Arcane Tech
Legal document

Privacy Policy

Version in force since June 16, 2026.

This document explains how we collect, use and protect personal data through the arcanetech.eu and arcanetech.ro domains (which serve the same site identically) and through contractual engagements with Arcane Tech SRL, in accordance with Regulation (EU) 2016/679 (GDPR) and Romanian Law No. 190/2018.

1. The data controller

The controller of personal data is Arcane Tech SRL, with its registered office at Strada Avrig no. 11-19, bl. 15, et. 3, ap. 7, postal code 310147, Arad, Arad County, Romania, registered with the Trade Register under number J2024/02376/2024, EUID ROONRC.J2024023761001, sole registration code (CUI) 50575080, share capital 200 RON.

2. The categories of data we process

We process strictly the minimum necessary for each purpose. Depending on how you interact with us, we may process:

  • Identification and contact data: first name, last name, email address, phone number, company name, role, collected through the contact and booking forms.
  • The content of communications: the messages and attachments sent by email or through forms, as well as the history of correspondence related to a project.
  • Contractual and billing data: legal name, CUI, registered office, IBAN, the issued invoice, only for active clients.
  • Technical data collected automatically: the anonymized IP address, the browser agent, the pages visited, the time of access, and the error and security logs.
  • Consent data: records of the choices expressed in the cookie banner, kept as proof of consent.

We do not process special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). Please do not send us such information through forms or by email.

3. Automatic language detection and the IP address

The site is available in Romanian and English. In order to present content in the appropriate language without asking you, on your first visit we transiently read your IP address, on the server, solely to derive the country you are visiting from and to choose between Romanian and English. The IP address is processed only at that moment, in memory: it is not stored, it is not recorded in logs for this purpose, it is not used to create profiles and it does not allow you to be tracked.

The legal basis for this processing is legitimate interest, under Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR), consisting in presenting content in the appropriate language, with a minimal impact on privacy. The chosen language is then remembered through the strictly functional "NEXT_LOCALE" cookie, which lasts 12 months, so that detection is not repeated on every visit. No consent wall is shown for language, because the cookie is functional rather than tracking. You can change the language at any time from the switcher in the site header, and your explicit choice takes precedence over automatic detection. Details about the language cookie are described in our cookie policy.

4. The purposes and legal bases of processing

Data is processed solely for the following purposes:

  • Responding to commercial requests, contact and booking forms, basis: Article 6(1)(b) GDPR (pre-contractual measures at the request of the data subject).
  • Performing service contracts with clients, basis: Article 6(1)(b) GDPR.
  • Complying with legal obligations in accounting, tax and archiving matters, basis: Article 6(1)(c) GDPR (Accounting Law No. 82/1991, the Tax Code, Government Emergency Ordinance 28/1999).
  • Site security and fraud prevention, technical logs and rate-limiting, basis: Article 6(1)(f) GDPR (legitimate interest).
  • Automatic language selection based on the country derived from the IP address, basis: Article 6(1)(f) GDPR (the legitimate interest of presenting content in the appropriate language), without storing the IP address.
  • Functional, analytics and marketing cookies, basis: Article 6(1)(a) GDPR (explicit consent, expressed through the cookie banner, withdrawable at any time). The "NEXT_LOCALE" language cookie is strictly functional and does not require consent.

5. Recipients and processors

We do not sell or rent personal data. We share it only with contractually appointed processors, in accordance with Article 28 GDPR, on the basis of written data processing agreements (DPAs):

  • Transactional SMTP provider for the delivery of notification and confirmation emails. The data is limited to the email address and the content of the message, with retention of a maximum of 30 days in the provider's logs.
  • Hosting provider (European VPS) for hosting the application. The servers run within the European Economic Area, with no transfer of data outside the EEA.
  • Authorized accounting processors for issuing invoices, keeping documents and tax reporting.
  • Public authorities, only upon express request, in accordance with the law (tax authorities, judicial bodies, ANSPDCP).

6. International transfers

All processing takes place within the European Economic Area. We do not transfer personal data to third countries. If, in the future, a strategic provider requires processing outside the EEA, we will implement the safeguards provided in Article 46 GDPR (Standard Contractual Clauses) and will publicly update this policy before any actual transfer.

7. Retention periods

  • Messages received through forms, with no contractual follow-up: a maximum of 12 months from receipt.
  • Contractual and financial data: 10 years from the issue of the accounting document, in accordance with Article 25 of Law No. 82/1991.
  • Security and access logs: a maximum of 90 days, with automatic rotation.
  • Records of consent for cookies: 13 months or until consent is withdrawn.
  • Language preference ("NEXT_LOCALE" cookie): 12 months from the last visit. The IP address used for detection is not kept.

8. The rights of data subjects

As a data subject, you have the following rights:

  • Access (Article 15), to find out what data we process and to receive a copy.
  • Rectification (Article 16), to correct inaccurate or incomplete data.
  • Erasure (Article 17), the “right to be forgotten”, within the limits of legal obligations.
  • Restriction (Article 18) and objection (Article 21) to processing, including objection to processing based on legitimate interest.
  • Portability (Article 20), to receive your data in a structured format.
  • Withdrawal of consent, at any time, without retroactive effect on processing already carried out (Article 7(3) GDPR).
  • Complaint to the supervisory authority ANSPDCP (the Romanian Data Protection Authority), B-dul G-ral Gheorghe Magheru no. 28–30, Sector 1, postal code 010336, Bucharest.

Requests should be sent to dpo@arcanetech.ro. We respond within a maximum of 30 calendar days from receipt of the request. To identify you, we may ask for additional data, strictly necessary to verify your identity.

Send a GDPR rights request

9. Data security

We apply appropriate technical and organizational measures, in accordance with Article 32 GDPR: TLS 1.2 minimum encryption for all transmissions, secure hashing for sensitive identifiers in logs, role-based access separation, audit logs, daily backups with controlled retention, annual staff training in data protection, and periodic risk assessments.

10. Incident notification

In the event of a security breach that poses a risk to the rights of data subjects, we notify ANSPDCP within a maximum of 72 hours (Article 33) and directly inform the affected persons, without undue delay (Article 34), where the breach gives rise to a high risk.

11. Data about minors

The site is not intended for persons under 16. We do not knowingly collect data about minors. If you identify that a minor has sent us data, write to dpo@arcanetech.ro and we will delete that data promptly.

12. Changes to the policy

We reserve the right to update this policy to reflect legislative, operational or technological changes. The current version, marked with the date of the last update, is always available on this page. Substantial changes are notified by email to persons with an active account or recent correspondence.

13. Contact

For any question about this policy or about how your data is processed: the contact form, email dpo@arcanetech.ro or phone +40 741 526 332.