How is the Pactroom platform fee calculated?

Pactroom uses a volume-tiered model. Fees start at 4.9% for smaller projects and decrease as deal size increases, dropping as low as 1.19% for deals over $250,000.

Do I need a monthly subscription to use Pactroom?

No. Pactroom is purely pay-as-you-go with no monthly fees. You only pay when you complete deals.

Are my video files safe before the client pays?

Yes. Pactroom uses automatic watermarking. Clients can preview watermarked versions, but clean files only unlock after full payment.

Privacy Policy | Pactroom

Effective Date: January 8, 2026

Version: 1.0

1. Introduction and Scope

1.1 Controller Information

This Privacy Policy describes how RitSea SRL ("Pactroom," "we," "us," or "our"), a Romanian limited liability company, collects, uses, processes, stores, and discloses your personal data when you use our platform and services.

Data Controller Details:

Legal Name: RitSea SRL
Registration Number: J2025055174005
Registered Address: Constanța, Romania
VAT Number: RO52211370
Website: https://pactroom.com
Email: support@pactroom.com

1.2 Legal Framework

This Privacy Policy complies with:

EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
Romanian Law 190/2018 on data protection measures
ePrivacy Directive - Directive 2002/58/EC (as amended)
Romanian Law 506/2004 on personal data processing
Romanian Law 365/2002 on electronic commerce
Applicable EU and Romanian consumer protection laws

1.3 Scope of Application

This Privacy Policy applies to:

All users of pactroom.com and subdomains
Mobile applications (iOS and Android)
API services and developer tools
All related services, features, and communications
Personal data collected from visitors, users, and third parties

Geographic Scope: This policy applies to data processing activities:

Within the European Economic Area (EEA)
Affecting individuals located in the EEA
Related to offering services to EEA residents
Conducted by our establishment in Romania

1.4 Policy Updates

We may update this Privacy Policy to reflect:

Changes in data processing practices
Legal or regulatory requirements
New features or services
Industry best practices
Security enhancements

Notice of Material Changes:

Email notification to registered users (30 days' advance notice)
Prominent notice on platform homepage
Updated "Last Updated" date at top of this document
For EU users: 30-day notice period before changes take effect

Your Acceptance: Continued use of our Service after changes take effect constitutes acceptance of the updated Privacy Policy.

1.5 Language and Interpretation

This Privacy Policy is drafted in English. In case of conflict between translations, the English version prevails except where local law requires otherwise.

2. Personal Data We Collect

2.1 Information You Provide Directly

2.1.1 Account Registration Data

When you create an account, we collect:

Mandatory Information:

Full legal name (first and last name)
Email address
Password (stored as cryptographic hash only)
Country of residence
Account type (individual, business, agency)
Date of birth (for age verification)
Phone number (for security verification)

Optional Information:

Professional title or role
Company name and registration details
Website or portfolio URL
Profile photo or avatar
Bio or professional description
Social media profiles
Languages spoken
Time zone preference

Business Account Additional Data:

Business legal name and structure
Business registration number
VAT/Tax identification number
Business address
Authorized representatives' details
Business licenses or certifications

2.1.2 Identity Verification Data

For account verification and fraud prevention:

Government-issued identification documents (passport, national ID, driver's license)
Proof of address documents (utility bills, bank statements)
Facial recognition data for identity matching
Selfie photographs for verification
Business incorporation documents
Professional licenses or credentials

Retention: Verification documents retained for 5 years after account closure per anti-money laundering requirements.

Processing Basis: Legal obligation (AML/KYC compliance) and contract performance.

2.1.3 Payment and Financial Data

For payment processing and tax compliance:

Collected Directly:

Bank account details (IBAN, account number, routing number)
Billing address
Tax identification numbers (SSN, EIN, VAT number)
Payout preferences and schedules
Currency preferences

Collected by Stripe (Payment Processor):

Payment card details (number, expiry, CVV)
Cardholder name and billing address
Transaction authorization data
Fraud detection signals
Payment method tokens

Critical Notice: Pactroom NEVER stores raw payment card data. All card information is collected and stored exclusively by Stripe, Inc., our PCI-DSS compliant payment processor. We receive only tokenized references and last 4 digits for display purposes.

Stripe's Privacy: Your payment data is subject to Stripe's Privacy Policy available at https://stripe.com/privacy

2.1.4 User-Generated Content

Content you create, upload, or transmit:

Project descriptions and requirements
Creative work files (documents, images, videos, audio)
Comments, feedback, and reviews
Messages and communications with other users
Contract terms and negotiations
Communication logs and transaction records
Portfolio items and work samples
Profile content and descriptions

Metadata: File metadata including creation date, author information, geolocation data (if embedded), device information, and edit history.

