Privacy Policy
Last updated: April 26, 2026
1. Introduction
S.C. NORTEC BLANC S.R.L., Tax ID (CUI) RO41773828, Trade Register No. J03/2526/2019 (hereinafter "Contera", "we", "us") respects your data confidentiality and is committed to protecting the personal data we collect and process. This Privacy Policy explains what data we collect, how we use it and what rights you have as a user.
This policy complies with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable Romanian data protection legislation.
2. Data Controller
Data controller: S.C. NORTEC BLANC S.R.L.
Registered office: 257 BIS, Ciofrângeni village, Argeș county, Romania
Tax ID (CUI): RO41773828
Trade Register No.: J03/2526/2019
Email: contact@contera.ro
Website: https://contera.ro
3. Data We Collect
3.1 Data Provided Directly
- Identification data: name, surname, email address, phone number
- Company data: Tax ID (CUI), company name, registered office, NACE code
- Accounting data: imported CSV files, invoices, balance sheets, journals
- Authentication data: password (stored encrypted), ANAF OAuth2 tokens, Open Banking sessions
- Banking data (with explicit consent): account balances, transactions (amount, date, counterparty, description), IBANs, account names — obtained via Open Banking (PSD2)
- WhatsApp data: phone number, messages exchanged with our AI assistant (Max) via WhatsApp, message delivery and read status
3.2 Automatically Collected Data
- Technical data: IP address, browser type, operating system, screen resolution
- Usage data: pages visited, features accessed, session duration
- Cookies: as per our Cookie Policy
3.3 Data from Third-Party Sources
- Public ANAF data: company information, public financial statements, VAT status
- SmartBill/Oblio data: invoices and clients synchronized with user consent
4. Purpose and Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Service provision (chatbot, dashboard, reports) | Contract performance |
| Account creation and management | Contract performance |
| ANAF connection (e-Invoice, SPV) | Explicit consent |
| Bank account connection via Open Banking — access to balances and transactions | Explicit consent |
| Service communications (updates, notifications) | Legitimate interest |
| Marketing communications (newsletter, offers) | Consent |
| WhatsApp messaging (verification codes, AI assistant conversations, notifications) | Consent / Contract performance |
| Platform improvement (analytics) | Legitimate interest |
| Legal compliance (invoicing, taxation) | Legal obligation |
5. How We Protect Your Data
- AES-256 encryption — all data is encrypted in transit (TLS 1.3) and at rest
- EU storage — infrastructure is hosted in data centers in Frankfurt, Germany
- Per-company isolation — ANAF tokens, banking sessions and accounting data are isolated at the organization level
- Administrative audit log — actions performed by our staff on user accounts (administrative API calls) are written to a tamper-evident log (admin_audit_log) that records: administrator ID, IP address, user-agent, HTTP method, path, redacted payload samples (passwords, tokens and cookies are stripped automatically), status and latency. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — security and abuse detection. Retention follows our internal security policy and is reviewed periodically.
- Daily backups — automated backups with 30-day retention
- Access control — secure authentication, session expiration, least privilege principle
6. Data Sharing — Categories of Recipients
We do not sell your personal data and do not share it for third-party marketing purposes. To deliver the Service we rely on processors (sub-processors) who handle data strictly under our instructions and data processing agreements (DPA), including Standard Contractual Clauses (SCCs) where transfers occur outside the EU. The categories of recipients are:
| Category | Purpose | Region |
|---|---|---|
| Hosting and database provider | Authentication, storage of account data and content | EU |
| AI model providers | Generating Max responses and processing documents | EU / USA (SCC) |
| Payment processor (PCI DSS certified) | Subscription billing and payment management | EU / USA (SCC) |
| Transactional email provider | Sending account emails, invoices and notifications | EU / USA (SCC) |
| Analytics platform (marketing site, consent only) | Usage statistics on the public site | EU |
| ANAF | e-Factura, SPV, public company data | Romania |
| Licensed AISP (PSD2) | Bank account connection via Open Banking | EU |
| Meta Platforms, Inc. (WhatsApp Business) | WhatsApp messaging (codes, notifications, AI assistant) | USA (SCC) |
What we do NOT share: we do not share your detailed banking or accounting data with AI model providers, the WhatsApp platform or the analytics provider. To answer a question you ask Max, we send the AI model the relevant metadata (column structure, data types, and representative samples for the question's context). This data is not used to train the models.
