and quotation history;
  • product quantities, product specifications, customization details, and production instructions;
  • subscription plan, subscription term, subscription activation date, renewal status, and subscription benefits;
  • discount eligibility and pricing tier;
  • delivery details and shipment information;
  • billing and invoicing information;
  • purchase order details and procurement references;
  • payment confirmation data;
  • order status, returns, refunds, replacement records, and complaint records; and
  • correspondence and records relating to the relevant order or subscription.

5.4 Customer materials and customization data

Where products are customized, branded, personalized, or produced according to Customer specifications, ROSS may process Customer Materials and related data, including:

  • names, job titles, departments, event roles, employee identifiers, recipient names, or other personalization data included in Customer Materials;
  • branding guidelines, layout instructions, print files, proofs, mock-ups, samples, and approval records;
  • Customer confirmations and approvals relating to product specifications, artwork, spelling, positioning, colors, dimensions, quantities, delivery details, and other order requirements; and
  • related production, supplier, and fulfilment data.

5.5 Payment data

ROSS may process limited payment-related data, including:

  • payment method type;
  • payment status;
  • transaction confirmation, transaction ID, and payment reference;
  • card brand and partial card details if made available by the payment processor, such as last four digits;
  • payment failure, chargeback, or refund status; and
  • purchase order and credit approval information, where applicable.

ROSS does not store full card numbers, card verification codes, or equivalent full payment authentication data on its own systems. Your card details are processed by third-party payment providers, such as Stripe, based on Stripe’s Privacy Policy (https://stripe.com/en-ro/privacy).

5.6 Procurement system data

Where a Customer uses enterprise procurement systems, supplier-management systems, invoicing platforms, or similar systems, including SAP Ariba or Coupa (“Procurement Systems”), ROSS may process:

  • purchase order data;
  • supplier profile data;
  • procurement contact details;
  • invoice routing and approval information;
  • Customer billing profiles;
  • tax and procurement references;
  • system-generated identifiers;
  • order approval records;
  • communication and workflow data exchanged through Procurement Systems; and
  • other information required to configure, process, invoice, or administer orders through such Procurement Systems.

5.7 Delivery and recipient data

ROSS may process delivery and recipient data, including:

  • recipient name;
  • delivery address;
  • business contact details;
  • delivery instructions;
  • shipment status;
  • carrier tracking information;
  • customs, import, or export documentation where applicable; and
  • proof of delivery or delivery issue records.

Where the Customer provides personal data of recipients, including employees, event participants, clients, or other third parties, the Customer is responsible for ensuring that such data has been lawfully provided to ROSS.

5.8 Technical and usage data

ROSS may collect technical and usage data when individuals access or use the Website or Platform, including:

  • IP address;
  • browser type and version;
  • device type, operating system, and device identifiers;
  • time zone, approximate location, and language settings;
  • pages visited, links clicked, interactions, session duration, and navigation paths;
  • login events, access logs, and error logs;
  • cookie identifiers and similar tracking identifiers; and
  • information generated through security, analytics, performance, or diagnostic tools.

5.9 Communication and support data

ROSS may process communication and support data, including:

  • messages submitted through forms, email, chat, or customer-support channels;
  • enquiries, requests, complaints, or claims;
  • customer-support tickets and correspondence history;
  • feedback, survey responses, or service reviews;
  • call or meeting notes, where applicable; and
  • records of notices, instructions, approvals, or confirmations.

5.10 Marketing data

ROSS may process marketing-related data, including:

  • marketing preferences;
  • newsletter subscription status;
  • consent records;
  • unsubscribe records;
  • event participation or campaign interaction data;
  • business development communications; and
  • engagement data relating to marketing emails, where permitted by applicable law.

6. Sources of personal data

ROSS may collect personal data from:

  • account creation, checkout, quotation, subscription, or order forms on the Website and Platform;
  • the Customer, including through its employees, contractors, procurement teams, finance teams, marketing teams, or other representatives;
  • Authorized Users;
  • Customer Materials, order specifications, delivery files, recipient lists, and purchase orders;
  • Procurement Systems, including Ariba, Coupa, or similar systems;
  • payment providers, including Stripe;
  • logistics providers, suppliers, manufacturers, decorators, and subcontractors;
  • professional advisers, banks, accounting providers, tax advisers, legal advisers, or auditors;
  • publicly available business sources, such as company websites, trade registries, business directories, or professional networks;
  • contact forms, chatbots and/or newsletter subscription forms; and
  • cookies, server logs, analytics tools, security tools, and similar technologies.

7. Purposes of processing

As data controller, ROSS processes personal data for the following purposes:

7.1 To provide and operate the Website, Platform, and Services

This includes enabling access to the Website and Platform, maintaining accounts, authenticating Authorized Users, providing SaaS-based features, operating procurement tools, managing catalogue access, providing subscription benefits, and supporting ordinary platform functionality.