2.1.5 Communications

Communications with us or through our platform:

Support ticket submissions and responses
Email correspondence with our team
Phone call recordings (with notice and consent)
Chat transcripts with customer service
Survey responses and feedback
Newsletter subscriptions and preferences
Marketing communication preferences
Platform notifications and alerts

2.2 Information Collected Automatically

2.2.1 Device and Technical Information

When you access our Service:

Device Data:

Device type, model, and manufacturer
Operating system and version
Browser type and version
Screen resolution and orientation
Device identifiers (IDFA, Android ID, device fingerprint)
Mobile network information
App version and build number

Connection Data:

IP address (full or truncated)
Internet Service Provider (ISP)
Connection type (WiFi, cellular, etc.)
Network quality and performance metrics
Approximate geographic location (country, city, region)

Technical Data:

Cookies and similar tracking technologies (see Section 9)
Session IDs and authentication tokens
API access tokens and keys
Cache data and local storage
Error logs and crash reports
Performance metrics and load times

2.2.2 Usage Data and Analytics

Information about how you use our Service:

Navigation Data:

Pages visited and time spent on each page
Click paths and user flows
Features used and frequency of use
Search queries and filters applied
Content viewed and interactions
Files uploaded/downloaded (metadata only)
Transaction history and patterns

Engagement Metrics:

Login frequency and session duration
Active vs. inactive periods
Feature adoption and usage patterns
Conversion funnels and drop-off points
A/B test assignments and outcomes
Email open rates and click-through rates
Notification engagement rates

Platform Activity:

Projects created, active, and completed
Transactions initiated and completed
Proposals sent and received
Messages sent and response times
Reviews given and received
Disputes opened and resolutions
Account settings changes

2.2.3 Location Data

We collect location information through:

Approximate Location (Always):

Derived from IP address (city/region level)
Used for fraud prevention and service delivery
Cannot be disabled while using Service

Precise Location (With Consent):

GPS coordinates from mobile devices
WiFi access point information
Cell tower triangulation data
Used only if you grant device-level permission
Can be disabled in device settings

Location Usage:

Fraud detection and prevention
Compliance with geographic restrictions
Local content and currency display
Performance optimization (CDN routing)
Analytics and service improvement

2.3 Information from Third Parties

2.3.1 Payment Processor Data

From Stripe, Inc.:

Payment transaction outcomes (success/failure)
Fraud risk scores and signals
Chargeback and dispute information
Account verification status
Payout processing status
Last 4 digits of payment methods
Payment method country and brand

2.3.2 Social Media and OAuth Providers

If you connect social accounts:

Profile information (name, photo, email)
Public profile data
Friend/connection lists (with permission)
OAuth tokens and refresh tokens

Providers: Google, Facebook, LinkedIn, Apple (as available)

Your Control: You can disconnect social accounts anytime in account settings.

2.3.3 Identity Verification Services

From third-party verification providers:

Identity verification results
Document authenticity checks
Facial recognition match scores
Fraud risk assessments
Watchlist and sanctions screening results
Adverse media checks

Providers: We use industry-standard KYC/AML verification services.

2.3.4 Business Intelligence and Data Enrichment

From public and commercial sources:

Company information and registration data
Professional credentials verification
Public social media profiles
Business credit information (with consent)
Industry classification data
Company size and employee counts

2.3.5 Other Users

Information other users provide about you:

Reviews and ratings
Testimonials and references
Dispute submissions and evidence
Reported Terms violations
Shared communications and files

2.4 Sensitive Personal Data

We Do Not Intentionally Collect Sensitive Data. Under GDPR Article 9, "sensitive" or "special category" data includes:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for unique identification
Health data
Sex life or sexual orientation data

Limited Exceptions:

Biometric Data: Facial recognition for identity verification (with explicit consent)
Health Data: Only if you voluntarily include in communications (we request you not do this)

If You Provide Sensitive Data: By voluntarily providing sensitive data in User Content, communications, or profile information, you explicitly consent to our processing of such data for the purposes described in this policy.

Our Request: Please do not include sensitive personal data in your content, communications, or profile unless absolutely necessary and with full understanding of the implications.

2.5 Children's Data

Age Restriction: Our Service is intended for users aged 18 and older. We do not knowingly collect personal data from children under 18 (or the age of majority in your jurisdiction).

Parental Controls: If you are a parent or guardian and believe your child has provided us with personal data, contact us at support@pactroom.com. We will delete the data promptly upon verification.

Verification: We use age verification measures including:

Self-declaration during registration
Identity document verification
Behavioral analysis and risk signals

Discovery: If we discover we have collected data from a child without proper consent, we will delete it within 30 days.

3. Legal Bases for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary to perform our contract with you:

Creating and managing your account
Providing platform features and services
Facilitating transactions between users
Processing payments and payouts
Delivering customer support
Enforcing Terms of Service
Generating audit trails and evidence logs

Without This Processing: We cannot provide our Service to you.

3.2 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

Identity verification (AML/KYC regulations)
Tax reporting and withholding (IRS, Romanian tax authorities)
Responding to law enforcement requests
Complying with court orders and subpoenas
Retaining records per legal retention requirements
Reporting illegal content (child exploitation, terrorism)
Sanctions and watchlist screening

Applicable Laws:

EU Anti-Money Laundering Directives (4th and 5th)
Romanian Law 129/2019 (AML/CTF)
US Foreign Account Tax Compliance Act (FATCA)
Romanian Fiscal Code
EU eIDAS Regulation
Various data retention laws

3.3 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests (or third-party interests), where not overridden by your rights:

Fraud Prevention and Security:

Detecting and preventing fraud, abuse, and Terms violations
Monitoring for suspicious activity and security threats
Protecting platform integrity and user safety
Preventing money laundering and terrorist financing
Account security and unauthorized access prevention

Balancing Test: Fraud prevention protects all users and is essential to platform operation. Risk to your rights is minimal as we use privacy-preserving techniques.

