Privacy Notice
This Privacy Policy defines how personal data of users is collected, processed, used, and protected on the website of Thermoroom LLC (Identification Code: 405134448, Address: 37 Georgian-American Friendship Avenue, Tbilisi, Georgia) (https://trm.ge).
This document has been developed in accordance with the legislation of Georgia, in particular the Law of Georgia on Personal Data Protection.
Data Controller
The data controller responsible for the processing of personal data is Thermoroom LLC (Identification Code: 405134448).
Principles of Data Processing
Personal data is processed in accordance with the following principles:
- Data is processed lawfully, fairly, transparently, and in a manner that respects the dignity of the data subject. Transparency obligations may be limited in cases provided by law.
- Data is collected only for specific, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
- Data processing is limited to what is necessary for achieving the intended legitimate purpose.
- Data must be accurate, up-to-date, and corrected, deleted, or destroyed without undue delay if inaccurate.
- Data is retained only for as long as necessary to achieve the processing purpose. After that, it shall be deleted, destroyed, or anonymized unless retention is required by law or justified by overriding public interest.
- Appropriate technical and organizational measures are implemented to ensure data security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Legal Grounds for Processing
Personal data processing is permitted when at least one of the following legal bases applies:
- The data subject has provided consent for one or more specific purposes;
- Processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract;
- Processing is required by law;
- Processing is necessary for compliance with legal obligations of the controller;
- Data is publicly available or has been made public by the data subject;
- Processing is necessary for legitimate interests of the controller or a third party, unless overridden by the rights of the data subject (including minors);
- Processing is necessary to review and respond to the data subject’s request (e.g., to provide services).
Collection of Personal Data
The Company collects personal data when users:
- Use the Company’s services;
- Create an account;
- Provide, update, or add information;
- Interact with the Company;
- Or through other lawful sources.
Electronic communications (sent or received) may be stored for security, legal protection, and quality control purposes.
Categories of Data Collected
1. Data Provided by the User
- Identification data (name, surname, address, phone number, email, username);
- Transaction-related data (financial details, delivery and payment information);
- Data required for identification and verification as required by law.
2. Automatically Collected Data
- Transaction data (amount, time, location, payment method);
- Digital activity data (cart activity, search queries, language preferences);
- Location data (e.g., IP address);
- Usage statistics, traffic data, access times, logs.
3. Cookies and Similar Technologies
- Pages visited, time spent, frequency of visits;
- Click behavior;
- User activity data;
- User segmentation/category;
- Device and browser data (OS, browser type, advertising ID, cookie data).
4. Data from Other Sources
- Data obtained from third parties within the limits of applicable law.
Special Categories of Data
The Company does not process special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric or genetic data, etc.).
Purpose of Processing
Personal data is processed for the following purposes:
- Purchase and delivery of products;
- Performance of contractual obligations;
- Handling customer complaints;
- Approval of installment financing through partner financial institutions;
- Compliance with legal obligations under Georgian law.
Providing personal data is mandatory for placing orders. Failure to provide required information may result in inability to process or deliver orders.
Data Retention
Data is retained only for as long as necessary to fulfill its purpose. Afterward, it is deleted, destroyed, or anonymized unless retention is required by law.
Maximum retention period: 50 years.
Disclosure of Data
Personal data may be disclosed only in cases provided for by law, including:
- National security and defense;
- Public safety;
- Crime detection and investigation;
- Important financial or economic interests;
- Protection of rights and freedoms of individuals;
- Requests from authorized authorities.
Data may also be shared with partner companies when necessary for delivery, warranty, or service provision.
Data Subject Rights
Users have the right to:
- Obtain confirmation of data processing and access related information (within 10 working days);
- Access and receive copies of their personal data;
- Request correction or update of inaccurate or incomplete data;
- Request deletion or destruction of data;
- Request restriction (blocking) of processing;
- Withdraw consent at any time without justification.
Requests are processed within 10 working days.
The Company may refuse deletion or restriction if:
- Processing is based on legal grounds;
- Data is required for legal claims;
- Processing is necessary for freedom of expression;
- Processing serves public interest (archiving, research, statistics).
Minors
The Company does not process data of individuals under 16 years of age.
Processing of data of minors aged 16+ is allowed based on consent.
Cookies
The Company uses cookies and similar technologies stored during browser activity.
Marketing
Personal data is processed for marketing purposes only with consent.
Direct marketing processing is terminated within 7 working days upon request.
Data Security
The Company implements appropriate technical and organizational measures, including:
- Pseudonymization;
- Access control;
- Information security systems (confidentiality, integrity, availability).
Data Protection Impact Assessment
Where processing poses high risks, the Company conducts a Data Protection Impact Assessment (DPIA) and implements mitigation measures.
Incident Notification
The Company records incidents and notifies the Personal Data Protection Service within 72 hours, unless the risk is minimal.
Complaints
Users may contact the Company or file complaints with:
- Personal Data Protection Service
- Courts or relevant administrative authorities
Third-Party Authentication
If users log in via Facebook or Google, email addresses are used in encrypted form and not stored or used directly unless provided separately or with consent.
Contact Information
For any questions or requests:
- Phone: (+995) 32 219 25 30
- Email: info@trm.ge