7.2 To manage Customers, accounts, and B2B eligibility

This includes creating and administering Customer accounts, verifying business capacity, confirming company details, managing account permissions, identifying Authorized Users, and preventing consumer or unauthorized use where the Platform is intended for B2B use.

7.3 To process quotations, orders, and subscriptions

This includes preparing quotations, processing orders, confirming product availability, managing subscription plans, applying subscription-based pricing benefits, handling order approvals, processing purchase requests, managing production requirements, and administering confirmed orders.

7.4 To customize and fulfil product orders

This includes processing Customer Materials, artwork, logos, branding elements, personalization data, specifications, proofs, mock-ups, production files, supplier instructions, manufacturing data, and approval records required to produce customized or branded products.

7.5 To process payments, invoices, and accounting records

This includes administering checkout, confirming payments, processing refunds, issuing invoices, managing purchase orders, maintaining accounting records, handling VAT, tax, audit, and financial reporting obligations, and managing overdue or disputed payments.

7.6 To deliver products

This includes arranging shipment, providing delivery information to logistics partners, tracking shipments, managing customs or delivery issues, confirming delivery, and resolving delivery-related complaints.

7.7 To support Procurement System workflows

This includes onboarding Customers to Procurement Systems, processing purchase orders, invoice routing, supplier-management information, approval workflows, Customer procurement references, and system-related communications.

7.8 To communicate with Customers and Authorized Users

This includes responding to enquiries, providing customer support, sending order updates, requesting approvals, notifying Customers about account, subscription, payment, delivery, or service matters, and managing complaints or claims.

7.9 To improve, secure, and develop the Website, Platform, and Services

This includes troubleshooting, analytics, usage analysis, service development, internal reporting, security monitoring, fraud prevention, misuse detection, performance improvement, testing, debugging, and protecting the integrity of the Website, Platform, and Services.

7.10 To send marketing communications

This includes sending newsletters, promotional updates, product information, service announcements, event invitations, and similar B2B marketing communications, where permitted by consent, legitimate interest, or applicable law.

7.11 To comply with legal obligations and enforce rights

This includes complying with tax, accounting, corporate, sanctions, anti-fraud, legal, regulatory, and record-keeping obligations, responding to lawful requests, enforcing the Terms and Conditions, managing disputes, and establishing, exercising, or defending legal claims.

8. Legal bases for processing

ROSS relies on one or more of the following legal bases under the GDPR, depending on the relevant processing activity.

8.1 Performance of a contract or pre-contractual steps

ROSS processes personal data where necessary to enter into or perform a contract with the Customer, including to create accounts, provide quotations, process orders, administer subscriptions, fulfil product orders, provide Services, manage delivery, and provide customer support.

8.2 Legal obligation

ROSS processes personal data where necessary to comply with legal obligations, including accounting, tax, invoicing, audit, company law, regulatory, sanctions, fraud-prevention, and legal record-keeping obligations.

8.3 Legitimate interests

ROSS processes personal data where necessary for its legitimate interests or those of a third party, provided that such interests are not overridden by the interests, rights, or freedoms of the relevant individual. Such legitimate interests may include:

  • operating and improving the Website, Platform, and Services;
  • managing B2B customer relationships;
  • processing business communications;
  • preventing fraud, misuse, unauthorized access, and security incidents;
  • managing supplier, logistics, and procurement relationships;
  • maintaining business records;
  • enforcing the Terms and Conditions;
  • handling complaints, claims, disputes, and debt recovery;
  • conducting internal reporting and analytics; and
  • sending certain B2B marketing communications where permitted by applicable law.

8.4 Consent

ROSS may rely on consent where required or appropriate, including for certain marketing communications, non-essential cookies, analytics technologies, or similar activities. Where processing is based on consent, the individual may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

9. Payment processing

ROSS may use third-party payment providers, including Stripe, to process online payments. Payment providers may process payment data as independent controllers or processors, depending on their role and the relevant payment activity.

ROSS does not intentionally store full card details. Payment card information is submitted directly to or processed by the relevant payment provider. ROSS may receive limited payment confirmation data, such as transaction status, payment references, partial card information, and fraud or chargeback information.

Customers and Authorized Users should review the applicable payment provider’s privacy notice and terms for information about how payment data is processed by that provider.

