Privacy Policy

Privacy & Personal Data Protection and Cookie Policy

A. Privacy and Data Protection Policy

1. Introduction

XTREME MASK UP (the "Company”, "we”, "us”, "our”) respects your privacy and is committed to protect and process your personal data fairly and transparently, in accordance with the provisions of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR/the Regulation”). All your personal details and information belong to you and we acknowledge and respect that.

Since visiting

/ ("Website”, "Online Store”) and accessing our online store services (registration, orders) implies collection and processing of your personal data, we have developed and hereby make available to you our Privacy & Personal Data Protection and Cookies Policy ("Privacy Policy”) in order for you to fully understand what data do we collect and when, how and why we use it, to whom do we disclose personal data and how we keep it secure alongside other relevant information. Within this Privacy Policy you can also find information on your rights as data subject and how can you exercise them.

Before accessing, browsing or otherwise using this Site please read carefully this Privacy Policy alongside our Terms & Conditions.

Our Website may contain links to third party websites and services. Please remember that when you use a link to go from our Website to another website or when you request a service from a third party, this Privacy Policy no longer applies and you shall be subject to the third party’s privacy policy.

If anything is unclear to you or should you require more information on any section of this Privacy Policy, please feel free to contact us using the details below.

In order for you to browse this Privacy Policy more easily, please find below a glossary of the relevant legal terms/notions and their definitions/explanations:




EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The entire text of the Regulation is available at




Personal data

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data subject

an identified or identifiable natural person whose personal data is processed.


means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Joint controllers

two or more controllers that jointly determine the purposes and means of processing.


a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.


Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Online identifiers

internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags provided by data subject devices, applications, tools and protocols. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.


any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

2. Who We Are and How to Contact Us

This Website, all the available online services (e.g. personal shopping etc.) and thus all related data processing activities are jointly operated and carried out by the following entities from the XTREME MASK UP Group of companies as joint controllers:

  1. Mainly by XTREME MASK UP RETAIL RO S.R.L., daughter company registered and functioning under Romanian laws, with headquarters in Istanbul , Bucharest, 6th District, 26Z Timisoara Blvd., Office 3B-2, 3rd Floor, duly registered with the Trade Registry Office attached to the Bucharest Tribunal under no. J40/9674/2009, having fiscal registration and VAT no. RO 26054330, for all operations related to the conclusion and execution of the distance sale agreement (orders, shipment etc.);
  2. In subsidiary by XTREME MASK UP MAĞAZACILIK HIZMETLERI TIC. A.Ş., mother company and sole shareholder of XTREME  MASK UP RETAIL RO S.R.L, registered and functioning under Turkish laws, with headquarters in Turkey,  Mehmet NESİH Özmen mh. Köknar sokak aydın han zemin kat 18/z101 MERTER-GÜNGÖREN / İstanbul, Turkey for marketing and profiling purposes.

If you have any questions about this Privacy Policy or want to exercise any of your rights set out in this Privacy Policy, please contact us by one of the following means:

3. What Personal Data Do We Collect & When We Collect It 

3.1. Personal data that XTREME MASK UP collects. Depending upon your interaction with our Website and on the services you choose to use, we can collect the following personal data about you:

(i) Personal Data we obtain directly from you:

• Name and Surname

• Billing and Delivery Address(es)

• Email Address(es) (personal or professional)

• Phone Number(s) (personal or professional)

• Shopping and Purchase information (order number, purchased items, related messages and communications, delivery and return status, order history)

• Payment details (payment status, preferred payment method)

• Account Password and Login details, account ID

• Date of Birth

• Gender

• Shopping preferences or details (category of products you are interested in e.g. ladies wear, style of interest etc.)

• Your interactions with our Customer Relationship Management (any online of phone requests, return requests, complaints etc.)

