Privacy Policy

Last updated: 28 May 2026

1. Data Controller

SC Nextera Concept SRL, CUI 51687708, Reg. Com. J2025029525006, with registered office at Strada Mărgelelor nr. 16, Bragadiru, Ilfov, Romania. Contact email: contact@diggyparty.ro.

2. Categories of Personal Data Collected

When you make a booking through our platform, we collect the following personal data:

  • Full name — to identify you as the booking holder
  • Email address — to send booking confirmations, QR codes, and cancellation/rescheduling communications
  • Phone number — to contact you regarding your booking if necessary
  • Payment reference (Netopia transaction ID) — to process and verify your advance payment
  • Billing data (address, city, county, country and, for legal entities, company name, CUI/VAT, trade registry number and registered address) — collected only when you request an invoice, in order to issue the fiscal invoice
  • Birthday child's age — collected for Event bookings, to check that the booked slot's age range is appropriate and to provide the illuminated age digit displayed next to the cake
  • Special notes (optional) — any information you choose to enter, including dietary requirements or allergies. We treat allergy-related information as health data (GDPR Art. 9) and process it only on the basis of your explicit consent, given by filling in the field
  • A record of the consents you have given (internal rules, GDPR, parental supervision, photo/video) together with the timestamp at which each consent was given, in order to demonstrate compliance
  • Technical metadata (IP address, browser/user-agent, timestamps) processed by our hosting provider in server logs, for security, fraud-prevention and operational purposes

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Art. 6(1):

  • Contract performance (Art. 6(1)(b)) — processing is necessary to fulfill your booking request, send confirmations, and manage cancellations or rescheduling
  • Legal obligation (Art. 6(1)(c)) — we retain payment records and fiscal invoices as required by Romanian fiscal/accounting legislation
  • Consent (Art. 6(1)(a) and, for health-related notes, Art. 9(2)(a)) — for marketing cookies/pixels and for any allergy or health-related information you choose to enter in the special notes field
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention and the technical operation of the platform (server logs)

4. Purposes of Processing

Your personal data is processed for the following purposes:

  • Creating and managing your booking (confirmation, QR code generation, check-in)
  • Processing advance and final payments via Netopia MobilPay
  • Sending transactional emails (booking confirmation, cancellation, rescheduling, final payment link)
  • Issuing and storing fiscal invoices through our invoicing provider, when you request an invoice
  • Recording the consents you have given so that we can demonstrate compliance with GDPR
  • Compliance with legal and fiscal obligations

5. Data Retention Periods

We retain your personal data for the following periods:

  • Booking data (name, email, phone, special notes, birthday child's age, consents): retained for the duration necessary to fulfill the booking and for a configurable period thereafter (minimum 30 days), then anonymised by our automated data-retention job
  • Payment records: retained for the period required by Romanian fiscal legislation (typically 10 years)
  • Fiscal invoices and the billing data they contain: retained for 10 years, as required by Romanian accounting and fiscal legislation
  • QR code tokens: automatically expire 24 hours after the booked slot ends
  • Server logs and technical metadata: retained by our hosting provider for short operational periods, as defined in their data-processing agreement

6. Third-Party Processors

We share your personal data with the following third-party processors, who process data on our behalf under appropriate data processing agreements:

  • Netopia Payments S.R.L. (MobilPay) — payment processing. Your name, email, phone, and payment amount are transmitted to process the advance and final payments
  • SC OBLIO SOFTWARE SRL (Oblio.eu) — fiscal invoicing. When you request an invoice, your name, email, phone, billing address and (for legal entities) company name, CUI/VAT and trade registry data, together with the booking reference and amount, are transmitted to Oblio so that the fiscal invoice can be issued, stored and reported as required by Romanian law. Legal basis: legal obligation (Art. 6(1)(c) GDPR)
  • Amazon Web Services (AWS SES) — email delivery. Your email address is used to send transactional emails (confirmations, cancellations, final payment link, invoice)
  • Neon (database hosting) — your booking data is stored in a PostgreSQL database hosted by Neon
  • Vercel Inc. — application hosting and serverless compute. All requests to the platform transit Vercel's infrastructure; server logs and platform telemetry may temporarily contain technical metadata (IP address, user-agent, timestamps) for security and operational purposes
  • Meta Platforms Ireland Ltd. (Facebook Pixel) — advertising measurement. Only set if you consent via the cookie banner; collects pseudonymous browser identifiers (IP address, browser data, page views, conversion events) to measure ad effectiveness on Facebook and Instagram. Legal basis: consent (Art. 6(1)(a) GDPR)
  • TikTok Technology Ltd. (TikTok Pixel) — advertising measurement. Only set if you consent via the cookie banner; collects pseudonymous browser identifiers (IP address, browser data, page views, conversion events) to measure ad effectiveness on TikTok. Legal basis: consent (Art. 6(1)(a) GDPR)

7. International Data Transfers

Some of our third-party processors (AWS, Neon, Vercel, Meta, TikTok) may process data outside the European Economic Area (EEA). Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives an adequate level of protection. Netopia and Oblio are established in Romania and process data within the EEA.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can request correction of inaccurate data
  • Right to erasure — you can request deletion of your personal data, subject to legal retention obligations
  • Right to restriction of processing — you can request that we limit how we use your data
  • Right to data portability — you can request your data in a structured, machine-readable format
  • Right to object — you can object to the processing of your personal data

To exercise any of these rights, please contact us at contact@diggyparty.ro.

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

ANSPDCP — Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal

Website: www.dataprotection.ro

Email: anspdcp@dataprotection.ro

Phone: +40.318.059.211

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.