Privacy Policy
Last updated: 14 July 2026 · Version 3.0
This policy explains what personal data we process, where it comes from, why we use it, who may receive it, the criteria used to retain it, and your rights.
1. Data controller
The controller is TMTRG S.R.L., whose registered office is at JUD. TIMIŞ, MUN. TIMIŞOARA, BLD. 3 AUGUST 1919, NR.9, CAMERA 1, AP.2C, România, registered with the Trade Register under number J2026037309006, CUI 54845632.
Use the contact address below for questions or to exercise your rights. We do not claim that a Data Protection Officer has been appointed unless one is formally named and published.
2. Data we process
Depending on the features you use, we may process:
- account data: name, email, language, time zone, phone number, and other preferences you provide;
- authentication data: an Argon2id password hash, sessions, sign-in indicators, and, if 2FA is enabled, a TOTP secret encrypted at rest with Fernet;
- technical and security data: IP address, User-Agent, request times and routes, response codes, and events needed for debugging, audits, and abuse prevention;
- billing data: customer type, name or company name, address, phone, CUI, Trade Register number, and identifiers received from Stripe or FGO. We do not store full card details;
- data in contact, support, feedback, and transactional messages;
- consent, theme, language, and local sign-in hint preferences stored on your device;
- data about people named in public sources, such as directors, shareholders, liquidators, representatives, or published business contacts.
Information about legal entities is generally not personal data. Names, contact details, and other information about individuals connected to a company may nevertheless be personal data and is treated accordingly.
3. Purposes and legal bases
The legal basis depends on the operation and the role in which we act.
| Purpose | Data | Stated basis |
|---|---|---|
| Creating the account and providing the Services | Account and authentication data | Contract performance or steps requested by the user |
| Payments, invoices, and fiscal records | Profile, payment, and billing data | Contract and statutory tax or accounting obligations |
| Security, fraud prevention, debugging, and legal defence | Technical logs and authentication data | Legitimate interests, legal obligation, or legal defence as applicable |
| Transactional account and security messages | Account and authentication data | Contract performance or steps requested by the user |
| Optional marketing or newsletter | Email, name, and preference | Consent, which may be withdrawn at any time |
| Optional audience measurement | Usage data and consent signals | Consent, which may be withdrawn at any time |
| Aggregating and presenting public company information | Register and public-source data | Legitimate interests, with an assessment of the impact on individuals |
| Support and request handling | Message and contact details | Contract, legitimate interests, or legal obligation depending on the request |
The precise legitimate-interest assessment, treatment of operational tools, and controller/processor roles must be reviewed periodically and legally validated.
4. Data sources
- directly from the user through the account, forms, orders, or communications;
- generated through use of the Platform and its security controls;
- from Stripe, FGO, and other providers involved in payment or invoicing;
- from ONRC, ANAF, Monitorul Oficial (Official Gazette of Romania), Portal Just, SEAP/SICAP, and other official registers or publications;
- from public websites and discovery or verification services, including Google Places when that feature is used.
5. Recipients and service providers
Access is limited to what is necessary for the relevant purpose. Recipient categories may include:
We do not sell or rent user account data. Exports of public company data remain subject to the plan, the Terms, and the rights of individuals.
- authorized staff and contractors within their assigned role;
- infrastructure and hosting providers;
- transactional email providers;
- Stripe for payments and subscriptions and FGO for invoicing;
- Sentry for error and performance monitoring and Cloudflare Turnstile for form protection when configured;
- Google Tag Manager, Google Fonts, Google Maps, and Google Places depending on the page, configuration, and feature used;
- public authorities where a legal obligation or valid legal request applies;
- lawyers, accountants, or auditors where necessary for compliance or legal defence.
6. International transfers
Processing location depends on active infrastructure and providers. Some external services, including Google, Stripe, Cloudflare, or Sentry services, may involve access or transfer outside the EEA.
