This policy explains what personal data is processed through the bitus.ro website and through engagements operated by NIȚU B. BOGDAN-CRISTIAN PFA (the “controller”), why it is processed, how long it is kept, and what rights you have over it. The document follows Regulation (EU) 2016/679 (GDPR) and Romanian Law 190/2018.
1. Data controller and contact
- Legal name: NIȚU B. BOGDAN-CRISTIAN PERSOANĂ FIZICĂ AUTORIZATĂ (Romanian sole proprietorship)
- Tax ID (CUI): 48622571
- Trade Registry no.: F40/5906/2023
- EU VAT: RO50521803
- Registered office: B-dul Bucureștii Noi 136, ground floor, ap. 5, Sector 1, Bucharest, 012366, Romania
- Privacy contact: [email protected]
No Data Protection Officer (DPO) has been appointed. The controller’s activity does not fall within the categories under GDPR art. 37 (public authority, large-scale monitoring, or large-scale processing of special-category data).
2. What data we process and why
| Data category | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Name, email, company, free-text message | Contact form / direct email | Reply to enquiry; pre-contractual steps | GDPR art. 6(1)(b) (pre-contractual) / art. 6(1)(f) (legitimate interest) | 12 months from last communication |
| IP address, user agent, server access logs | Web server logs | Security, abuse prevention, troubleshooting | GDPR art. 6(1)(f) (legitimate interest) | 30 days |
| Client invoicing data (company name, VAT no., address, amount) | Service contract | Issuing invoices and accounting obligations | GDPR art. 6(1)(b) (contract) / art. 6(1)(c) (tax-law obligation) | 10 years per Romanian Tax Code |
3. Legal basis
Each processing operation rests on an explicit legal basis from GDPR art. 6, listed in the table above. We do not process special-category data (health, political opinions, etc.) through this site. Consent is not used as a general basis — we ask for consent only where law expressly requires it (for example, if we ever add a marketing email list).
4. Recipients (processors and third parties)
Data may be accessed, strictly within the stated purpose, by:
- The site’s hosting provider (EU-based — disclosed on request via email);
- The email provider (EU-based — disclosed on request via email);
- The PFA’s authorised accountant, for invoicing data;
- The Romanian Tax Authority (ANAF) and Trade Registry (ONRC), for legal obligations;
- Payment processors (if used for invoice payments);
- Public authorities, only on formal legal request.
We do not sell or share personal data with third parties for marketing purposes.
5. Transfers outside the EEA
We do not transfer personal data outside the European Economic Area (EEA). If such a transfer becomes necessary in the future, we will update this policy and ensure adequate safeguards (Standard Contractual Clauses, European Commission adequacy decisions).
6. How long we keep data
Retention periods are listed in the section 2 table. When a period ends, data is deleted or anonymised, except where law requires longer retention (e.g., tax records).
7. Your rights
Under the GDPR you have the following rights:
- Right of access — to know what data we process about you and receive a copy;
- Right to rectification — to correct inaccurate or incomplete data;
- Right to erasure (“right to be forgotten”) — under GDPR art. 17;
- Right to restriction of processing — under GDPR art. 18;
- Right to data portability — to receive your data in a structured, machine-readable format;
- Right to object — to processing based on legitimate interest;
- Right to withdraw consent — when processing relies on consent;
- Right not to be subject to automated decisions — including profiling (we do not use such mechanisms).
To exercise any of these rights, write to [email protected]. We respond within 30 days of receiving the request.
You also have the right to file a complaint with the Romanian Data Protection Authority (ANSPDCP) — B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest 010336 · [email protected] · +40 318 059 211 · dataprotection.ro.
8. Automated decisions and profiling
We do not make automated decisions producing legal effects on you and do not use profiling mechanisms (GDPR art. 22).
9. Children’s data
The site and services are aimed exclusively at professionals (B2B) and are not directed at minors under 16. We do not knowingly collect data about minors. If you identify a situation where a minor has submitted data through this site, please let us know so we can delete it.
10. Changes to this policy
This policy may be updated from time to time. The current version applies from the date displayed at the top of the page (“Last updated”). We will announce significant changes visibly on the site or by email.
11. Privacy contact
For any question about the processing of personal data through this site, write to [email protected]. We respond within the timelines mentioned above.