Privacy policy
In plain English
Each section ends with a plain-English summary in a grey box. The full legal text sits right above it.
This Privacy Policy explains how NEVEROVER SRL collects, uses, shares, and protects your personal data when you shop with us, browse neverover.com, or contact us. We keep it plain and specific. If anything is unclear, email our privacy team at privacy@neverover.com and we'll explain.
1. Who we are
NEVEROVER SRL is the data controller for the personal data described in this policy. That means we decide why and how your data is processed, and we are accountable for it under the GDPR, the UK GDPR, and Romanian data-protection law.
| Detail | Information |
|---|---|
| Controller | NEVEROVER SRL, trading as Neverover® |
| Registered office | Șoseaua Mihai Bravu nr. 199, 021323 Bucharest, Romania |
| VAT | RO42708372 |
| CUI | 42708372 |
| Trade Register | J2020007244409 |
| Privacy contact | privacy@neverover.com |
| General support | support@neverover.com |
We handle every privacy request in writing so there's a clear record. Please send data-protection questions and requests to privacy@neverover.com rather than our general support inbox, so they reach the right people quickly. We have not appointed a statutory Data Protection Officer, as our processing does not trigger that requirement, but the privacy team above is your single point of contact for everything in this policy.
Basically
NEVEROVER SRL, a Romanian company, decides how your data is used and is responsible for it. Reach our privacy team at privacy@neverover.com.
2. Scope
This policy covers personal data we process when you:
- visit or browse neverover.com and our related storefronts;
- create an account or place an order;
- sign up for our newsletter, SMS, or other marketing;
- contact us for support or interact with us on social media;
- take part in a survey, review, promotion, or competition.
It applies to shoppers and visitors worldwide. Where the GDPR, UK GDPR, the California Consumer Privacy Act, or another regional law gives you extra rights, we call that out in a clearly labelled block. Our products and services are aimed at adults; see Section 18 on children.
Some services we link to — payment providers, social platforms, shipping carriers — have their own privacy policies. This policy covers our processing as controller, not theirs. Where one of these providers acts as an independent controller of your data (for example, a social platform using data it collects directly from you), that activity is governed by their policy, and we flag those relationships in Section 10.
Basically
This policy covers everything we do with your data across our store. Where you live can give you extra rights, and we flag those.
3. How this policy works
We've written this in plain language. Each section ends with a short "Basically" recap in a grey box, and the full detail sits above it. Where a right or rule only applies to certain shoppers, you'll see a labelled block such as "If you're in the EU / UK" or "California residents."
This Privacy Policy sits alongside two related documents:
- Our Terms of Service, which govern your use of the store and your purchases.
- Our Cookie Policy, which explains the cookies, pixels, and similar technologies we use and how to control them.
If there's ever a conflict between this policy and a specific notice we give you at the point we collect data (for example, a notice on a competition form), that specific notice applies to that collection.
Basically
Read this with our Terms and our Cookie Policy. Every section has a plain-English summary at the bottom.
4. Personal data we collect
We collect only what we need to run the store, fulfil your orders, and improve what we do. Depending on how you use neverover.com, that includes:
- Identity and contact data — your name, email address, and the delivery and billing details you give us. If you add a phone number for delivery updates, we store it; note that we run support by email and do not operate a phone line.
- Account credentials — your username, a securely hashed password, and the unique identifiers that secure your account.
- Orders and purchase history — what you bought, prices paid, order dates, and records of returns, exchanges, and refunds.
- Payment data — your payment is processed by our payment provider. Card numbers are tokenized and held by the processor, not by us; we never see or store your full card details. We keep limited records such as the payment method type, the last four digits, and the transaction result.
- Delivery and address data — shipping and billing addresses, delivery instructions, and carrier tracking information.
- Communications and support — the emails, contact-form messages, reviews, and survey responses you send us, and our replies.
- Marketing preferences and engagement — whether you've opted in to email or SMS, your preferences, and how you interact with our messages (for example, opens and clicks).
