1. Who we are — the Controller
The data controller responsible for your personal data is:
Herbs Fusion SRL (trading as Meridian Advisory)
Registered office: Str. Ceahlău 24, Voluntari, Ilfov, 077190, Romania
Trade Register no.: J23/6579/2021 · Sole registration code (CUI): 45107350 · VAT: RO45107350
Email: hello@gomeridian.eu
We have not appointed a statutory Data Protection Officer (DPO) as we are not required to under Article 37 GDPR; however, you may direct all privacy queries to the email above. As we are established in the European Union (Romania), an Article 27 representative is not required.
2. Scope
This policy applies to personal data we process about visitors to this website, prospective and actual clients and their representatives, newsletter subscribers, and other individuals who contact us. It does not apply to third-party websites we link to.
3. The personal data we process
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, business email, telephone, company/brand name, role | You |
| Enquiry & commercial data | Approximate revenue, target markets, your message, product/formulation details you submit for a compliance screen | You |
| Order & transaction data | Products purchased, order value, billing details, payment confirmation (we do not store full card numbers) | You / payment provider |
| Technical & usage data | IP address, device and browser type, operating system, pages viewed, referring source, time stamps, interactions | Collected automatically via cookies (see §6) |
| Marketing preferences | Your consent choices and subscription status | You |
We do not intentionally collect special categories of data (Article 9 GDPR). Please do not send us such data unless strictly necessary.
4. Purposes and legal bases (Article 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Responding to enquiries and preparing quotes/proposals | Art. 6(1)(b) — pre-contractual steps at your request; and/or 6(1)(a) consent |
| Providing our services and performing your order | Art. 6(1)(b) — performance of a contract |
| Taking payment and keeping accounting/tax records | Art. 6(1)(c) — legal obligation (Romanian accounting and tax law) |
| Sending our newsletter/marketing (where you subscribe) | Art. 6(1)(a) — consent (withdrawable at any time) |
| Analytics cookies to measure and improve the site | Art. 6(1)(a) — consent |
| Advertising and remarketing cookies (Meta, Google, TikTok) | Art. 6(1)(a) — consent |
| Site security, fraud prevention, and defending legal claims | Art. 6(1)(f) — legitimate interests |
Where we rely on legitimate interests, we have balanced those interests against your rights; you may object at any time (see §10).
5. If you do not provide data
Identity and contact data are necessary to respond to you and to enter into and perform a contract. Without it we may be unable to provide our services. Analytics and marketing data are optional and depend on your consent.
6. Cookies, analytics and advertising
We use strictly necessary cookies to operate the site and process orders. We do not place analytics or advertising cookies until you give consent through our cookie banner. With your consent we use:
- Google Analytics 4 (Google Ireland Ltd.) — audience measurement and site improvement.
- Meta Pixel (Meta Platforms Ireland Ltd.) — advertising measurement and remarketing on Facebook and Instagram.
- Google Ads — conversion tracking and remarketing.
- TikTok Pixel (TikTok Technology Ltd.), where used — advertising measurement.
You can change or withdraw consent at any time via the cookie banner or the “Cookie settings” link in the footer, and via your browser settings. You may opt out of personalised advertising through Google Ads Settings, your Meta ad preferences, and youronlinechoices.eu. See our Cookie Policy for the full list, purposes and durations.
7. Who we share your data with (recipients & processors)
We disclose personal data only to trusted recipients who process it on our behalf under Article 28 GDPR data-processing agreements, or where required by law:
- Website and hosting: Shopify International Ltd.
- Analytics and advertising: Google, Meta, TikTok (subject to your consent)
- Payment processing: our payment service providers
- Email, CRM and communication tools
- Our vetted EU and international partners (regulatory, legal, customs and fulfillment specialists) strictly where needed to deliver your engagement
- Professional advisers, auditors, and public authorities where legally required
We do not sell your personal data.
8. International transfers
Because we operate a corridor between India and the European Union, and use service providers that may process data outside the European Economic Area (including in India and the United States), your data may be transferred internationally. Where this occurs, we rely on an adequacy decision where available, or on appropriate safeguards under Article 46 GDPR — principally the European Commission’s Standard Contractual Clauses — and supplementary measures where necessary. You may request a copy of the relevant safeguards by contacting us.
9. How long we keep your data (retention)
| Data | Retention period |
|---|---|
| Enquiries that do not become clients | Up to 24 months from last contact |
| Client engagement records | Duration of the engagement + up to 3 years (limitation periods) |
| Invoicing and accounting records | Up to 10 years (Romanian accounting law) |
| Newsletter data | Until you unsubscribe/withdraw consent |
| Cookie/analytics data | Per the durations in the Cookie Policy |
When no longer needed, data is securely deleted or anonymised.
10. Your rights
Subject to the conditions in the GDPR, you have the right to: (a) access your data; (b) rectification; (c) erasure (“right to be forgotten”); (d) restriction of processing; (e) data portability; (f) object to processing based on legitimate interests or to direct marketing; and (g) withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any right, email hello@gomeridian.eu. We will respond within one month (extendable by two further months for complex requests). We may need to verify your identity.
You also have the right to lodge a complaint with a supervisory authority — in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, www.dataprotection.ro — or with the authority in your country of residence.
11. Automated decision-making
We do not carry out automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.
12. Children
Our website and services are directed at businesses and professionals and are not intended for children. We do not knowingly collect data from anyone under 16.
13. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or alteration, including access controls, encryption in transit, and vendor due diligence. No transmission over the internet is completely secure, but we continually review our safeguards.
14. Changes to this policy
We may update this policy from time to time. The “last updated” date shows the current version, and we will highlight material changes on this page.
15. Contact
For any question about this policy or your personal data, contact hello@gomeridian.eu.