Privacy Policy

Table of Contents

1. General Provisions
2. Details About Our Company
3. Processed Data. Purpose, Duration, and Legal Basis of Processing
4. Sensitive Data Processed. Purpose, Duration, and Legal Basis of Processing
5. Mechanisms and Use of Automated Decision-Making Systems
6. Disclosure and Further Use of Your Data
7. How We Collect Data
8. Information Security
9. Transfer of Your Data Outside the European Economic Area
10. Your Rights Over Personal Data
11. Children’s Privacy
12. Policy Principles
13. Changes


1. General Provisions

1.1 The confidentiality of personal data is one of the main concerns of S.C. ABI ROPLATI S.R.L. (hereinafter the “Company”). Accordingly, we aim to ensure the highest standards of confidentiality, integrity, and transparency regarding the personal data we process in our activity.

1.2 Since, in the course of our activity, it is necessary to process a series of personal data in line with the specifics of our business, we wish to assure you that such processing will take place in compliance with the principles of transparency and personal data security. This Privacy Policy is intended to help you understand what data we collect, why we collect it, and what we do with it.

1.3 Our data protection policy and practices focus on the proper and lawful processing, sharing, and storage of personal information, as well as ensuring confidentiality, integrity, and availability.

1.4 All users have free access to the website www.rpay.eu, subject to compliance with this Privacy Policy. Our website complies with the General Data Protection Regulation – GDPR (Regulation (EU) 2016/679).


2. Details About Our Company

2.1 ABI ROPLATI SRL is a Romanian company, headquartered in Hunedoara, Calea Zărandului 55 B, Deva County, registered with the Trade Register under no. J20/66/2014, Tax Identification Code 32710782, contact address office@rpay.eu.

2.2 The Company acts as the controller of personal data collected through the website www.rpay.eu (hereinafter the “Website”).

2.3 The Controller is obliged to manage, in secure conditions and solely for the specified purposes, the personal data provided by the Website’s users.


3. Processed Data. Purpose, Duration, and Legal Basis of Processing

Processed Data – Purpose – Retention Period – Legal Basis – Storage Location – Transfer

3.1.1 Web server logs
– Ensuring IT network security
– 6 months
– Compliance with legal obligations — GDPR Article 6(1)(c)
– Electronic format, cloud
– Yes, in the cloud

3.1.2 Cookies*
(see our Cookie Policy for details)

3.2 Email and any other identifying data contained therein
– To respond to questions and messages we receive and to maintain correspondence records
– Only as long as necessary
– Necessary for the performance of a contract or to take steps at your request prior to entering into a contract — GDPR Article 6(1)(b)
– Electronic format, cloud
– Yes, in the cloud

3.3 Phone number + data provided during the conversation
– To respond to questions and messages we receive and to maintain correspondence records
– (duration tied to the purpose)
– Your consent — GDPR Article 6(1)(a)
– Electronic format, on server
– No

3.4 All information provided in postal communications
– To respond to questions and messages we receive and to maintain correspondence records
– As long as necessary, applied in conjunction with our legal obligations
– Necessary for the performance of a contract or to take steps at your request prior to entering into a contract — GDPR Article 6(1)(b)
– Physical format, locked cabinet
– No

3.5 First name, last name, email
– To send the newsletter
– Until unsubscribed
– Your consent — GDPR Article 6(1)(a)
– Electronic format, cloud
– Yes, in the cloud

3.6 First name, last name, email, phone
– Registering and administering accounts on our website to allow you to access the history of purchased services and invoices, and your favorites list
– Only as long as necessary / until account deletion
– Your consent — GDPR Article 6(1)(a)
– Electronic format, cloud
– Yes, in the cloud

3.7 First name, last name, home address, email, phone, billing data, company name – unique identification code and Trade Register number
– To identify the contracting party and to contact you; to fulfill our contractual obligations, including sending receipts, invoices, and order confirmations
– Six years from the end of the financial year in which you placed the order, in accordance with the Fiscal Code
– Necessary for the performance of a contract — GDPR Article 6(1)(b)
– Electronic format, cloud
– Yes, in the cloud

*3.1.2 For more information about cookies, please see our Cookie Policy.