- Device, network, and online-activity data — IP address, device and browser type, operating system, approximate (coarse) location derived from your IP, and how you navigate and use our site, collected through cookies and similar technologies.
- Inferences and segments — preferences and audience segments we build from your browsing and purchase behaviour (for example, the product categories you favour) to make marketing more relevant.
- User content — reviews, photos, comments, or other content you choose to post on our store or tag us in.
We do not seek to collect special-category data (such as health, biometric, or political data) and ask that you don't send it to us. The only data California law treats as "sensitive" that we routinely handle is your account login in combination with your password, which we use solely to secure your account.
Basically
We collect your contact and order details, how you use the site, and your marketing preferences. Your full card number stays with the payment processor, never with us.
5. Where we get your data
We get personal data from three places:
- Directly from you — when you create an account, place an order, sign up for marketing, post a review, enter a promotion, or contact us.
- Automatically — from your device as you use our site, through cookies, pixels, and server logs (see our Cookie Policy).
- From third parties — our payment provider confirms whether a payment succeeded, shipping carriers send delivery updates, and advertising and analytics partners tell us how you interacted with our ads. We may also receive data if you engage with us through a social platform.
Basically
Most of your data comes straight from you. The rest is collected automatically as you browse, or shared by our payment, shipping, and advertising partners.
6. Why we process your data
We use your personal data to:
- Fulfil your orders — take payment, arrange delivery, and handle returns, exchanges, and refunds.
- Run your account — create and maintain your profile, and let you track orders and start returns.
- Provide support — answer your questions and resolve issues by email.
- Send marketing you've asked for — newsletters, SMS, and offers, and measure how they perform.
- Personalise and improve — tailor recommendations and content, and analyse how the store is used so we can make it better and faster.
- Keep things secure — detect and prevent fraud, abuse, and unauthorised access.
- Meet our legal duties — comply with Romanian fiscal, accounting, and consumer law, and respond to lawful requests from authorities.
The table in Section 7 maps each of these purposes to the legal basis we rely on, the data it uses, and how long we keep it, so you can see exactly how the pieces fit together.
Basically
We use your data to get your order to you, run your account, support you, send marketing you opted into, improve the store, prevent fraud, and meet the law.
7. Our legal bases
Whenever we process personal data, we rely on a lawful basis to do it. The basis depends on the purpose.
If you're in the EU / UK
Under the GDPR and UK GDPR we rely on the following legal bases, mapped to each purpose, the data we use, and how long we keep it:
| Purpose | Legal basis | Main data used | Retention |
|---|---|---|---|
| Order fulfilment & delivery | Contract — Art. 6(1)(b) | Identity, contact, delivery, order data | Life of the order, then archived in tax records for 10 years |
| Payment & fraud screening | Contract — Art. 6(1)(b); legitimate interests — Art. 6(1)(f) for fraud checks | Payment metadata (type, last 4, result), device & IP signals | With the transaction record — 10 years for the financial parts |
| Account management | Contract — Art. 6(1)(b) | Identity, credentials, purchase history | Until you delete your account, or after 3 years of inactivity |
| Customer support | Legitimate interests — Art. 6(1)(f) | Communications, order references, identity | Up to 3 years after your query is resolved |
| Email & SMS marketing | Consent — Art. 6(1)(a) | Contact data, marketing preferences, engagement | Until you unsubscribe or withdraw consent |
| Analytics & site improvement | Consent — Art. 6(1)(a) for non-essential analytics cookies | Device, network, and online-activity data | For the life of each cookie — typically up to 2 years |
| Advertising & retargeting | Consent — Art. 6(1)(a) | Device identifiers, pixels, inferences and segments | Cookie-based — typically 3 months to 2 years |
| Fraud prevention & security | Legitimate interests — Art. 6(1)(f) | Device identifiers, IP address, network activity | As long as needed for the security/audit purpose |
| Legal & fiscal compliance | Legal obligation — Art. 6(1)(c) | Identity, order history, invoicing details | 10 years, as required by Romanian accounting and fiscal law |
Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms, and you can object at any time (see Section 14). Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before you did so.
