Mergi la conținut

Privacy Policy

Version v2 · Updated 4 July 2026

Versiunea în română

1. Data controller

SC UPSTART TECH SRL, headquartered in Romania, operates this website. For any questions about your data, write to us at privacy@emailfirma.ro.

2. What data we collect

  • Account: email, name, phone (encrypted at rest), the domain you purchased.
  • Billing details (B2B): company name, fiscal code (CIF), trade registry number (J/F), address.
  • Marketing attribution (with consent): UTM, gclid, fbclid, referrer, cookie identifiers from the advertising platforms (_fbp, _fbc, li_fat_id), IP address and user agent captured at the moment of conversion, the conversion value and currency. This information is linked to your account once you register or pay.
  • Technical browsing data: pages visited, device, country. The IP address is used to infer the country on each request; it is stored only for conversion events (registration, payment) — for the rest of the anonymous visits we do not keep it.

3. Why we use it

  • To provide the service (contract).
  • To send you transactional notifications (legitimate interest).
  • For analytics and attribution (consent — you can withdraw at any time).
  • For conversion measurement and ad optimisation: with your consent, we send conversion events (registration, payment) to Meta, Google Ads and LinkedIn, both through browser pixels and server-to-server (Conversion API). To increase the match rate, we also send a set of contact data — email, phone, first name, last name, city, countryirreversibly hashed with SHA-256, never in plain text. The cookie identifiers and the IP travel unchanged, per the platforms' technical requirements.
  • To comply with tax and accounting obligations (legal obligation, 5-year retention).

4. Sub-processors

We process data through Stripe (payments), Google Workspace (inboxes), cyberFolks — formerly MXHost (domains), Cloudflare (DNS), Postmark (email), Sherweb (provisioning), Railway (hosting). For analytics and error monitoring: Plausible, PostHog, Sentry. For marketing (only with your consent): Meta Platforms, Google Ads, LinkedIn. The full list, the data shared and their jurisdictions are in Sub-processors.

For transfers to the USA (Meta, Google, LinkedIn, Stripe, Postmark, Railway, Sentry) we rely on the EU-US Data Privacy Framework and, where applicable, on Standard Contractual Clauses (SCC) approved by the European Commission.

5. Your rights

  • Access: download all your data from dashboard → Settings → Data & GDPR.
  • Rectification: change your profile data from the dashboard.
  • Erasure: delete your account from dashboard → Settings → Data & GDPR (financial data is kept for 5 years, in accordance with the law).
  • Withdrawing marketing consent: turn off the "Marketing" category in dashboard → Settings → Data & GDPR or in the cookie banner. Future server-to-server submissions and browser pixels stop immediately. In addition, we immediately anonymise the IP, the user agent and the cookie identifiers (_fbp, _fbc, li_fat_id) already stored in our attribution rows — we keep only the visitor→account link for product analytics. Events already sent cannot be recalled from the platforms, but you can exercise your rights directly with each of them (the links are on the Sub-processors page).
  • Objection and restriction: write to us.
  • Complaint to ANSPDCP (the Romanian supervisory authority): dataprotection.ro.

6. Retention

Account data — for the lifetime of the account; when the account is deleted, personal data (name, email, phone) is anonymised immediately. Financial data (invoices, subscriptions) — 5 years, in accordance with the financial-accounting legislation. Anonymous touchpoints — 14 months. Conversion events sent to the advertising platforms are kept in a local audit log; the marketing identifiers inside them (IP, user agent, cookie identifiers) are anonymised immediately when consent is withdrawn or the account is deleted. Retention at Meta / Google / LinkedIn is governed by their own policies.

7. WhatsApp Business service

If your company activates the WhatsApp Business service through emailfirma, we process additional data needed to relay the messages between you and your customers.

  • What we collect: the content of your customers' messages, their phone numbers and the WhatsApp Business Account (WABA) metadata — account and phone-number identifiers, template status.
  • Purpose: solely to deliver the messaging your company activated — receiving and sending messages from the dashboard. We do not use this data for other purposes and we do not sell it.
  • Who sees it: your company (the operator of the conversations), Meta Platforms — the processor behind the WhatsApp Business Platform — and emailfirma for operation and support.
  • Retention: messages and metadata are kept for the duration the service is active for the company; we delete them on request, following the WhatsApp data deletion page (in Romanian).

Customer responsibility: the company connecting WhatsApp Business is responsible for obtaining the consent (opt-in) of its own customers before messaging them. For end-customer data, emailfirma acts in the role of data processor, while the company remains the data controller.