Legal Document
Privacy Policy
Last updated: April 2026
This Privacy Policy explains how CarpaThin Logic collects, uses and protects personal data in accordance with the General Data Protection Regulation (GDPR — EU 2016/679), Law 190/2018 on the implementation of GDPR in Romania, and other applicable national regulations.
1. Personal data controller
Your personal data is processed by:
- Legal name: Vasilache Claudiu-Gabriel Persoană Fizică Autorizată (Romanian sole trader — PFA)
- Trade name: CarpaThin Logic
- Tax Identification Number (CUI): 52647701
- VAT Number: RO52647701 (VAT registered)
- Trade Register Number: F2025038505000
- Registered office: Iași, Str. Fântânilor nr. 43, bl. B14, ap. B39
- Email: [email protected]
- Phone: +40 332 633 588
For the purposes of this policy, CarpaThin Logic acts as the data controller for data collected through the website and for the direct contractual relationship with Clients. In the course of providing outsourced IT services, we may act as a data processor for Client data, on the basis of a separately signed Data Processing Agreement.
2. Personal data collected
We collect and process the following categories of personal data:
2.1. Data you provide directly to us
- Through the contact and quote request form: first name and last name, company name, email address, phone number, your message, any information about the IT infrastructure you describe to us.
- Through direct email or phone: any information you voluntarily provide in your communications with us.
- Through service contracting: identification data of the company and contact person, invoicing data, electronic or handwritten signature on the contract.
2.2. Data collected automatically when you visit the site
- Technical data: IP address, browser type, operating system, device, screen resolution, time zone, browser language;
- Usage data: pages visited, visit duration, traffic sources (referrer), interactions with the site;
- Data through cookies: in accordance with the separate Cookie Policy.
2.3. Data collected during service provision
When we provide IT services to Clients (remote support, email migration, backup, cybersecurity), we may have technical access to:
- Email addresses and email content (in the context of migration or troubleshooting);
- System configurations, technical logs, service passwords (managed through Keeper);
- Data about users in the Client's infrastructure (names, accounts, access rights);
- Any business data stored in the monitored systems.
For this data, CarpaThin Logic acts as a data processor on behalf of the Client, in accordance with a Data Processing Agreement (DPA) signed as an annex to the main Contract.
2.4. Special categories of data
We do not intentionally collect sensitive data (racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, sexual life or sexual orientation, criminal convictions). If such data accidentally appears in communications with us, it will be deleted.
3. Purposes of processing and legal basis
We process your personal data for the following purposes:
| Purpose of processing | Legal basis (GDPR) | Storage duration |
|---|---|---|
| Response to information or quote requests via contact form | Art. 6(1)(b) — pre-contractual measures at your request; Art. 6(1)(f) — legitimate interest in responding | 12 months from the last communication, if no contract is signed |
| Execution of service contracts | Art. 6(1)(b) — performance of contract | Duration of contract + 3 years after termination (statute of limitations) |
| Invoicing and accounting obligations | Art. 6(1)(c) — legal obligation (Fiscal Code) | 10 years according to Accounting Law 82/1991 |
| Response to legal requests, audits, litigation | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — defence of rights | For the necessary duration |
| Site traffic analysis (Google Analytics) | Art. 6(1)(a) — consent through cookie banner | Maximum 14 months (GA4 setting) |
| Site security (technical logs, attack prevention) | Art. 6(1)(f) — legitimate interest in IT security | Maximum 6 months |
4. Recipients of data — with whom we share information
Your data may be shared with:
4.1. Data processors (sub-processors)
For operational functioning, we work with the following sub-processors, each with their own protection measures:
- Google Ireland Limited — Google Analytics, for site traffic analysis (with US transfer, in accordance with section 6);
- Google Ireland Limited — Google Fonts, for font delivery (without cookies, but with IP collection at load time);
- Cloudflare, Inc. — for the delivery of the Font Awesome library through CDN.
In the course of providing services to Clients, we may involve additional sub-processors (Microsoft Azure, Bitdefender, Veeam, Keeper Security, N-able, Amazon Web Services), as specified in the Data Processing Agreement (DPA) signed with each Client.
All sub-processors operate under written agreements that include confidentiality obligations and technical protection measures in accordance with GDPR standards (standard contractual clauses).
4.2. Public authorities and judicial bodies
We may disclose personal data to competent authorities when required by Romanian law (for example, in the context of a criminal investigation, fiscal audits, or court orders).
4.3. Professional advisors
In certain situations, we may share data with lawyers, accountants or auditors, within the strictly necessary limits and under confidentiality obligations.
4.4. Acquirers in case of merger or acquisition
In the unlikely event of a merger, acquisition or sale of assets, data may be transferred to the buyer, with prior notice to all data subjects.