Service Improvement:

Analyzing usage patterns and user behavior
A/B testing new features and improvements
Performance monitoring and optimization
Bug detection and resolution
Product development and innovation

Balancing Test: Improvements benefit all users. We minimize data collection and use aggregated/anonymized data where possible.

Business Operations:

Communicating service updates and changes
Managing customer relationships
Internal record-keeping and auditing
Business analytics and reporting
Mergers, acquisitions, and corporate transactions

Balancing Test: Necessary for business sustainability that enables continued service provision. Processing is proportionate and minimized.

Marketing and Growth:

Sending relevant marketing communications (with opt-out)
Personalizing user experience
Recommending relevant features or projects
Market research and competitive analysis

Balancing Test: Marketing supports business viability. You can opt out easily, and we respect Do Not Track signals.

Legal Claims:

Establishing, exercising, or defending legal claims
Investigating and responding to complaints
Litigation and dispute resolution
Regulatory compliance and audits

Balancing Test: Essential for protecting our legal rights and those of other users.

3.4 Consent (Article 6(1)(a))

Processing based on your explicit, freely-given consent:

Marketing emails and promotional communications
Non-essential cookies and tracking (see Section 9)
Precise location data collection
Facial biometric data for verification
Processing sensitive personal data (if voluntarily provided)
Third-party data sharing beyond what's necessary
Optional features requiring additional data

Your Rights:

Consent can be withdrawn at any time
Withdrawal does not affect prior processing
Easy withdrawal mechanisms provided (opt-out links, account settings)
No negative consequences for withdrawal

How to Withdraw: Email support@pactroom.com or use account settings toggles.

3.5 Vital Interests (Article 6(1)(d))

Rarely used, but processing may be necessary to protect vital interests:

Emergency medical situations
Preventing serious harm or danger to life
Child protection and safeguarding

3.6 Public Interest (Article 6(1)(e))

Not typically applicable to our processing, but may apply for:

Cooperation with regulatory authorities
Public safety investigations
Compliance with regulatory inquiries

4. How We Use Your Personal Data

4.1 Core Service Provision

Account Management:

Creating and maintaining your account
Authentication and access control
Profile management and customization
Account recovery and password resets
Subscription and billing management
Account security and verification

Platform Functionality:

Facilitating connections between creators, clients, and agencies
Processing and routing payments through Stripe
File storage, encryption, and watermarking
Project workflow and collaboration tools
Contract creation and digital signatures
Messaging and communication systems
Search and discovery features
Review and rating systems

Transaction Processing:

Coordinating payment flows between parties
Calculating and collecting platform fees
Generating invoices and receipts
Managing multi-party payment splits
Facilitating automated refund requests initiated by users
Providing transaction logs for external dispute handling

4.2 Security and Fraud Prevention

Account Security:

Monitoring login patterns and anomalies
Detecting unauthorized access attempts
Multi-factor authentication (when enabled)
Session management and token validation
Device fingerprinting and recognition
Password strength enforcement

Fraud Detection:

Identifying fake accounts and bot activity
Detecting payment fraud and chargebacks
Monitoring for Terms of Service violations
Identifying money laundering patterns
Sanctions and watchlist screening
Chargeback fraud prevention
Identity theft detection

Platform Integrity:

Content moderation and abuse detection
Spam and malicious content filtering
Intellectual property infringement detection
Review fraud and manipulation detection
Rate limiting and abuse prevention

4.3 Legal and Regulatory Compliance

Identity Verification:

KYC (Know Your Customer) verification
AML (Anti-Money Laundering) screening
Age verification and eligibility checks
Business entity verification
Professional credential verification

Tax Compliance:

Collecting tax identification numbers
Generating tax forms (1099, 1042-S, etc.)
Reporting to tax authorities as required
Withholding tax where applicable
VAT/GST collection and remittance

Legal Obligations:

Responding to legal process (subpoenas, court orders)
Cooperating with law enforcement
Reporting illegal content (CSAM, terrorism)
Maintaining legally required records
Regulatory reporting and audits

4.4 Communication and Support

Customer Support:

Responding to inquiries and support tickets
Troubleshooting technical issues
Providing technical assistance for account issues
Furnishing evidence logs for user-managed disputes
Processing feedback and suggestions

Service Communications:

Account notifications and alerts
Transaction confirmations and receipts
Security alerts and warnings
Policy and Terms updates
Service disruption notifications
Legal notices and disclosures

Marketing Communications (With Opt-Out):

Product updates and new features
Tips and best practices
Platform newsletters
Promotional offers and campaigns
Event invitations and webinars
User surveys and research requests

4.5 Analytics and Improvement

Usage Analytics:

Understanding how users interact with our platform
Identifying popular features and pain points
Measuring engagement and retention
Analyzing conversion funnels
Tracking feature adoption
Monitoring performance and errors

Product Development:

Prioritizing new features and improvements
A/B testing designs and workflows
Personalizing user experience
Optimizing search and recommendations
Improving algorithms and automation
Developing new services

Business Intelligence:

Market analysis and trends
Competitive benchmarking
Financial reporting and forecasting
Strategic planning and decisions
Investor reporting (aggregated only)

4.6 Personalization and Recommendations

Content Personalization:

Customizing platform interface and layout
Displaying relevant projects and opportunities
Recommending creators or clients
Personalizing search results
Tailoring notification preferences

Machine Learning:

Training models for better matching
Improving fraud detection accuracy
Enhancing content moderation
Optimizing payment routing
Predicting transaction outcomes

Important: Automated decision-making that produces legal or similarly significant effects requires additional safeguards (see Section 5.7).