10. Disclosure of personal data

ROSS may disclose personal data to the following categories of recipients where necessary for the purposes described in this Privacy Policy:

  • payment providers, such as Stripe;
  • banks, payment processors, and financial institutions;
  • suppliers, manufacturers, decorators, printers, distributors, and subcontractors;
  • logistics providers, carriers, customs brokers, and delivery partners;
  • hosting providers, cloud infrastructure providers, IT support providers, cybersecurity providers, and software vendors;
  • CRM, customer-support, analytics, communication, and business productivity providers;
  • Procurement Systems, including Ariba, Coupa, and similar systems, where applicable;
  • professional advisers, including lawyers, accountants, auditors, tax advisers, and consultants;
  • public authorities, regulators, courts, law enforcement authorities, tax authorities, or government bodies, where required by law or necessary to protect legal rights;
  • insurers, banks, investors, acquirers, or transaction advisers in connection with business restructuring, financing, merger, acquisition, or sale processes; and
  • other third parties where the Customer has instructed or authorized such disclosure.

ROSS will not sell your personal data.

11. Suppliers and sub-processors

Where ROSS acts as a processor on behalf of a Customer, ROSS may use sub-processors to support order fulfilment, customization, delivery, hosting, technical support, payment administration, or other processing activities. ROSS shall ensure that sub-processors engaged for processor activities are subject to appropriate contractual obligations, including data protection obligations required under the GDPR where applicable.

Where ROSS acts as an independent controller, it may engage service providers, suppliers, and professional advisers as recipients or processors in accordance with applicable data protection law.

12. International data transfers

ROSS may process or transfer personal data outside the European Economic Area (“EEA”) where necessary for the operation of the Website, Platform, or Services, including where Customers, suppliers, logistics providers, software providers, payment providers, Procurement Systems, or other service providers are located outside the EEA.

Where personal data is transferred outside the EEA, ROSS shall take steps designed to ensure that the transfer is made in accordance with the GDPR. These safeguards may include:

  • transfer to a country that benefits from an adequacy decision issued by the European Commission;
  • Standard Contractual Clauses adopted by the European Commission;
  • transfer impact assessments and supplementary measures, where required;
  • contractual, technical, and organizational safeguards; or
  • another lawful transfer mechanism available under the GDPR.

As of the date of this Privacy Policy, adequacy decisions may apply to certain transfers to jurisdictions such as Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, Uruguay, and, for certified organizations only, the United States under the EU-U.S. Data Privacy Framework. Some adequacy decisions are limited, sector-specific, or subject to conditions, and ROSS will assess the applicable transfer mechanism at the time of transfer.

13. Data retention

ROSS retains personal data only for as long as necessary for the purposes for which it was collected, including for contractual, operational, legal, accounting, tax, audit, dispute-resolution, and legitimate business purposes.

Retention periods may vary depending on the category of data and the processing purpose:

  • account data is retained for as long as the Customer account remains active and for a reasonable period thereafter (i.e., generally for up to five (5) to ten (10) years where necessary to comply with Romanian accounting, tax, contractual limitation, audit, legal defense, and business-record obligations);
  • order, subscription, payment, invoicing, and accounting records are retained for the period required under applicable tax, accounting, and commercial laws (i.e., generally for five (5) years from 1 July of the year following the financial year to which the relevant records relate, unless a longer retention period applies, including for certain financial statements, audit records, disputes, investigations, or legal claims);
  • Customer Materials and customization records are retained for as long as necessary to fulfil the relevant order, manage re-orders, handle claims, and comply with legal or contractual obligations (i.e., generally for up to three (3) years after completion of the relevant order, unless a longer period is required due to an active dispute, legal obligation, or ongoing Customer relationship);
  • support and communication records are retained for as long as necessary to manage the request, maintain business records, and defend potential claims (i.e., generally for up to three (3) years after completion of the relevant order);
  • marketing data is retained until the relevant individual unsubscribes, withdraws consent, objects to processing, or the data is no longer required for marketing purposes;
  • technical logs and security records are retained for a limited period unless longer retention is required for security, fraud prevention, investigation, or legal purposes; and
  • data relating to disputes, claims, or legal proceedings may be retained for the duration of the relevant limitation period and until the matter is finally resolved.

Where personal data is no longer required, ROSS will delete, anonymize, or securely retain it in accordance with applicable law and internal retention practices.

14. Data security

ROSS implements appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include:

  • access controls and account permissions;
  • password protection and authentication measures;
  • secure hosting and infrastructure safeguards;
  • encryption where appropriate;
  • logging and monitoring of relevant systems;
  • internal confidentiality obligations;
  • supplier and service-provider due diligence;
  • data minimization and role-based access;
  • backup, recovery, and continuity measures where appropriate; and
  • incident response procedures.

No method of transmission over the internet or electronic storage is completely secure. Accordingly, ROSS cannot guarantee absolute security; however, it will take reasonable measures designed to protect personal data in accordance with applicable law.