3.8 Criteria for Determining Retention Periods

Data will be stored for the minimum period necessary to fulfill the purpose, taking into account:
– the purpose and use of your information now and in the future (e.g., whether continued storage is needed to meet our contractual obligations to you or to contact you in the future);
– whether we have a legal obligation to continue processing your information (such as record-keeping obligations imposed by applicable laws or regulations);
– whether we have any other lawful basis to continue processing (such as your consent);
– the levels of risk, cost, and responsibility involved in retaining the information.

3.9 If We Receive Information About You by Mistake

If we mistakenly receive information about you from a third party and/or we have no legal basis to process it, we will delete your information.

3.10 Payment Processing

After you place an order on our website, you will need to pay for the goods or services ordered. To process your payment, we use third-party payment processors:ING BANK N.V. AMSTERDAM SUCURSALA BUCUREȘTI AND PAYU ROMÂNIA
These processors collect, use, and process your information, including payment information, in accordance with their privacy policies. You can access ING’s privacy policy here: https://ing.ro/ing-in-romania/informatii-utile/protectie-date-personale.
ING is located in Romania. Information related to processing your payment is stored within the EEA on servers of ING BANK N.V. AMSTERDAM SUCURSALA BUCUREȘTI AND PAYU ROMÂNIAin Romania.


4. Sensitive Data Processed. Purpose, Duration, and Legal Basis of Processing

The website www.rpay.eu does not collect sensitive personal data.


5. Mechanisms and Use of Automated Decision-Making Systems

5.1 We use automated decision-making mechanisms on our website. We do not consider that this has legal effects on you or similarly significantly affects you.

You have the right to object to our use of automated decision-making and profiling as described in this section. You can do so by opting out of cookies and similar technologies, as described in the relevant section of this Privacy Policy. If you do not want us to process your real IP address (usually the IP assigned by your Internet Service Provider) when you visit our site, you may use a Virtual Private Network (VPN) or a free service.

You can learn more about the use of cookies and similar technologies (including the legal basis for their use) and how to opt out in our Cookie Policy.

5.2 Automated Decision-Making

Automated decision-making refers to decisions made by technological means (by a machine) without human involvement.

Use of Automated Decision-Making for Advertising
We automate the display of ads featuring our products and services on other websites you visit through the use of cookies.
Logic involved: automatically showing ads to people who visited our site increases advertising efficiency and is more economical for us than manual display or other methods.
Significance and anticipated consequences: cookies will be used to recognize that you visited our site in order to show you ads (unless you have blocked such cookies) and will collect information about your online behavior.
How to object: you can block these types of cookies using your browser settings. For more details, see our Cookie Policy.


6. Disclosure and Further Use of Your Data

This section sets out the circumstances in which we will disclose your data to third parties and any additional purposes for which we use your data.

6.1 Disclosure of Your Data to Service Providers

6.1.1 We use a number of service providers essential to our business operations who process your information for and on our behalf, namely:
– Telephony service providers
– Email service providers
– IT service providers
– Website developers
– Marketing service providers
– Email marketing provider

6.1.2 Your information will be shared with these service providers where necessary to provide the service you have requested, whether that request is accessing our website or ordering goods and services from us.

6.1.3 We do not publicly disclose the identity of our service providers for security and competitiveness reasons. If you nevertheless require further information about their identity, please contact us directly at office@rpay.eu and we will provide such information where you have a legitimate reason to request it.

Legal bases for processing:
a) Consent — the data subject has given consent for one or more specific purposes;
b) Contract performance / pre-contractual steps — necessary for the performance of a contract to which the data subject is party or to take steps at the data subject’s request prior to entering into a contract;
c) Legal obligation — necessary for compliance with a legal obligation to which the controller is subject;
d) Legitimate interests — necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject (especially where the data subject is a child).

6.2 Disclosure of Your Information to Other Third Parties

6.2.1 We will disclose your information to third parties in certain circumstances, as set out below.

I. Providing information to third parties such as Google Inc. and Facebook. Google collects information via Google Analytics on our website. Google and Facebook use this information, including IP addresses and cookie information, for various purposes such as improving the quality of our services and your browsing experience. Information is collected by Google and Facebook on an anonymous basis.
Legal basis: our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: improving the quality of our services.

II. Sharing your information with third parties that are connected with or assist in the operation of our business where necessary. Such third parties include consultants, affiliates, business partners, independent contractors, and insurers.
Legal basis: our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: effective operation and management of our business.

Business partners are located in (Romania/European Union).

