Skip to content
Home » Privacy


Last modification – November 6th, 2020

Your personal privacy is very important to us. Therefore our principles and procedures in the processing of personal data are conducted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).

1. Definitions

Our data protection policy uses the terms used by the European legislator to adopt the General Data Protection Regulation (GDPR). In order to achieve this objective, we first explain the terminology used:

a) Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one that can be identified, directly or indirectly, especially by reference to an identifier such as a name, identification number, location data, an online identifier or one or more specific physical, physiological, genetic, mental, economic, cultural or social factors of that natural person.

b) Data subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller or data processor.

c) Processing

Processing is any operation or set of operations that is carried out with personal data or with personal data sets, whether or not by automatic means, such as collection, registration, organization, structuring, storage, adaptation or modification, retrieval, consultation, disclosure by transmission, dissemination or otherwise made available, alignment or combination, restriction, deletion or destruction.

d) Restriction of processing

The restriction of processing is the selection of stored personal data, in order to limit future processing.

e) Profiling

Profiling means any form of automatic processing of personal data consisting of the use of personal data to evaluate certain personal issues relating to a natural person, in particular to analyze or anticipate aspects regarding the performance of the natural person in the workplace, the situation economic, health, personal preferences, interests, behavior, location or travel.

f) Pseudonymization

Pseudonymization is the processing of personal data so that personal data can no longer be assigned to a particular data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to provide that personal data cannot be attributed to an identified or identifiable natural person.

g) Operator or controller responsible for processing

The controller or controller responsible for the processing is the natural or legal person, the public authority, the agency or another body which, alone or together with others, determines the purposes and the means of processing the personal data; where the purposes and means of such processing are laid down by Union or Member State law, the operator or specific criteria for its appointment may be provided for by Union or Member State law.

h) Authorized person – Processor

Authorized person – The processor is a natural or legal person, a public authority, an agency or other body that processes personal data on behalf of the operator.

i) Beneficiary

The beneficiary is a natural or legal person, a public authority, an agency or another body, to whom the personal data are disclosed, regardless of whether it is a third party or not. However, public authorities that may receive personal data in an investigation, in accordance with Union or Member State law, are not considered beneficiaries; the processing of this data by the respective public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of processing.

j) Third parties

May have the status of a third person, a natural or legal person, a public authority, an agency or a body, other than the data subject, the operator, the authorized person, who, under the direct authority of the operator or the authorized person, is authorized to process data personal.

k) Consent

The consent of the data subject is any specific, informed and unambiguous indication of the data subject’s wishes by which he, by a statement or by a clear affirmative action, accepts the processing of personal data concerning it.

2. The principles that govern our privacy policy and the processing of personal data

 The principle of legality, fairness and transparency. This principle requires that personal data be processed legally, correctly and transparently in relation to the data subjects.

The purpose limitation principle. This principle requires that personal data must be collected only for the specified, explicit and legitimate purposes.

The principle of collecting the minimum data to reach the purpose for which the consent was obtained. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The principle of keeping the data updated, which provides that the personal data are correct and are updated where necessary.

The principle of data storage strictly for the period for which the consent was obtained. 

This principle requires that personal data be kept in a form that allows the identification of the data subjects for the maximum period of time necessary to process the data.

The principle of providing the security of the data, so that they are complete, confidential and available.

The principle of responsibility. This principle establishes that the operator is responsible for complying with the principles listed in Article 5 (1) of the GDPR and must be able to demonstrate their observance.

3. Name and address of the website operator, within the meaning of the General Data Protection Regulation (GDPR)

Varzopov Mădălin PFA

Adress: Bucharest, 032327, No. 30A, 32-34 Ninsorii Alley, Building C1, T.S. 4, Room 2, Sector 3, România

Tel: +40 734 306 426



 4. Cookies

Our websites use cookies. Cookies are text files that are stored in a computer system through an Internet browser. Many websites and servers use cookies. Many cookies contain a code called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the Internet browser in which the cookie was stored. This allows websites and servers visited to differentiate the individual browser of the topic from other Internet browsers that contain other cookies. A particular Internet browser can be recognized and identified using the unique cookie ID.

By using cookies, we can provide users of this site with more user-friendly services, which would not be possible without the use of cookies.

Through a cookie, the information and offers on our site can be optimized according to the user. Cookies allow us, as mentioned above, to recognize the users of our website. The purpose of this recognition is to facilitate the use of our website. As an example, the website user does not have to enter access data every time the website is accessed, because the data has already been retrieved, and the cookie is stored in the user’s computer system. Another example is a shopping cart cookie in an online store. The online store remembers the items a customer has placed in the virtual shopping cart through a cookie.

The data subject may, at any time, prevent the use of cookies by our website through an appropriate Internet browser setting. In addition, cookies already set can be deleted at any time from your Internet browser. This is possible in all popular Internet browsers. If the data subject disables the setting of cookies in the Internet browser used, not all the features of our site can be fully used. To learn more about this topic, visit the Cookie Policy on the site.

5. Links

This website contains links to other sites. Jack’s Hats (Varzopov Madalin PFA) is not responsible for their privacy policy. We recommend you to consult legal terms and other information regarding the collection of personal information in advance. The rules set out in this text apply only to the information collected on this site.