(ii) Data that we may collect automatically when you interact with this Website and our services, depending on your browser settings, 

• Online identifiers and other data such as:

  • IP Address – When visiting our Website we can collect an automatically populated IP address assigned to your device. An IP address is a unique number which allows a computer, group of computers or other internet connected device (such as your mobile phone or tablet) to browse the internet.
  • Device information (device type, operating system, software versions, configuration settings, internet connection details), including location data
  • Website usage, browsing history, shopping basket content – We can also record the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version.
  • Interaction with our e-mail newsletters through beacons/links that allow us to know if you have read the newsletter and can track you on our Website if you are logged in.
  • Cookie information (please see our Cookie Policy for details).

(iii) Information we may obtain from third parties:

• Social Media – Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you may give us permission to access information from those accounts or services such as (public profile information, your account ID, other information you have agreed to share).

3.2. We Do Not Purposely Collect:

(i) Credit or debit card information

Should you decide to pay for your order online, kindly be informed that your card data is collected and processed directly by the online payment processor and no such data is disclosed to us.

(ii) Personal Data of Children

XTREME MASK UP does not knowingly solicit personal data from children or send them requests for personal data. Although this Website can be accessed by visitors of all ages, we do not intentionally collect personal data from persons under the age of 18. As per our Terms & Conditions customers under the age of 18 are not allowed to create a user account or register for our e-mail newsletter. If you are under the age of 18, please do not try to use any of our services that implies collection of personal data.

In case a person under the age of 18 has registered a user account on our Website by using false information, we shall cancel the child’s account and delete the child’s personal data from our records, upon request from a parent or a legal guardian.

(iii) Special categories of data

XTREME MASK UP does not request you to provide information on your health, racial or ethnic origin, personal beliefs or sexual orientation. However, in case you may deliberately provide us with such details while communicating with us, soliciting our assistance or while submitting a complaint, we shall process such special category data in order to reply, assist you or otherwise settle your complaint.

3.3. When does XTREME MASK UP collect personal data? In general, we collect your data when you decide to interact with us. This could include visiting our Website, purchasing our products online, registering a user account, registering for our newsletter etc.

We collect personal data when you:

  • Visit, access or navigate through our Website;
  • Register a customer account through our Single Sign On ("SSO”) system that has been designed your satisfaction. The SSO enables you to register with the same ID and password through multiple XTREME MASK UP e-commerce platforms all over the countries where we carry e-commerce activities. In other words, one customer account will enable you to shop on any platform and send products to any location where XTREME MASK UP delivers, to track all orders you submitted on various platforms and prevents you from opening multiple accounts and remembering different passwords;
  • Update or modify you profile within your customer account;
  • Submit an order for purchasing our products;
  • Register to receive our e-mail newsletter and interact with our e-mail newsletters;
  • Contact us by telephone, email or online through our "Contact us” Section for any reason (order queries, complaints, website issues);
  • Choose to complete any surveys that we send to you for research purposes (although you are under no obligation to complete these);
  • From time to time, we may also get data about you from third parties, such as when you engage with us via social media. This could include other partners that we have run partnerships, competitions and events with.

4. For what purpose and based on which legal ground do we use your personal data

We use your personal data in several ways and for different purposes, including providing services that you have requested, offering you a personalized experience, processing your orders and requests and informing you about our products.

For a comprehensive, but easy to follow presentation of our purposes and legal grounds, please go through the tables below:





Legal ground

Your name and contact details (billing and delivery address, telephone number, e-mail address)

To process, confirm and fulfil your order, including confirming payment, updating you on the status of your order and shipping the order to you.

Performance of the distance sales contract we have concluded with you, as per article 6 paragraph (1) letter (b) GDPR.

Your name and billing address

Billing and accountancy record keeping.

To comply with our legal obligations, as per article 6 paragraph (1) letter (c) GDPR.

Your name and contact details, order information, payment details,

Refunds and returns.

Performance of the distance sales contract we have concluded with you, as per article 6 paragraph (1) letter (b) GDPR.


We may also have to comply with our legal obligations in record keeping, as per article 6 paragraph (1) letter (b) GDPR.

Your name, contact details, account ID order information and status, payment details (for registered customers)

Customer support and general assistance (answering any questions or complaints)

Performance of the distance sales contract we have concluded with you, as per article 6 paragraph (1) letter (b) GDPR.


