PRIVACY POLICY
ORYNTECH SRL | Version 1.0 | Effective Date: May 13, 2026
IMPORTANT: This Privacy Policy describes how ORYNTECH SRL collects, uses, stores, discloses, and protects personal data when you visit our website, use our Services, or interact with our Platform in any capacity. ORYNTECH SRL is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018 implementing the GDPR, and Law no. 506/2004 on electronic communications privacy. Please read this policy carefully. By accessing our website or using our Services, you acknowledge that you have read and understood this Privacy Policy. This Policy must be read together with our Terms of Use, our Cookie Policy, and (for Clients) our Data Processing Agreement.
1. Data Controller Identity
The data controller responsible for the processing of your personal data is:
| Field | Details |
|---|---|
| Company Name | ORYNTECH SRL |
| CUI (Tax ID) | 54180636 |
| Trade Registry | J16/15026/2026 |
| EUID | ROONRC.J16.15026.2026 |
| Registered Address | Municipiul Craiova, Str. Aristizza Romanescu, Nr. 7C, Corp C3, Spatiile 1, 2, 5, 6, Judet Dolj, Romania |
| oryntechai@gmail.com | |
| Phone | +40745612017 |
| Website | www.oryntech.ai |
| Supervisory Authority | ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) — www.dataprotection.ro |
ORYNTECH SRL has determined that it is not currently required to designate a Data Protection Officer (DPO) under Art. 37 GDPR, as it does not engage in large-scale systematic monitoring of individuals or large-scale processing of special categories of data as its core activity. Any data protection enquiries may be directed to oryntechai@gmail.com. ORYNTECH SRL will reassess this designation periodically and as its operations evolve.
2. Our Dual Role: Controller and Processor
2.1 Data Controller
ORYNTECH SRL acts as a data controller in respect of: (i) personal data of its own Clients, prospects, and website visitors; and (ii) data collected for marketing, billing, account management, and internal operations. In this capacity, we determine the purposes and means of processing and bear full responsibility for GDPR compliance.
2.2 Data Processor
ORYNTECH SRL acts as a data processor when our Clients (acting as data controllers) instruct us to process personal data belonging to the Clients' own customers, leads, or contacts within our Platform. In this capacity, we process data only on documented instructions from the Client. The terms governing this processing relationship are set out in the Data Processing Agreement (DPA), provided to each Client at the time of subscription and forming part of the Contractual Framework.
Clients are solely responsible for the lawfulness of their own data collection, for ensuring they have a valid legal basis under Art. 6 GDPR for all personal data transferred to ORYNTECH SRL for processing, and for providing adequate privacy notices to their own data subjects. Clients shall not upload personal data to the Platform without the legal basis required to do so under applicable law.
3. What Personal Data We Collect
3.1 Data You Provide Directly
As a Client, prospect, or website visitor, you may provide us with the following categories of personal data:
- Identity data: full name, company name, job title, CUI / VAT number, trade registry information.
- Contact data: email address, phone number, billing address, postal address.
- Financial and billing data: invoice information, billing details. Payment card data is processed exclusively by Stripe, Inc. — ORYNTECH SRL does not store, access, or process full payment card numbers at any time.
- Account credentials: username, hashed password, authentication tokens.
- Communication data: messages, support tickets, enquiries, demo requests, feedback, or any other communication submitted to us by email, web form, chat, or phone.
- Contractual data: business information provided during service configuration, onboarding, and system setup, including details about your business, target audience, services offered, and operational preferences.
- Pre-sales qualification data: when you submit a consultation or strategy session request, we may collect: the type of products or services you sell; your current and target marketing and acquisition channels; your country of operation; your available investment budget range; your business website URL; a written description of your business and offer; indicators of your current and target monthly revenue; a description of your main business challenges and obstacles; your preferred implementation timeline; your motivation level (1–10 scale); how you found us; your preferred consultation date and time; and your stated commitment to attending the scheduled session.
- Consent and compliance records: the timestamp of your acceptance of our Terms of Use and Privacy Policy, the exact text of the consent presented to you at the time, the version numbers of the relevant documents, the form identifier, and (where available from standard HTTP headers) the IP address from which consent was submitted. These records are maintained for compliance purposes under Art. 7(1) GDPR.
3.2 Data Collected Automatically
When you interact with our website or Platform, we automatically collect:
- Technical data: IP address, browser type and version, device type, operating system, screen resolution, language, timezone.