On request, we will disclose the specific identity of each sub-processor, in line with Art. 15 GDPR. Write to us at contact@contera.ro.
Additionally, data may be disclosed to competent authorities upon lawful request.
7. WhatsApp Business Platform
Contera uses the WhatsApp Business Platform, operated by Meta Platforms, Inc., to provide our AI assistant (Max) via WhatsApp. This service enables:
- Account verification via one-time codes sent to your phone number
- Conversations with Max, our AI financial assistant
- Proactive notifications about tax deadlines, overdue invoices and ANAF alerts
Data shared with Meta: When you use WhatsApp to communicate with us, Meta processes your phone number, message content, delivery status and device metadata in accordance with WhatsApp's Privacy Policy. We do not transmit your financial, accounting or banking data through WhatsApp.
Opting out: you can disable WhatsApp for any of your companies from Settings → WhatsApp in the Platform. To completely remove your phone number from your account, contact us at contact@contera.ro. Opting out of WhatsApp does not affect your access to the Platform via the web application.
Message retention: WhatsApp conversation history is stored on our servers for the duration you use the Service. When you submit a deletion request (Article 17 GDPR), messages are erased within 30 days. Messages stored by Meta are subject to WhatsApp's own retention policies.
8. Data Retention
- Account data (name, email, phone): for as long as you use the Service
- Imported accounting data: for as long as you use the Service
- Banking data (balances, transactions): while the connection is active; on revocation, access ends immediately and previously synced data is kept together with the rest of your account data
- Invoices and accounting documents: 10 years (tax obligation under Article 58 of the Romanian Fiscal Code)
- WhatsApp conversation data: for as long as you use the Service
- Administrative audit log: per our internal security policy (legitimate interest)
- Cookies: as per our Cookie Policy
On request: under Article 17 GDPR you can request deletion of your data at any time. We process the request within a maximum of 30 days, in line with Article 12(3) GDPR.
Fiscal exception: invoices and accounting documents remain stored for 10 years under Article 58 of the Romanian Fiscal Code even after the account is deleted. These documents reflect the company's transactions, not your personal data in the narrow sense.
9. Your Rights (GDPR)
As a data subject, you have the following rights:
- Right of access — to know what data we hold about you
- Right to rectification — to correct inaccurate data
- Right to erasure — to request data deletion ("right to be forgotten")
- Right to restriction — to limit data processing
- Right to data portability — on request, we provide your data in a structured format (JSON/CSV) within a maximum of 30 days
- Right to object — to oppose processing based on legitimate interest
- Right to withdraw consent — at any time, without affecting the legality of prior processing
To exercise your rights, contact us at contact@contera.ro. We will respond within a maximum of 30 days under Article 12(3) GDPR.
10. International Transfers
The core storage of your data (database, backups, files) and optional analytics take place in the European Union.
Certain categories of sub-processors (AI models, payment processing, transactional email, the WhatsApp platform) may be located outside the EU, primarily in the United States. Transfers to these entities are made under the Standard Contractual Clauses (SCCs) approved by the European Commission through Implementing Decision (EU) 2021/914, supplemented where appropriate with additional technical measures (encryption in transit and at rest, per-account isolation, minimisation of transmitted data).
On request, we will disclose the specific identity of our sub-processors and evidence of the standard contractual clauses in place.
11. Supervisory Authority
If you believe that the processing of your data violates GDPR, you have the right to file a complaint with Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro
12. Changes
We reserve the right to update this Policy. Any significant changes will be communicated via email and/or in-Platform notification. The updated version will be published on this page with the date of the last modification.
13. Contact
For questions or requests regarding your personal data:
Email: contact@contera.ro
S.C. NORTEC BLANC S.R.L., 257 BIS, Ciofrângeni village, Argeș county, Romania