Legal

Privacy Policy

Last updated: May 2026

This policy describes how INITWIN collects, uses, stores and protects personal data when you visit our website, contact us, subscribe to our newsletter, or use digital services we provide (e.g. client portal). We comply with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law, including Romanian Law no. 190/2018.

We encourage you to read the related documents: Cookie Policy · Terms & Conditions.

1. Data controller

The controller of personal data is INITWIN (referred to below as "we", "the controller" or "the company").

For data protection requests, use the email address above with the subject "Data protection" or "GDPR". We respond within the time limits set by law (usually up to 30 days, with justified extension where permitted).

2. Scope

This policy applies to processing carried out through:

  • the public INITWIN website (informational pages, blog, portfolio, services);
  • contact forms and commercial enquiries;
  • newsletter subscription;
  • creation and use of user accounts (clients, partners, authorised staff);
  • client portal (projects, documents, support tickets), where active;
  • email or phone communications related to our services;
  • cookies and similar technologies (details in the Cookie Policy).

This policy does not replace service contracts or data processing agreements (DPAs) with business clients. For custom software projects, additional instructions may apply to data processed on behalf of the client.

3. Categories of data processed

Depending on how you interact with us, we may process:

3.1. Identification and contact data

  • first name, last name, company name;
  • email address, phone number;
  • job title / role in the company (for B2B contacts);
  • postal address, tax ID (if you provide them for quotes or invoicing).

3.2. Data from forms and communications

  • content of your contact form message;
  • service of interest, estimated budget, timelines (if provided);
  • email correspondence and internal notes related to your request.

3.3. Account and authentication data

  • account email, password (stored encrypted, not in plain text);
  • role and permissions in the platform;
  • login history, sessions, password reset (where applicable);
  • client profile data (projects, documents, tickets) — only for users with active access.

3.4. Newsletter and marketing

  • subscriber email address;
  • subscription date, source (site form, footer);
  • communication preferences, if indicated;
  • open/click statistics (if we use email marketing with tracking — only with consent where required).

3.5. Technical data and logging

  • IP address, browser type, operating system, language;
  • pages visited, time on site, traffic source (referrer);
  • cookie identifiers (see cookie policy);
  • server logs for security, troubleshooting and abuse prevention (access, errors, unauthorised attempts).

3.6. Data we do not usually request

We do not intentionally request special categories of data (health, ethnic origin, religious beliefs, etc.) through the public website. Please do not include such information in general contact messages unless strictly necessary for your request and you are informed about the processing.

4. Purposes and legal bases

We process data for the purposes below, on the indicated legal bases:

Purpose | Examples | Legal basis (GDPR)
Responding to enquiries | Contact, quote, demo | Art. 6(1)(b) — pre-contractual measures / contract
Providing services | Software projects, support, client portal | Art. 6(1)(b) — performance of contract
Newsletter / marketing | News, articles, offers (if you subscribe) | Art. 6(1)(a) — consent
Site security | Authentication, CSRF protection, logs | Art. 6(1)(f) — legitimate interest
Traffic analytics | Google Analytics (if you accept cookies) | Art. 6(1)(a) — consent
Legal obligations | Invoicing, document archiving | Art. 6(1)(c) — legal obligation
Defence of rights | Disputes, complaints | Art. 6(1)(f) — legitimate interest

5. Recipients and processors

Data may be accessed, where strictly necessary, by:

  • authorised INITWIN staff (sales, projects, support, IT administration);
  • service providers (processors), e.g. hosting, transactional email, backup, monitoring, analytics tools (with consent), payment platforms (if applicable);
  • public authorities, when required by law.

We enter into agreements with processors that impose confidentiality and security obligations in line with GDPR. An updated list of provider categories can be provided on request.

6. Transfers outside the EEA

We aim to use providers that process data in the European Union or in countries with an adequacy decision. If a provider processes data in the USA or other third countries, we rely on appropriate safeguards (Standard Contractual Clauses, Data Privacy Framework where applicable, or other mechanisms permitted by GDPR). You may request further information about transfers at the contact address above.

7. Retention period

We keep data only as long as necessary for the purposes for which it was collected:

  • Contact enquiries without a contract: usually up to 24 months from the last interaction, then deletion or limited archiving;
  • Contractual relationship: for the duration of the contract and thereafter as required by law (accounting, disputes) — usually 5–10 years for tax documents, under applicable law;
  • User account: until account deletion or prolonged inactivity (e.g. 24 months), with prior notice where possible;
  • Newsletter: until unsubscribe or withdrawal of consent;
  • Technical logs: usually 30–90 days, except for security investigations;
  • Cookie preferences: up to 12 months or until you change them (see cookie policy).

When retention periods expire, data is deleted, anonymised or securely archived.

8. Data security

We implement reasonable technical and organisational measures, including for example:

  • encryption in transit (HTTPS/TLS) for the website;
  • passwords stored with appropriate hashing algorithms;
  • role-based access control in internal applications;
  • CSRF protection and rate limiting for public forms;
  • regular backups and monitoring;
  • training for staff with access to data.

No system is 100% secure. If you suspect an issue with your account or your data, contact us immediately.

9. Your rights

As a data subject, you have the following rights (subject to legal limitations):

  • Right to be informed and right of access — to know what data we process and receive a copy;
  • Rectification — correction of inaccurate or incomplete data;
  • Erasure ("right to be forgotten") — under Art. 17 GDPR conditions;
  • Restriction — limiting processing in certain situations;
  • Portability — receiving data you provided, in a structured format, where applicable;
  • Objection — to processing based on legitimate interest, including direct marketing;
  • Withdrawal of consent — at any time, without affecting prior lawful processing;
  • Complaint — to your supervisory authority (in Romania: ANSPDCP — www.dataprotection.ro).

To exercise your rights, send a request to contact@initwin.com. We may ask you to verify your identity to protect your data from unauthorised access.

10. Automated decisions and profiling

We do not make decisions with legal or similarly significant effect based solely on automated processing (including profiling) in connection with the public website. If we introduce such features in the future, we will update this policy and inform data subjects where required.

11. Minors

Our website and services are intended for people aged at least 16 (or the applicable digital consent age in your country). We do not knowingly collect data from minors without parental or legal guardian consent. If you learn that a minor provided data without consent, contact us for deletion.

12. Links to third-party sites

The site may contain links to external websites (partners, documentation, social networks). We are not responsible for the privacy practices of those sites. Review their policies before providing personal data.

13. Policy changes

We may update this policy to reflect legal, technical or business changes. The current version is published on this page with the update date in the header. For important changes, we may show a notice on the site or send information by email (for subscribers or clients, where applicable).

14. Contact

For any questions about data protection or exercising your rights:

Related documents: Cookie Policy · Terms & Conditions