Basically
We process your data to deliver your order (contract), to obey tax and consumer law (legal obligation), to market with your permission (consent), and to run and protect the store (legitimate interests) — the table shows which basis covers what, and for how long.
8. Marketing and consent
We only send you marketing email or SMS if you've opted in, or where the law otherwise allows us to contact an existing customer about similar products. Every message gives you a simple way out.
- Email — click "unsubscribe" in any marketing email, or email privacy@neverover.com.
- SMS — reply STOP to any marketing text to opt out.
- Withdraw consent — you can change your mind at any time. Withdrawing consent doesn't affect messages we already sent or the lawfulness of earlier processing.
Opting out of marketing won't stop essential service messages, such as order confirmations, shipping updates, and returns information, which we send to run your purchase.
Basically
You're in control of marketing. Unsubscribe from any email, reply STOP to any text, and we stop. You'll still get order and delivery updates.
9. Cookies and tracking
We use cookies, pixels, local storage, and similar technologies to keep the store working, remember your preferences, measure traffic, and (with your consent where required) show you relevant ads. You control non-essential cookies through our preference centre and your browser.
For the full detail — what each cookie does, who sets it, how long it lasts, and how to change your choices — see our Cookie Policy.
Basically
We use cookies and similar tech to run the store and, with your permission, to advertise. The full breakdown is in our Cookie Policy.
10. Who we share your data with
We never sell your personal data for money. We share it only with the service providers that help us run the store, and only as needed. Each processor acts under a written data processing agreement and may use your data only on our documented instructions. The table below names each provider, what it does for us, and where it hosts data.
| Provider | Role | Location |
|---|---|---|
| Shopify | Store platform and hosting | Canada & United States |
| Shopify Payments / Stripe | Card processing, tokenization, and payment fraud prevention | United States |
| Klaviyo | Email and SMS marketing and customer segmentation | United States |
| Meta | Advertising, retargeting pixels, and audience measurement | United States |
| Google | GA4 analytics and Google Ads conversion tracking | United States |
| TikTok & Pinterest | Social advertising and measurement of ad effectiveness | United States |
| Shipping carriers | Delivery and tracking — DHL, GLS, FedEx; Sameday and Cargus in Romania | EU & global |
Some of these partners — in particular Meta, Google, TikTok, and Pinterest — may act as independent controllers for some of the advertising and analytics data they collect through our pixels; in that case their own privacy policies also apply, and you control this through consent (see our Cookie Policy). We may also disclose data to professional advisers (such as accountants and lawyers), and to courts, regulators, or law-enforcement bodies where the law requires it or to protect our rights. If our business is restructured, sold, or merged, data may transfer to the new owner under this policy.
Basically
We don't sell your data. We share it with vetted providers — hosting (Shopify), payments (Stripe), email (Klaviyo), ads (Meta, Google, TikTok, Pinterest), and shipping — each bound by a contract and named above with its role and location.
11. International transfers
Some of our providers are based outside Romania, including in the United States and Canada. When we transfer your data abroad, we make sure it stays protected by an approved safeguard.
If you're in the EU / UK
When we transfer personal data outside the EEA or the UK, we rely on a lawful transfer mechanism, matched to each provider:
| Transfer | Safeguard we rely on |
|---|---|
| Shopify core infrastructure (Canada) | European Commission adequacy decision for Canada |
| Shopify, Stripe, Klaviyo, Meta, Google, TikTok, Pinterest (United States) | EU–US Data Privacy Framework where the provider is certified, otherwise the European Commission's Standard Contractual Clauses (SCCs) |
| Transfers originating in the UK | The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, plus the UK extension to the Data Privacy Framework where it applies |
| International carrier legs | SCCs where needed, or the Art. 49 derogation that the transfer is necessary to perform your delivery contract |
Where we rely on SCCs, we also assess whether extra measures are needed for the destination country, and we apply them where appropriate. You can ask us for more detail on the safeguards for a specific transfer, or a copy of the relevant clauses, by emailing privacy@neverover.com.
