← Back to Plantly

Legal

Privacy Policy

Effective June 2, 2026

1. Who We Are

The plant marketplace at plantly.ro (“Plantly”) is operated by URUNDEAD LABS S.R.L., a Romanian limited liability company. URUNDEAD LABS S.R.L. is the Data Controller for the personal data processed about you in connection with your use of Plantly, as defined in Article 4(7) of the General Data Protection Regulation (GDPR).

  • Legal entity: URUNDEAD LABS S.R.L.
  • Trade Register: J2026034271001 · CUI: 54762154
  • Registered office: Strada Pitar Moș, Nr. 27, Etaj 5, Ap. 17 (La Cabinet Avocat Stanciu-Burileanu Bogdan), Sectorul 1, București, 010452, România
  • Data protection contact: privacy@plantly.ro

References to “Plantly”, “we”, or “us” in this Policy mean URUNDEAD LABS S.R.L. acting in its capacity as operator of the platform and Data Controller.

2. Data We Collect

2.1 Account & Registration Data

When you register, we collect:

  • Username, email address, hashed password
  • First name, last name (optional but improves trust)
  • Delivery address (used for local marketplace matching)
  • Phone number (optional)
  • Date and version of Terms of Service acceptance (legal record)

2.2 Listing & Transaction Data

  • Post titles, descriptions, prices, category selections
  • Photos you upload (stored in our object storage)
  • Conversation messages between buyers and sellers
  • Favourite lists

2.3 Usage & Behavioural Data

To improve the platform and personalise your experience, we automatically collect usage events including:

  • Pages visited, search queries, sort and filter selections
  • Listings you view and how long you spend on them
  • Photos you browse within a listing
  • Listings you save (favourite) or unsave
  • Messages sent and conversations opened
  • Posts you create, edit, or delete
  • Profile views

Each event includes a session identifier (randomly generated per browser tab, stored in sessionStorage), the URL of the page, and a timestamp. If you are logged in, events are linked to your account. Anonymous events (pre-login) are linked only to the session identifier.

2.4 Technical Data

  • IP address and approximate geolocation (country/city level)
  • Browser type, version, operating system
  • Referring URL
  • HTTP request logs (retained for up to 30 days for security purposes)

3. How We Use Your Data

PurposeLegal basis (GDPR)
Provide and maintain the marketplaceContract performance (Art. 6(1)(b))
Account authentication and securityContract performance; Legitimate interests (Art. 6(1)(f))
Record Terms acceptance for legal complianceLegal obligation (Art. 6(1)(c))
Improve platform features and UXLegitimate interests (Art. 6(1)(f))
Analytics and usage statisticsConsent at signup (Art. 6(1)(a))
Fraud and abuse preventionLegitimate interests (Art. 6(1)(f))
Respond to support requestsContract performance (Art. 6(1)(b))

4. Data Retention

  • Account data — retained for the life of your account, plus up to 30 days after deletion (to allow for recovery in case of accidental deletion).
  • Behavioural / event data — retained for 24 months on a rolling basis, then aggregated or deleted.
  • Messages — retained until both parties delete the conversation, then permanently removed.
  • Security logs — 30 days.
  • Terms acceptance records — retained for 7 years to comply with legal record-keeping obligations.

5. Data Sharing

We do not sell your personal data to third parties.

We may share data with:

  • Infrastructure providers — cloud hosting (servers, object storage, database) under strict data processing agreements.
  • Other users — your username and listing details are visible to all users. Your address is only used for internal matching and is never displayed publicly.
  • Law enforcement — where required by a valid legal request, court order, or to protect the safety of users.

6. Cookies & Local Storage

Plantly uses the following client-side storage:

  • localStorage — stores your authentication token (JWT) so you remain logged in between sessions. This data does not expire automatically; clearing your browser storage or logging out removes it.
  • sessionStorage — stores a random session identifier used to group your in-tab events together. This is cleared automatically when you close the tab.

We do not use third-party tracking cookies or advertising networks. All analytics are first-party and collected directly by Plantly servers.

7. Your Rights (GDPR)

Under the General Data Protection Regulation you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure (“right to be forgotten”) — request deletion of your data. Some data may be retained for legal compliance (e.g., Terms acceptance records).
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including behavioural analytics.
  • Withdraw consent — you may withdraw consent for analytics at any time by contacting us. This will not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email privacy@plantly.ro. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in Romania: ANSPDCP).

8. Data Security

We protect your data using industry-standard measures including TLS encryption in transit, bcrypt password hashing, network firewalls, and access control. Despite our best efforts, no system is completely secure. If we become aware of a data breach that affects you, we will notify you in accordance with applicable law.

9. Children's Privacy

Plantly is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has created an account, please contact us at privacy@plantly.ro and we will promptly delete the account and associated data.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified by email or by a prominent in-app notice. The “Effective” date at the top of this page reflects the latest revision.

In this revision (effective June 2, 2026): the Data Controller has been formally identified as URUNDEAD LABS S.R.L. (see §1). No processing purpose, legal basis, retention period, or data subject right has changed; this revision satisfies the controller-identification requirement of GDPR art. 13(1)(a).

11. Contact & DPO

For privacy-related questions or to exercise your rights:

  • Data Controller: URUNDEAD LABS S.R.L.
  • Trade Register: J2026034271001 · CUI: 54762154
  • Postal address: Strada Pitar Moș, Nr. 27, Etaj 5, Ap. 17 (La Cabinet Avocat Stanciu-Burileanu Bogdan), Sectorul 1, București, 010452, România
  • Email: privacy@plantly.ro
Terms of Service← Back to Plantly