HomeGDPR Compliance

    GDPR Compliance

    Effective Date: January 1, 2025

    This document outlines how TIMPIA S.R.L. complies with Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR). We are committed to protecting the privacy and rights of individuals whose personal data we process.

    1. Data Controller

    TIMPIA S.R.L.
    Registered Address: Mun. Brașov, Str. Zizinului, nr. 6, bl. 40, sc. A, et. 5, ap. 15, jud. Brașov, Romania
    VAT ID: RO52050273
    Trade Registry: J20/2504/2024
    Email: hello@timpia.ai

    As the data controller, we determine the purposes and means of processing personal data and are responsible for ensuring compliance with GDPR.

    2. Legal Basis for Processing

    Under GDPR Article 6, we process personal data based on the following lawful grounds:

    • Consent (Article 6(1)(a)): For marketing communications, newsletters, and non-essential cookies. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time.
    • Contract Performance (Article 6(1)(b)): For processing necessary to provide our AI engineering, automation, and software development services pursuant to a contract with you.
    • Legitimate Interests (Article 6(1)(f)): For analytics, website security, fraud prevention, and improving our services, where such interests are not overridden by your fundamental rights and freedoms.
    • Legal Obligation (Article 6(1)(c)): For compliance with tax laws, accounting requirements, and other legal obligations under Romanian and EU law.

    3. Your Rights Under GDPR

    As a data subject, you have the following rights under GDPR:

    • Right of Access (Article 15): You may request confirmation of whether we process your personal data and obtain a copy of that data.
    • Right to Rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete data.
    • Right to Erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for continued processing ("right to be forgotten").
    • Right to Restriction (Article 18): You may request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
    • Right to Data Portability (Article 20): You may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
    • Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
    • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

    To exercise any of these rights, please contact us at hello@timpia.ai. We will respond within 30 days as required by GDPR Article 12(3).

    4. International Data Transfers

    Some of our service providers are located outside the European Economic Area (EEA). When transferring personal data to such providers, we ensure appropriate safeguards are in place as required by GDPR Chapter V:

    • EU-US Data Privacy Framework: For transfers to certified US organizations.
    • Standard Contractual Clauses (SCCs): As adopted by the European Commission pursuant to Article 46(2)(c).
    • Adequacy Decisions: For transfers to countries with adequate data protection levels as determined by the European Commission.

    Our key service providers include Vercel (hosting), Stripe (payments), Google (analytics), and AI providers (OpenAI, Anthropic), all of which maintain GDPR-compliant data processing agreements.

    5. Data Protection Measures

    In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

    • Encryption of personal data in transit (TLS/SSL) and at rest
    • Access controls and authentication mechanisms
    • Regular security assessments and penetration testing
    • Data minimization and pseudonymization where appropriate
    • Incident response procedures for potential data breaches

    6. Data Breach Notification

    In the event of a personal data breach, we will comply with GDPR Articles 33 and 34:

    • Notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
    • Communicate the breach to affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

    7. Supervisory Authority

    If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the supervisory authority. For Romania, this is:

    ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
    Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
    Website: www.dataprotection.ro
    Email: anspdcp@dataprotection.ro

    8. Contact

    For any questions about our GDPR compliance or to exercise your data protection rights, please contact us at:
    hello@timpia.ai

    Terms of ServicePrivacy PolicyCookie Policy