4.7 Marketing and Growth

Platform Marketing:

Promoting our services to potential users
Retargeting campaigns (with consent)
Social media advertising
Content marketing and SEO
Partnership and affiliate programs

User Acquisition:

Referral programs and incentives
Ambassador and influencer partnerships
Event sponsorships and participation
PR and media relations

4.8 Corporate Transactions

Business Transfers:

Due diligence for mergers or acquisitions
Asset sales or transfers
Bankruptcy or insolvency proceedings
Corporate restructuring
Investor reporting (aggregated/anonymized)

Data Room Access: In M&A transactions, potential buyers may access pseudonymized or aggregated data under strict confidentiality agreements.

5. Data Sharing and Disclosure

5.1 No Sale of Personal Data

Critical Commitment: We DO NOT sell your personal data to third parties for monetary consideration. We do not operate a data brokerage business.

California Notice: Under CCPA, we do not "sell" personal information as defined by the statute.

5.2 Sharing with Other Users

Public Profile Information:

Visible to all platform users:

Display name and profile photo
Professional title and bio
Portfolio items and work samples
Public reviews and ratings
General location (city/country)
Member since date
Verified badges and credentials

Transaction Partners:

Shared with users you transact with:

Full name and contact information
Transaction history between you
Payment information (partial, for invoicing)
Tax identification (if required for transaction)
Communications and project files
Delivery addresses (if applicable)

Your Control: Adjust privacy settings in your account to limit public visibility.

5.3 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf under strict contractual obligations:

5.3.1 Payment Processing

Stripe, Inc. (USA - Adequate protection via Standard Contractual Clauses)

Purpose: Payment processing, fraud detection, payout distribution, identity verification
Data Shared: Payment methods, transaction amounts, billing information, identity verification data
Privacy Policy: https://stripe.com/privacy
Relationship: Data Processor
Security: PCI-DSS Level 1 certified

5.3.2 Cloud Infrastructure

Google Cloud Platform (Europe-West1 - Belgium)

Purpose: Data storage, computing, database (Firestore), authentication (Firebase)
Data Shared: All platform data (encrypted at rest and in transit)
Privacy Policy: https://cloud.google.com/privacy
Relationship: Data Processor
Certifications: ISO 27001, SOC 2 Type II, GDPR compliant
Data Location: EU (Europe-West1)

Cloudflare, Inc. (USA/Global)

Purpose: CDN, DDoS protection, performance optimization
Data Shared: IP addresses, HTTP requests, cached content
Privacy Policy: https://www.cloudflare.com/privacy
Relationship: Data Processor
Security: SOC 2 Type II certified

5.3.3 Communication Services

SendGrid (Twilio) & Formspree

Purpose: Transactional emails, contact form submissions
Data Shared: Email addresses, names, message content

5.3.4 Identity Verification

Stripe Identity

Purpose: Identity verification, fraud prevention, compliance
Data Shared: ID documents, biometric data, personal information
Compliance: Regulated financial services provider

5.3.5 Analytics

Google Analytics

Purpose: Traffic analysis, user behavior (anonymized IP)
Data Shared: Usage data, technical information, pseudonymized identifiers

5.3.6 Customer Support

Help Desk Software (Various)

Purpose: Support ticket management, customer communications
Data Shared: Contact information, support inquiries, account data
Used Services: [Specify: Zendesk, Intercom, etc.]

5.4 Legal and Regulatory Disclosures

We may disclose your data when required or permitted by law:

Legal Obligations:

Court orders and subpoenas
Law enforcement requests (with valid legal process)
Regulatory investigations and audits
Tax authority requests
National security requests (to extent legally required)

Legal Process Standards:

We review all requests for legal validity
We object to overbroad or inappropriate requests
We notify users when legally permitted
We publish transparency reports (aggregated statistics)
We require written legal process (no informal requests)

Public Safety:

Child exploitation (CSAM) - reported to NCMEC and authorities
Imminent threat of serious harm or danger
Terrorism-related content
Human trafficking

Rights Protection:

Enforcing our Terms of Service
Detecting and preventing fraud
Protecting our intellectual property
Defending legal claims and litigation
Preventing misuse of our services

5.5 Business Transfers

In connection with corporate transactions:

Mergers, acquisitions, or asset sales
Bankruptcy or insolvency proceedings
Corporate restructuring
Financing or investment rounds

Your Data: May be transferred to successor entity under terms no less protective than this Privacy Policy.

Notice: We will notify you via email and platform notice before transfer if materially different practices will apply.

5.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or pseudonymized data that cannot reasonably identify you:

Industry reports and benchmarks
Research and academic studies
Investor and public relations materials
Market analysis and trends
Platform statistics and metrics

Standards: Data is anonymized using industry-standard techniques ensuring re-identification risk is minimal per GDPR recital 26 standards.

