Skip to content
Menu
Features Pricing
Log in Create a form

GDPR Policy

Last updated: 9 April 2026

1. Our commitment to data protection

Entales is a platform operated by PIESE ROBOTICA COMPETII SRL that fully complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR).

This policy describes the measures we take to ensure GDPR compliance and to protect our users' data.

2. Data controller

The controller of personal data collected through the Entales Platform is:

3. Data protection contact

For any questions regarding the protection of personal data, you can contact our data protection officer at:

[email protected]

We will respond to all requests within a maximum of 30 calendar days.

4. Categories of personal data processed

We process the following categories of personal data:

a) Data of Platform users (form creators):

  • Identification data: email address, name (if provided).
  • Authentication data: password (stored exclusively in hashed form, bcrypt).
  • Billing data: name/company name, address, VAT number (for legal entities).
  • Technical data: IP address, user agent, access timestamps.

b) Data of respondents (people who fill in forms):

  • Form responses (content depends on what the form creator asks).
  • Technical data: IP address, user agent, submission timestamp.

Important: For form responses, Entales acts as a data processor on behalf of the form creator, who is the data controller of the data collected through their forms. The form creator is responsible for having the appropriate legal basis for collecting data through their forms.

5. Legal basis for processing (Art. 6 GDPR)

We process personal data on the basis of the following legal grounds provided by Art. 6 of the GDPR:

  • Art. 6(1)(a), Consent of the data subject:

    For sending marketing communications by email. Consent can be withdrawn at any time.

  • Art. 6(1)(b), Performance of a contract:

    For providing the Entales service (creating and managing accounts, processing forms, responses and payments).

  • Art. 6(1)(c), Legal obligation:

    For fulfilling tax and accounting obligations (retaining invoices for 10 years under Romanian law).

  • Art. 6(1)(f), Legitimate interest:

    For ensuring platform security, preventing fraud and improving the service based on aggregated usage data.

6. Technical and organizational security measures

We implement the following measures to protect personal data:

Technical measures:

  • Encryption in transit: all communications are encrypted via HTTPS/TLS (minimum TLS 1.2).
  • Password encryption: passwords are stored exclusively as bcrypt hashes (never in plain text).
  • Restricted access: access to infrastructure and databases is limited to authorized personnel, through multi-factor authentication.
  • Data isolation: each user's data is logically isolated. One user cannot access another user's data.
  • Encrypted backups: database backups are encrypted and stored in separate locations.
  • Monitoring: access logs and automatic alerting for suspicious activities.

Organizational measures:

  • Data minimization principle: we collect only strictly necessary data.
  • Storage limitation principle: data is deleted at the end of the retention period.
  • Periodic review of security measures.

7. International data transfers

Personal data is processed and stored exclusively within the European Union / European Economic Area (EU/EEA).

Our infrastructure providers (Railway, Cloudflare, Netopia) have servers and operations in the EU/EEA. We do not transfer personal data to countries outside the EU/EEA without adequate safeguards.

If, in the future, a transfer outside the EU/EEA becomes necessary, we will ensure an adequate level of protection through the mechanisms provided by GDPR (standard contractual clauses, adequacy decisions of the European Commission, etc.) and will update this policy accordingly.

8. Data subject rights (Art. 15-22 GDPR)

Under GDPR, every data subject has the following rights:

Right of access (Art. 15)

You can request confirmation of data processing and a copy of your data.

Right to rectification (Art. 16)

You can request the correction of inaccurate data or the completion of incomplete data.

Right to erasure (Art. 17)

You can request the deletion of your data ("right to be forgotten"), except for data retained due to legal obligations.

Right to restriction of processing (Art. 18)

You can request the limitation of processing in certain situations (e.g., you contest the accuracy of the data).

Right to data portability (Art. 20)

You can receive your data in a structured, commonly used and machine-readable format (JSON/CSV).

Right to object (Art. 21)

You can object to processing based on legitimate interest, including profiling.

Right not to be subject to automated decision-making (Art. 22)

Entales does not make decisions based solely on automated processing that produce legal effects.

To exercise any of these rights, send an email to [email protected]. We will respond within a maximum of 30 days.

9. Security breaches

In accordance with Art. 33 and Art. 34 of the GDPR, in the event of a security breach affecting personal data:

  • ANSPDCP notification: we will notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.
  • Data subject notification: if the breach poses a high risk to the rights and freedoms of natural persons, we will notify affected data subjects without undue delay, in accordance with Art. 34 GDPR.
  • Incident documentation: we will document all security breaches, including their effects and corrective measures taken, in an internal incident register.

10. Supervisory authority

If you believe that the processing of your data violates GDPR, you have the right to file a complaint with:

Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

11. Updates to this policy

This GDPR policy may be updated periodically to reflect changes in our practices or applicable legislation. In the case of significant changes, we will notify users by email and through a notification in the Platform interface.

We recommend checking this page periodically to stay up to date with the latest version of the policy.