- Usage and behavioural data: pages visited, time on page, click behaviour, navigation paths, referral source, session duration, features accessed within the Platform.
- Cookie and tracking identifiers: as described in detail in our Cookie Policy at www.oryntech.ai.
- Log data: server logs, access timestamps, error reports, API call records, security event logs.
3.3 Data Received From Third Parties
In limited cases, we may receive personal data about you from third parties, including: (i) authentication providers when you choose to log in via Google, Facebook, or other identity providers; (ii) payment processors (Stripe) for billing reconciliation purposes; (iii) advertising platforms (Meta, Google) where you have interacted with our advertising and consented to the relevant tracking; (iv) public business registries (e.g. ONRC) for verification of corporate identity for B2B Clients.
3.4 Special Categories of Personal Data
ORYNTECH SRL does not intentionally collect or process special categories of personal data as defined under Art. 9 GDPR (including health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, or trade union membership). Clients must not upload special category data to the Platform without first obtaining the explicit consent of the data subjects concerned and notifying ORYNTECH SRL in writing. Any such data inadvertently submitted will be deleted as soon as we become aware of it, without prejudice to the Client's responsibility under the DPA.
4. Purposes and Legal Bases for Processing
We process personal data only where we have a valid legal basis under Art. 6 GDPR. The table below sets out our processing activities, their purposes, and applicable legal bases:
| Processing Activity | Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Account creation and management | Providing Platform access and managing the Client relationship | Art. 6(1)(b) — Contract |
| Service delivery and configuration | Delivering, configuring, and maintaining Services under the Subscription Plan | Art. 6(1)(b) — Contract |
| Payment processing and billing | Processing payments via Stripe and issuing invoices | Art. 6(1)(b) — Contract |
| Technical support | Responding to support requests and resolving issues | Art. 6(1)(b) — Contract |
| Business qualification and consultation request | Collecting and processing pre-sales qualification and business assessment data submitted via consultation request forms (e.g. the Elite Strategy Session) | Art. 6(1)(b) — Pre-contractual measures |
| Pre-contractual contact (demo, sales) | Responding to demo requests, sales enquiries, prospect communications | Art. 6(1)(b) — Pre-contractual measures + Art. 6(1)(a) — Consent for marketing |
| Invoicing and financial records | Retaining invoices and accounting records — minimum 10 years under Law no. 82/1991 | Art. 6(1)(c) — Legal Obligation |
| Regulatory compliance (ANSPDCP, ANAF) | Responding to lawful requests from regulators and tax authorities | Art. 6(1)(c) — Legal Obligation |
| Marketing to existing Clients | Sending product updates, offers, and similar service communications to existing Clients | Art. 6(1)(f) — Legitimate Interest (with opt-out per Art. 21 GDPR) |
| Marketing to prospects | Sending promotional emails to prospects who have requested such communications | Art. 6(1)(a) — Consent (with right to withdraw) |
| Website analytics | Understanding website usage to improve content and performance | Art. 6(1)(f) — Legitimate Interest (essential analytics) / Art. 6(1)(a) — Consent (non-essential) |
| Cookie-based advertising | Targeted advertising via Meta and Google Ads | Art. 6(1)(a) — Consent |
| Security and fraud prevention | Protecting the Platform and detecting abusive use | Art. 6(1)(f) — Legitimate Interest |
| Defence of legal claims | Establishing, exercising, or defending legal claims | Art. 6(1)(f) — Legitimate Interest |
NOTE on Legitimate Interest. Where we rely on Legitimate Interest as a legal basis, we have conducted a balancing test (LIA — Legitimate Interest Assessment) and determined that our interests do not override your rights and freedoms. You have the right to object to processing based on Legitimate Interest at any time, in particular for direct marketing purposes (see Section 8).
5. AI Processing and Absence of Model Training
The Platform includes AI-driven features such as conversational AI agents, voice agents, content generation, and workflow AI. These features rely on third-party AI service providers operating under strict data processing agreements with ORYNTECH SRL.
In accordance with Section 6.4 of our Terms of Use, ORYNTECH SRL expressly commits that:
- Personal data and content uploaded or processed by Clients through the Platform ("Client Content") will not be used to train, retrain, or improve any AI model, whether ORYNTECH SRL's own or any third party's, without the Client's prior, explicit, written consent;
- Where Zero Data Retention agreements are technically available with the AI sub-processors used by our underlying platform infrastructure provider, those agreements are configured to ensure that Client prompts and responses are not retained beyond the duration strictly necessary to deliver the response;
- ORYNTECH SRL does not sell, license, or otherwise commercialise Client personal data or Client Content to any third party for AI training, advertising profiling, or any other purpose;
- Aggregated, anonymised statistics that cannot reasonably be linked back to any identified or identifiable individual may be used by ORYNTECH SRL for service improvement, capacity planning, and similar internal purposes.
