Privacy Policy

S.C. Nupsala EU S.R.L. understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, www.nupsala-eu.com (“Our Site”), and will only collect and use personal data in ways that are described here, and in a manner consistent with Our obligations and your rights under EU Regulation 2016/679 (GDPR) and Romanian Law no. 506/2004 as amended by Law no. 235/2015.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is deemed to occur upon your first use of Our Site. You will be required to read and formally accept this Privacy Policy when signing up for an Account. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.

1. Definitions and Interpretation

In this Policy, the following terms shall have the following meanings:


“Account”	An account required to access and/or use certain areas and features of Our Site.
“Cookie”	A small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in section 13 below and in Our Cookie Policy.
“Cookie Law”	The relevant parts of the EU ePrivacy Directive (2002/58/EC) as transposed into Romanian law by Law no. 506/2004 (as amended by Law no. 235/2015), together with GDPR (EU Regulation 2016/679).
“GDPR”	EU Regulation 2016/679 — the General Data Protection Regulation, directly applicable in Romania and all EU member states.
“ANSPDCP”	Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — the Romanian data protection supervisory authority. Contact: www.dataprotection.ro [email protected]
“Personal Data”	Any and all data that relates to an identifiable person who can be directly or indirectly identified from that data, as defined by GDPR Article 4(1).
“Processing”	Any operation performed on personal data, including collection, storage, use, disclosure, or deletion, as defined by GDPR Article 4(2).
“We/Us/Our”	S.C. Nupsala EU S.R.L., a company registered in Romania (CUI: RO50494326, Nr. Reg. Com.: J/2024019405001), whose registered address is Str. Lupului, nr. 57, Râșnov, jud. Brașov, Romania. We are the Data Controller for the purposes of GDPR.

2. Information About Us

Our Site is owned and operated by S.C. Nupsala EU S.R.L., the Data Controller for personal data processed through this Site.
1. CUI (Fiscal Code): RO50494326
2. Trade Register Number: J/2024019405001
3. Registered address (Sediul social): Str. Lupului, nr. 57, Râșnov, or. Râșnov, jud. Brașov, Romania
4. Working address (Punct de lucru): Str. Ghimbavului, nr. 80P, Hala B4, sat Cristian, comuna Cristian, jud. Brașov, Romania
5. Email: [email protected]
6. Telephone: +40 (752) 218 784 2.2
We are authorised to distribute veterinary medicinal products by the Direcția Sanitară Veterinară și pentru Siguranța Alimentelor Brașov — ANSVSA Authorisation Nr. 11 din 21.04.2026.
We have assessed Our obligations under GDPR Article 37 and determined that a Data Protection Officer (DPO) is not mandatory for Our current processing activities. All data protection enquiries should be directed to [email protected].

3. What Does This Policy Cover?

This Privacy Policy applies to your use of Our Site and describes how We collect, use, store, and share your personal data. Our Site may contain links to other websites. We have no control over how your data is collected, stored, or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.

4. Your Rights

As a data subject, you have the following rights under GDPR. These rights are set out in full in section 11 below, together with how to exercise each one:

Right	What it means	How to exercise it
Right to be informed (Art. 13–14)	To know what data We collect, why, and how it is used.	This Privacy Policy fulfils this obligation.
Right of access (Art. 15)	To receive a copy of the personal data We hold about you.	Email [email protected] — we will respond within 30 days, free of charge.
Right to rectification (Art. 16)	To have inaccurate or incomplete personal data corrected.	Contact Us at [email protected] or update your Account directly.
Right to erasure (Art. 17)	To request deletion of your personal data (‘right to be forgotten’), where no legal basis to retain it exists.	Email [email protected]. Note: some data must be retained for legal compliance.
Right to restriction (Art. 18)	To request that We temporarily stop processing your data while a complaint or query is resolved.	Contact Us at [email protected].
Right to data portability (Art. 20)	To receive your personal data in a structured, machine-readable format for reuse elsewhere.	Email [email protected].
Right to object (Art. 21)	To object to processing based on legitimate interests, including direct marketing.	Contact Us at [email protected] or use the unsubscribe link in any marketing email.
Rights re: automated decisions (Art. 22)	Not to be subject to decisions made solely by automated processing that significantly affect you.	We do not carry out automated decision-making or profiling that produces legal effects.
Right to withdraw consent (Art. 7(3))	To withdraw consent at any time where consent is the lawful basis for processing.	Use the unsubscribe link in emails, or contact [email protected].
Right to lodge a complaint (Art. 77)	To complain to the Romanian supervisory authority (ANSPDCP) at any time.	ANSPDCP: www.dataprotection.ro [email protected]

If you have any concern about Our use of your personal data, please contact Us at [email protected]. If We are unable to resolve the issue, you have the right to lodge a complaint with the ANSPDCP at any time — www.dataprotection.ro.