6. Collection of general data and information

Our website collects a series of general information and data when an automatic user or system requests it. This general data and information is stored in the server log files.

Generally, the collected we collect are:

(1) name and surname

(2) contact address and delivery address

(3) phone number

(4) the types of browser and versions used;

(5) the operating system used;

(6) the website from which a system of access to our website arrives (the so-called references);

(7) the date and time of access;

(8) Internet protocol address (IP address);

(9) Internet service provider of the access system;

(10) any other similar data and information that may be used in the case of attacks on our computer systems.

This data and general information are required for:

(1) the correct provision of the content of the site;

(2) optimizing the content of the site;

(3) placing an order;

(4) providing the authorities with the information necessary for the investigation in the event of a cyber attack.

Therefore, we analyze data and statistical information anonymously, in order to increase our data security and security and to ensure an optimal level of protection of the personal data we process. The anonymous data of the server log files are stored separately from all the personal data provided.

Our website allows fast electronic contact and direct communication with us through an email address (e-mail address). If a data subject contacts us by e-mail or through a contact form, the transmitted personal data is automatically stored. Such personal data voluntarily transmitted by data subjects are stored for the purpose of processing or contacting that person.

In order to be able to execute on time and in accordance with our obligations, your personal data will be disclosed to our trusted contractual partners, carefully select:

  • the provider of the data storage service on external servers located in Romania;
  • the provider of accounting services;
  • the provider of communications and e-mail correspondence services;
  • the provider of mobile telephony services that helps us keep in touch with you, located in Romania;
  • couriers with whom we have concluded a contractual relationship;
  • online payment service processors.

Under the legal obligation, your personal data necessary for the preparation of payment documents will be provided to our contractual partners who provide us with IT services and will be used to submit tax and accounting returns to the tax authorities.

7. The period for which the personal data will be stored

The criteria used to establish the period of storage of personal data are defined by the purpose of the collection and the legal basis (3 years from the date of placing the last order is the limitation period). After the expiry of the respective period, the corresponding data are deleted, if they are no longer necessary for the execution or conclusion of a contract, or if the data subject has not consented to the storage of this data for a certain period of time.

8. Security of personal data

This website takes all the necessary security measures to protect the personal information of our users. When filling in personal data on our site, the information will be protected both offline and online. All personal information will be processed through secure pages that use the SSL encryption system, marked with a padlock symbol in the browser bar.

9. Rights of the data subjects


Once you have consented and become a data subject, you have the right to be informed about everything that happens to your personal data, what it is used for, access it, modify it, and even revoke consent for a particular organization. At the same time, you have the right to access your personal data whenever you want.


Based on this right you can request information regarding all aspects regarding your personal data, collected by the operator (whether your data is processed or not, where they come from, who processes them, for what purpose, for what period of time, where they are stored). Also based on this right you can request a “copy” of personal information, which have been processed.


You can request the rectification, modification of your personal data processed by the operator, after the operator, through internal procedures has verified your identity.


Another important right is to erase (or forget) data. The general principle is that a person has the right to request the erasure of personal data. This right is not an absolute one, which means that there are circumstances in which the data will not be erased at the request of the data subject. For example, if the personal data are used for complying with a legal obligation or for the safety of public health, for scientific research then the right to delete the data may be denied to the data subject.


According to the GDPR, a person has the right to restrict the processing of personal data under various circumstances. For example, a data subject may restrict the processing of personal data when he or she thinks they are inaccurate. In this case, the person will be able to restrict the processing of the data until their accuracy is verified. Another case of data processing restriction is the time when the data subject objects to the processing.


You also have the right to data porting. In the absence of other contractual conditions (of which you should be informed before consenting to data processing) you can move your data from one provider to another in an easy and fast way.


This right includes: the right to oppose processing and the right to oppose the automatic decision-making process and the creation of profiles.


This right wants to defend the people of certain decisions with potential negative that could be taken without human intervention. The GDPR defines the creation of profiles as any automated form of processing in order to evaluate certain personal aspects of the individual, such as job performance, health, personal preferences, economic situation, location and others. If an organization uses profile creation, it must take certain security measures. For example, to use correct mathematical or statistical procedures, personal data to be secured, measures to allow anomalies to be corrected with a minimum risk of errors. Remember, the automated decision-making process should never be applied to a child.


By a manifestation of will symmetrical to the one by which you gave your consent, you will be able to withdraw it at any time, and we will take this withdrawal into account.

When exercising any of these rights, if there are no legal impediments, we will comply with the provisions of the GDPR Regulation, operating those requested by the data subject and informing the data subject about the steps taken.

All these rights can be exercised by a simple request addressed to Varzopov Madalin PFA, as an operator, at our headquarters or at the email address:

10. Final provisions

By entering into this Agreement, the user confirms that it has acquainted itself with these Personal Data Protection Rules.

If necessary, Mădălin Varzopov PFA may update these Personal Data Protection Rules. The current version of the Privacy policy will always be available on the website If a significant change occurs within these Privacy policy in regard to the manners of handling personal data, the user will be informed by a notification published in a visible manner regarding the implementation of such changes.