In case you have not submitted an order or registered an account, it is our legitimate interest to assist you in any matter regarding our products, Website and services.

Your name and contact details (for unregistered customers)

Your name and contact details

To register your user account and gather necessary data for processing future order from customers.

Performance of the service provision contract we have concluded with you and pre-contractual approaches at your request before concluding the distance sales contract, as per article 6 paragraph (1) letter (b) GDPR.

Password and login information

To verify your identity when you access your account or to contact you to perform security checks.

It is our legitimate interest, as per article 6 paragraph (1) letter (f) GDPR, to verify your identity and to ensure that services are provided to the correct person.

Your name and contact details

In the detection and prevention of fraud or other crimes.

It is our legitimate interest to protect XTREME against fraud and it is also our legal duty to report crimes.

Your name and contact details

To invite you to complete a survey where you have purchased goods on this Website. We may use third parties to send you these surveys and compile responses.

It is our legitimate interest to monitor and further improve the quality of our products and services.

Your payment details

For purposes of fulfilling your order, confirm and receipt your payment, updating the order and payment status of your order and shipping the order to you.

We’ve got to do this to perform our contract with you and our contracts with partners and suppliers who work with us to provide a service to you.

Date of birth

To verify and your age and the fact that you are not a person under the age of 18..

It is our legitimate interest to verify that you have the capacity to conclude a contract with us.


To show you products or the section of the Website dedicated to your gender.

It is our legitimate interest to showcase you XTREME products that could be more relevant to you.

Your name and e-mail and or telephone number, your saved preferences in language and country for registered customers as enabled by SSO system

For marketing purposes such as to send you email and SMS with promotions and offers for XTREME MASK UP goods, as per your preferences.

Your consent, when choosing to subscribe to our newsletter. You are free to unsubscribe from receiving these marketing communications at any time.

Where we have collected your contact details in the process of a sale of our product, XTREME MASK UP shall have compliant permission as per the provisions of the Directive 2002/58/EC on privacy and electronic communications to send you marketing e-mails. We shall send you e-mails to market only XTREME MASK UP products. You shall be able to opt-out from receiving these emails when we first collect your contact details and you shall be able to unsubscribe in every subsequent communication from us.

Your activity on the Website

To monitor and improve the services and the Website, by observing browsing activity and session replays.


Analytical purposes, for understanding and improving our Website performances.

Your consent to cookies. Please see our section on Cookies and our Cookie Policy for more details. You can withdraw your consent and manage your cookie settings at any time.

Your device information, preferences and cookies provided when you browse our website

To tailor your experience online and show you personalized Website pages (in combination with other information you have provided us or our third parties) so that we can offer you goods, services, promotions and offers that we think you will be interested in.

Your consent to cookies. Please see our section on Cookies and our Cookie Policy for more details. You can withdraw your consent and manage your cookie settings at any time.

Data gathered by Advertising Cookies, advertising technologies and other online identifiers, search history, accessed content on our Website.

To target our advertising banners, more precisely to show you XTREME MASK UP advertising on Social Media platforms or on other websites you use.


We use for such purpose several digital marketing networks, ad exchanges and advertising technologies such as advertising cookies, web beacons, pixels, online identifiers, ad tags, including specific services offered by sites and Social Media such as Facebook’s Custom Audience service.

The XTREME MASK UP banners and ads you may see will be based on your activity on our Website (search history and accessed content) or on XTREME MASK UP banners and ads that you have clicked/accessed before.

We will do this only if you have consented to the use of advertising cookies on our Website. Please see our Cookie Policy for more details. You can withdraw your consent and manage your cookie settings at any time.

Your name, gender, Website activity, shopping habits and preferences as resulted from cookies and online identifiers, social media accounts information

Profiling purposes


To combine the information that we collect directly from you with any information that we obtain from third parties to whom you have given your consent to pass that data onto us, (such as the Social Media platforms) in order to create a profile of shopping behavior and to classify our customers into segments, using shopping habits information regarding your personal or professional interests, demographics, experiences with our products and contact preferences.

