Skip to content

Legal

Privacy Policy

Last updated: 2026-05-07

1. Who is the data controller

The data controller is Bytecraft Media SRL, registered office Șos. Alexandria Nr. 86, Bl. L24, Sc. 1, Ap. 34, Sector 5, București, Romania, CUI 54481523, J2026024670003. Contact for privacy matters: fares@bytecraftmedia.eu.

2. What personal data we collect

We collect personal data in three contexts:

  • When you contact us (via the website contact form or by email): name, email address, company name (optional), and the contents of your message.
  • When you become a client: the above plus billing details (company name, registered address, VAT or fiscal ID, bank account) needed to issue invoices in compliance with Romanian fiscal law.
  • When you visit the website: limited technical data via first-party analytics (anonymous page views, referrer, country), see the Cookie Policy for details.

3. Lawful basis for processing

We process personal data on the following lawful bases under Article 6 of the GDPR:

  • Article 6(1)(b), performance of a contract: client billing data, project communications.
  • Article 6(1)(f), legitimate interest: replying to inbound enquiries, anonymous analytics to improve the site.
  • Article 6(1)(c), legal obligation: retaining invoices and fiscal records as required by Romanian tax law.
  • Article 6(1)(a), consent: any optional cookies that require consent (none currently set; the Cookie Policy stays in sync with what's actually deployed).

4. How long we keep your data

  • Contact-form messages: kept for 12 months from the date of last contact, then deleted unless the contact converted into a client engagement.
  • Client engagement records: kept for the duration of the engagement plus the period required by Romanian fiscal law for accounting documents (currently 10 years for invoices).
  • Anonymous analytics: aggregated, retained without personal identifiers per the Cookie Policy.

5. Who we share data with

We use the following third-party processors. Each is bound by a Data Processing Agreement (DPA):

  • Vercel Inc. (USA / EEA infrastructure), hosting and edge delivery. Data transfers covered under the EU–US Data Privacy Framework.
  • Cloudflare, Inc. (USA / EEA infrastructure), DNS, CDN, email routing, anti-spam (Turnstile).
  • Resend, Inc. (USA), transactional email delivery for contact-form submissions.
  • Cal.com, Inc. (USA / EEA infrastructure), scheduling widget embedded on the Contact page for meeting bookings. Only processes data you choose to enter when booking a slot.

We do not sell or rent personal data to anyone. We do not use personal data for advertising profiling.

6. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15), request a copy of the data we hold.
  • Rectification (Art. 16), correct inaccurate data.
  • Erasure (Art. 17), request deletion, subject to legal-retention obligations.
  • Restriction (Art. 18), restrict processing in specific circumstances.
  • Portability (Art. 20), receive data in a machine-readable format.
  • Objection (Art. 21), object to processing based on legitimate interest.
  • Withdrawal of consent (Art. 7(3)), where processing is based on consent, withdraw at any time without affecting prior lawful processing.

To exercise any right, contact fares@bytecraftmedia.eu. We respond within 30 days as required by Article 12(3) GDPR.

7. Right to complain

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București
Web: www.dataprotection.ro

8. International transfers

Some processors (Vercel, Cloudflare, Resend) operate infrastructure outside the EEA. These transfers rely on Standard Contractual Clauses (Module 2, Controller to Processor) under Article 46 GDPR, plus the EU–US Data Privacy Framework where applicable.

9. Security

We apply technical and organizational measures appropriate to the risk: TLS for all network traffic, encrypted at rest where the processor supports it, role-based access to client data limited to Bytecraft Media personnel actively working on the engagement.

10. Changes to this policy

Material changes to this policy will be communicated by email to active clients at least 30 days before taking effect, and reflected in the Last updated date at the top of this page.

11. Contact

Questions about this policy: fares@bytecraftmedia.eu.