Privacy Policy
Version 2.0 · Effective date: 22 March 2026
Compliant with Regulation (EU) 2016/679 (GDPR) and Law no. 190/2018
1. Controller Identity and Contact Details
NOIDEEA S.R.L.
Tax ID: RO 48069626
Registered office: Calea Vitan no. 242, Building C2, Ground Floor, Office 17, Sector 3, Postal Code 031301, Bucharest, Romania
General contact email: contact@statusdosar.ro
Data Protection Officer (DPO): dpo@statusdosar.ro
Competent supervisory authority: National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest; anspdcp@dataprotection.ro; www.dataprotection.ro.
2. Purposes, Legal Bases, Data Processed and Retention Period
2.1. Contract Performance (Art. 6(1)(b) GDPR)
Purpose: Account creation and management; authentication; provision of contracted services (case search, notifications, reports); invoice issuance; technical support.
Data processed: Email; password (stored encrypted); optionally: first name, last name, phone; billing data (address, Tax ID/Personal ID); monitored cases; usage history.
Retention: For the duration of the contract + 5 years after termination (for litigation management).
2.2. Legal Obligations (Art. 6(1)(c) GDPR)
Purpose: Issuance of fiscal documents, compliance with accounting obligations.
Data processed: Billing data and financial transaction data.
Retention: Minimum 10 years pursuant to Law no. 82/1991 on accounting (art. 25).
2.3. Legitimate Interest (Art. 6(1)(f) GDPR)
Purpose: Platform security and integrity; fraud prevention; security incident investigation; service improvement based on aggregate and anonymized statistics.
Data processed: IP address; access logs; session identifiers; device and browser data.
Retention: Maximum 12 months (security logs); anonymized statistical data — unlimited.
Balancing of interests: The Provider's legitimate interest in protecting the platform against attacks and abuse prevails, as the processing is limited to strictly necessary data and does not disproportionately affect the rights of data subjects.
2.4. Consent (Art. 6(1)(a) GDPR)
Purpose: Sending commercial communications (newsletter, news); storage of non-essential cookies.
Data processed: Email address; communication preferences.
Retention: Until consent is withdrawn.
Consent withdrawal: At any time, via the unsubscribe link in any received email, or by request to dpo@statusdosar.ro, without negative consequences on the service.
3. Special Nature of ECRIS Data
3.1. The Platform technically processes public information from the ECRIS system — including names of case parties — for the sole purpose of displaying them in an accessible format. This information is public by law and by its publication by the courts.
3.2. NOIDEEA S.R.L. does NOT store search results of Visitors (without accounts). Results are retrieved in real time and displayed without permanent retention. Cases explicitly saved by the Subscriber in their account are stored only for the duration of the account's existence.
3.3. NOIDEEA S.R.L. does NOT have the legal or technical authority to modify, delete or anonymize data from ECRIS. Persons requesting anonymization of their data from the courts portal should contact the processing court directly, following the procedure at portal.just.ro/SitePages/date.aspx.
4. Data Recipients
Data may be accessed by:
- Contabo GmbH (Germany) — cloud infrastructure / hosting provider, as data processor, based on a DPA pursuant to Art. 28 GDPR;
- Cloudflare, Inc. (USA, EEA → USA transfer based on DPF / SCC) — CDN, DDoS protection and DNS;
- LibraPay S.R.L. (Romania) — payment processor, exclusively for financial transactions;
- Resend, Inc. (USA, transfer based on SCC) — transactional email service provider, for sending notifications and alerts;
- Google LLC (USA, EEA → USA transfer based on DPF / SCC) — Google Analytics 4 for aggregate traffic statistics, with anonymized IP;
- Public authorities (ANAF, courts, ANSPDCP, CERT-RO), when disclosure is mandatory by law or upon legitimate request;
- External auditors, legal or accounting consultants, within the limits of their mandate.
NOIDEEA S.R.L. does NOT sell, assign or commercialize Users' personal data to third parties for marketing purposes.
5. Transfers Outside the EEA
If we use providers with infrastructure outside the EEA, the transfer is carried out exclusively based on one of the mechanisms from Chapter V GDPR: European Commission adequacy decision or standard contractual clauses (SCC). Details at dpo@statusdosar.ro.
6. Technical and Organizational Security Measures
We implement appropriate measures pursuant to Art. 32 GDPR:
- Encryption of data in transit (HTTPS/TLS 1.2+) and, where applicable, of stored data;
- Strict internal access control, based on the need-to-know principle (least privilege);
- Two-factor authentication (2FA) for staff access to critical systems;
- Monitoring and logging of system access, with periodic review;
- Periodic backups and documented disaster recovery procedures (DRP);
- Documented security incident response procedures (IRP);
- Periodic risk assessments and penetration tests.
Breach Notification:
In case of a security incident posing a risk to the rights of data subjects, NOIDEEA S.R.L. will notify ANSPDCP within max. 72 hours (Art. 33 GDPR) and will inform affected individuals if the incident poses a high risk (Art. 34 GDPR).
7. Rights of Data Subjects
Under GDPR, you benefit from:
Exercising your rights:
Requests to dpo@statusdosar.ro. Response time: 1 month (with possibility of extension to 3 months for complex requests). Requests are processed free of charge.
8. Special Regulations Regarding Minors' Data
Services are not intended for persons under 18 years of age. We do not intentionally collect data from minors. If we discover that such data has been collected, we will delete it immediately.
9. Updates
This policy may be updated periodically. Substantial changes are notified 30 days in advance by email.
Last updated: 22 March 2026
© 2026 NOIDEEA S.R.L. All rights reserved.