Summary
Data controller: reclamepenet, a brand operated by PFA Victor Grosu (registration in progress). Tax residency: Romania. Applicable jurisdiction: European Union. For any request concerning your personal data, write to privacy@reclamepenet.ro.
This policy is a layered notice. On this page you will find the high-level categories of data we process, the purposes, the legal basis, and the functional categories of providers we work with. For the exact list of sub-processors — with their names, the jurisdiction of each, and the applicable DPA — see the dedicated sub-processor list. This approach follows guidelines 03/2019 of the European Data Protection Board (EDPB) on transparency and proportionality in notices given under article 13 of Regulation (EU) 2016/679 (GDPR).
Audience: reclamepenet is a professional ad-creative generator; the service is intended exclusively for adults (18+) and for users authorized to act on behalf of an economic activity (PFA, SRL, freelancer, agency). We do not knowingly collect data about minors.
What data we collect
We group the data we process into five functional categories. For each category we indicate what it contains and why we have it; for who processes it technically, see the sub-processor list.
a) Account and authentication
When you create a reclamepenet account, we store your email address as the primary identifier. Authentication is done via magic-link (a single-use link sent by email) or via OAuth (Google or Facebook), in which case we receive from the OAuth provider only your email address and an opaque identifier of your account — we do not receive your password and we do not receive your friends list, photos, or any other profile data. We associate your account with an internal workspace_id so that all your projects and credits are strictly isolated in your own space (multi-tenant architecture with row-level isolation in the database). On each magic-link issuance, we record the IP address from which it was requested, exclusively to prevent link-theft abuse (IP-binding); that value expires together with the link.
b) Product usage
As you use the platform, we store metadata about your projects: the URL of the product you are analyzing (when you choose the automated ingestion flow), the data you enter manually about a product or a business when you opt for the manual flow or the “local business” flow, the configuration of each ad variant (language, preselected voice, tone, background, length), its state in the draft → rendering → preview → accepted state machine, and other relevant operational events (for example, re-generation requests). We also store the MP3 and MP4 files generated on demand, for the duration set out in the Retention and deletion section.
Significant administrative actions — accepting a variant, granting AI download consent, modifying the account, deleting a project, validating a payment — are written to an internal audit log (audit_log) with a timestamp, the actor, and a hash of the event. This log does not contain the content of your messages; only facts about what happened and when.
c) Payments
Payments for credit packs are handled entirely by Paddle, acting as Merchant of Record. This means Paddle is the direct contractual party for the payment transaction, issues the invoice, collects the VAT applicable in your jurisdiction, and manages intra-EU tax compliance. Your payment instrument data (card number, security code, bank account) is collected and stored directly by Paddle — reclamepenet does not receive it, does not see it, and cannot access it.
What reclamepenet receives from Paddle is limited to transaction metadata: the transaction ID, the amount, the currency, the time, the status (success/failure/disputed), the billing country, and the last four digits of the payment instrument — all strictly necessary to grant you the credits you purchased, to issue corresponding invoices, and to be able to respond to a dispute. Paddle is named explicitly in this policy (an exception to the general rule that we describe vendors by category) precisely because its Merchant-of-Record role creates a direct contractual relationship with you, which must be fully transparent.
d) Operational telemetry
To operate the platform safely, we collect technical telemetry exclusively server-side: runtime errors (stack traces, error code, the path of the failed request), product analytics events (actions such as “project created”, “variant accepted”, “credit consumed”), and performance metrics (latencies, success rates of calls to our sub-processors).
These events are tagged with distinctId = workspace_id — an opaque identifier of your workspace, not your email address and not a cross-site identifier. We do not run analytics SDKs in the browser and we do not place tracking pixels. We do not correlate our telemetry with your profile on other sites and we do not share it with third-party marketing networks.
e) Cookies and browser-side storage
We use a narrow set of strictly necessary cookies (session token, CSRF token, anti-abuse challenge cookie). Full details about each cookie, its purpose, retention, and the consent withdrawal mechanism are in the cookies policy.
Why we use them — legal basis
For each processing category we rely on one of the bases set out in article 6(1) of the GDPR. The bases do not stack arbitrarily — for a given processing there is one principal basis, indicated below.
- Performance of a contract — article 6(1)(b) GDPR: all core product functionality, from creating an account and managing the workspace to generating ad variants, delivering the final files, and maintaining your project history. Without this processing we cannot deliver the service you have chosen to use.
- Legitimate interest — article 6(1)(f) GDPR: infrastructure security (intrusion detection, rate-limiting, anti-bot protection), fraud prevention (for example, detection of stolen cards or abusive chargeback patterns), audit logging for operational integrity, and abandoned-cart recovery (a single transactional email if you started a generation and did not complete it, with a simple unsubscribe option). For each of these processing activities we have carried out a balancing test between our legitimate interest and your rights; you can request a copy of that assessment at privacy@reclamepenet.ro.
- Consent — article 6(1)(a) GDPR: non-essential cookies, when any exist. As of the date of this policy there are no non-essential cookies — but if we introduce any (for example, opt-in analytics), we will request explicit consent through a banner, with symmetrical refusal.
- Legal obligation — article 6(1)(c) GDPR: keeping invoices and related financial records for the minimum period required by Romanian Accounting Law no. 82/1991 article 25 (10 years) and by the Romanian Fiscal Code. This obligation prevails over any request for full deletion, in line with article 17(3)(b) GDPR.
With whom we share — sub-processor categories
In performing the contract we use a narrow set of specialized sub-processors. In line with the layered notice approach set out in article 13 GDPR and EDPB guidelines 03/2019, we list here only the functional categories; the exact names, the jurisdiction of each, and the applicable DPA are on the dedicated page.
