What we do with your data. Short version: we protect it.
We do not sell your data. We do not share it with third parties for marketing. We use it only for what is written here, nothing else.
Last updated: May 2026
Data controller
The data controller is STEFAN SERBAN INVESTITII IMOBILIARE SRL, tax ID (CUI) 49663952, registered office in Pitești, Argeș County, Romania, registered with the Trade Registry Office at the Argeș Tribunal.
Commercial brand: High-Up LABS
Data Protection Officer (DPO): Serban Stefanita Madalin
DPO contact: business@highuplabs.ro
Legal framework
This privacy policy is drafted in accordance with:
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR)
- Romanian Law no. 190/2018 on GDPR implementation measures
- Romanian Law no. 506/2004 on personal data processing in electronic communications
- Romanian Law no. 365/2002 on electronic commerce
What data we collect
We collect only the data necessary to provide our services and operate the website:
3.1 Data you provide directly
- Full name (from application or contact form)
- Email address
- Phone number (optional)
- Company name and tax ID
- Online store URL
- Authentication data (email and password, stored encrypted via Supabase Auth)
- Messages sent via contact form or WhatsApp
3.2 Data collected automatically
- IP address (anonymized for analytics)
- Browser and device type
- Pages visited and visit duration
- Traffic source (referrer)
- Cookie data (details in Cookie Policy at https://www.highuplabs.ro/en/cookies)
3.3 Data from third-party platforms
- Meta Pixel: conversion events (PageView, Lead, Purchase) collected from Client's website, with consent
- Google Analytics: anonymized traffic and behavior data
- Meta Ads API and Google Ads API: campaign performance data (impressions, clicks, conversions, costs) accessed as the Client's data processor
Purpose and legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Service delivery | Art. 6(1)(b) - Contract performance |
| Service-related communication and support | Art. 6(1)(f) - Legitimate interest |
| Website analysis and improvement | Art. 6(1)(a) - Consent |
| Meta Pixel and conversion tracking | Art. 6(1)(a) - Consent |
| Invoicing and accounting | Art. 6(1)(c) - Legal obligation |
| Response to legal requests | Art. 6(1)(c) - Legal obligation |
Data recipients
We do not sell or share your personal data with third parties for marketing purposes. Data may be accessed only by:
- Supabase Inc. (processor): database hosting and authentication, EU servers (Ireland, eu-west-1)
- Vercel Inc. (processor): site hosting, EU servers
- Meta Platforms Ireland Ltd. (independent controller): if you accepted marketing cookies, via Meta Pixel
- Google Ireland Ltd. (processor/independent controller): Google Analytics (anonymized data), Google Ads API
- Resend Inc. (processor): transactional email delivery
- Public authorities: only upon legal request, per applicable legislation
International data transfers
Personal data is stored on Supabase servers in European Union data centers (Dublin, Ireland).
Certain data may be transferred to the US through our processors (Vercel, Resend). These transfers are protected by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission, per Art. 46 GDPR.
Meta Platforms and Google operate under their own GDPR-compliant data transfer policies. Details at meta.com/privacy and privacy.google.com.
Data retention periods
| Data category | Retention period |
|---|---|
| Account data (authentication) | Duration of active account + 30 days after deletion |
| Contractual data (name, company, tax ID) | Contract duration + 3 years (archiving obligation) |
| Invoices and financial data | 10 years (per Romanian Accounting Law no. 82/1991) |
| Contact form data | 1 year from last contact |
| Analytics and cookie data | Per cookie duration (see Cookie Policy) |
| Server logs | 90 days |
After the retention period expires, data is permanently deleted or irreversibly anonymized.
Your rights under GDPR
Under Regulation (EU) 2016/679, you have the following rights:
- Right of access (Art. 15): you may request a copy of the personal data we hold about you
- Right to rectification (Art. 16): you may request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): you may request deletion of your personal data, except data required by legal obligations
- Right to restriction (Art. 18): you may request limitation of processing in certain situations
- Right to data portability (Art. 20): you may receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): you may object to processing based on legitimate interest
- Right to withdraw consent (Art. 7): you may withdraw consent at any time, without affecting the lawfulness of prior processing
- Right not to be subject to automated decisions (Art. 22): we do not use automated decision-making or profiling with legal effects
To exercise any right, write to business@highuplabs.ro. We acknowledge receipt within 3 business days and respond fully within 30 calendar days, per Art. 12(3) GDPR.
Data security
We implement appropriate technical and organizational measures to protect personal data, per Art. 32 GDPR:
- HTTPS/TLS encryption for all data transmissions
- Passwords stored with bcrypt hash via Supabase Auth
- Row Level Security (RLS) on Supabase database
- JWT token authentication, no server-side sessions
- Role-based access control (admin/client)
- Automatic daily backups with 7-day retention
Cookies
We use cookies only with your explicit consent, through the cookie banner displayed on your first visit. Full details about cookie types, purposes, and how to control them are available in our Cookie Policy at https://www.highuplabs.ro/en/cookies.
Minors
High-Up LABS services are intended exclusively for legal entities and authorized individuals. We do not knowingly collect personal data from anyone under 16. If you notice that a minor has sent us personal data, write to business@highuplabs.ro and it will be deleted without delay.
Policy changes
STEFAN SERBAN INVESTITII IMOBILIARE SRL reserves the right to update this privacy policy. Changes are published on this page with the update date. For substantial changes, we will notify users by email or through an on-site notification.
Complaints
If you believe your data is being processed incorrectly or your rights have not been respected, you have the right to file a complaint with:
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, Romania
Before filing with ANSPDCP, we invite you to write to us at business@highuplabs.ro. Most situations are resolved directly, in a shorter time.