Basically
When your data leaves the EU or UK, we protect it with approved safeguards: an adequacy decision for Canada, and the Data Privacy Framework or Standard Contractual Clauses (with the UK IDTA for UK transfers) for the US providers.
12. How long we keep your data
We keep personal data only as long as we need it for the purpose we collected it, or as long as the law requires. After that we delete or anonymise it. The Section 7 table sets out retention per purpose; the headline periods are:
| Data | Retention period |
|---|---|
| Order & tax records | 10 years, as required by Romanian accounting and fiscal law |
| Account data | Until you delete your account, or after 3 years of inactivity, whichever comes first |
| Marketing data | Until you unsubscribe or withdraw consent |
| Support communications | Up to 3 years after your query is resolved, to handle any follow-up or claims |
| Cookies & analytics | For the lifetime of each cookie — typically up to 2 years (see the Cookie Policy) |
Where we're required to keep records for tax or legal reasons, we retain the minimum needed even after you close your account, and we restrict access to those records to the compliance purpose alone.
Basically
We keep data only as long as needed. Order and tax records stay 10 years by Romanian law; account data goes when you delete it or after 3 years of inactivity; marketing data goes when you unsubscribe.
13. How we protect your data
We use technical and organisational measures to keep your data safe, including:
- Encryption in transit — SSL/TLS protects data moving between your browser and our store.
- Tokenized payments — card data is tokenized and handled by our payment processor; we never store full card numbers.
- Access controls — staff access is limited on a least-privilege basis, so only authorised people can see customer data, and provider access is governed by data processing agreements.
- Ongoing testing — we and our providers run security reviews and monitoring to guard against unauthorised access and breaches.
No system is completely secure, so we can't promise absolute security — but we work to protect your data. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where the law requires, within 72 hours, and we will tell you directly where the breach is likely to result in a high risk to you.
Basically
We encrypt your data, keep card numbers off our systems, limit who can access data, and test our defences. If a serious breach happens, we notify the regulator within 72 hours and tell you when the risk to you is high.
14. Your GDPR rights
Depending on where you live, you have rights over your personal data. To exercise any of them, email privacy@neverover.com. We'll respond within the time the law allows — generally one month under the GDPR — and may need to verify your identity first. Using your rights is free, unless a request is manifestly unfounded or excessive.
If you're in the EU / UK
Under the GDPR and UK GDPR you have the right to:
- Access — get confirmation that we process your data and a copy of the personal data we hold about you.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure — ask us to delete your data where there's no overriding reason to keep it (for example, our 10-year tax-record duty).
- Restriction — ask us to pause processing in certain cases, such as while you challenge accuracy.
- Portability — receive certain data in a structured, commonly used, machine-readable format, or have it sent to another provider.
- Object — object to processing based on legitimate interests, and to direct marketing at any time.
- Withdraw consent — withdraw any consent you gave, at any time, as easily as you gave it.
You also have the right to complain to a supervisory authority. In Romania that's the National Supervisory Authority for Personal Data Processing (ANSPDCP); in the UK it's the Information Commissioner's Office (ICO). We'd appreciate the chance to resolve things first, so please consider contacting us before you do.
Basically
You can access, correct, delete, restrict, port, or object to the use of your data, and withdraw consent. Email privacy@neverover.com, or complain to ANSPDCP (Romania) or the ICO (UK).
15. California privacy rights
If you live in California, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights, and the right to know which categories of personal information we collect and disclose.