In principal, this is based on your consent to cookies. Please see our Cookie Policy for more details. You can withdraw your consent and manage your cookie settings at any time.


Secondary it is also our legitimate interest to understand our customers and what will interest them for the best customer experience. These segments help us to understand our customers better. To the extent we receive data from third parties, this will be based on the permission you have given that third party to share your data with us.

Your name, contact details, order information, payment details, purchase history

Defending or fulfilling our rights in court (including the recovery of due amounts)

It is our legitimate interest to seek fulfillment of our rights and do defend ourselves in court against any complaints.

Your name, contact details and all other requested information

Providing the competent authorities and public institutions with the necessary information during official investigations/procedures.

Fulfilling our legal obligations.

5. To Whom Do We Disclose Your Data?

In order to provide our products and services to you, we share your data with XTREME MASK UP employees and several partners, as categorized below:

• XTREME MASK UP employees bound by duty of confidentiality from several departments (Online, Sales, Marketing, IT).

• Companies in the XTREME MASK UP group – all companies within the XTREME MASK UP group adhere to the same standards of data protection and have implemented adequate technical and organizational measures in order to ensure the security of the personal data.

• Partners that help us confirm your order by providing e-mail delivery services.

• Partners that help us get your orders to you by providing fulfillment services (warehouse, order packing and operating return) and shipment/delivery services.

• Partners that help us provide our Website and deliver our marketing and advertising to you, such as IT providers, marketing agencies, advertising partners and website hosts.

• To the extent required by law, search warrant or court order, to public authorities and institutions, judicial research bodies, judicial courts, if we are under a duty to disclose your personal data in order to comply with any legal obligation or if we are seeking defense or fulfillment of our rights in court.

• Companies approved by you, such as social media sites (if you choose to link your accounts to us), and payment service providers, if you choose to perform the payment through their payment service.

• In case we shall sell assets or transfer an area of the business to a new provider, it might be necessary for us to disclose your personal data to the prospective buyer or any third party who acquires our assets or to whom the business is transferred to.

We shall disclose to such partners only the data necessary for them to provide their services.

All our partners have undertaken to ensure and to protect the confidentiality of your data. We have concluded written contracts and data processing agreements with our Partners which provide assurances in relation to their adherence to European data security standards and to the implementation of adequate technical and organizational measures designed to protect your personal data. We do not, and shall not, sell any of your personal data to any third party.

6. Transfers to a third country

We are an international business, therefore we cannot exclude transfers of your personal data outside the European Economic Area (EEA).

When justified or necessary, we will transfer your personal data to partners/entities established or owning servers in third countries in a manner consistent with legal requirements, under the following permitted hypothesis:

  • the European Commission has issued a decision recognizing the adequate character of data protection in the envisaged third country or where the recipient is located in the US, it has to be a certified member of the EU-US Privacy Shield scheme;
  • the recipient has signed a contract based on "standard contractual clauses” approved by the European Commission, obliging them to protect your personal data, or
  • we have obtained your prior explicit consent for a certain transfer or for a set of transfers.

In all cases, however, any transfer of your personal data will be compliant with applicable data protection laws and standards.

Currently, we operate transfers of personal data for storage, logistic and marketing purposes to the following third countries:

  • Turkey – since the European Commission has no issued an adequacy decision in relation to the protection granted by the laws of Turkey to personal data, we perform the transfer based on Standard Contractual Clauses, as approved by the European Commission.
  • USA – we have ensured that all our partners/recipients located in the US are certified members of the EU-US Privacy Shield scheme, as approved by the European Commission.

You can obtain more details of the protection granted to your personal data in case of transfer outside the European Economic Area (including a sample copy of the standard contractual clauses) by contacting us using the details above.

7. Where Do We Store and For How Long Do We Keep Your Personal Data?

Your personal data is stored by XTREME on servers located in countries that are part of the European Economic Area (France and Germany) and also in Turkey.