6.2.2 We do not disclose the identity of all other third parties with whom we may share information for security and competitive reasons. If you nonetheless want additional information about such third parties, please contact us via the contact form (link to contact form) or by email (contact email). We will provide such information where you have a legitimate reason and only if we have actually shared information with such third parties.

6.2.3 We may disclose your information to a prospective or actual buyer or seller in the context of a business sale or purchase, merger, or a similar (prospective or actual) event.
Legal basis: legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: enabling such a transaction by allowing access to information to a prospective buyer, seller, or similar party.

6.3 Disclosure and Use of Your Information for Legal Reasons

Reporting potential criminal acts or threats to public safety to a competent authority.

If we suspect criminal or potentially criminal behavior, we may, in certain circumstances, need to contact a competent authority such as the police. This may occur, for example, if we suspect fraud or a cybercrime, or if we receive threats or malicious communications against us or third parties. Generally, we will only process your information for this purpose if you have been involved in or affected by such an incident in some way.
Legal basis: our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: preventing crime or suspected criminal activity (such as fraud).

Enforcing or potentially enforcing our legal rights

We will use your information in connection with the enforcement or potential enforcement of our legal rights, including, for example, sharing information with debt collection agencies if you do not pay sums due when contractually obliged to do so. Our legal rights may be contractual (where we have a contract with you) or non-contractual (such as rights under copyright or tort law).
Legal basis: our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: enforcing our legal rights and taking steps to secure them.

In connection with a dispute or legal or potential legal proceedings

We may need to use your information if we are involved in a dispute with you or a third party, for example to resolve the dispute, or as part of mediation, arbitration, court proceedings, or similar processes.
Legal basis: our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: resolving disputes or potential disputes.

Ongoing compliance with laws, regulations, and other legal requirements

We will use and process your information to comply with legal obligations to which we are subject. For example, we may need to disclose your information pursuant to a court order or subpoena, if we receive one.
Legal basis: compliance with a legal obligation — GDPR Article 6(1)(c).
Legal obligation: obligations to disclose information established under domestic or international legal instruments (e.g., an international agreement signed by Romania).
Legal basis (additionally, where applicable): our legitimate interests — GDPR Article 6(1)(f).
Legitimate interest: where the obligations arise under the laws of another country and have not been incorporated into Romanian law, we have a legitimate interest in complying with those obligations.


7. How We Collect Data

7.1 We collect your personal data directly from you, for example when you send us an email requesting an offer/information, when you provide your data for concluding a contract, or when you sign up for the newsletter.

7.2 We also collect your personal data automatically. When you use our services on the Company’s website, we collect information via cookies and by logging your activity. For more information on the use of cookies, please see our Cookie Policy.


8. Information Security

8.1 We take appropriate technical and organizational measures to secure your information and protect it against unauthorized or unlawful use and against accidental loss or destruction, including:
– sharing and granting access to your data to the minimum extent necessary, subject to confidentiality obligations where applicable, and anonymizing data wherever possible;
– using secure servers for information storage;
– verifying the identity of any person requesting access to information before granting access;
– using Secure Sockets Layer (SSL) to encrypt any information you send through forms on our website;
– transferring your data only via closed systems or encrypted data transfers.

8.2 Sending Information to Us by Email

8.2.1 Transmission of information over the internet is not entirely secure and, if you send us information over the internet (by email or otherwise), you do so entirely at your own risk.
8.2.2 We cannot be responsible for any costs, loss of profit, reputational damage, damages, liabilities, or any other form of loss or harm you may suffer as a result of your decision to transmit information by such means.


9. Transfer of Your Data Outside the European Economic Area (“EEA”)

Data transfers outside the EEA

We may transfer data to providers located in the United States of America. For such transfers, we rely on the European Commission’s Adequacy Decision for the EU–US Data Privacy Framework (DPF) of 10 July 2023 (Decision (EU) 2023/1795). For providers not certified under the DPF, we use Standard Contractual Clauses (SCCs) and, where necessary, additional security measures.

Main providers: Google LLC (Analytics/Ads) — DPF certified; Meta Platforms Ireland/Meta Platforms Inc. (ads/remarketing); [hosting/CDN name] (EU). Up-to-date details on DPF certifications can be found on the program’s official website and in the provider’s privacy policy.