Clients should be aware that their own end-users (the data subjects whose data they upload to the Platform) interact with AI-driven features at the Client's instruction. The Client, as data controller, is responsible for informing those end-users about the use of AI and for obtaining any consent required under applicable law.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Our general retention schedule is as follows:
| Category | Retention Period |
|---|---|
| Client account data (active) | Duration of Subscription Plan + 3 years post-termination (statute of limitations) |
| Financial records and invoices | 10 years (Law no. 82/1991 — Accounting Law) |
| Support communications | 3 years from the date of last communication |
| Marketing contact data (consented) | Until withdrawal of consent or 3 years of inactivity, whichever is shorter |
| Prospect data (demo requests, etc.) | 12 months from last contact, unless converted to Client |
| Website usage / analytics data | 26 months (Google Analytics default, configurable) |
| Cookie consent records | 3 years from date of consent (EDPB guidance) |
| Security and access logs | 12 months for routine logs; 5 years for incident-related logs |
| Data processed on behalf of Clients | As specified in the DPA; deleted or returned within 30 days of contract termination |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised, except where longer retention is required by law or is necessary for the establishment, exercise, or defence of legal claims.
7. Recipients and Data Transfers
7.1 Categories of Sub-Processors
ORYNTECH SRL uses the following categories of third-party service providers (sub-processors) who may process personal data on our behalf:
| Category | Role | Location | Safeguards |
|---|---|---|---|
| Payment processor | Payment processing and billing reconciliation (Stripe, Inc.) | USA (EU data stored in EEA) | EU-US Data Privacy Framework |
| Platform infrastructure provider | Hosting and operation of the integrated AI automation and CRM Platform | USA | Standard Contractual Clauses (SCCs) + Data Processing Agreement |
| AI model providers | Generative AI processing for conversational agents, voice agents, content AI | USA | SCCs + Zero Data Retention configurations where available at platform infrastructure level |
| Communications providers | SMS, voice telephony, email delivery infrastructure | USA / EEA | SCCs / EU-US Data Privacy Framework |
| Productivity and email tools | Internal email, calendar, document storage (Google Workspace) | USA / EEA | EU-US Data Privacy Framework |
| Advertising and analytics platforms | Website analytics, advertising attribution (Meta, Google) — only with consent | USA / EEA | EU-US Data Privacy Framework + consent |
Detailed sub-processor list. An updated list of sub-processors identifying each provider by name, address, and processing activity is provided to all active Clients as part of the Data Processing Agreement, in accordance with Art. 28 GDPR. Prospects, website visitors, and other interested data subjects may request the current list by contacting oryntechai@gmail.com. ORYNTECH SRL maintains an internal Record of Processing Activities under Art. 30 GDPR available to ANSPDCP upon lawful request.
We will notify Clients of any addition, replacement, or material change of sub-processors at least 15 calendar days in advance, in accordance with the DPA. Clients may object to a proposed sub-processor change within 10 calendar days of notice; if no satisfactory resolution is reached, the Client may terminate the affected Services in accordance with the DPA.
7.2 International Data Transfers
Some sub-processors are located in third countries (outside the EEA), including the United States. All such transfers are made in compliance with Chapter V GDPR, using one or more of the following mechanisms: (i) adequacy decisions adopted by the European Commission; (ii) Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914); or (iii) the EU-US Data Privacy Framework, where the recipient is certified.
Where required by Schrems II case-law and EDPB Recommendations 01/2020, ORYNTECH SRL has conducted Transfer Impact Assessments (TIA) for transfers outside the EEA and implemented supplementary technical, contractual, and organisational measures where appropriate. A summary of these assessments is available to Clients upon written request.
7.3 Disclosure to Authorities
ORYNTECH SRL may disclose personal data to competent public authorities (ANSPDCP, ANAF, ANCOM, courts, law enforcement) where required to do so by applicable Romanian or EU law, or by a valid court order. We will notify the affected data subject of any such disclosure where legally permitted to do so, and we will challenge any request that we consider disproportionate or unlawful.