Our mailing partner stores your personal data used for transmitting marketing e-mails and other communications (order confirmation etc.) on servers located in Vienna, Austria (member of the European Economic Area).

We process and retain personal data only for as long as is necessary to fulfill our purposes, contractual obligations and other legal obligations of storage / archiving, as the case may be.

We shall retain the data only for as long as is necessary and / or prescribed by law for that purpose. For example:

  • Data processed for concluding and performing the distances sales contract will be kept for the entire contractual period plus a maximum period of 3 years during which related rights should reach prescription/statute of limitation.
  • Data processed for user account purposes will be kept for as long as your account is valid. Your account shall be disabled and closed after a period of inactivity of 2 years calculated since the last log-in in that account. This means that personal data that is not subject to archiving or does not refer to an order (distance sales contract) shall be deleted after such period of inactivity. You will be able to register a new customer if your old one has been disabled.
  • Data processed for billing purposes and supporting accounting documents will be kept for a period of 5 up to 10 years, as the case may be, according to the Romanian accounting laws;
  • Data processed under your consent will be processed during the validity period of your consent or until you choose to withdraw your consent or the data is no longer necessary. We reserve the right to ask you periodically to renew your consent;
  • Data processed under our legitimate interest will be processed for a maximum period of 5 years, after which it will be anonymized and processed for statistical purposes.

In some circumstances, such as to meet our legal or regulatory obligations, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may hold on to your personal data after we’ve finished providing services to you, or for longer than our general retention policy.

8. What Are Your Rights as Data Subject?

You have the following rights in relation to the personal data we hold about you:

  • Your right to be informed about how your personal data is being used

You have the right to be provided with sufficient information, in a concise, transparent and easily understandable form, in order for you to gain insight and understanding of our processing activities and thus to ensure transparency of personal data use. For such informational purposes we have designed and made available to you this Privacy Policy.

This Privacy Policy will keep you informed about how we will use your personal data. All necessary details have been provided hereto, so please read it carefully.

  • Your right of access

In brief 

If you submit an access request to us, we shall confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (along with certain other details).

In detail

Upon your request, we will confirm that we process your personal data and, if so, we will provide you with a copy of your personal data that is subject to our processing and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom personal data has been or is to be disclosed, in particular recipients from third countries or international organizations;
  4. where possible, the period for which personal data are to be stored or, if that is not possible, the criteria used to determine that period;
  5. the existence of the right to require the operator to rectify or erase personal data or to restrict the processing of personal data relating to the data subject or the right to object to processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where personal data are not collected from the data subject, any available information on their source;
  8. the existence of an automated decision-making process including the creation of profiles and, in those cases, relevant information on the logic used and the significance and expected consequences of such a processing for the data subject.

If we transfer your data outside of the European Economic Area or to an international organization you have the right to be informed of the appropriate safeguards applied.

The first copy of your personal data is provided free of charge. For additional specimens of the same personal data, we may charge a reasonable additional charge, taking into account the related administrative costs.

  • Your right to correct personal data

If the personal data that we hold about you is inaccurate or incomplete, you are entitled to have it corrected. You can personally do so by updating you user account information. If you do no want to personally update or you do not have a user account, you can submit a request and we shall perform the necessary changes.

If we’ve shared your personal data with others, we’ll let them know about the changes where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal data with so that you can contact them directly.

In order to keep personal data accurate, we may request you to reconfirm/renew your personal data from time to time.

  • Your right to delete personal data

In brief 

Also known as the "right to be forgotten”, this right enables you to request deletion of your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). We shall comply with your request unless we have a reason for keeping your personal data.

If we’ve shared your personal data with others, we shall let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we shall also inform you who we’ve shared your personal data with so that you can contact them directly.