15. Personal data breaches

Where ROSS becomes aware of a personal data breach:

  • ROSS will promptly assess the nature, scope, cause, and likely consequences of the breach, including the categories and approximate volume of personal data concerned, the categories of affected individuals, the risk to the rights and freedoms of individuals, and the measures required to contain, mitigate, and remedy the breach;
  • ROSS will take appropriate technical and organizational steps to respond to the breach, which may include securing affected systems, limiting further unauthorized access or disclosure, recovering or restoring affected data where possible, investigating the incident, documenting relevant facts and remedial actions, and implementing measures designed to reduce the risk of recurrence; and
  • ROSS will notify the competent supervisory authority without undue delay and, where applicable, communicate the breach to affected individuals.

Where ROSS acts as processor on behalf of a Customer, ROSS will notify the Customer without undue delay in accordance with the applicable DPA after becoming aware of the breach and will provide reasonable assistance to enable the Customer to comply with its own breach notification obligations under applicable data protection law.

ROSS will maintain internal records of personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with GDPR accountability requirements.

16. Cookies

ROSS may use cookies and similar technologies on the Website and Platform. Please review ROSS’s Cookie Declaration to find out which categories of cookies are used on the Website and Platform and to understand their functionality and duration.

17. Analytics

ROSS may use analytics tools, including Google Analytics or similar technologies, to understand how users interact with the Website and Platform, improve performance, identify technical issues, and develop the Services.

Where required by applicable law, analytics cookies or similar technologies will be used only with consent. Analytics providers may process technical and usage data in accordance with their own privacy terms.

18. Marketing communications

ROSS may send B2B marketing communications, newsletters, promotional messages, product updates, event invitations, or service announcements where:

  • the recipient has provided consent;
  • ROSS has an existing business relationship with the Customer or relevant business contact and applicable law permits such communications;
  • the communication relates to similar products or services; or
  • another lawful basis is available under applicable law.

Recipients may unsubscribe from marketing communications at any time by using the unsubscribe link included in marketing emails or by contacting ROSS at ross@rainbowidea.com.

Service-related communications, order notifications, subscription notices, legal notices, security alerts, and transactional communications are not marketing communications and may continue to be sent where necessary for the Services or the contractual relationship.

19. Data subject rights

Subject to the conditions and limitations set out under the GDPR, individuals may have the following rights in relation to their personal data:

  • Right of access – to obtain confirmation as to whether ROSS processes personal data relating to them and to receive a copy of such data;
  • Right to rectification – to request correction of inaccurate or incomplete personal data;
  • Right to erasure – to request deletion of personal data in certain circumstances;
  • Right to restriction of processing – to request restriction of processing in certain circumstances;
  • Right to data portability – to receive certain personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where applicable;
  • Right to object – to object to processing based on legitimate interests, including profiling based on legitimate interests, and to object to direct marketing;
  • Right to withdraw consent – where processing is based on consent, to withdraw that consent at any time; and
  • Right not to be subject to certain automated decisions.

Individuals also have the right to file a complaint with a competent supervisory authority: the Romanian National Supervisory Authority for Personal Data Processing (www.dataprotection.ro), another competent national data protection supervisory authority, or the supervisory authority in the EU Member State of their habitual residence, place of work, or place of the alleged infringement.

Data subject requests may be addressed to ROSS at privacy@rainbowidea.com. ROSS may need to verify the identity and authority of the person making the request before responding. Where the request concerns personal data processed by ROSS as processor on behalf of a Customer, ROSS may refer the request to the relevant Customer or assist the Customer in accordance with the applicable data processing agreement.

20. Customer responsibilities

Where a Customer provides personal data to ROSS, including personal data relating to Authorized Users, employees, contractors, representatives, recipients, event participants, clients, or other third parties, the Customer is responsible for ensuring that:

  • the personal data has been collected and provided lawfully;
  • an appropriate legal basis exists for the disclosure and processing;
  • all required notices have been provided to the relevant individuals;
  • all required consents or authorizations have been obtained, where applicable;
  • the data is accurate, complete, and up to date;
  • the Customer is entitled to instruct ROSS to process such data for the relevant order, customization, delivery, procurement, or Service purpose; and
  • Customer Materials do not unlawfully include personal data, third-party rights, or restricted content.

21. Third-party links and services

The Website or Platform may contain links to third-party websites, platforms, payment pages, Procurement Systems, logistics tracking pages, or other third-party services.

ROSS is not responsible for the privacy practices, notices, security, or content of third-party websites or services that are not operated by ROSS. Users should review the privacy policies of the relevant third parties before providing personal data to them.

22. Changes to this privacy policy

ROSS may amend or update this Privacy Policy from time to time to reflect changes made to the Website, Platform, and Services.

The updated version will be published on the Website or Platform with an updated date. Where required by applicable law, ROSS may provide additional notice or request consent.

Continued use of the Website, Platform, or Services after publication of an updated Privacy Policy will be subject to the updated version, without prejudice to any rights available under applicable law.