Notă de informare privind prelucrarea datelor cu caracter personal
Conformă cu Regulamentul (UE) 2016/679 („GDPR”) și Legea nr. 190/2018.
Versiune document: 1.0 · Data ultimei actualizări: 01.05.2026. Pentru sesizări sau exercitarea drepturilor: contact@imaginariumkids.ro.
Verantwortlicher
Imaginariumkids is the trade name of the workplace operated by SC IMAGINARIUM KIDS S.R.L. (“the controller”), with the following identification details:
- Name: SC IMAGINARIUM KIDS S.R.L.
- Unique registration code (CUI): 52492380
- Trade Register number: J2025069086002
- Registered office: Iași County, Iași Municipality, Mihail Galino Street, no. 35
- Workplace (“Imaginariumkids”): Silk District, Calea Chișinăului 22, Iași
- Contact e-mail for GDPR requests: contact@imaginariumkids.ro
For any questions about personal data processing you can write to the e-mail address above or send your request in writing to the workplace address.
Nützliche Definitionen
- “Personal data” = any information relating to an identified or identifiable natural person (e.g. name, surname, e-mail, phone, date of birth, image).
- “Data subject” = the natural person whose data are processed (parent / guardian, minor, visitor).
- “Processing” = any operation on data: collection, recording, organization, storage, alteration, consultation, use, transmission, deletion, etc.
- “Controller” = the legal entity that determines the purposes and means of processing (in this case, SC IMAGINARIUM KIDS S.R.L.).
- “Processor” = the natural or legal person that processes data on behalf of the controller (IT providers, accounting, courier, e-mail, etc.).
- “ANSPDCP” = the Romanian National Supervisory Authority for Personal Data Processing.
Welche Datenkategorien wir verarbeiten
The controller processes data received directly from the data subject (website forms, reception, phone, e-mail) or resulting from interaction with services (visits, purchases, events).
- Identification data of parent / guardian: name, surname, date of birth, handwritten (digital) signature.
- Contact data: e-mail address, phone number.
- Data about accompanied minors: name, surname, date of birth and, where applicable, particulars explicitly stated in writing by the parent (known allergies, conditions requiring special care).
- Visit data: date / time of access, session duration, areas frequented, any reported incidents.
- Booking and party data: organizer name, number of guests, chosen menu, any notes.
- Billing data (when an invoice is issued): client name / company name, tax ID / personal ID (as applicable), billing address.
- Image data: recordings from surveillance systems (CCTV) and, separately, promotional photos / videos (only with specific consent).
- Technical data collected by the site: IP address, device type, browser, pages visited, visit duration (see “Cookies” section).
Verarbeitung von Daten Minderjähriger
Minors' data are provided by the parent / legal guardian and are processed strictly for carrying out activities, the minor's safety on site and fulfilment of the controller's legal obligations.
- Minors cannot complete the consent form alone; any consent is given by the parent / legal guardian.
- Special health data (allergies, conditions) are processed only if the parent brings them to the controller's attention in writing and solely to provide necessary support.
- Minors' images for promotional purposes (social networks, advertising materials) are used only on the basis of the parent's express consent in the participation agreement form; this consent may be withdrawn at any time on written request.
- If a parent requests deletion of a minor's data, the controller will proceed within a reasonable time, subject to minimum retention required by legal obligations (e.g. record of signed agreements).
Zwecke und Rechtsgrundlagen
Each processing has a clear purpose and a legal basis among those provided in Art. 6(1) GDPR. The table below summarizes the main situations.
- Participation agreement and site access — to allow the minor's entry and document the parent's acceptance. Basis: Art. 6(1)(b) GDPR (performance of contract / pre-contractual steps).
- Bookings, events, parties — to organize and confirm the service. Basis: Art. 6(1)(b) GDPR.
- Service communications (confirmations, schedule changes, answers to questions) — Basis: Art. 6(1)(b) and (f) GDPR (legitimate interests of the controller to deliver the contracted service).
- Video surveillance system (CCTV) in public areas — for visitor safety and asset protection. Basis: Art. 6(1)(f) GDPR (legitimate interest), with information via clearly displayed pictograms.
- Promotional photos / videos (website, Google, YouTube, Facebook, Instagram, TikTok) — Basis: Art. 6(1)(a) GDPR (consent expressed through the agreement form).
- Issuing invoices, accounting records, tax reporting — Basis: Art. 6(1)(c) GDPR (legal obligation, Tax Code, Accounting Law no. 82/1991).
- Handling complaints, defending rights in court or before authorities — Basis: Art. 6(1)(f) GDPR (legitimate interest).
- Direct marketing (newsletter, offers, promotions) — Basis: Art. 6(1)(a) GDPR (separate express consent). This processing is not carried out without the specific checkbox in the form.
Empfänger der Daten
Data are accessed only by authorized controller staff. For certain operations, the controller works with processors that process data under Art. 28 GDPR compliant contracts.