In detail

You may ask us to delete your personal data and we will respond to your request without undue delay, if one of the following circumstances:

  1. Data is no longer required for the purposes for which it was collected or processed;
  2. You withdraw consent to the processing of your data when your data processing is based on your consent and there is no other legal basis on which to process your personal data;
  3. You oppose the processing of your data on our legitimate interest, including the creation of profiles based on this ground, or you oppose data processing for direct marketing purposes, including the creation of profiles for direct marketing purposes;
  4. Your data has been processed unlawfully;
  5. Personal data should be deleted to comply with a legal obligation under Union law or national law;
  6. Personal data have been collected in connection with the provision of information services to children and the basis of processing is consent.
  7. Unless this proves impossible or involves disproportionate efforts, we shall notify each recipient to whom your personal data has been disclosed for erasure purpose. Upon your request, we shall inform you of those recipients.
  8. We reserve the right to refuse deletion of your data when processing is required:
  9. For the exercise of the right to free expression and information;
  10. In order to comply with a legal obligation that applies to us as a personal data controller;
  11. For purposes of archiving in the public interest, scientific or historical research or for statistical purposes, insofar as the deletion of the data is likely to render impossible or seriously impair the achievement of the objectives of the processing;
  12. To establish, exercise or defend a right in court.


  • Your right to restrict us from using your data

In brief 

In certain circumstances (including where we use legitimate interests as set out below) you can ask us to stop processing your personal data or ask for us to limit the ways in which we process this data. However, we can refuse a request in some cases – we shall provide you with information explaining why we have refused your request if we do this.

In detail

You may ask us to block and restrict the processing of your personal data in one of the following circumstances:

  1. Contest the accuracy of the data – in this case, at your request, we will restrict the processing for the period we perform the necessary checks on the accuracy of your data;
  2. Data processing is illegal and you do not want to delete your data;
  3. We no longer need your data for processing, but processed data about you is necessary to establish, exercise or defend a right in court;
  4. You opposed the processing of your data under our legitimate interest, including the creation of profiles based on this basis – in this case, at your request, we will restrict the processing for the period in which we verify that our legitimate rights do not prevail over your rights.

If your data processing has been restricted, we shall only be able to store your data. Any other way of processing out of storage will be done only:

  • after obtaining your consent;
  • for finding, exercising or defending a right in court;
  • to protect the rights of another natural or legal person;
  • for reasons of public interest of the Union or of a Member State.

We will inform you before lifting any processing restriction as set out above.

Unless this proves impossible or involves disproportionate efforts, we will communicate to each recipient to whom your data has been disclosed restricting the processing of such data. At your request, we will inform you of those recipients.

  • Your right to data portability

You have the right to receive the data that concerns you and that you have provided us with in order to transmit such data to another controller, in the following circumstances:

  1. Your data processing is based on your consent or on a contract between us and you;
  2. Your data is processed by automatic means.

We will provide your personal data in a structured, commonly used and machine-readable format.

If technically feasible, you can request that your personal data be transmitted directly to the controller indicated by you.

  • Your right to object

You may request us not to further process your personal data for reasons relating to your particular circumstances and if the processing of your data is based on our legitimate interest. We will cease processing of your data unless we demonstrate that we have legitimate and compelling reasons that justify processing and those reasons prevail over your interests, rights and freedoms, or whether the purpose of the processing is to establish, exercise or defend a right in court.

In addition to the above, you may request that we no longer process your personal data for direct marketing purposes, including the creation of profiles related to that direct marketing.

  • Your rights in relation to automated decision-making and profiling

In brief 

You have the right not to be subject to a decision when it is based on automatic processing, including profiling and if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.

In detail

You have the right not to be subject to a decision when it is based on automatic processing, including not being profiled, if the automatic decision or profiling has legal effects or significantly affects you, except in the following cases:

  1. automatic decision is required to conclude or execute a contract between you and us;
  2. the automatic decision is authorized by European Union or national law applicable to XTREME MASK UP and also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;
  3. Automatic decision is based on your express consent.

If the cases indicated in (a) and (c) above apply, you may request that you exercise the following correlative rights:

  • the right to obtain human intervention on our part;
  • the right to express your point of view;
  • the right to challenge the automatic decision.
  • Your right to withdraw consent

If we rely on your consent as our legal ground for processing your personal data, you are entitled to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of your personal data on the basis of your consent prior to its withdrawal.

