Privacy Policy

Last updated: June 2, 2026

This is an informative English translation. The legally binding version is the Romanian original, which prevails in case of any discrepancy.

In short — what we do with your data

  • We collect only what is strictly necessary for the service to work.
  • We do NOT sell your data to anyone. Ever.
  • We do NOT use your data for advertising.
  • Your business data (products, clients, sales) belongs to you 100%.
  • You can export or delete it at any time.
  • We store everything in the EU, in accordance with GDPR.

1. Data controller

The controller of your personal data is IACOB MIHAI-ALBERTO PFA (Authorized Natural Person, CUI 54802933, ORC No. F2026028449007, professional office in Bucharest, Romania — full address on the invoice and upon request). Email: contact@albertoiacob.ro.

2. What data we collect

Account data: username, email, password (stored hashed with the scrypt algorithm via Better Auth — never in plaintext), name of the flower shop.

Data about your business: products, prices, costs, stock, clients (name, phone, email — if you enter them), sales, purchases, losses, categories. These are your operational data and are not accessed by us except in explicit situations (technical support, court order).

Automatic technical data: IP address (for rate limiting + security), browser type, pages visited, time spent on the page. These data are collected through server logs and (once enabled) consented cookies and analytics.

Payment data: we do NOT store card data. Payments will be processed by Stripe (once enabled), which is PCI-DSS Level 1 certified.

3. Why we use it (legal basis)

  • Providing the service (art. 6(1)(b) GDPR — contract performance): authentication, saving data, generating reports and invoices.
  • Security and abuse prevention (art. 6(1)(f) GDPR — legitimate interest): rate limiting, error monitoring, audit log.
  • Communication (art. 6(1)(b) or 6(1)(a) — consent for the newsletter): transactional emails (forgotten password, new invoice, expired subscription) are mandatory for the service to work. Marketing emails (news, offers) are opt-in and can be disabled at any time.
  • Invoicing and tax obligations (art. 6(1)(c) GDPR — legal obligation): issuing invoices in accordance with Tax Code Art. 319, VAT reporting in accordance with the law.

4. Who we share data with (sub-processors)

We use a minimal number of third-party services, chosen for GDPR compliance and EU infrastructure:

Sub-processor | Role | Location
Vercel Inc. | Web hosting + CDN + edge functions | EU (Frankfurt) + global edge
Railway Corporation | Backend hosting + PostgreSQL database | EU (eu-west)
Brevo SAS | Transactional emails (account verification, password reset, team invitations) | France (EU)
Functional Software, Inc. (Sentry) | Application error monitoring — technical stack traces on legitimate interest; masked recording of the steps leading to an error only with “Analytics” consent | EU (Frankfurt)
PostHog Inc. | Aggregated behavior analytics (only with explicit cookie consent) | EU (Frankfurt)
Vercel Blob Storage | Flower shop image storage (logo, gallery) | EU
GitHub Inc. | Platform source code (NOT user data) | EU/USA
Stripe Payments Europe Ltd. (planned) | Subscription payment processing | Ireland (EU) / USA (DPA + SCCs)
Google / OpenStreetMap / Bing / Waze (optional) | Embedded map on the flower shop’s public website — ONLY if the shop adds one, and ONLY after the visitor clicks “Load map” (click-to-load, no cookie before consent) | Global (EU / USA)

With each active sub-processor we have a Data Processing Agreement (DPA) in accordance with art. 28 GDPR. For transfers to the USA (GitHub, Stripe — when enabled), we rely on Standard Contractual Clauses (SCCs) and the Data Privacy Framework, as applicable. The list of sub-processors may be updated — material changes will be communicated to you by email at least 30 days in advance.

5. How long we keep the data

  • Active account: for the duration of the subscription + 90 days after cancellation (to recover accounts closed by mistake).
  • Inactive accounts: accounts with prolonged inactivity (over 12 months without login) may be archived and subsequently deleted; we notify you in advance by email before any archiving or deletion.
  • Deletion request (GDPR Art. 17): the account immediately enters scheduled deletion, with a 90-day window for recovery (during which the account is inaccessible); after it expires, personal data is anonymized within no more than 30 days, except for data required by law (see below).
  • Tax invoices: 10 years in accordance with Tax Code Art. 25(4) — a legal obligation above and beyond GDPR. Personal data in invoices is anonymized after account deletion, but the tax record remains.
  • Server logs: 30 days.
  • Security audit log: 7 years (in accordance with the Tax Code for logs related to tax operations; the table is immutable at the Postgres level through REVOKE UPDATE/DELETE).

6. Your rights (GDPR)

Under GDPR, you have the following rights:

  • Access (art. 15) — to find out what data we hold about you.
  • Rectification (art. 16) — to correct inaccurate data.
  • Erasure / Right to be forgotten (art. 17) — to ask us to delete your data.
  • Restriction (art. 18) — to have us temporarily halt processing.
  • Portability (art. 20) — to receive your data in a structured format (JSON) so you can move it to another service.
  • Objection (art. 21) — to object to certain processing (e.g., marketing).
  • Complaint to ANSPDCP — the National Supervisory Authority for Personal Data Processing — dataprotection.ro

To exercise any right, write to us at contact@albertoiacob.ro. We respond within a maximum of 30 days (usually much faster). We do not charge a fee for reasonable requests.

See practical details in the GDPR guide.

7. Security

We apply reasonable technical and organizational measures:

  • HTTPS on all pages (HSTS preload enabled)
  • Strict Content Security Policy (CSP)
  • httpOnly + Secure + SameSite=Lax session cookies, managed by Better Auth
  • Passwords hashed with the scrypt algorithm via Better Auth
  • Cryptographically signed sessions via Better Auth (server-side validation, limited duration with idle timeout)
  • Durable rate limiting on sensitive endpoints (signin, signup, reset)
  • Strict data isolation between flower shops (per-account separation at the database level, on all tables containing business data, with no exceptions)
  • Database access restricted to a least-privilege application role (no administrative account, no bypassing of per-account isolation)
  • Automatic daily database backup, with the ability to restore to any point in the last 30 days

In the event of a data breach, we will notify you within a maximum of 72 hours in accordance with art. 33 GDPR and will also notify ANSPDCP if the incident poses a risk to your rights.

8. Cookies and tracking

We use strictly necessary cookies (authentication, security) and functional cookies (theme preference, language) — these do not require consent. Analytics and diagnostic cookies and technologies (PostHog + Sentry, hosted in the EU) are enabled only with your explicit consent, given from the banner. We do not use marketing tracking, advertising, or profiling. Full details + a table with each cookie in the Cookie Policy.

9. Children

The platform is intended for professionals (B2B). We do not intentionally collect data from persons under 16 years of age. If you notice that a minor has provided us with data, contact us so we can delete it immediately.

10. Changes

We will update this policy as the service evolves. Previous versions are archived. For significant changes we will notify you by email at least 30 days in advance.