Privacy Policy | Nottral

Introduction

This Privacy Policy describes how Nottral ("we", "the company" or "the platform") collects, uses, stores, and protects your personal data when you use our services.

We comply with the General Data Protection Regulation (GDPR - EU 2016/679)
Transparency is our fundamental principle in data processing
Your data is protected with the highest security standards
You have full control over your personal information

Multi-Tenant Platform

Nottral operates as a multi-tenant platform, meaning we serve both individual users and businesses. Depending on how you interact with the platform, Nottral may act as a Data Controller (for your user account) or as a Data Processor (for data processed on behalf of businesses).

Data Controller Identity

Art. 13-14 GDPR

Under GDPR, the data controller is the entity that determines the purposes and means of processing personal data.

Controller Information

SC Nottral SRL
CUI: [in curs de inregistrare]
[Sediu social in curs de inregistrare], Bucuresti, Romania
[email protected]

GDPR Contact

GDPR Contact Department
[email protected]

For any questions regarding personal data processing, please contact our GDPR contact.

Nottral's Roles in Data Processing

Nottral as Controller

We are the controller for:

Platform user accounts
Authentication and security data
Billing and subscription data
Direct communications with users

Nottral as Processor

We act as a processor for:

Customer data managed by businesses using the platform
Appointments and services booked through businesses
Communications between businesses and their customers

Businesses as Controllers

Businesses using Nottral are independent controllers for their customer data. They determine the purposes of processing and are responsible for GDPR compliance in their relationship with customers.

Personal Data Collected

Art. 13-14 GDPR

We only collect data necessary for providing our services. Below are the categories of data collected:

Category	Data Types	Purpose	Legal Basis	Retention
Identification Data	First and last name, Username, Profile photo (optional)	Account creation and management	Contract performance	Account duration + 30 days
Contact Data	Email address, Phone number, Postal address (optional)	Communication and notifications	Contract performance	Account duration
Demographic Data	Date of birth, Gender (optional), Language preferences	Experience personalization	Consent	Until consent withdrawal
Technical Data	IP address (anonymized/hashed), Device and browser type, Operating system	Security and diagnostics	Legitimate interest	12 months
Transactional Data	Appointment history, Payments and invoices, Communications with businesses	Service delivery	Contract performance / Legal obligation	3 years / 10 years (tax documents)

Data Visibility for Businesses

When you make an appointment with a business, they will have access to:

First and last name
Username
Phone number
Appointment history with that business

Businesses do not have access to your email address or Nottral account billing data.

Processing Purposes

Art. 13-14 GDPR

We process personal data for the following specific purposes:

Service Delivery

Creating and managing accounts, processing appointments, facilitating communication between users and businesses.

Operational Communications

Sending appointment confirmations, status notifications, reminders, and important service updates.

Security and Protection

Fraud prevention, suspicious activity detection, account and platform infrastructure protection.

Service Improvement

Analyzing platform usage to improve features and user experience.

Legal Compliance

Meeting legal obligations, including tax and reporting requirements.

Marketing (with consent)

Sending offers and news about our services, only with your explicit consent.

Legal Basis for Processing

Art. 6 GDPR

We process personal data only when we have a valid legal basis:

Contract Performance Art. 6(1)(b)

Processing necessary for services you have requested.

Account creation
Appointment processing
Payment management

Consent Art. 6(1)(a)

When you have given us explicit permission for processing.

Marketing cookies
Newsletter
Optional demographic data

Legal Obligation Art. 6(1)(c)

When we are legally required to retain or provide data.

Tax documents
Authority responses
Mandatory reporting

Legitimate Interest Art. 6(1)(f)

When we have a justified interest that does not override your rights.

Platform security
Fraud prevention
Service improvement

Data Retention Period

Art. 13-14 GDPR

We retain personal data only as long as necessary for the established purposes or as required by legal obligations:

Data Types	Retention	Purpose
Account data	Account duration + 30 days	Allowing account recovery in case of accidental deletion
Appointments and services	3 years from completion	Dispute resolution and statistics
Invoices and tax documents	10 years	Compliance with Romanian tax legislation
Security logs	12 months	Security incident investigation
Consent records	Until withdrawal + 3 years	Proof of granted consent

Data Deletion

When the retention period expires or upon your request, data is permanently deleted or irreversibly anonymized.

Your GDPR Rights

Art. 15-22 GDPR

GDPR grants you extensive rights over your personal data. Nottral facilitates exercising these rights through the privacy interface in your account.

Right of Access Art. 15

You can request a copy of all personal data we hold about you.

Right to Rectification Art. 16

You can correct inaccurate data or complete incomplete data directly from account settings.

Right to Erasure Art. 17

You can request deletion of personal data ("right to be forgotten"), except for data retained for legal reasons.

Right to Restriction Art. 18

You can request limitation of processing in certain circumstances.

Right to Portability Art. 20

You can receive data in a structured format or transfer it to another controller.

Right to Object Art. 21

You can object to processing based on our legitimate interest or for marketing purposes.

Right regarding Automated Decisions Art. 22

You have the right not to be subject to decisions based solely on automated processing.

