CityBox – Privacy Policy

Operated by MEGA ENTERTAINMENT SRL

CUI: 49882448

Trade Registry Number: J2024007166406

Bucharest, Sector 3, Smârdan Street no. 16, 1st floor, apt. 1

Effective date: 18 September 2025

1) Data Controller

MEGA ENTERTAINMENT S.R.L. (hereinafter referred to as the “Controller”) places special importance on your personal data, constantly making efforts to ensure that the processing of data complies with the legal requirements in this field. To this end, we have prepared this commitment through which we undertake to respect the confidentiality of your personal data and explain what categories of personal data MEGA ENTERTAINMENT S.R.L. processes, how such data is used, and the purpose for which it is subject to processing operations.

This Policy only refers to the personal data that we process through our website and rental service (hereinafter referred to as the “Site” or “Platform”) when you interact with them.

We want to assure you that we have taken all necessary measures to ensure the confidentiality of your data, which is processed only by personnel of the Controller who have been previously trained and authorized regarding the processing of personal data and who are bound by strict confidentiality commitments.

Your data is processed by MEGA ENTERTAINMENT S.R.L. securely, and the Controller has implemented a series of technical and organizational measures appropriate to protect personal data against incidents such as destruction, loss, accidental or unlawful alteration, unauthorized use, disclosure, or access, especially when processing involves data transmission over a network, as well as against any other form of unlawful processing.

Identification details:

The operator that processes your personal data when you browse or interact with the platform is MEGA ENTERTAINMENT S.R.L., CUI: 49882448, Trade Registry Number: J2024007166406, address: Bucharest, Sector 3, Smârdan Street no. 16, 1st floor, apt. 1. For any questions regarding the protection of personal data, you are invited to submit a request to the above postal address or to the email address data.protection@citybox.ro. Persons submitting such requests to MEGA ENTERTAINMENT S.R.L. are asked to mention in the subject line of the email/envelope phrases such as “data protection,” “GDPR,” or “personal data,” to ensure that the requests are treated with priority.

In this capacity, you will receive a response within no more than 30 days from the communication of the request to MEGA ENTERTAINMENT S.R.L., with an extension of this term possible only in exceptional situations. In such cases, you will be properly informed.

2) Data Collected

Your browsing on the Site and interaction with it involves the processing of two categories of personal data, namely:

a. personal data you voluntarily disclose to the Controller, collected individually
b. data you provide involuntarily, simply by browsing our website/platform.

For the provision of CityBox services, the Controller may collect, based on the voluntary provision of the data subject, the following personal data:

  • Reservation and usage data: locker ID/size, booking code/access data, start/end time, extensions, price, payment status, and activity logs (e.g., opening/closing events, timestamps).
  • Contact data: email address and any details you provide when contacting customer support (e.g., name, phone number).
  • Payment data: payments are processed by our payment service provider. We receive confirmation of the transaction and the last four digits/transaction ID; we do not store full card details.
  • Technical and device data (online): IP address, browser/device information, and cookies/analytics (only with your consent – see Cookie Policy).
  • CCTV at lockers: video recordings covering locker entrances/corridors for safety and fraud prevention.

Access codes are generated for your session and stored securely with limited access; they become invalid after the rental ends or is canceled.

The Controller also processes technical data and browsing actions through cookies and similar technologies. For a detailed presentation, please see our Cookie Policy.

The Controller may store your personal data even after you have submitted a request for deletion, if the storage is carried out for one of the purposes provided in Article 17 of the GDPR, namely:

a. performance of a contract;

b. compliance with a legal obligation under EU or national law applicable to the Controller;

c. exercise of the right to freedom of expression and information;

d. protection of vital interests of the data subject;

e. performance of a task carried out in the public interest;

f. archiving in the public interest, scientific or historical research, or statistical purposes;

g. defense of the legitimate interests of the Controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject prevail, requiring the protection of personal data, especially when the data subject is a child;

h. the establishment, exercise, or defense of legal claims.


3) Purpose and Legal Basis of Data Processing

Your personal data is processed for the following purposes and on the following legal bases:

a. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of Regulation (EU) No. 679/2016 of the European Parliament and of the Council of 27 April 2016), specifically for the purpose of ensuring the data subject’s access to the Platform and providing the services;

b. processing is carried out on the basis of the consent of the data subjects (Art. 6(1)(a) of Regulation (EU) No. 679/2016 of the European Parliament and of the Council of 27 April 2016), in the case of accepting cookies other than essential ones; in this case, the provision of your personal data is voluntary, and as the data subject, you have the right to withdraw your consent at any time for such data processing;

c. processing is necessary for the purposes of the legitimate interests pursued by the Controller (Art. 6(1)(f) of Regulation (EU) No. 679/2016 of the European Parliament and of the Council of 27 April 2016), for resolving any issues related to the content of the website or the services provided by the Controller, as well as for actions involving interaction with the online platform, and also to improve the user experience on the website;

d. processing is necessary for compliance with a legal obligation (for example, tax and archiving obligations) to which the Controller is subject – Art. 6(1)(c) of Regulation (EU) No. 679/2016 of the European Parliament and of the Council of 27 April 2016; in this case, refusal to provide your data will result in the Controller being unable to provide the services.


