Privacy Policy

This Privacy Policy explains how CAI Technology ("we", the controller) collects, processes, retains and protects your personal data when you visit caitech.eu or caitech.ro or interact with our services.

1. Data controller

CAI Technology — brand operated by CAI TECHNOLOGY S.R.L. (Tax ID 50512457, registered office: Romania), is the data controller under Regulation (EU) 2016/679 (GDPR).

Data protection contact: support@caitech.eu

2. Categories of data collected

2.1 Data you provide to us directly

• Contact form: name, email, free-text message, optionally company name.
• Newsletter: email address, optionally first name.
• Quote / consultation request: name, email, phone (optional), company, project description.
• Email/Telegram/WhatsApp communication: message contents, conversation identifiers.

2.2 Data collected automatically

• Technical data: IP address (anonymized), browser, OS, screen resolution, referer.
• Usage data: pages visited, session duration, clicks on external links.
• Cookies: see Cookie Policy. We use Plausible Analytics (self-hosted, GDPR-compliant by default, no cookies).

2.3 Data we do NOT collect

• No Google Analytics, Facebook Pixel, or other cross-site trackers.
• No special category data (health, religion, sexual orientation, etc.).
• No data purchased from third parties.
• No data sold to third parties.

3. Legal basis for processing

Purpose	GDPR legal basis
Quote, contact, consultation responses	Art. 6(1)(b) — contract / pre-contractual measures
Newsletter	Art. 6(1)(a) — explicit consent
Aggregate site usage statistics	Art. 6(1)(f) — legitimate interest, no third-party cookies
Tax & accounting compliance (invoices)	Art. 6(1)(c) — legal obligation
Defense before authorities	Art. 6(1)(f) — legitimate interest

4. Retention periods

• Prospect/contact correspondence: 24 months from last interaction, then automatic deletion.
• Newsletter: until unsubscribe; afterwards we keep email on a "do-not-contact" suppression list for 36 months (anti-respam).
• Contractual & fiscal data: 10 years per Romanian Law 82/1991 (accounting).
• Technical logs: 90 days, then automatic rotation.
• Erasure requests (Art. 17 GDPR): complete deletion within 30 days, except legal retention obligations.

5. Recipients and transfers

Data is processed by the CAI Technology team and the following sub-processors (all EU-resident or with adequate safeguards):

• EU hosting: our infrastructure in Romania and Frankfurt (DE). No extra-EU transfer for product data.
• Transactional email: own SMTP or EU provider (Mailgun-EU, Postmark-EU).
• 2-way messaging (optional): WhatsApp Cloud API (Meta — EU/US transfer with Standard Contractual Clauses) or Telegram Bot API.
• Payments (optional, for subscription clients): Stripe (Stripe Payments Europe — Ireland).

Full subprocessor list with registered office and DPA available on request. For non-EU transfers we apply Standard Contractual Clauses + supplementary technical measures (encryption in transit + at rest).

6. Data security

• TLS 1.3 mandatory for all connections.
• Encryption at rest on databases and backups (criptare standard).
• Centralized audit log of administrative access.
• Quarterly patching for all open-source components.
• Annual internal + external penetration testing (see AEGIS Pentest).
• Incident response: ANSPDCP notification within 72h per GDPR Art. 33 in case of breach.

7. Your rights (GDPR)

You have the rights to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), consent withdrawal (Art. 7(3)). See GDPR rights page.

8. Complaints

You may lodge a complaint with the Romanian Data Protection Authority (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Bucharest.

9. Changes to this policy

Material changes will be notified by email at least 30 days in advance. Current version identified by "Effective" date above.