Privacy Policy
Last updated: April 5, 2026
1. Introduction
S.C. NORTEC BLANC S.R.L., Tax ID (CUI) RO41773828, Trade Register No. J03/2526/2019 (hereinafter "Contera", "we", "us") respects the confidentiality of your data and is committed to protecting the personal data we collect and process. This Privacy Policy explains what data we collect, how we use it and what rights you have as a user.
This policy complies with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable Romanian data protection legislation.
2. Data Controller
Data controller: S.C. NORTEC BLANC S.R.L.
Headquarters: Romania
Tax ID (CUI): RO41773828
Email: contact@contera.ro
Website: https://contera.ro
3. Data We Collect
3.1 Data Provided Directly
- Identification data: name, surname, email address, phone number
- Company data: Tax ID (CUI), company name, registered office, NACE code
- Accounting data: imported CSV files, invoices, balance sheets, journals
- Authentication data: password (stored encrypted), ANAF OAuth2 tokens, Open Banking sessions
- Banking data (with explicit consent): account balances, transactions (amount, date, counterparty, description), IBANs, account names — obtained via Open Banking (PSD2)
- WhatsApp data: phone number, messages exchanged with our AI assistant (Max) via WhatsApp, message delivery and read status
3.2 Automatically Collected Data
- Technical data: IP address, browser type, operating system, screen resolution
- Usage data: pages visited, features accessed, session duration
- Cookies: as per our Cookie Policy
3.3 Data from Third-Party Sources
- Public ANAF data: company information, public financial statements, VAT status
- SmartBill/Oblio data: invoices and clients synchronized with user consent
4. Purpose and Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Service provision (chatbot, dashboard, reports) | Contract performance |
| Account creation and management | Contract performance |
| ANAF connection (e-Invoice, SPV) | Explicit consent |
| Bank account connection via Open Banking — access to balances and transactions | Explicit consent |
| Service communications (updates, notifications) | Legitimate interest |
| Marketing communications (newsletter, offers) | Consent |
| WhatsApp messaging (verification codes, AI assistant conversations, notifications) | Consent / Contract performance |
| Platform improvement (analytics) | Legitimate interest |
| Legal compliance (invoicing, taxation) | Legal obligation |
5. How We Protect Your Data
- AES-256 encryption — all data is encrypted in transit (TLS 1.3) and at rest
- EU storage — infrastructure is hosted in data centers in Frankfurt, Germany
- Per-company isolation — ANAF tokens, banking sessions and accounting data are isolated at the organization level
- Audit logging — every action on the Platform is logged for traceability
- Daily backups — automated backups with 30-day retention
- Access control — secure authentication, session expiration, least privilege principle
6. Data Sharing
We do not sell or share your personal data with third parties for marketing purposes. Data may only be shared in the following situations:
- Infrastructure providers — hosting services, databases, CDN (all within EU/EEA)
- Payment processors — for subscription processing
- ANAF — at the explicit request of the user (e-Invoice, SPV)
- Enable Banking OÜ — licensed AISP (Account Information Service Provider) under PSD2, for accessing bank data through Open Banking at the explicit request of the user. Enable Banking processes data exclusively for the purpose of establishing the technical connection with the bank and does not use it for any other purposes.
- Meta Platforms, Inc. (WhatsApp) — we use the WhatsApp Business Platform to communicate with users (verification codes, AI assistant conversations and notifications). When you interact with us via WhatsApp, your phone number and message content are processed by Meta Platforms, Inc. in accordance with WhatsApp's Privacy Policy. We do not share your financial, accounting or banking data through WhatsApp.
- Legal obligations — at the request of competent authorities, in accordance with the law
7. WhatsApp Business Platform
Contera uses the WhatsApp Business Platform, operated by Meta Platforms, Inc., to provide our AI assistant (Max) via WhatsApp. This service enables:
- Account verification via one-time codes sent to your phone number
- Conversations with Max, our AI financial assistant
- Proactive notifications about tax deadlines, overdue invoices and ANAF alerts
Data shared with Meta: When you use WhatsApp to communicate with us, Meta processes your phone number, message content, delivery status and device metadata in accordance with WhatsApp's Privacy Policy. We do not transmit your financial, accounting or banking data through WhatsApp.
Opting out: You may stop receiving WhatsApp messages at any time by sending "STOP" in the conversation or by disconnecting WhatsApp from your account settings in the Platform. Opting out of WhatsApp does not affect your access to the Platform via the web application.
Message retention: WhatsApp conversation history is stored on our servers for the duration of your subscription + 30 days after account closure, in line with our general data retention policy. Messages stored by Meta are subject to WhatsApp's own retention policies.
8. Data Retention
- Account data: during the subscription + 30 days after closure
- Imported accounting data: during the subscription + 30 days
- Banking data (balances, transactions): during the active connection + 30 days after revocation
- Billing data: 10 years (tax obligation under the Romanian Fiscal Code)
- WhatsApp conversation data: during the subscription + 30 days
- Audit logs: 2 years
- Cookies: as per our Cookie Policy
9. Your Rights (GDPR)
As a data subject, you have the following rights:
- Right of access — to know what data we hold about you
- Right to rectification — to correct inaccurate data
- Right to erasure — to request data deletion ("right to be forgotten")
- Right to restriction — to limit data processing
- Right to data portability — to receive data in a structured format
- Right to object — to oppose processing based on legitimate interest
- Right to withdraw consent — at any time, without affecting the legality of prior processing
To exercise your rights, contact us at contact@contera.ro. We will respond within a maximum of 30 days.
10. International Transfers
Your data is stored and processed exclusively within the European Union. We do not transfer personal data outside the EU/EEA. Should a transfer become necessary (for example, for a service provider), it will be made exclusively on the basis of standard contractual clauses approved by the European Commission.
11. Supervisory Authority
If you believe that the processing of your data violates GDPR, you have the right to file a complaint with Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro
12. Changes
We reserve the right to update this Policy. Any significant changes will be communicated via email and/or in-Platform notification. The updated version will be published on this page with the date of the last modification.
13. Contact
For questions or requests regarding your personal data:
Email: contact@contera.ro
S.C. NORTEC BLANC S.R.L. — Romania