California residents
In the past 12 months we have collected the following statutory categories of personal information, and "shared" some of them for cross-context behavioural advertising. We do not sell personal information for money.
| Category (CCPA/CPRA) | Collected | "Shared" for cross-context ads |
|---|---|---|
| Identifiers (name, email, postal address, IP, online/cookie IDs) | Yes | Yes — persistent and cookie identifiers, hashed email |
| Commercial information (products bought or considered, purchase history) | Yes | Yes — inferred shopping tendencies |
| Internet or other electronic network activity (browsing, interaction with ads) | Yes | Yes — behavioural events such as "viewed product" or "added to cart" |
| Geolocation data (coarse location from IP) | Yes | No |
| Audio, electronic, or visual information (reviews, user photos) | Yes, if you provide it | No |
| Inferences (preferences and audience segments) | Yes | Yes — segments built for ad targeting |
| Sensitive personal information (account login with password) | Yes | No — used only to secure your account |
You have the right to:
- Know and access — request the categories and specific pieces of personal information we've collected, used, sold, or shared about you.
- Delete — request deletion of your personal information, subject to legal exceptions.
- Correct — request correction of inaccurate personal information.
- Opt out of sale and sharing — opt out of the "sale" of your information or its "sharing" for cross-context behavioural advertising.
- Limit sensitive personal information — direct us to limit use of any sensitive personal information to what's needed to provide our services.
- Non-discrimination — we won't deny you service, charge different prices, or give you a lesser experience for exercising your rights.
- Authorized agents — you may use an authorized agent to make a request on your behalf.
We honour Global Privacy Control (GPC) signals as a valid request to opt out of sale and sharing. You can also use our Do Not Sell or Share My Personal Information page, or email privacy@neverover.com.
Basically
Californians can know, access, delete, and correct their data, opt out of sale and sharing, and limit sensitive data — with no penalty. The table shows what we collect and what we share for ads. We honour GPC and offer a Do Not Sell or Share link.
16. Other US state privacy rights
If you live in a US state with a comprehensive privacy law, you have rights over your personal data too.
If you're a US resident
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and Oregon (OCPA), among others, have the right to:
- Access — confirm whether we process your data and get a copy of it.
- Delete — request deletion of your personal data.
- Correct — request correction of inaccurate data.
- Opt out — opt out of targeted advertising, the sale of your data, and certain profiling. We honour Global Privacy Control as an opt-out signal here too.
- Appeal — appeal our decision if we deny your request, by emailing privacy@neverover.com.
Basically
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, and similar states can access, delete, correct, and opt out of ad targeting and sale — and appeal if we say no.
17. Automated decisions and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
We do use profiling for marketing — building segments from your browsing and purchase history to show you more relevant products and ads. Our fraud screening also uses automated signals, but a decision to cancel an order for suspected fraud involves human review. You can opt out of marketing profiling at any time by withdrawing marketing consent, using our preference centre, or emailing privacy@neverover.com.
Basically
No computer makes important decisions about you on its own. We profile only to make marketing relevant, and you can opt out anytime.
18. Children
Our store is meant for adults and is not directed to children. We don't knowingly collect personal data from children under 16 in the EU/EEA, or under 13 in the United States.
If you believe a child has given us personal data without the consent of a parent or guardian, email privacy@neverover.com and we'll delete it.
Basically
We don't knowingly collect data from children (under 16 in the EU, under 13 in the US). Tell us if a child has, and we'll remove it.
19. Changes to this policy
We may update this policy as our business, technology, or the law changes. When we do, we'll change the "last updated" date at the top. If the changes are significant, we'll give you clearer notice — for example, by email or a notice on the site. Please check back from time to time.
Basically
We update this policy when things change and flag the date. We'll tell you directly about big changes.
20. Contact us
For any privacy or data-protection question or request, contact our privacy team:
- Email — privacy@neverover.com
- Post — NEVEROVER SRL, Șoseaua Mihai Bravu nr. 199, 021323 Bucharest, Romania
For general help with orders, returns, or products, email support@neverover.com.
Basically
Privacy questions go to privacy@neverover.com; everything else to support@neverover.com.