
Privacy Policy

Last updated: March 17, 2026

I. Preliminary Information

factcurier SRL (hereinafter "factcurier" or "the Controller"), CUI 49620528, J25/108/2024, registered at Str. Antonini 17, Drobeta-Turnu Severin, Mehedinți, Romania, operates the factcurier.ro and app.factcurier.ro platforms.

factcurier processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation, including Romanian Law no. 190/2018 on GDPR implementation measures.

This policy may be updated periodically. Continued use of the platform after publication of changes constitutes acceptance of the new version. If you do not agree with this privacy policy, please do not use our services.

Data protection contact: [email protected] | Contact form

II. Definitions

  • GDPR — Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
  • Controller — factcurier SRL, the entity determining the purposes and means of data processing
  • Data subject — any identifiable natural person whose data is processed
  • Personal data — any information relating to an identified or identifiable natural person
  • Processing — any operation performed on personal data: collection, storage, use, transmission, deletion
  • Consent — a freely given, specific, informed and unambiguous indication of your agreement to the processing of your data

III. Personal Data Collected

We collect the following categories of personal data:

  • Identification data: name, email address
  • Authentication data: Google, Apple, or email magic link account (we do not store passwords — authentication is performed via OAuth or unique verification links)
  • Company data: company name, CUI (tax ID), registered address, ONRC registration number, CAEN code
  • Accounting documents: invoices, receipts, bank statements, fiscal receipts uploaded by the user or received via email
  • Communication data: messages exchanged with the assigned accountant through the platform
  • Technical data: IP address, browser type, operating system, device — collected automatically for functionality and security
  • Mobile app data: push notification token (Firebase Cloud Messaging), document photos taken with the device camera — only with explicitly granted permissions
  • Temporary accounts: name and email provided at registration, stored temporarily (30 days) for platform exploration, automatically deleted upon expiration if the account is not activated

IV. Processing Purposes and Legal Basis

For clients:

  • Contract performance (Art. 6(1)(b) GDPR) — providing accounting, registered office, and ONRC services. Refusal to provide necessary data prevents service delivery.
  • Legal obligation (Art. 6(1)(c) GDPR) — compliance with Romanian tax and accounting legislation, including the Accounting Law no. 82/1991, the Tax Code (Law 227/2015), eFactura and SAF-T obligations.
  • Legitimate interest (Art. 6(1)(f) GDPR) — platform improvement, fraud prevention, anomaly detection, infrastructure security.
  • Consent (Art. 6(1)(a) GDPR) — marketing communications, if you have explicitly opted in. You may withdraw consent at any time.

For visitors:

  • Website usage analytics (Google Analytics with consent + Cloudflare Web Analytics without cookies)
  • Display preferences (visual theme, language — stored locally in the browser)

V. Personal Data from Public Registers (Art. 14 GDPR)

In addition to data provided directly by users, factcurier processes personal data obtained indirectly from public government registers, as part of the company search functionality available on this website.

Categories of data processed

  • Names of individuals holding positions within companies (directors, shareholders, auditors, founders, managers)
  • Role held within the company

Data source

The National Trade Register Office (ONRC), via the open data portal data.gov.ro, and the National Agency for Fiscal Administration (ANAF).

Legal basis

Legitimate interest (Art. 6(1)(f) GDPR) — displaying data from public registers enables company verification for informed commercial decisions (due diligence), contributing to business environment transparency. The data is already public through official registers, and our processing is strictly limited to names and roles, without including personal addresses, phone numbers, or other contact details.

Your rights

  • Right to object (Art. 21 GDPR) — you may request that we stop processing your data from public registers, on grounds relating to your particular situation. We will assess the request in accordance with European case law (including CJEU C-398/15).
  • Right of access (Art. 15 GDPR) — you may request confirmation of processing and a copy of the data.
  • Right to rectification (Art. 16 GDPR) — if the displayed data is inaccurate, we will correct or update it.

To exercise these rights: [email protected]

VI. AI Processing

We use AI systems for automatic classification, data extraction, and triage of accounting documents. AI processes documents exclusively to prepare the information needed by the CECCAR-certified accountant who reviews and approves everything.

The immutable rule: no tax declaration is submitted to ANAF without prior review and approval by a CECCAR-certified accountant. No automated decisions with legal effects are made without human intervention, in accordance with Art. 22 GDPR.