5.7 With Your Consent

We may share data with third parties when you explicitly consent:

Social media sharing features
Third-party integrations you enable
Referral programs
Public testimonials and case studies
Partner features and co-marketing

Withdrawal: You can withdraw consent anytime in account settings or by contacting us.

5.8 No Sharing with Data Brokers

We do not share your personal data with:

Data brokers or aggregators
Lead generation companies
List rental services
Marketing database companies
Third-party ad networks (except legitimate advertising as disclosed)

6. International Data Transfers

6.1 Data Storage Locations

Primary Storage: European Union (Google Cloud Europe-West1)

Backup Storage: European Union

Processor Locations: Some service providers (like Stripe or Cloudflare) are based in or transfer data to:

United States

6.2 Adequate Protection Mechanisms

For transfers outside the EEA, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs):

EU Commission-approved SCCs (2021 updated version)
Legally binding data transfer agreements
Enforceable rights for data subjects

Additional Safeguards:

Technical measures (encryption, pseudonymization)
Organizational measures (access controls, policies)

6.3 US Data Transfers

Post-Schrems II Compliance:

Following the invalidation of Privacy Shield (Schrems II decision), we:

Use updated SCCs for all US transfers
Minimize data transfers where possible

Service Providers in USA:

Stripe, Inc. (payment processing) - SCCs + encryption
Cloudflare (CDN) - SCCs + limited data transfer

6.4 Your Rights Regarding International Transfers

You have the right to:

Request information about safeguards for your data transfers
Object to transfers lacking adequate protection
Request copy of SCCs we've implemented

Contact: For transfer-related inquiries: support@pactroom.com

7. Data Retention

7.1 Retention Principles

We retain personal data only as long as necessary for:

The purposes for which it was collected
Legal, regulatory, or contractual requirements
Establishing or defending legal claims
Legitimate business needs

Minimization: We regularly review and delete data no longer needed.

7.2 Retention Periods by Data Type

7.2.1 Account Data

Active Accounts:

Retained for duration of account existence
Updated as you modify your information

Closed Accounts:

Most data deleted within 90 days of closure
Some data retained longer per legal requirements (see below)

7.2.2 Transaction Data

Financial Records: 7 years from transaction date

Rationale: Tax law requirements (Romanian Fiscal Code, IRS regulations)
Data: Transaction amounts, parties, dates, invoices, receipts

Contract Documents: 5 years from contract completion

Rationale: Statute of limitations for contract claims
Data: Agreements, terms, signatures, milestones

Payment Data:

Tokenized payment methods: Until you remove them or account closes
Transaction history: 7 years (tax compliance)
Raw card data: NEVER stored by us (Stripe only)

7.2.3 Identity Verification Data

Verification Documents: 5 years after account closure

Rationale: AML/KYC regulatory requirements (EU 5th AML Directive)
Data: ID documents, verification results, screening records

Biometric Data: Deleted 1 year after successful verification unless fraud suspected

Exception: Retained longer if required for fraud investigation

7.2.4 Communications

Support Tickets: 3 years from resolution

Rationale: Customer service quality, dispute evidence

User Messages: Deleted 90 days after account closure

Active accounts: Retained until manually deleted by user
Dispute-related: Retained 5 years from dispute resolution

Marketing Communications: Until opt-out, then deleted within 30 days

7.2.5 Usage and Analytics Data

Detailed Logs: 12 months

Includes: Access logs, usage patterns, technical data

Aggregated Analytics: Indefinitely (anonymized)

No personal identifiers retained

Error Logs: 90 days (unless needed for security investigation)

7.2.6 Legal and Compliance

Legal Claims: Duration of legal proceedings + 6 years

Rationale: Statute of limitations, appeal periods

Regulatory Requirements: As mandated by applicable law

Tax records: 7 years (Romanian/EU/US requirements)
AML records: 5 years (EU AML Directive)
Employment records: 50 years (if applicable)

7.2.7 Backups

System Backups: Maximum 12 months

Data in backups may persist for up to 12 months after deletion
Backups are encrypted and access-controlled
Purged according to backup retention schedule

7.3 Data Deletion

Secure Deletion Methods:

Overwriting data multiple times
Cryptographic erasure (deleting encryption keys)
Physical destruction of decommissioned media
Permanent deletion from active systems within 30 days
Backup deletion within 12 months

Exceptions to Deletion:

Data we're legally required to retain
Data necessary for ongoing disputes or claims
Aggregated/anonymized data (no longer personal data)
Data in archived backups (deleted per backup schedule)

7.4 Right to Erasure

You can request deletion of your data (see Section 8.4) subject to:

Legal retention requirements
Ongoing disputes or legal claims
Contract performance obligations
Legitimate business needs (narrowly construed)

Response: We will process deletion requests within 30 days or explain why data must be retained.