How to Exercise Your Rights

You can exercise most rights directly from your account settings, "Privacy & Data" section. For complex requests, contact our GDPR contact.

We will respond to requests within 30 days, in accordance with GDPR Art. 12.3.

Protection of Minors

Art. 8 GDPR

We pay special attention to protecting children's and minors' data:

Our services are intended for persons aged 16 or older
For users under 16, parental or legal guardian consent is required
Parents can request deletion of their children's data by contacting us

Parental Consent

If you discover that a minor has used your email address to create an account without permission, please contact us immediately so we can take necessary action.

Data Security

Art. 32 GDPR

We implement technical and organizational measures to protect your data:

Technical Measures

Encryption in transit (TLS 1.3) and at rest (AES-256)
Two-factor authentication (2FA) available
Secure password hashes (bcrypt)
Automated monitoring and security alerting (Sentry + infrastructure monitoring)
Regular backups stored separately from primary production data, within the European Union

Organizational Measures

Data access limited based on "need-to-know" principle
Documented policies and procedures
Periodic security audits
Incident response plan

Security Breach Notification

In case of a data security breach that may affect your rights, we will notify you without undue delay and will notify the supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.

Cookies and Similar Technologies

ePrivacy Directive

We use cookies and similar technologies to improve your experience on the platform:

Necessary Cookies

Essential for platform operation. Cannot be disabled.

Authentication session
Security preferences
Cart/booking state

Analytics Cookies

Help us understand how you use the platform.

Pages visited
Time spent
Errors encountered

Preference Cookies

Remember your choices for a personalized experience.

Preferred language
Theme (light/dark)
Display preferences

You can change your cookie preferences at any time using the button below or through your browser settings.

International Transfers

Art. 44-49 GDPR

Your data is primarily stored and processed within the European Union:

Main servers are located in the EU (Germany and Netherlands)
For third-party services outside the EU, we ensure adequate safeguards exist
We use Standard Contractual Clauses (SCC) approved by the European Commission
We verify adequacy decisions for third countries

Third-Party Services Used

For specific functionality, we work with trusted providers:

Service	Purpose	Location	Safeguards
Stripe	Payment processing	EU/USA	Standard Contractual Clauses
MongoDB Atlas	Data storage	EU (Frankfurt)	EU storage
Resend	Email sending	USA	Standard Contractual Clauses

Data Sharing with Third Parties

Art. 13-14 GDPR

We do not sell your personal data. We share data only in the following circumstances:

Partner Businesses

When you make an appointment, the respective business receives data necessary to serve you (name, phone, appointment details).

Service Providers

Partners who help us operate the platform (hosting, email, payment processing), contractually bound to protect data.

Legal Obligations

When legally required (court orders, requests from competent authorities).

Rights Protection

To protect our rights, safety, or property, that of our users, or the public.

Data Visible to Businesses

First and last name
Username
Phone number
Appointment history with that business

Email and Nottral billing data are NOT shared with businesses.

Policy Changes

We may periodically update this Privacy Policy to reflect changes in our practices or legal requirements:

You will be notified by email about significant changes
Minor changes will be announced on the platform
The last update date is displayed at the beginning of the document
We encourage you to check this page periodically

Change Notification

For substantial changes affecting your rights, we will request acceptance of the new version before continuing to use the services.

Complaints and Contact

Art. 77 GDPR

If you have questions, concerns, or complaints about data processing, we encourage you to contact us:

GDPR Contact

[email protected]

First option for any privacy-related questions

General Contact

[email protected]

For general assistance and technical questions

Supervisory Authority

If you are not satisfied with our response, you have the right to file a complaint with the supervisory authority:

ANSPDCP — National Supervisory Authority for Personal Data Processing

28-30 G-ral. Gheorghe Magheru Blvd., Sector 1, Bucharest, Romania
+40 318 059 211
[email protected]
https://www.dataprotection.ro

Inainte de a derula

Prezentare Platforma

Datele Colectate

Sistem Multi-Tenant

Cum Folosim Datele

Controlul Tau

Drepturi GDPR

Multi-Tenant Platform

Controller Information

GDPR Contact

Nottral's Roles in Data Processing

Nottral as Controller

Nottral as Processor

Businesses as Controllers

Data Visibility for Businesses

Service Delivery

Operational Communications

Security and Protection

Service Improvement

Legal Compliance

Marketing (with consent)

Contract Performance Art. 6(1)(b)

Consent Art. 6(1)(a)

Legal Obligation Art. 6(1)(c)

Legitimate Interest Art. 6(1)(f)

Data Deletion

Right of Access Art. 15

Right to Rectification Art. 16

Right to Erasure Art. 17

Right to Restriction Art. 18

Right to Portability Art. 20

Right to Object Art. 21

Right regarding Automated Decisions Art. 22

How to Exercise Your Rights

Parental Consent

Technical Measures

Organizational Measures

Security Breach Notification

Necessary Cookies

Analytics Cookies

Preference Cookies

Third-Party Services Used

Partner Businesses

Service Providers

Legal Obligations

Rights Protection

Data Visible to Businesses

Change Notification

GDPR Contact

General Contact

Supervisory Authority

ANSPDCP — National Supervisory Authority for Personal Data Processing