10. Your Rights Over Personal Data

10.1 Subject to certain restrictions, you have the following rights regarding your data, which you can exercise by sending a written request to Calea Zărandului 55 B, Hunedoara, Deva County, or by email to office@rpay.eu:
– to request access to your information and information related to the use and processing of your information;
– to request the rectification or deletion of your data;
– to request restriction of the use of your data;
– to receive the information you have provided to us in a structured, commonly used, machine-readable format (e.g., a CSV file) and the right to transfer that information to another data controller (including a third-party controller);
– to object to the processing of your data for certain purposes (see “Your Right to Object to Processing for Certain Purposes” below);
– to withdraw your consent to our use of your data at any time where we rely on your consent. Please note that if you withdraw consent, this does not affect the lawfulness of the use and processing of your data based on your consent before its withdrawal.

10.2 You may also lodge a complaint regarding the processing of your data with the National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, 010336 Bucharest, Romania, www.dataprotection.ro, anspdcp@dataprotection.ro.

10.3 Verifying Your Identity When You Request Access

Where you request access to your information, we are legally required to use all reasonable measures to verify your identity before doing so. These measures are designed to protect your information and reduce the risk of identity fraud, identity theft, or general unauthorized access.

How we verify your identity

10.3.1 Where we have sufficient information about you on our database, we will try to verify your identity using that information. If this is not possible or we do not have sufficient information, we may request copies or certified copies of documents in order to verify your identity before granting access to your data. We will confirm the exact information we need in your specific circumstances if and when you make such a request.

10.4 Your Right to Object to Processing for Certain Purposes

You may exercise the following rights by writing to the Company’s registered address (Hunedoara, Calea Zărandului 55 B, Deva County) or by emailing office@rpay.eu:
– to object to our use or processing of information to perform a task in the public interest or for our legitimate interests, including analyzing or predicting your behavior based on your information; and
– to object to our use or processing of your data for direct marketing purposes (including any profiling related to such direct marketing).

10.5 You can also exercise your right to object to the use or processing of your data for direct marketing by:
– clicking the unsubscribe link at the bottom of any marketing email we send and following the instructions in your browser after clicking the link;
– sending an SMS reply containing only the word “UNSUBSCRIBE” to any marketing text message we send, or by accessing the link indicated in the SMS; or
– emailing office@rpay.eu requesting that we stop sending marketing communications or by including the words “UNSUBSCRIBE”.

10.6 For more information on how to object to the use of data collected via cookies and similar technologies, please see our Cookie Policy.


11. Children’s Privacy

11.1 We do not process data of children under the age of 16.

11.2 We may receive information relating to individuals under 16 through fraud or deception by a third party. If we become aware of this, once verified and where required by law, we will promptly obtain the legal guardian’s consent to use such information or, if we cannot obtain consent, we will delete the information from our servers. If you wish to notify us that we have received information about persons under 16, please do so by emailing office@rpay.eu.

11.3 Data of minors aged 16 to 18 are processed in accordance with Regulation 679/2016, only with the data subject’s consent.


12. Principles Underpinning Our Data Protection Policy

a) Personal data shall be processed lawfully, fairly, and transparently;
b) Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
c) Personal data collection shall be adequate, relevant, and limited to what is necessary in relation to the purposes;
d) Personal data shall be accurate and, where necessary, kept up to date;
e) All reasonable measures shall be taken to ensure that inaccurate data are deleted or rectified without delay;
f) Personal data shall be kept in a form permitting identification of data subjects for no longer than is necessary for the purposes of processing;
g) All personal data shall be kept confidential and stored in a manner ensuring appropriate security;
h) Personal data shall not be shared with third parties except where necessary for the provision of services under agreements;
i) Data subjects have the right to request access to, rectification and deletion of personal data, to object to or restrict processing, and to data portability.


13. Changes to Our Privacy Policy

13.1 We update and amend our Privacy Policy periodically.

13.2 Minor Changes to Our Privacy Policy

13.2.1 If we make minor changes, we will update the Privacy Policy with a new effective date at the beginning. Processing of your information will be governed by the practices set out in the new version as of its effective date.

13.3 Major Changes to Our Privacy Policy or to the Purposes for Which We Process Your Information

13.3.1 If we make major changes to our Privacy Policy or intend to use your data for a new purpose or one different from the purposes for which it was originally collected, we will notify you by email (where possible) or by posting a notice on our website.
13.3.2 We will provide information about the change, the purpose, and any other relevant details before using your information for the new purpose.
13.3.3 Where necessary, we will obtain your prior consent before using your information for a purpose different from the one for which it was originally collected.


Cookies