- IT service providers (hosting, e-mail, management systems — including the Flow Manager platform used for play-area client records).
- Financial-accounting service providers, partners for electronic invoicing (ANAF e-Invoice) and tax reporting.
- Online payment services and POS terminals (when payment is by card).
- Courier / postal services when necessary (e.g. sending documents).
- Lawyers, enforcement agents, experts when defending rights requires it.
- Public authorities when a legal obligation or official request requires transmission (police, prosecutor, ANAF, ANSPDCP, courts, etc.).
The controller does not sell or rent personal data to third parties for their own purposes. Data are not transferred to countries outside the European Economic Area unless appropriate safeguards exist under Art. 44-49 GDPR (standard contractual clauses, adequacy decision, etc.); in that case the data subject is informed in advance.
Speicherdauer
Retention periods are set according to purpose and applicable legal obligations.
- Signed participation agreement and mentioned minors' data: for the duration of active participation in activities, plus a reasonable period for defending rights (generally until the general limitation period of 3 years from the last visit, or a longer period imposed by law).
- CCTV video recordings: maximum 30 days, except when an official request or investigation requires longer retention.
- Accounting documents, invoices and supporting documents: 10 years from preparation date, under Accounting Law no. 82/1991, as amended.
- Direct marketing data (if consent exists): until consent withdrawal or, without interaction, maximum 3 years from last activity.
- Complaints and related correspondence: for the time needed to resolve and up to 3 more years after case closure.
- Cookies and technical site data: according to the cookies page table / consent expressed in the cookie banner.
Rechte der betroffenen Personen
As a data subject, you benefit from all rights under Art. 12-22 GDPR. These rights may be exercised free of charge by written request to contact@imaginariumkids.ro or in writing at the workplace address.
- Right of access (Art. 15 GDPR) — you can obtain confirmation of processing and a copy of the data.
- Right to rectification (Art. 16 GDPR) — you can request correction of inaccurate data or completion of incomplete data.
- Right to erasure (“right to be forgotten”, Art. 17 GDPR) — you can request deletion when processing is no longer necessary, when you withdraw consent and no other legal basis exists, etc.
- Right to restriction of processing (Art. 18 GDPR) — in cases provided by law.
- Right to data portability (Art. 20 GDPR) — for data you provided directly, processed by automated means, on the basis of consent or contract.
- Right to object (Art. 21 GDPR) — you can request cessation of processing based on legitimate interest, including total refusal of direct marketing.
- Right to withdraw consent (Art. 7 GDPR) — at any time, without affecting lawfulness of prior processing.
- Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR).
- Right to lodge a complaint with ANSPDCP (supervisory authority) — G-ral Gheorghe Magheru Blvd 28-30, sector 1, Bucharest, www.dataprotection.ro, anspdcp@dataprotection.ro.
- Right to address competent courts.
To respond correctly and avoid sending data to an unauthorized person, the controller may request confirmation of your identity (e.g. by comparing contact details in the request with those on record). The response is sent within one month of receiving the request; this period may be extended by up to two months for complex requests, in which case you will be informed in advance.
Automatisierte Entscheidungen und Profiling
The controller does not take decisions with legal effects or similarly significant effects on the data subject based solely on automated processing or profiling.
Certain internal operations may be automated (e.g. automatic invoice issuance, sending a confirmation e-mail) but do not constitute decisions within the meaning of Art. 22 GDPR.
Datensicherheit
The controller applies reasonable technical and organizational measures, proportionate to the nature of the data and processing risks, under Art. 32 GDPR.
- Restricted access to personal data, by account and password, only for authorized staff.
- Encrypted connections (HTTPS) for data transmission between site and server.
- Internal policies on handling documents with personal data, including secure destruction procedures.
- Logging and periodic review of access to systems containing personal data.
- Notification of authorities and, where applicable, data subjects when a high-impact security breach occurs (Art. 33-34 GDPR).
Beschwerde einreichen
If you believe processing of your data violates GDPR or other legal provisions, we encourage you to contact us first for an amicable resolution.
- Address for GDPR requests: contact@imaginariumkids.ro
- Workplace: Silk District, Calea Chișinăului 22, Iași — reception can take a written complaint.
- Supervisory authority: National Supervisory Authority for Personal Data Processing (ANSPDCP), G-ral Gheorghe Magheru Blvd 28-30, sector 1, Bucharest; www.dataprotection.ro; e-mail: anspdcp@dataprotection.ro.
Änderungen dieser Mitteilung
The controller may update this document at any time, especially when legislation, processing purposes or service providers change. The version in force is the one published on the site, with the last update date shown in the header.
When updates are significant for data subjects (e.g. new purposes, international transfers), the controller may inform the public by other reasonable means (site announcements, e-mail).
Această notă are caracter informativ și nu înlocuiește dispozițiile legale aplicabile. În cazul unor neclarități, precum și pentru exercitarea drepturilor prevăzute la art. 12-22 GDPR, vă rugăm să ne contactați la contact@imaginariumkids.ro.