Privacy Policy

Last updated: 15 March 2025

1. Data Controller

TDACRM Solutions SRL, registered in Romania, with its registered office at Str. Ion Câmpineanu nr. 23, Sector 1, Bucharest, Romania, Tax ID (CUI): RO45930062, Trade Register No.: J2022006628406, is the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: "GDPR").

Data Protection Officer (DPO) / Contact:
Email: denis@tdacrm.ro
Phone: +40 740 267 964
Address: Str. Ion Câmpineanu nr. 23, Sector 1, Bucharest, Romania

2. Scope and Applicability

This Privacy Policy applies to all personal data processed by TDACRM Solutions SRL in connection with:

• The use of our website https://tdacrm.ro and its English version at https://tdacrm.ro/en/
• The provision of our services (Bitrix24 implementation, integrations, licenses, support, custom applications)
• Pre-contractual and contractual communications
• Any other interaction with our company

3. Categories of Personal Data We Collect

3.1 Data you provide directly

• Identity data: first name, last name
• Contact data: email address, phone number
• Professional data: company name, job title, VAT number (for B2B clients)
• Communication content: messages submitted through the contact form, service requests, project requirements
• Contractual data: billing address, bank account details (for invoicing purposes)

3.2 Data collected automatically

• Technical data: IP address, browser type and version, operating system, referring URL
• Usage data: pages visited, time spent on pages, click patterns, session duration
• Cookie data: preference settings (theme, cookie consent) — see Section 9 and our Cookie Policy

3.3 Data we do NOT collect

We do not collect special categories of personal data (Article 9 GDPR) such as health data, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data.

4. Purposes and Legal Bases for Processing

Where processing is based on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request information about this assessment by contacting us.

5. Data Retention Periods

• Contact form inquiries: 3 years from the date of last interaction or last correspondence
• Contractual data and invoices: 10 years as required by Romanian Tax Code (Law 227/2015) and accounting regulations
• Technical logs and security data: 6 months from collection
• Analytics data (Google Analytics): 14 months (Google's default retention period)
• Newsletter / marketing consent: until you withdraw your consent
• Cookie preferences: stored in your browser's localStorage until you clear it or change your preferences

After the retention period expires, data is securely deleted or anonymized so that it can no longer be linked to you.

6. Recipients and Third-Party Processors

Your personal data may be shared with the following categories of recipients, each bound by appropriate contractual safeguards (Data Processing Agreements where applicable):

6.1 Infrastructure and hosting

• Cloudflare, Inc. (USA) — Website hosting via Cloudflare Pages, content delivery network (CDN), DDoS protection. Data transfers to the USA are based on Standard Contractual Clauses (SCCs) approved by the European Commission and Cloudflare's participation in the EU–US Data Privacy Framework. Cloudflare Privacy Policy.

6.2 Form processing and automation

• n8n (self-hosted) — Contact form submissions are forwarded via a webhook to our self-hosted n8n automation instance, hosted on a server within the European Union. This data is used solely to process and respond to your inquiry and is not shared with third parties.

6.3 Analytics (consent-based)

• Google Analytics 4 (Google LLC, USA) — If you accept analytics cookies, we use Google Analytics to understand how visitors interact with our website. IP addresses are anonymized. Google LLC is certified under the EU–US Data Privacy Framework. Google Privacy Policy. You may opt out using the Google Analytics Opt-out Browser Add-on.

6.4 Professional service providers

• Authorized accountants — for fulfillment of fiscal and accounting obligations under Romanian law; access is limited to the minimum necessary data.

6.5 Legal authorities

• Public authorities (e.g., ANAF — Romanian tax authority, courts) — only when required by applicable law, a court order, or regulatory request.

We never sell, rent, or transfer your personal data to third parties for their own marketing purposes.

7. International Data Transfers

Some of our service providers (Cloudflare, Google Analytics) may process personal data outside the European Economic Area (EEA). Such transfers are made on the basis of one or more of the following safeguards:

• Adequacy decisions issued by the European Commission
• EU–US Data Privacy Framework (DPF) certification
• Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR

You may request a copy of the applicable transfer safeguards by contacting us at denis@tdacrm.ro.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights, which you may exercise free of charge:

• Right of access (Art. 15): obtain confirmation of whether we process your personal data, and if so, receive a copy of it along with supplementary information about the processing.
• Right to rectification (Art. 16): request the correction of inaccurate or incomplete personal data we hold about you.
• Right to erasure / "right to be forgotten" (Art. 17): request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (and no other legal basis applies).
• Right to restriction of processing (Art. 18): request that we restrict the processing of your data in certain circumstances (e.g., while accuracy is contested, or while you object to processing).
• Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
• Right to object (Art. 21): object to processing based on legitimate interests (Art. 6(1)(f)), including profiling, and to processing for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw cookie consent, use the "🍪 Cookie Settings" button in the footer.
• Right not to be subject to automated decision-making (Art. 22): not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not engage in such processing.

How to exercise your rights

To exercise any of the above rights, submit a written request to:

• Email: denis@tdacrm.ro
• Post: TDACRM Solutions SRL, Str. Ion Câmpineanu nr. 23, Sector 1, Bucharest, Romania

We will respond within 30 calendar days of receiving your request. In cases of complexity or multiple requests, this period may be extended by a further two months, with prior notice. We may request proof of identity to verify your request.

9. Cookies

Our website uses cookies and similar tracking technologies. For detailed information on the types of cookies used, their purposes, storage periods, and how to manage your preferences, please refer to our Cookie Policy.

In summary:

• Essential cookies (no consent required): theme preference, cookie consent choice
• Analytics cookies (consent required): Google Analytics (_ga, _gid, _gat)

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure, including:

• HTTPS encryption for all data in transit (TLS 1.2+)
• Access controls and authentication requirements for internal systems
• Regular security reviews and updates
• Cloudflare DDoS protection and web application firewall

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, and affected individuals without undue delay where required.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority for data protection. In Romania, this is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28–30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

You also have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement, pursuant to Article 77 GDPR.

12. Links to Third-Party Websites

Our website may contain links to third-party websites (e.g., Bitrix24 partner portal, ANPC). This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. The updated version will be published on this page with the date of modification. Where changes are material, we will provide notice through our website. We encourage you to review this page periodically.

The current version of this Privacy Policy supersedes all previous versions.