Privacy Policy

1. Data Controller

The data controller for your personal data is The Investor-Ready Architect, a legal advisory practice operated as a sole proprietorship under Romanian law.

The Investor-Ready Architect
Email: privacy@applegal.ro
Website: www.applegal.ro

2. What Data We Collect

We collect different categories of personal data depending on how you interact with us:

Website visitors: When you access our Website, Cloudflare (our hosting and security provider) may collect technical data such as your IP address, browser type, and access timestamps for security and performance purposes. We do not use cookies for tracking or analytics. Cloudflare Zero Trust may collect your email address if you authenticate via the one-time pin access gate.

Intake questionnaire respondents: When you submit the intake form hosted on Microsoft Forms, we collect the information you provide, including your name, email address, company name, CUI (unique identification code), Trade Registry number, role, company stage, funding details, and information about your current legal setup.

Consultation participants: When you book a Fit Call through Microsoft Bookings, we collect your name, email address, and any information you provide during the scheduling process. Calls are conducted via Microsoft Teams.

Clients under engagement: During an active engagement, we may additionally process corporate documents, financial information, cap table data, governance records, and other materials relevant to the scope of the engagement letter. Payment data (such as card details) is collected and processed directly by Stripe; we do not store payment card information.

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 of the GDPR:

Contractual necessity (Art. 6(1)(b)) — to respond to your intake submission, schedule consultations, and perform services under a signed engagement letter.

Legal obligation (Art. 6(1)(c)) — to comply with Romanian fiscal, tax, and professional regulatory requirements, including invoicing through SmartBill and e-Factura reporting.

Legitimate interest (Art. 6(1)(f)) — to maintain the security of our Website (via Cloudflare), to assess whether a prospective engagement is a mutual fit, and to communicate with you about our services.

Consent (Art. 6(1)(a)) — where applicable, for any processing not covered by the bases above. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Third-Party Processors

We use a limited number of third-party service providers who may process personal data on our behalf. Each has been selected with data protection in mind:

Microsoft 365 (Forms, Bookings, Teams, OneDrive, Outlook) — intake data collection, scheduling, communications, and document storage. Microsoft operates under the EU Data Boundary, meaning your data is stored and processed within the European Union.

Stripe (Ireland) — payment processing. Stripe acts as an independent data controller for payment card data. See Stripe's Privacy Policy.

SmartBill (Romania) — invoicing and Romanian fiscal compliance (e-Factura, ANAF reporting). Data is processed and stored in Romania.

Cloudflare (United States, with EU processing) — website hosting, DNS, security, and access control. Cloudflare processes limited technical data (IP addresses, access logs) to deliver and secure the Website. See Cloudflare's Privacy Policy.

5. International Data Transfers

Your data is primarily stored and processed within the European Union. Where data is transferred outside the EEA (for example, to Cloudflare infrastructure in the United States), such transfers are protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision, as applicable.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Intake data (no engagement): If we do not enter into an engagement, your intake submission and any Fit Call notes are deleted within 90 days of our last communication.

Engagement records: Client files, work product, and related correspondence are retained for 5 years following the conclusion of the engagement, in accordance with Romanian professional obligations for lawyers.

Fiscal records: Invoices and financial records are retained for 10 years as required by Romanian fiscal legislation.

7. Your Rights

Under the GDPR, you have the following rights with respect to your personal data: the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), and the right to object to processing (Art. 21).

To exercise any of these rights, please contact us at privacy@applegal.ro. We will respond to your request within 30 days.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Romanian supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro.

8. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls via Cloudflare Zero Trust, and storage within Microsoft 365's EU Data Boundary infrastructure. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be reflected by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Website following the posting of changes constitutes your acknowledgment of those changes.