5. What Data Do We Collect?

Depending upon your use of Our Site, We may collect some or all of the following personal and non-personal data:

Category	Data collected	Source
Identity data	Full name, job title, profession	Provided by you on registration or order
Business data	Company or practice name, professional licence number	Provided by you on registration
Contact data	Email address, telephone number, delivery and billing address	Provided by you on registration or order
Professional data	Veterinary or medical registration details, licence category	Provided by you — required for regulated product purchase
Animal data	Information about the animals in your care (species, condition)	Provided by you when relevant to an order
Financial data	Payment card details (processed directly by Stripe — not stored by Us), transaction history	Generated during order process
Technical data	IP address, browser type and version, operating system, device type	Collected automatically via Our Site
Usage data	Pages visited, time on site, referring URLs, exit URLs, click paths	Collected automatically via analytics tools
Cookie data	See Our Cookie Policy	Set by Our Site and third-party services
Marketing preferences	Whether you have opted in to marketing communications	Provided by you on registration or via email preferences

We do not collect any special category personal data (as defined by GDPR Article 9) relating to humans — such as health, racial or ethnic origin, political opinions, or biometric data. Animal health data linked to your professional account is not considered special category data under GDPR.

6. How Do We Use Your Data?

All personal data is processed lawfully, fairly, and transparently in accordance with GDPR. We will always have a lawful basis for processing. The table below sets out each purpose for which We process personal data, the data used, the lawful basis, and the retention period.

Processing Purpose	Data Used	Lawful Basis (GDPR Art. 6)	Retention
Account creation and management	Name, email, company name, profession, password (hashed)	Art. 6(1)(b) — performance of a contract	3 years after last login or order
Order processing and fulfilment	Name, address, contact details, payment info, order history	Art. 6(1)(b) — performance of a contract	7 years (Romanian accounting law obligation)
Delivery of Goods	Name, delivery address, telephone number	Art. 6(1)(b) — performance of a contract	Duration of delivery + 6 months
Payment processing	Payment card data (via Stripe — not stored by Us)	Art. 6(1)(b) — performance of a contract	Transaction records: 7 years
Customer support and enquiries	Name, email, content of enquiry	Art. 6(1)(f) — legitimate interests (responding to customers)	2 years after last interaction
Sending transactional emails (order, dispatch, account notices)	Name, email	Art. 6(1)(b) — performance of a contract	Duration of account + 1 year
Direct marketing emails (if opted in)	Name, email, preferences	Art. 6(1)(a) — consent	Until consent is withdrawn
Site analytics (Google Analytics)	Anonymised IP, pages visited, session data	Art. 6(1)(f) — legitimate interests (improving Our Site)	13 months (Google Analytics default)
Fraud prevention and site security	IP address, browser data, session data	Art. 6(1)(f) — legitimate interests (security)	6 months
Legal compliance (e.g. ANSVSA audit, tax records)	Order data, customer details	Art. 6(1)(c) — legal obligation	As required by applicable law (min. 5–7 years)
Veterinary Medicines Directorate reporting	Order data for prescription products	Art. 6(1)(c) — legal obligation (ANSVSA / EU veterinary law)	As required by ANSVSA regulations

Where We rely on legitimate interests as Our lawful basis, We have conducted a balancing test to ensure that Our interests do not override your fundamental rights and freedoms.
Where We rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent for marketing emails, use the unsubscribe link in any email or contact [email protected].
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

7. How and Where Do We Store Your Data?

We only keep your personal data for as long as is necessary for the purposes for which it was collected, as set out in the retention periods in section 6 above.
Your data is stored on secure servers located within the European Economic Area (EEA). We do not store personal data outside the EEA unless adequate safeguards are in place (see section 9 on International Transfers).
We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
1. Encrypted data transmission (HTTPS/TLS) across all pages of Our Site
2. Secure hosting infrastructure with restricted access controls
3. Password hashing — We never store passwords in plain text
4. Access limited to authorised personnel on a need-to-know basis
5. Regular review of our data processing activities and security measures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, We will notify the ANSPDCP within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required by GDPR Article 34.

8. Do We Share Your Personal Data?

We do not sell your personal data to third parties. We may share your personal data with trusted third parties who act as data processors on Our behalf, or where required by law. The table below sets out all third parties with whom We may share your data, and the basis for doing so.

Third Party	Role	Data shared	Safeguard
Stripe Payments Europe Ltd	Payment processing	Name, billing address, card data (processed directly by Stripe — not stored by Us)	GDPR-compliant; SCCs; PCI-DSS certified
Delivery couriers (DPD, GLS, or equivalent EU carrier)	Goods delivery	Name, delivery address, telephone number	Data Processing Agreement in place
Google LLC (Google Analytics)	Website analytics	Anonymised IP, session data, device info	SCCs (EC Decision 2021/914); IP anonymisation enabled
Zoho Corporation B.V. (EU)	Live chat (SalesIQ), page analytics (Pagesense)	Chat messages, session identifiers	SCCs; Zoho EU DPA; data stored in Netherlands
Cloudflare Inc.	CDN, DDoS and bot protection	IP address, HTTP request metadata	SCCs; Cloudflare DPA
CookieYes Ltd	Cookie consent management	Consent records (timestamp, preferences, user ID)	GDPR-compliant; data stored in EU
WooCommerce / Automattic	E-commerce platform	Order data, customer data (stored in Our database)	GDPR-compliant; data stored on Our hosting server in EU
Mailchimp / Intuit Inc. (if used for email marketing)	Email marketing (opt-in only)	Name, email address	SCCs; Mailchimp DPA
ANSVSA / DSVSA Brașov	Regulatory compliance — veterinary medicines	Prescription order records as required	Legal obligation under Romanian veterinary law

