Last updated: May 1, 2026
AUREA INVEST CORPORATION SRL ("MaktubSoft", "we", "us", or "our"), registered in Romania under RCS 45653638, is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Romanian Law No. 190/2018.
1. Data Controller
The data controller responsible for your personal data is:
- Company: AUREA INVEST CORPORATION SRL
- Trade Registry (RCS): 45653638
- Country: Romania
- Email: info@maktubsoft.com
- DPO Email: dpo@maktubsoft.com
- Phone: +40 785 180 645
2. Data Protection Officer (DPO)
We have appointed a Data Protection Officer. For any questions regarding the processing of your personal data or to exercise your rights, please contact our DPO at dpo@maktubsoft.com.
3. What Personal Data We Collect
We collect the following categories of personal data:
3.1 Data you provide directly
- Account data: name, email address, phone number, company name, password (hashed)
- Communication data: messages sent via the contact form, project request details, support messages
- Payment data: billing name, billing address (processed by Stripe — we do not store card numbers)
3.2 Data collected automatically
- Technical data: IP address, browser type and version, operating system, device type
- Usage data: pages visited, time spent on pages, referral source, click patterns
- Cookie data: session identifiers, language preferences (see our Cookie Policy)
3.3 Data from third parties
- Stripe: payment confirmation status, subscription status, last four digits of the card
4. Legal Basis for Processing (Article 6 GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and invoices | Performance of a contract (Art. 6(1)(b)) |
| Responding to inquiries and support | Legitimate interest (Art. 6(1)(f)) |
| Sending service-related notifications | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
| Website analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
5. How We Use Your Data
- To create and manage your customer account
- To process orders, subscriptions, and payments via Stripe
- To provide customer support and respond to inquiries
- To send transactional emails (invoices, project updates, password resets)
- To improve our website, services, and user experience
- To comply with legal and regulatory obligations
- To protect against fraud and unauthorized access
6. Data Sharing and Third-Party Processors
We share your data only with trusted third-party processors who act on our behalf under Data Processing Agreements (DPAs):
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | EU-US Data Privacy Framework |
| Mailgun (Sinch) | Transactional email delivery | USA/EU | Standard Contractual Clauses |
| Hetzner Online GmbH | Server hosting | Germany (EU) | GDPR-compliant, ISO 27001 |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA/EU | EU-US Data Privacy Framework |
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
7. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). When transferring data outside the EEA, we ensure appropriate safeguards are in place, including:
- EU-US Data Privacy Framework (for US-based processors certified under the framework)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Invoice and payment records | 10 years (Romanian fiscal law) |
| Contact form messages | 2 years |
| Project request data | Duration of project + 5 years |
| Server logs (IP, access) | 90 days |
| Cookie consent records | 13 months |
9. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Art. 18): Limit how we use your data
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON)
- Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting lawfulness of prior processing
- Right not to be subject to automated decision-making (Art. 22): We do not use automated decision-making or profiling
To exercise your rights, you can:
- Use the Data & Privacy section in your customer portal
- Email our DPO at dpo@maktubsoft.com
We will respond to your request within 30 days. In complex cases, this may be extended by an additional 60 days, and we will inform you accordingly.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- TLS/SSL encryption for all data in transit
- Passwords stored using bcrypt hashing (never in plain text)
- Database encryption at rest
- Regular security updates and vulnerability patching
- Access control: only authorized personnel can access personal data
- DDoS protection via Cloudflare
- Server infrastructure hosted by Hetzner (Germany), ISO 27001 certified
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours of becoming aware of the breach (Art. 33 GDPR)
- Notify affected data subjects without undue delay if the breach poses a high risk to their rights (Art. 34 GDPR)
12. Children's Data
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at dpo@maktubsoft.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The "Last updated" date at the top indicates when the policy was last revised.
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
- Address: B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
- Phone: +40 318 059 211
- Website: www.dataprotection.ro
15. Contact Us
For any questions about this Privacy Policy or our data practices:
- Email: dpo@maktubsoft.com
- General: info@maktubsoft.com
- Phone: +40 785 180 645