  • Your right to stop direct marketing

You are entitled to stop us from using your personal data for direct marketing purposes. You can do this by accessing the unsubscribe link at the bottom of our emails or by sending us a request.

  • Your right to lodge a complaint with the supervisory authority

You have the right to contact the National Supervisory Authority for Personal Data Processing of İstanbul("xtreme”) or the supervisory authority from your homeland or workplace if you believe the processing of your data is not in compliance with the applicable law.

  • Your right to seek judicial remedy

Without prejudice to any other administrative or non-judicial remedy, you have the right to pursue an effective judicial remedy against:

(i) a controller/processor that infringed the rights granted to you by the GDPR;

(ii) a legally binding decision of XTREME MASK UP or any other supervisory authority.

To the extent that you have suffered a moral or material damage as a result of GDPR infringement, you have the right to obtain compensation.


9. How You Can Exercise Your Rights as Data Subject and Our Data Subject Requests Procedure

Submitting a request.  For the exercise of any rights above, please submit your request in writing or by phone, using the contact details indicated above.

Identification of the applicant. In order to be able to properly address and manage your request, we urge you to identify yourself as completely as possible. In case we have reasonable doubts as to the identity of the applicant, we will ask for further information to confirm the alleged identity.

Response time. We will respond to your requests without undue delay, and in any case within one month from the receipt of the request. Insofar as your application is complex or we are in a position to process a large number of requests, we may reasonably postpone the delivery of your response for up to two months with your prior notice.

Providing our answer. We will provide you with our response and any requested information in electronic format, unless you request them to be provided in another format.

In case of refusal. In so far as we refuse to meet your request, we will inform you of the reasons which led to this decision and of the possibility to submit a complaint to XTREME MASK UP  or another competent supervisory authority and to apply for a judicial remedy.

Taxes. Exercising your rights as a data subject is free. However, to the extent that your claims are manifestly unfounded or excessive, especially by taking into account their repetitive character, we reserve the right to refuse the fulfillment of such requests.

10. Automated decision-making & Profiling

In order to provide you with speedy and customized services and to communicate with you efficiently, we might make some decisions about you in an automated way, without our staff intervention. Automated decision-making happens, for example, when we automatically registered your user account after you have inserted the required personal data, when we send you an order receipt confirmation or when we use your personal data for profiling.

You have the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal consequences for you or affects you in a similar significant way. However, this interdiction will not apply if the decision is necessary for the conclusion of a contract, is authorized by law, or it is based on your explicit consent. Nevertheless, our use of automated decision making is not designed or intended to significant affect you as an individual.

As regards profiling, we use it in order to customize adverts for you based on your previous interactions with our Website, purchase behaviors, the way you access our services and where you access our services from. In this way we can achieve sending you adverts that will correspond to your likes and interests. Also, most likely you will not be sent adverts of products that are not available in your area. You can choose to stop being profiled by opting-out of marketing cookies or by updating your cookie preferences if you have previously consented.

11. Confidentiality & Security

We are committed to keeping the personal data you provide to us secure and we will take adequate measures to protect your personal data from loss, misuse or alteration. We do not sell your personal data for any purpose.

We have implemented personal data security policies, rules and technical measures to protect the personal data that we have under our control from any potential threat such as:

  • unauthorized access;
  • improper use or disclosure;
  • unauthorized modification; and
  • unlawful destruction or accidental loss.

All of our employees and data processors (i.e. those who process your personal data on our behalf,), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of your personal data.

The security of our data processing activities is ensured by the implementation of adequate technical safeguards such as pseudonymisation and encryption of personal data and regularly monitoring our servers and IT systems for possible vulnerabilities and attacks.

12. Other provisions

This Privacy Policy and the Cookies Policy have been last updated as off 08.11.2018 and are to be governed by the GDPR and Romanian laws, unless imperative provisions of your own national laws grant you extensive protection as a data subject and/or customer.