4) Data Retention

Personal data processed is retained for a reasonable period depending on the purpose of processing, in line with legal data archiving requirements.
The Controller will process your data for the entire duration of contractual relations and thereafter, in compliance with its legal obligations. For example, financial-accounting documents are archived for 5 years from issuance. Additionally, locker activity logs and access codes are stored for up to 12 months after rental, unless required longer for investigations or legal requests; customer support correspondence is retained for up to 24 months after resolution; CCTV recordings are normally archived for 30 days, extended only if an investigation is ongoing; and marketing data obtained with your consent is stored until you unsubscribe or withdraw consent.

With regard to the processing of data carried out on the basis of your consent as the legal ground for processing, we inform you that any such processing ceases at the time of withdrawal of your consent, this withdrawal not affecting the data processing carried out prior to the withdrawal of consent.


5) Recipients

Your data is processed within the territory of the European Union, through secure internal servers. However, through specific social media plugins (for example, Instagram, Facebook), acting as third-party recipients of the data, it is possible that your data processed in this context may also be transferred outside the European Union/European Economic Area and stored on servers located in third countries. In this regard, the Controller has implemented a series of necessary and appropriate measures to ensure compliant data processing.

The Controller undertakes that the collected data will be processed only in accordance with the declared purposes and will not make public, sell, lease, license, transfer, etc., in an unauthorized manner, the database containing information regarding the personal data of the data subjects to any third party not involved in fulfilling the declared purposes, except where the transfer/access/viewing, etc. is required by the competent authorities, in the cases provided by the regulations in force at the time of the event.

It is possible that your data may be disclosed to other companies that provide us with services and act as processors, such as providers of website maintenance, IT, marketing, delivery, legal services, etc.

These entities are carefully selected to ensure that they meet specific requirements regarding the protection of personal data. They have a limited ability to use your information for purposes other than providing services to us.

Apart from the disclosures described in this Privacy Policy, it is possible that we may transmit information to third parties to whom you consent or request us to make such disclosure.

6) Users’ Rights

Users have the following rights:

  • Right of access – means the right of the data subject to obtain confirmation from the Controller as to whether or not personal data concerning them is being processed and, if so, access to such data and information regarding the way in which the data is processed; 
  • Right to rectification – the correction, without undue delay, of inaccurate personal data that is being processed, or the completion of such data where it is incomplete; 
  • Right to erasure / right to deletion (“right to be forgotten”) – the right of the data subject to request that their personal data be deleted, without undue delay, where one of the following grounds applies: the data is no longer necessary for the purposes for which it was collected, consent is withdrawn and there is no other legal basis for processing, the data subject objects to the processing and there are no overriding legitimate grounds, the personal data has been unlawfully processed, the personal data must be erased for compliance with a legal obligation, or the personal data was collected in relation to the provision of information society services; 
  • Right to restriction of processing – may be exercised where the data subject requests the limitation of the processing of their personal data, in which case the data will be used strictly for exercising the other legal rights of the data subject, including responding to any requests/complaints from them; 
  • Right to data portability – the right to receive personal data in a structured, commonly used, and machine-readable format and the right to have that data transmitted directly to another controller, where processing is based on consent or the performance of a contract and is carried out by automated means, if technically feasible; 
  • Right to object – the right of the data subject to object to the processing of personal data when the processing is necessary for the performance of a task carried out in the public interest or when it concerns a legitimate interest of the Controller; 
  • Right not to be subject to automated individual decision-making – the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, this right cannot be exercised where the decision is necessary for entering into or performing a contract between the data subject and MEGA ENTERTAINMENT S.R.L., is authorized by applicable law to which the Controller is subject (provided that adequate safeguards are ensured for the rights, freedoms, and interests of the data subject), or is based on the data subject’s consent obtained in accordance with applicable legislation; 
  • Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing – If the data subject believes that the above-mentioned rights have been violated, they may lodge a complaint with ANSPDCP: B-dul G-ral Gheorghe Magheru 28–30, 010336, Sector 1, Bucharest, www.dataprotection.ro.

7) Cookies and Similar Technologies

The CityBox Platform may use cookies and similar technologies to ensure proper service functioning, analyze traffic, and improve user experience. Data collected through cookies is anonymous and does not allow personal identification without explicit consent.

This Privacy Policy is complemented by the Cookie Policy.

9) Special Provisions for Minors

CityBox is intended for users over 18 years of age. We do not knowingly collect personal data of minors. If you believe a minor has provided personal data, please contact us so we can delete it.

10) Minors

CityBox is intended for users 18+. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to remove it.

11) Amendments to the Privacy Policy

We reserve the right to update this Privacy Policy at any time without notice. Any changes will be published on the platform and will take effect immediately unless otherwise specified.

12) Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website and will show the “Effective date” at the top.