All third-party data processors are subject to a Data Processing Agreement (DPA) or equivalent safeguard. They are only permitted to process your data for the specific purposes We instruct and may not use it for their own purposes.
We may compile anonymised, aggregate statistics about the use of Our Site (traffic, usage patterns, sales volumes). This data cannot identify you and may be shared with partners, investors, or affiliates.
We may be legally required to disclose your personal data to law enforcement, regulatory authorities (including ANSVSA or ANSPDCP), or courts in accordance with applicable law.

9. International Data Transfers

Some of the third-party services We use transfer personal data outside the European Economic Area (EEA) — in particular Google Analytics (USA), Cloudflare (USA), and potentially Zoho (India fallback). All such transfers are made subject to appropriate safeguards under GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914.
For Google Analytics, We have enabled IP anonymisation. The last octet of your IP address is masked before any data is stored or processed by Google.
You can obtain a copy of the relevant SCCs and Data Processing Agreements from each provider’s website or by contacting Us at [email protected].
Full details of international transfers, including destinations and safeguards for each service, are set out in Our Cookie Policy (section 6).

10. What Happens If Our Business Changes Hands?

We may from time to time expand or reduce Our business and this may involve the sale or transfer of all or part of Our business. Any personal data that you have provided will, where relevant to any part of Our business being transferred, be transferred along with that part. The new owner or controlling party will be permitted to use that data only for the same purposes for which it was originally collected.
If any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

11. How Can You Control Your Data?

In addition to the rights set out in section 4, when you submit personal data via Our Site, you may be given options to restrict Our use of your data. In particular, you have strong controls over Our use of your data for direct marketing, including the ability to opt out of receiving marketing emails at any time.
To opt out of direct marketing, you may:
1. Click the unsubscribe link in any marketing email;
2. Update your preferences in your Account; or
3. Contact Us at [email protected].
EU residents may also register with national do-not-contact registries available in their country of residence to limit unsolicited marketing approaches. Please note that such registrations do not prevent marketing you have specifically consented to receive.
You may restrict Our use of Cookies at any time via Our cookie settings banner or by managing your browser settings. See Our Cookie Policy for full details.

12. How Can You Access Your Data?

You have the right to request a copy of any personal data We hold about you (a Subject Access Request). Under GDPR, this is free of charge and We will respond within 30 calendar days of receiving your request.
To submit a Subject Access Request, please contact Us at [email protected], clearly stating that you are making a Subject Access Request and providing sufficient information for Us to identify you and locate your data.
We may ask you to verify your identity before processing your request. This is to protect your data and ensure We do not disclose it to anyone other than you.

13. Our Use of Cookies

Our Site uses Cookies and similar technologies. First-party Cookies are placed directly by Us. Third-party Cookies are placed by external services including Google Analytics, Zoho SalesIQ, and Cloudflare. We obtain your explicit consent before placing any non-essential Cookies via Our cookie banner. For full details of all Cookies used on Our Site — including their names, purposes, providers, retention periods, and your consent options — please refer to Our Cookie Policy.

14. Contacting Us

For any questions about this Privacy Policy, to exercise any of your rights under GDPR, or to submit a Subject Access Request, please contact Us:

Email: [email protected]

Telephone: +40 (752) 218 784

Post: S.C. Nupsala EU S.R.L., Str. Ghimbavului, nr. 80P, Hala B4, sat Cristian, comuna Cristian, jud. Brașov, Romania

We will acknowledge your request within 5 working days and respond fully within 30 calendar days. If We need additional time (up to a further 60 days for complex requests), We will inform you within the initial 30-day period.

If you are not satisfied with Our response, or if you believe We are processing your personal data unlawfully, you have the right to lodge a complaint with the Romanian supervisory authority:

Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Address: B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania

Website: www.dataprotection.ro

Email: [email protected]

15. Changes to Our Privacy Policy

We may change this Privacy Policy from time to time, for example if the law changes or if We change the way We process personal data. Any changes will be posted on this page with an updated date at the top. Where changes are material, We will notify you by email (if We hold your email address) or by a prominent notice on Our Site. We recommend that you check this page regularly to keep up-to-date.

Your continued use of Our Site after any changes constitutes acceptance of the revised Privacy Policy. If you do not agree with any changes, you must stop using Our Site.

16. Governing Law

This Privacy Policy is governed by and construed in accordance with Romanian law and EU law, including GDPR (EU Regulation 2016/679) and Romanian Law no. 506/2004 (as amended by Law no. 235/2015). Any disputes arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the Romanian courts, without prejudice to your right to lodge a complaint with the ANSPDCP.

Product Categories

Veterinary Pharmaceutical Products

Biologics

Consumables

Cascade Use Products

Capital Equipment

Materials

Rehabilitation