This Privacy Policy and the Cookies Policy represents the formalization of the XTREME MASK UP compliance with GDPR and Romanian laws, as per 25th of May 2018.

To ensure that we keep you updated on how we use your personal data and that we comply with all relevant and applicable data protection legislation and recommendations/opinions issued by competent authorities in the data protection field, we will update this Privacy Policy from time to time to reflect any changes we undertake. In case of significant changes, we shall notify you by e-mail (if such data is available to us).

However, we recommend you to review this Privacy Policy including our Cookies Policy periodically.


B. Cookie Policy

We believe that cookies and tracking technologies such as pixels and beacons ("Cookies”) make your experience on our Website more personal and enjoyable. This Cookie Policy will explain to you exactly what they are, what cookies do we use and for what purposes.

1. What are cookies?

In short, cookies are small encrypted text files or pieces of software code that often include an unique identifier. They are stored on your device by a website such as ours. They gather various information about how you are using our Website.

Cookies can be split into the following main categories:

  • after their issuer:
    • First-party cookies – these are issued by the website you have accessed. Their main purpose is to enable the website you visit to memorize your preferences.
    • Third-party cookies – these are cookies that are set by a website other than the one you are on. If you visit a website and a separate operator sets a cookie through that website this would be a third-party cookie.
  • after their persistency:
    • Session cookies – these cookies are used during a browser session and will expire after you close it. They are used for purposes such as remembering what you have put in your shopping basket as you browse around a website.
    • Persistent cookies – these cookies are stored on a device in between browser sessions. This allows your preferences or actions across a website (or in some cases across different websites) to be remembered. They serve multiple purposes including remembering users’ preferences and choices when using a site or to target advertising.

2. What cookies do we use and for what purposes?

When you first access our Website you will be asked to consent to our use of Cookies as described below:

1. Functionality cookies – these cookies make our Website usable by providing functionality that will allow you to shop (page navigation, adding products to your basket etc.) Our site could not function properly without them, therefore this is the only type of cookies for which we do not require your consent.

2. Statystics/Analytical cookies – these cookies help us to understand how visitors interact with our Website. The information collected by these cookies is usually anonymous.

3. Advertising (marketing) cookies – these cookies allow us to personalize our adverts for you by showing you advertising that is relevant to your interest and shopping history. They can also track you through different websites and allow us to show you XTREME MASK UP  advertising banners on third party websites.

4. Other tracking technologies

–  Facebook Pixel Code

A piece of code that lets us measure, optimize and build audiences for our advertising campaigns. The Facebook pixel collects five types of data:

  • Http headers – Anything present in HTTP headers. HTTP headers are a standard web protocol sent between any browser request and any server on the Internet. HTTP headers include IP addresses, information about the web browser, page location, document, referrer and person using the website.
  • Pixel-specific data – This includes the pixel ID and Facebook cookie.
  • Button click data – This includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
  • Optional values – Developers and marketers can optionally choose to send additional information about the visit through custom data events. Example custom data events are conversion value, page type and more.
  • Form Field Names – This includes website field names such as "email”, "address” and "quantity” when a person purchases a product or service. The pixel does not capture field values unless an advertiser includes them as part of advanced matching or optional values.

– Criteo Code

This is used to track you through various selected website and provide you with personalized adverts when you visit such other websites. Banner advertising appears on selected websites with which we are affiliated and we use the information we have learned from cookies to tailor this advertising to things we think you will like, based, for example, on your browsing history.

– Google AdWords (doubleclick)

A tool used to perform paid search marketing activities like retargeting and conversion tracking via the Google browser.

– E-mail beacons

Tiny graphics files that contain a unique identifier that enable us to recognize when someone has opened an e-mail that we have sent them.

4. How can you manage or opt-out of cookies?

You can withdraw your consent and manage your cookie settings at any time by accessing the Manage Cookies section of our Website. Last but not least, please be aware you can set your browser to reject cookies or you can delete them yourself if you wish.

We hope that this Cookie Policy was comprehensive. Should you require further information, please do not hesitate to contact us using the contact details above.