APP Legal
← Back to Home

Privacy Policy

Last updated: March 25, 2026

1. Data Controller

The controller of your personal data and the owner of the website www.applegal.ro (the "Website") is APP Legal (Adina Popescu – Cabinet de Avocat), established and operating under the laws of Romania based on the Decision of the Bucharest Bar Council no. 578 dated 17.03.2026, with registered office in Bucharest, 10 Doamna Ghica Str., District 2, Romania, having tax identification number 42198869, e-mail address office@applegal.ro ("APP Legal", "we", "us", "our").

The purpose of this privacy policy (the "Privacy Policy") is to inform Website visitors regarding the collection, use, disclosure, protection, or any other processing of personal data that we collect through the Website.

APP Legal processes your personal data in full compliance with Regulation (EU) 2016/679, as well as with any other applicable legislation in Romania.

2. What Data We Collect and the Purpose of Processing

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, contact details, position, or other factors specific to their physical, economic, cultural, or social identity.

We collect different categories of personal data depending on how you interact with us:

Contact form respondents: When you fill out the contact form hosted on Microsoft Forms, we collect the information you provide in order to respond to your request, including your name, e-mail address, company name, unique registration code, Trade Registry registration number, position, and information about your current legal setup.

Clients under a legal mandate: During an active mandate, we may further process corporate documents, financial information, identification documents, phone numbers, and other materials relevant to the subject matter of the legal assistance contract and the execution of the mandate. Also, during the mandate, we may collect and process personal data about our clients, their affiliates, their representatives, or their relevant staff members. Please note that if you provide information about third parties, you must have informed them about this Privacy Policy and established a legal basis for sharing their data with us.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds, in accordance with Article 6 of Regulation (EU) 2016/679:

Contractual necessity (Art. 6 para. (1) letter b) – to respond to the contact form, schedule consultations, and provide services under a signed legal assistance contract.

Legal obligation (Art. 6 para. (1) letter c) – to comply with legal requirements, including tax, accounting, and professional regulatory obligations in Romania.

Legitimate interest (Art. 6 para. (1) letter f) – to maintain the security of our Website (via Cloudflare), to assess whether a potential collaboration is mutually suitable, and to communicate with you about our services.

Consent (Art. 6 para. (1) letter a) – where applicable, for any processing not covered by the grounds above. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

4. Data Retention Period

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Contact form data (no mandate): Data collected through the contact form, if we do not initiate a mandate – maximum 2 (two) years from the date of your submission of the data to us.

Engagement records: Data collected within a signed legal assistance contract – for the entire duration of the contract execution and for another 10 (ten) years after the termination of the contract.

5. Data Disclosure to Third Parties

We use a limited number of third-party service providers who may process personal data on our behalf. Each has been carefully selected with regard to data protection:

Microsoft 365 (Forms, Bookings, Teams, OneDrive, Outlook) – data collection from the contact form, scheduling, communications, and document storage. Microsoft operates within the EU Data Boundary, meaning your data is stored and processed within the European Union. Please consult the Microsoft 365 data privacy policy.

Cloudflare (United States of America, with processing in the EU) – hosting, DNS, security, and access control. Cloudflare processes limited technical data (IP addresses, access logs) to deliver and secure the Website. Please consult the Cloudflare data privacy policy.

Inherently, through the use of global technological solutions (e.g., cloud security infrastructure), certain technical data may be transferred or accessed outside the European Economic Area (EEA). Such transfers are made exclusively to entities that ensure an adequate level of protection (for example, to Cloudflare's infrastructure in the United States), recognized by European Commission adequacy decisions (such as the EU-US Data Privacy Framework) or by implementing appropriate safeguards (e.g., Standard Contractual Clauses).

Furthermore, we may disclose your data to public authorities, courts of law, or external collaborators (accounting experts, tax consultants, IT consultants, translators, other legal specialists), strictly to the extent necessary to fulfil our legal obligations or the entrusted mandate, these entities being bound by strict confidentiality obligations.

6. Your Rights as a Data Subject

In accordance with Regulation (EU) 2016/679, as a data subject, you have the following rights regarding your personal data:

a) Right to be informed (Art. 13 and Art. 14): The right to be informed in a concise, transparent, and easily accessible manner about how your data is processed.

b) Right of access (Art. 15): The right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and detailed information regarding the processing.

c) Right to rectification (Art. 16): The right to obtain, without undue delay, the rectification of inaccurate personal data or to have incomplete personal data completed.

d) Right to erasure (“right to be forgotten”) (Art. 17): The right to obtain the erasure of personal data concerning you under certain conditions provided by law (e.g., the data is no longer necessary for the initial purposes, consent has been withdrawn).

e) Right to restriction of processing (Art. 18): The right to request the limitation of the processing of your data in specific situations (e.g., you contest the accuracy of the data or the lawfulness of the processing).

f) Right to data portability (Art. 20): The right to receive the personal data you have provided in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller.

g) Right to object (Art. 21): The right to object at any time, on grounds relating to your particular situation, to the processing of your data, including profiling, especially when the processing is based on a legitimate interest.

h) Right not to be subject to automated decision-making, including profiling (Art. 22): The right to request and obtain human intervention on our part, to express your point of view and to contest the decision.

i) Right to withdraw consent (Art. 7 para. (3)): The right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (applicable only to processing based exclusively on consent).

j) Right to lodge a complaint with a supervisory authority (Art. 77): The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) or another competent authority if you consider that the processing infringes your rights.

To exercise any of these rights, please contact us at office@applegal.ro. We will respond to your request without undue delay and, in any event, within 1 (one) month of receipt of the request.

To the extent you consider that your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in Romania:

National Supervisory Authority for Personal Data Processing (ANSPDCP)
Website: www.dataprotection.ro
Address: 28-30 G-ral Gheorghe Magheru Blvd., District 1, Bucharest, postal code 010336, Romania

7. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls via Cloudflare Zero Trust, and storage within the Microsoft 365 EU Data Boundary infrastructure. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Any changes will be reflected by updating the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Continued use of the Website after the publication of changes constitutes your acceptance of them.

9. Contact

For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

E-mail: office@applegal.ro
Website: www.applegal.ro