5. How long we keep data
We keep personal data only for as long as necessary for the purpose for which it was collected, or for as long as the law requires. Specific terms are indicated in the table in section 3.
After these terms expire, the data is securely deleted or irreversibly anonymised.
6. Data transfer outside the European Economic Area (EEA)
Certain data may be transferred outside the EEA, in particular to the United States of America, through our sub-processors:
- Google LLC (USA) — for Google Analytics. The transfer is made under the EU-U.S. Data Privacy Framework, with Google certified accordingly. For details: policies.google.com/privacy;
- Cloudflare, Inc. (USA) — for CDN. Cloudflare adheres to the Data Privacy Framework. For details: cloudflare.com/privacypolicy;
- Microsoft Corporation (USA) — if we use Microsoft 365 (subject to verification). Microsoft adheres to the Data Privacy Framework.
All transfers are carried out with adequate safeguards in accordance with article 46 GDPR (standard contractual clauses or certification under the Data Privacy Framework).
7. Your rights under GDPR
As a data subject, you have the following rights which you can exercise at any time, free of charge (under the conditions of the law):
- The right of access (art. 15 GDPR): to find out what personal data we process about you and to receive a copy thereof;
- The right to rectification (art. 16 GDPR): to request the correction of inaccurate data or completion of incomplete data;
- The right to erasure — "the right to be forgotten" (art. 17 GDPR): to request the deletion of data under certain conditions (e.g., data is no longer necessary for the purpose of collection, you have withdrawn your consent, processing is unlawful);
- The right to restriction of processing (art. 18 GDPR): to request the limitation of processing in certain situations (e.g., you contest the accuracy of the data during the verification period);
- The right to data portability (art. 20 GDPR): to receive the data in a structured, commonly used and machine-readable format, or to transmit it to another controller;
- The right to object (art. 21 GDPR): to object to processing based on legitimate interest or for direct marketing;
- The right to withdraw your consent (art. 7(3) GDPR): at any time, without this withdrawal affecting the lawfulness of prior processing;
- The right not to be subject to automated decision-making (art. 22 GDPR): we do not use profiling or automated decisions with legal effect on you;
- The right to lodge a complaint with the supervisory authority — in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Bucharest, sector 1, [email protected].
How to exercise your rights: send a written request to [email protected], clearly indicating the right you wish to exercise. We will respond within a maximum of 30 calendar days (or longer if the request is complex, in which case we will inform you about the extension).
To confirm your identity, we may request additional information. This step is necessary to avoid the disclosure of data to unauthorised persons.
8. Data security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, accidental disclosure, modification or destruction. These include:
- Encryption of data in transit through HTTPS/TLS;
- Multi-factor authentication (MFA) for access to systems containing data;
- Strict access policies based on the "least privilege" principle (minimum necessary privilege);
- Regular and encrypted backups of critical data;
- Active monitoring of systems and access logs (audit logs);
- Antivirus and EDR protection on all systems;
- Confidentiality agreements (NDAs) signed with all employees and subcontractors;
- Periodic training of staff on security and data protection;
- Documented security incident response plan.
9. Notification in case of security incident
In case of a security incident involving personal data (data breach), CarpaThin Logic undertakes to:
- Notify the supervisory authority (ANSPDCP) within a maximum of 72 hours of becoming aware of the incident, in accordance with article 33 GDPR;
- Notify data subjects without undue delay, if the incident has a high impact on their rights and freedoms (art. 34 GDPR);
- Document each incident in the internal incident register.
10. Cookies and similar technologies
The use of cookies on our site is described in detail in the separate Cookie Policy, which is an integral part of this Privacy Policy.
11. Marketing and commercial communications
Currently, CarpaThin Logic does not send newsletters, direct marketing communications or other forms of advertising. We communicate with you exclusively in connection with the requests you address to us or in the course of executing active contracts.
12. Children's data
Our services are addressed exclusively to legal entities (B2B) and natural persons over 18 years of age. We do not intentionally collect data about children under 16 years of age. If we become aware that we have received such data, we will delete it without delay.
13. Modification of the privacy policy
This policy may be updated periodically to reflect changes in our practices, in legislation or in the technology used. The current version is always published on this page, with the date of the last update at the end.
Significant changes affecting the processing of your data will be communicated to you proactively (via email if we are in a contractual relationship, or through a prominent notice on the site).
14. Contact
For any questions, requests or to exercise your GDPR rights, you can contact us:
- Email: [email protected]
- Phone: +40 332 633 588
- Address: Iași, Str. Fântânilor nr. 43, bl. B14, ap. B39
Updated version: 30 April 2026.
This policy applies to all users of the website and clients of CarpaThin Logic.