Third-party AI integrations (desktop app)

The factcurier desktop app allows you to connect your own subscription to third-party AI providers (OpenAI/ChatGPT, Anthropic/Claude, Google/Gemini) via the MCP (Model Context Protocol). When using these integrations:

  • Data is transmitted directly from your device to your chosen AI provider, under that provider's terms
  • factcurier does not intermediate, store, or access data processed by third-party AI providers
  • Your API keys and credentials are stored exclusively on your device
  • You are responsible for choosing which data you share with third-party AI providers

Push notifications (mobile apps)

The mobile apps use Firebase Cloud Messaging (FCM) for push notification delivery. The FCM token is stored on factcurier's servers and is used exclusively for delivering notifications related to your account activity. You can disable notifications from your device settings at any time.

Camera (mobile apps)

Camera access is explicitly requested and used exclusively for photographing documents (invoices, receipts). Images are processed by factcurier's AI for data extraction and are transmitted to your assigned accountant. We do not access the photo gallery or other files on your device.

VII. Data Transfer to Third Parties

Personal data may be transmitted to the following categories of recipients:

  • CECCAR-certified accountant assigned to your contract — for document review and approval
  • ANAF (Romanian tax authority) — for filing tax declarations, eFactura, and SAF-T, as required by law
  • ONRC (Trade Register) — for trade register operations (registration, modifications, dissolution)
  • Infrastructure providers — Hetzner Online GmbH (Germany) for servers, Cloudflare Inc. for CDN, DNS, and email routing, Google Firebase (mobile push notifications) — under standard contractual clauses
  • Third-party AI providers (desktop app only, at the User's initiative) — OpenAI, Anthropic, Google — data is transmitted directly from your device, factcurier does not intermediate the transfer
  • Public authorities — upon explicit legal request

We do not sell, rent, or share data with third parties for advertising or marketing purposes. All contracts with infrastructure providers include GDPR-compliant data protection clauses.

VIII. Security and Storage

We implement the following security measures:

  • All data is stored exclusively on servers within the European Union (Hetzner, Germany)
  • Encryption in transit (TLS 1.3) and at rest
  • Role-based access control on each contract (owner, accountant, viewer)
  • Immutable audit trail — every document, message, and action is recorded in a history that cannot be modified or deleted
  • Data minimization — we collect only necessary, adequate, and relevant data
  • Access restricted to authorized personnel with confidentiality obligations
  • End-to-end encryption (E2EE) of messages and documents within the platform — even in the event of unauthorized server access, encrypted content remains inaccessible

Despite preventive measures, no system is perfect. In the event of a security incident, we follow strict notification procedures in accordance with Art. 33-34 GDPR.

IX. Retention Period

Personal data is retained only as long as necessary:

  • Accounting documents: 10 years per the Accounting Law no. 82/1991 and OMF 2634/2015
  • Tax documents: 5 years per the Fiscal Procedure Code
  • Account data: for the duration of the contractual relationship + 30 days after deletion request
  • Technical data: maximum 12 months

Upon expiration of the retention period, data is permanently deleted or anonymized. Deleting your account does not automatically delete personal data under legal retention obligations — an explicit request is required.

X. Your Rights

Under Art. 15-21 GDPR, you have the following rights:

  • Right of access — confirmation of processing and access to your personal data
  • Right to rectification — correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — deletion of data when no longer necessary for the original purpose
  • Right to restriction of processing
  • Right to data portability — receiving your data in a structured, commonly used format
  • Right to object — including to marketing communications
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

These rights may be limited in specific situations provided by law (for example, legal obligations to retain accounting documents).

To exercise your rights, contact us. We will respond within 30 days.

You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), dataprotection.ro.

XI. Cookies and Local Storage

This site uses the following storage mechanisms:

  • theme — visual theme preference (light/dark), stored in the browser's localStorage
  • cookie-consent — your analytics cookie choice (accepted/declined), stored in localStorage
  • Google Analytics (GA4) — analytics cookies (_ga, _gid) set only after explicit consent. Collects anonymized data about site usage (pages visited, session duration, country). Does not collect personally identifiable data. You can decline these cookies via the banner shown on your first visit.

Cloudflare Web Analytics additionally operates without cookies and without collecting personal data.

If you are logged into the factcurier app, a functional cookie (fc_user) set by the app may be read by this site to personalize the browsing experience. This cookie is strictly necessary and does not require consent.

XII. Policy Changes

We reserve the right to update this privacy policy. Significant changes will be communicated via email or platform notification at least 15 days before taking effect. The date of the last update is displayed at the top of this page.