Where GDPR Chapter V applies, a transfer must rely on an adequacy decision, Standard Contractual Clauses, or another appropriate legal mechanism.
This policy does not guarantee that all services are hosted exclusively in the EU. The provider list, roles, and transfer safeguards require a maintained inventory and periodic legal review.
7. Retention criteria
We do not publish fixed periods that are not supported by a verified technical policy. We retain data only as long as needed for its purpose, the contract, security, a legal obligation, or legal defence.
The period depends on the data type, sensitivity, risk, account activity, limitation periods, and tax or accounting requirements.
- active profile data is retained until the account is deleted;
- sessions are retained until configured expiry, sign-out, revocation, or account deletion;
- technical and security logs are retained only as long as needed for detection, investigation, audit, or legal defence;
- invoices and fiscal records are retained for the period required by law, with the link to the active profile removed or pseudonymized where possible;
- communications are retained as long as needed to resolve the request and meet related obligations or claims;
- consent preferences remain until changed or cleared; evidence of a choice may be retained where required by law;
- public company data follows source refresh cycles; contact-removal requests are retained as needed to keep suppression effective.
8. Your rights
Subject to the GDPR's conditions, you may have the following rights:
For a general personal-data request, write to the contact address. We will respond within the applicable statutory period and may request information needed to verify identity.
The separate form below is only for removing or restricting a phone number displayed from public sources. It is not a complete portal for account-data exports or every GDPR request.
You may complain to ANSPDCP, the Romanian supervisory authority, or another competent authority.
- access to personal data and processing information;
- correction of inaccurate data;
- erasure where the legal conditions are met;
- restriction in the cases provided by law;
- portability for eligible data and processing;
- objection to processing based on legitimate interests;
- withdrawal of consent without affecting earlier processing;
- rights concerning solely automated decisions with legal effects; the Platform does not make such decisions about user accounts.
[email protected] · Public phone-number removal or restriction form · ANSPDCP website
9. Security
We apply measures proportionate to the verified function and risk, including:
- Argon2id password hashes and TOTP secrets encrypted at rest with Fernet;
- an HttpOnly session cookie and a separate CSRF cookie, both SameSite=Lax and Secure in production;
- role-based access controls, CSRF checks, and rate limits on relevant flows;
- audit logs for administrative actions and operational error monitoring.
No measure removes all risk. This policy does not promise absolute security, a fixed TLS version, a particular backup frequency, or a contractual incident-notice deadline.
10. Cookies and similar technologies
Details about cookies, local storage, GTM, Sentry, and external browser resources are set out in the Cookie Policy.
11. Public company and individual data
The Platform aggregates public information from ONRC, ANAF, Monitorul Oficial (Official Gazette of Romania), Portal Just, SEAP/SICAP, websites, and verification services. A public source can still create privacy risk when data about individuals is aggregated, ranked, monitored, or exported.
People named in the data may request access, correction, objection, or erasure where the law allows. A final correction to a register may also require a request to the issuing source.
Valid contact-removal or restriction requests must be applied to caches and later flows to the extent the Platform controls those displays.
12. Children
The service is not intended for anyone under 16. We do not intentionally invite them to create accounts.
13. Account deletion
The account and access are deleted immediately when the user confirms deletion.
Any active Stripe subscription is cancelled immediately, not at the end of the period. Remaining paid access ends at that point; mandatory refund rights are unaffected.
If invoices or fiscal records exist, we retain only the records required by law, without an active account profile. The link is removed or pseudonymized to the extent permitted and necessary.
Deleting an account does not automatically erase a company's data or records about people obtained from public sources. Those records use a separate correction, objection, or suppression process.
14. Changes
We may update this policy for legal, technical, or operational changes. The current version and date appear here, and material changes are communicated by reasonable means.
15. Contact
Use the address below for data-protection questions or to exercise a right.
This policy describes the implementation known at publication. Legal bases, providers, transfers, and retention periods must be validated against the operational inventory and by legal review.