8. Your Data Subject Rights
Under the GDPR and Romanian Law no. 190/2018, you have the following rights with respect to your personal data. To exercise any of these rights, please submit a written request to oryntechai@gmail.com. We will respond within 30 calendar days of receiving your complete request (extendable by a further 60 days for complex or numerous requests, with prior notice within the first 30 days).
| Right | Description |
|---|---|
| Right of Access (Art. 15) | You may request a copy of the personal data we hold about you and information about how we process it. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data where we no longer have a lawful basis for processing it, subject to exceptions (legal obligations, defence of claims). |
| Right to Restriction (Art. 18) | You may request that we restrict processing of your data in certain circumstances. |
| Right to Data Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interest, in particular for direct marketing purposes (absolute right). |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
| Rights re: Automated Decisions (Art. 22) | You have the right to request human review of any automated decision producing legal effects or similarly significantly affecting you. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with ANSPDCP (www.dataprotection.ro) or any other competent supervisory authority in the EU. |
To verify your identity before processing a rights request, we may request additional information sufficient to confirm that you are the data subject concerned. We will not charge a fee for handling rights requests, unless they are manifestly unfounded or excessive (in particular if repetitive), in which case we may charge a reasonable fee or refuse the request, in accordance with Art. 12(5) GDPR.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website and Platform. Our Cookie Policy, published at www.oryntech.ai, provides detailed information about the specific cookies we use, their purposes, durations, providers, and how to manage your cookie preferences.
Non-essential cookies (including analytics, advertising, and third-party social media cookies) are placed only with your prior, informed, and freely given consent, expressed through our cookie consent banner. You may withdraw or modify your consent at any time through the cookie preferences interface accessible at the bottom of our website.
10. Security of Processing
ORYNTECH SRL implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or unlawful disclosure, in accordance with Art. 32 GDPR. These measures include:
- Data encryption at rest and in transit (TLS 1.2 or higher), using industry-standard cryptographic algorithms;
- Multi-factor authentication (MFA) for all internal access to administrative interfaces;
- Strict role-based access controls applied on a need-to-know basis;
- Regular review of access permissions and immediate revocation upon role change or termination;
- Use of cloud infrastructure provided by sub-processors holding recognised security certifications (e.g. ISO 27001, SOC 2);
- Audit logs for access to production systems and personal data;
- Zero Data Retention configurations applied at the level of our underlying platform infrastructure provider, where technically available with its AI sub-processors;
- Regular security assessments, vulnerability monitoring, and incident response procedures;
- Staff training on data protection and confidentiality obligations;
- Contractual confidentiality obligations imposed on all employees, contractors, and sub-processors with access to personal data.
In the event of a personal data breach within the meaning of Art. 4(12) GDPR, ORYNTECH SRL will: (i) notify affected Clients without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons; (ii) notify ANSPDCP within 72 hours of becoming aware of the breach, where required under Art. 33 GDPR; and (iii) take immediate containment, investigation, and remediation measures. Detailed breach notification procedures are set out in the SLA and the DPA.
11. Children's Data
Our Services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. The Platform is offered exclusively as a B2B service for Professionals (legal entities and self-employed natural persons acting in their professional capacity). If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have received data relating to a child, please contact us at oryntechai@gmail.com.
12. Changes to This Privacy Policy
ORYNTECH SRL reserves the right to update or amend this Privacy Policy at any time to reflect changes in our processing activities, legal requirements, or business operations. For material changes, we will provide at least 30 days' advance written notice to active Clients by email. The updated Policy will be published at www.oryntech.ai with a revised effective date and version number. Where required by law, we will obtain renewed consent for any new processing activity that requires it.
The current version of this Policy is identified at the top of this document. Previous versions are available upon request.
13. Contact and Complaints
For all data protection enquiries, requests to exercise your rights, or complaints, please contact us at:
| Contact Detail | Information |
|---|---|
| Email (primary) | oryntechai@gmail.com |
| Phone | +40745612017 |
| Postal Address | Municipiul Craiova, Str. Aristizza Romanescu, Nr. 7C, Corp C3, Spatiile 1, 2, 5, 6, Judet Dolj, Romania |
| Website | www.oryntech.ai |
| Supervisory Authority | ANSPDCP — B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti — www.dataprotection.ro |
If you are not satisfied with our response to a data protection enquiry or complaint, you have the right to lodge a complaint with ANSPDCP (the Romanian supervisory authority) or with the supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
© 2026 ORYNTECH SRL | All rights reserved