- Cloud infrastructure and database — application hosting, relational database storage, and object storage (MP3, MP4, uploaded images). Data residency: European Union.
- AI generation — generation of text scripts, voice synthesis, and avatar video rendering. All calls are server-side; there are no provider SDKs in your browser, and our content security policy (CSP) blocks direct browser calls to these providers’ domains.
- Payment processing — Paddle, Merchant of Record (the only sub-processor named explicitly on this page, because its MoR role creates a direct contractual relationship with you).
- Analytics and monitoring — exclusively server-side; no persistent browser-level identifiers, no tracking pixels, no cross-site behavioural profiling.
- Transactional email — sending magic-links, payment confirmations, operational notifications, and the single abandoned-cart recovery email.
- Captcha and anti-abuse — captcha-style challenges on public forms (for example, sign-in) to prevent automated attacks, without identifying the person.
For the full list with the name of each sub-processor, their jurisdiction, and the applicable DPA, see the sub-processor list.
Your rights
Under articles 15–22 of the GDPR, you have the following rights regarding personal data processed by reclamepenet. To exercise any of them, write to privacy@reclamepenet.ro or use the self-service panel indicated. We respond within a maximum of 30 days, in line with article 12(3) GDPR; the period may be extended by a further two months for complex requests, in which case we will let you know.
- Right of access (article 15 GDPR) — you receive a full copy of the personal data processed by reclamepenet, in a structured format. Available through the self-service panel at /setari/confidentialitate (under construction). Until the panel is launched, write to privacy@reclamepenet.ro.
- Right to rectification (article 16 GDPR) — you can update your account information directly from the account settings; for changes that are not accessible self-service, write to us by email.
- Right to erasure (article 17 GDPR, the “right to be forgotten”) — you can request account deletion through self-service DSAR or by email. We apply a 30-day “soft delete” grace period (recoverable), then physically delete all data. Exception: payment and tax records are retained for the minimum period required by law, in line with article 17(3)(b) GDPR.
- Right to restriction of processing (article 18 GDPR) and right to object (article 21 GDPR) — by email, with a 30-day response window.
- Right to data portability (article 20 GDPR) — you can download all your personal data as a ZIP archive in structured JSON, through self-service DSAR or by email.
- Right to a refund under our dedicated policy — see the refund policy for details about Re-Generation Credits and the statutory 14-day right of withdrawal under Romanian Government Emergency Ordinance 34/2014 for unused credit packs.
- Right to lodge a complaint with the supervisory authority — in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP), https://www.dataprotection.ro/. We encourage you to contact us first — in many cases we can resolve the issue without escalation.
Retention and deletion
We apply a retention-minimization policy: each data category has a clear TTL (time-to-live), after which it is automatically deleted. The periods below are those applied at the date of this policy; changes will be reflected in subsequent versions.
- Account data: throughout the active life of the account, plus 30 days of “soft delete” after closure — then physical deletion.
- Generated MP4 — preview: 7 days from rendering. If you do not accept the variant within that window, the file is deleted automatically.
- Generated MP4 — clean / accepted version: 90 days from acceptance; download your video and back it up locally if you want to keep it longer.
- Internal pre-cleaning outputs: 48 hours, internal use only; used for technical debugging and not accessible through the user interface.
- User-uploaded images (BYOA / “bring your own asset”): 30 days from upload.
- Voice synthesis (MP3): 7 days.
- Audit logs: 6 years — aligned with the accounting obligations of the Romanian Fiscal Code.
- Payment records and invoices: 10 years, in line with article 25 of Romanian Accounting Law no. 82/1991.
International data transfers
We prioritize EU residency for every category of data we control — the primary database, user file storage, and most of our monitoring tooling are hosted in the EU. Some specialized sub-processors (in particular for AI generation and payment processing) are established in the United States. For those transfers we rely on the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914 of 4 June 2021, complemented, where appropriate, by Transfer Impact Assessments carried out under the methodology of EDPB Recommendation 01/2020 following the Schrems II ruling.
A redacted copy of the clauses and of our TIAs can be requested at privacy@reclamepenet.ro. For the jurisdiction of each sub-processor individually, see the sub-processor list.
Security
We apply technical and organizational measures proportional to the risks, in line with article 32 GDPR. Concretely: all calls to third-party providers are made exclusively server-side — our content security policy (CSP) blocks direct browser calls to sub-processor domains; data is transported encrypted over the internet (HTTPS / TLS 1.2 or higher); the database and user objects are stored in the EU; service access keys are rotated at most every 90 days; the continuous integration (CI) pipeline runs automated secret and vulnerable-dependency scanning before each deploy.
Changes to this policy
This is version 1.0, in force from 6 May 2026. We will update this policy whenever we introduce a new processing category, change a sub-processor with direct impact on you, or change a retention period. Minor changes (language clarifications, typographical corrections) are noted by a new “last updated” date, without separate notice. Material changes — any change to the purpose of processing or to the categories of data — trigger a notification email at least 30 days before the change comes into effect, and transactions in progress at that moment continue to be governed by the version applicable at the time they were entered into.
Contact
- For DSAR requests (access, deletion, portability) and for any questions about your data: privacy@reclamepenet.ro.
- Official postal address: pending publication (PFA Victor Grosu, registration in progress in Romania). It will be added here and in the site footer as soon as the tax registration is finalized.
- Supervisory authority: the National Supervisory Authority for Personal Data Processing (ANSPDCP), https://www.dataprotection.ro/.