8. Your Privacy Rights (GDPR Chapter III)

8.1 Right of Access (Article 15)

You have the right to:

Confirm whether we process your personal data
Obtain copy of your personal data
Receive information about processing purposes, categories, recipients, retention periods

How to Exercise:

Email support@pactroom.com with "Data Access Request"
Use "Download My Data" feature in account settings
Verify your identity (security measure)

Response Time: Within 30 days (may extend to 60 days if complex)

Format: Machine-readable format (JSON, CSV) or PDF report

Fee: First request free; excessive requests may incur reasonable administrative fee

8.2 Right to Rectification (Article 16)

You have the right to:

Correct inaccurate personal data
Complete incomplete personal data

How to Exercise:

Update information directly in account settings
Email support@pactroom.com for data you cannot edit yourself

Response Time: Corrections made within 30 days

Notification: We will notify third parties we shared data with (unless impossible or disproportionate effort)

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion when:

Data no longer necessary for original purpose
You withdraw consent (where consent was basis)
You object and no overriding legitimate grounds exist
Data processed unlawfully
Legal obligation requires deletion
Data collected from child without proper consent

How to Exercise:

Email support@pactroom.com with "Deletion Request"
Use "Delete Account" feature (deletes most data)

Exceptions - We May Refuse If Data Necessary For:

Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Public interest or official authority tasks
Archiving, research, or statistical purposes (with safeguards)

Response Time: 30 days to process or explain refusal

8.4 Right to Restriction of Processing (Article 18)

You have the right to restrict (but not delete) processing when:

You contest data accuracy (during verification period)
Processing is unlawful but you prefer restriction over deletion
We no longer need data but you need it for legal claims
You objected to processing (pending verification of override)

Effect: We will store but not further process restricted data (except with consent or for legal claims)

How to Exercise: Email support@pactroom.com with "Restriction Request"

Response Time: 30 days

8.5 Right to Data Portability (Article 20)

You have the right to:

Receive your personal data in structured, commonly used, machine-readable format
Transmit that data to another controller

Scope: Applies only to:

Data you provided to us
Processing based on consent or contract
Processing carried out by automated means

How to Exercise:

Use "Download My Data" feature
Email support@pactroom.com with "Portability Request"

Format: JSON, CSV, or XML (your choice)

Response Time: 30 days

8.6 Right to Object (Article 21)

8.6.1 General Right to Object

You have the right to object to processing based on:

Legitimate interests (Article 6(1)(f))
Public interest / official authority (Article 6(1)(e))

Effect: We must stop processing unless we demonstrate compelling legitimate grounds that override your interests.

How to Exercise: Email support@pactroom.com with "Objection to Processing"

8.6.2 Absolute Right to Object

You have the absolute right to object to:

Direct marketing at any time (we must stop immediately)
Profiling related to direct marketing

How to Exercise:

Click "Unsubscribe" in marketing emails
Adjust preferences in account settings
Email support@pactroom.com

Response: Immediate (marketing stops within 24-48 hours)

8.7 Rights Related to Automated Decision-Making (Article 22)

Right: Not to be subject to decisions based solely on automated processing producing legal or similarly significant effects.

Our Practices:

We do not make fully automated decisions with legal/significant effects
Fraud detection uses automation but with human review before account termination
Payment processing automated but no adverse decision without review
Content moderation automated but significant actions reviewed by humans

If We Implement Automated Decision-Making:

We will notify you
Obtain explicit consent (where required)
Provide meaningful information about logic involved
Allow you to request human intervention
Enable you to express your point of view
Allow you to contest the decision

8.8 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent:

You can withdraw consent at any time
Withdrawal is as easy as giving consent
Withdrawal does not affect prior processing
We will inform you of consequences before collection

How to Exercise:

Account settings toggles
Unsubscribe links
Email support@pactroom.com
Deny cookie consent via cookie banner

8.9 Right to Lodge Complaint (Article 77)

You have the right to file a complaint with a supervisory authority, particularly:

In your EU member state of residence
Your place of work
Place of alleged infringement

Romanian Supervisory Authority:

Name: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Website: https://www.dataprotection.ro
Email: anspdcp@dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, România

Other EU Authorities: List available at https://edpb.europa.eu/about-edpb/about-edpb/members_en

Our Commitment: We encourage you to contact us first so we can address your concerns directly.

8.10 Exercising Your Rights

Verification: We may request identity verification to prevent unauthorized disclosures.
No Discrimination: Exercising rights does not result in discriminatory treatment.
Free of Charge: First request free; excessive requests may incur reasonable administrative fee.
Response Times: Standard 30 days; Complex cases up to 60 days (with explanation); Urgent cases expedited where possible.
Refusals: If we refuse a request, we will explain why and inform you of your right to complain to supervisory authority.
Authorized Agents: You may designate an authorized agent to exercise rights on your behalf (requires verification).

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device when you visit websites. They enable websites to remember your actions and preferences.

Similar Technologies:

Local Storage: HTML5 storage in your browser
Session Storage: Temporary browser storage
Pixels/Beacons: Tiny images tracking email opens or page views
Device Fingerprinting: Identifying devices by configuration
SDKs: Mobile app tracking libraries

9.2 Types of Cookies We Use

9.2.1 Strictly Necessary Cookies (No Consent Required)

Essential for platform functionality:

Session cookies: Keep you logged in
Security cookies: Prevent CSRF attacks, detect anomalies
Load balancing: Route traffic efficiently
Authentication tokens: Verify your identity

Legal Basis: Legitimate interest (essential for service)

Duration: Session (deleted when browser closes) or up to 30 days

Cannot Be Disabled: These are required for platform operation

9.2.2 Functional Cookies (Consent Required in EU)

Enhance your experience:

Preference cookies: Remember your settings (language, currency, display options)
Feature cookies: Enable optional features
Remembering choices: Form data, search history

Legal Basis: Consent

Duration: Up to 12 months

Your Control: Can be disabled via cookie settings (may affect functionality)

9.2.3 Analytics Cookies (Consent Required)

Help us understand usage:

Google Analytics: Traffic analysis, user behavior (anonymized IP)
Product Analytics: Feature usage, conversion tracking
Error Tracking: Crash reports, bug detection
Performance Monitoring: Load times, API performance

Legal Basis: Consent

Duration: Up to 24 months

Your Control: Can opt out via:

Cookie settings on our site
Browser settings (Do Not Track)
Google Analytics Opt-out Browser Add-on
Privacy-focused browser extensions

9.2.4 Marketing Cookies (Consent Required)

For advertising and personalization:

Retargeting pixels: Show relevant ads on other sites
Conversion tracking: Measure ad campaign effectiveness
Social media pixels: Facebook, LinkedIn, Twitter tracking
Affiliate tracking: Credit referrals

Legal Basis: Consent

Duration: Up to 24 months

Your Control: Can opt out via:

Cookie settings on our site
Browser privacy settings
Industry opt-out tools (NAI, DAA)
Social media ad preferences

9.3 Third-Party Cookies

We may allow third parties to set cookies:

Payment Processor: Stripe (fraud prevention, payment processing)
Analytics: Google Analytics, Mixpanel
Support: Intercom, Zendesk (if embedded)
CDN: Cloudflare (performance)
Advertising: Google Ads, Facebook Pixel (with consent)

Important: Third-party cookies are governed by third parties' privacy policies, not this policy.

9.4 Cookie Consent Management

EU/EEA Users:

Cookie banner displayed on first visit
Granular consent options (essential, functional, analytics, marketing)
Easy withdrawal via cookie settings page
Consent recorded and stored per GDPR requirements

Non-EU Users:

Implied consent by continued use
Opt-out available via cookie settings

Your Choices:

Accept All: Enable all cookies
Reject Non-Essential: Only strictly necessary cookies
Customize: Select specific cookie categories
Change Anytime: Cookie settings link in footer

9.5 Managing Cookies

Browser Controls:

Chrome: Settings > Privacy > Cookies
Firefox: Options > Privacy > Cookies
Safari: Preferences > Privacy
Edge: Settings > Privacy > Cookies

Browser Settings Allow You To:

Block all cookies
Block third-party cookies only
Delete cookies after each session
View and delete existing cookies
Set exceptions for specific sites

Important: Blocking cookies may impair platform functionality.

9.6 Do Not Track (DNT)

We respect Do Not Track signals for:

Marketing cookies (disabled)
Analytics cookies (disabled or anonymized)

Not Affected by DNT:

Strictly necessary cookies
First-party functional cookies

Current Support: DNT is not a legal standard but we honor it as best practice.

9.7 Mobile App Tracking

Mobile Identifiers:

iOS: IDFA (Identifier for Advertisers) - requires consent per ATT framework
Android: AAID (Google Advertising ID) - can be reset or limited

Your Control:

iOS: Settings > Privacy > Tracking
Android: Settings > Google > Ads > Opt out of Ads Personalization

App Permissions:

We request only necessary permissions
You can revoke permissions in device settings
Analytics SDKs respect system-level privacy settings

10. Data Security

10.1 Security Commitment

We implement appropriate technical and organizational measures to protect personal data against:

Unauthorized access or disclosure
Accidental loss or destruction
Malicious attacks
Unlawful processing
Alteration or damage

Standard: We maintain security appropriate to the risk level and state of the art.

10.2 Technical Security Measures

Encryption:

Data in Transit: TLS 1.3 encryption for all data transfers
Data at Rest: AES-256 encryption for stored data
Database Encryption: Encrypted database fields for sensitive data
Backup Encryption: All backups encrypted

Access Controls:

Authentication: Strong password requirements, optional 2FA
Authorization: Role-based access control (RBAC)
Principle of Least Privilege: Employees access only necessary data
Session Management: Secure session tokens, automatic timeout

Network Security:

Firewall Protection: Multi-layer firewall architecture
DDoS Protection: Cloudflare DDoS mitigation
Intrusion Detection: Real-time monitoring and alerts
Penetration Testing: Regular security audits
Vulnerability Scanning: Automated and manual scans

Application Security:

Input Validation: Prevent injection attacks
Output Encoding: Prevent XSS attacks
CSRF Protection: Token-based CSRF prevention
SQL Injection Prevention: Parameterized queries
Dependency Management: Regular security updates
Code Reviews: Security-focused code review process

Infrastructure Security:

Google Cloud Platform: Enterprise-grade infrastructure security
Isolated Environments: Production, staging, development separation
Container Security: Hardened container images
Secrets Management: Encrypted key storage (Google Secret Manager)
Regular Backups: Automated encrypted backups

10.3 Organizational Security Measures

Employee Training:

Mandatory security awareness training
Regular privacy and data protection training
Phishing simulation exercises
Incident response training

Access Management:

Background checks for employees with data access
Confidentiality agreements for all staff
Immediate access revocation upon termination
Audit trails for data access

Vendor Management:

Due diligence on all service providers
Data Processing Agreements (DPAs) required
Regular vendor security assessments
Contractual security requirements

Policies and Procedures:

Information Security Policy
Data Breach Response Plan
Incident Management Procedures
Business Continuity Plan
Disaster Recovery Plan

10.4 Data Breach Response

Detection:

24/7 monitoring and alerting
Automated threat detection
Security information and event management (SIEM)

Response Plan:

Containment: Immediate action to stop breach
Assessment: Evaluate scope and impact
Notification: Notify affected parties and authorities
Remediation: Fix vulnerabilities and prevent recurrence
Documentation: Record all actions taken

GDPR Breach Notification:

To Supervisory Authority: Within 72 hours of becoming aware (Article 33)
To Affected Individuals: Without undue delay if high risk to rights (Article 34)
Content: Nature of breach, likely consequences, measures taken, contact information

Your Protection:

We will notify you promptly if your data is affected
We will advise on steps you can take to protect yourself
We will provide support and resources

10.5 User Responsibilities

You Are Responsible For:

Keeping your password confidential and secure
Using strong, unique passwords
Enabling two-factor authentication
Logging out of shared devices
Reporting suspicious activity immediately
Keeping your contact information current
Not sharing account credentials

We Are NOT Responsible For:

Breaches due to your credential sharing
Unauthorized access due to weak passwords
Phishing attacks targeting you directly
Device security on your end
Third-party service breaches (e.g., your email provider)

10.6 Limitations

No Absolute Security: Despite our measures, no system is 100% secure. We cannot guarantee absolute security.
User Risk: Using the Internet inherently involves risk of interception or misuse of data.
Third-Party Risk: We cannot control security of third-party services (Stripe, Google, etc.).
Your Acceptance: By using our Service, you acknowledge these limitations and assume inherent risks.

11. Children's Privacy

Age Restriction: Our Service is not intended for individuals under 18 years of age (or age of majority in their jurisdiction).

No Knowing Collection: We do not knowingly collect personal data from children under 18.

Parental Notice: If you are a parent or guardian and believe your child has provided us data:

Contact us immediately at support@pactroom.com
Provide proof of relationship and child's age
We will verify and delete the data promptly (within 30 days)

If We Discover: If we learn we have collected data from a child under 18:

We will delete it as soon as possible
We will terminate the account
We will not use or disclose the data

Verification: We implement age verification through:

Self-declaration at registration
Identity document verification (shows date of birth)
Behavioral signals and patterns

12. Additional Rights for Specific Jurisdictions

12.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know (Categories and Specific Pieces):

Categories of personal information collected
Categories of sources
Business purposes for collection
Categories of third parties we share with
Specific pieces of personal information we hold

Right to Delete: Request deletion of personal information (subject to exceptions)

Right to Correct: Request correction of inaccurate personal information

Right to Opt-Out: Opt out of "sale" or "sharing" of personal information

Note: We do not sell personal information for monetary consideration. If we engage in "sharing" for cross-context behavioral advertising, we will provide opt-out.

Right to Limit Use of Sensitive Personal Information: If we use sensitive PI for purposes beyond what's necessary

Note: We do not use sensitive PI beyond CCPA-permitted purposes

Right to Non-Discrimination: We will not discriminate for exercising CCPA rights

Authorized Agent: You may designate an authorized agent to exercise rights

How to Exercise:

Email support@pactroom.com
Call [PHONE_NUMBER] (toll-free)
Submit via our online form [URL]

Verification: We will verify your identity using information we already have

Response Time: 45 days (may extend to 90 days for complex requests)

Appeal: If we deny your request, you may appeal by contacting support@pactroom.com

California Shine the Light: You may request information about disclosure of personal information to third parties for direct marketing (once per year)

12.2 Virginia Residents (VCDPA)

Virginia residents have rights under the Virginia Consumer Data Protection Act:

Right to access personal data
Right to correct inaccuracies
Right to delete personal data
Right to obtain copy of personal data
Right to opt out of targeted advertising, sale, or profiling

How to Exercise: support@pactroom.com

Appeal Process: If we deny request, you may appeal within 30 days

12.3 Colorado Residents (CPA)

Similar rights as Virginia under Colorado Privacy Act, plus:

Right to opt out of profiling for decisions with legal or similarly significant effects

12.4 Connecticut, Utah, and Other US States

Similar privacy rights under state privacy laws. Contact support@pactroom.com for details.

12.5 Brazil Residents (LGPD)

If you are in Brazil, you have rights under Lei Geral de Proteção de Dados (LGPD):

Confirmation of processing
Access to data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion
Portability to another service provider
Information about sharing with third parties
Right to refuse processing based on consent
Right to revoke consent

Contact: support@pactroom.com or our LGPD representative

12.6 UK Residents (UK GDPR)

UK residents have rights under UK GDPR (essentially identical to EU GDPR):

All rights listed in Section 8
Right to complain to Information Commissioner's Office (ICO)

ICO Contact:

Website: https://ico.org.uk
Phone: 0303 123 1113

12.7 Other Jurisdictions

We comply with applicable data protection laws in all jurisdictions where we operate. Contact support@pactroom.com for jurisdiction-specific information.

13. Policy Updates and Changes

13.1 Right to Modify

We reserve the right to update this Privacy Policy at any time to reflect:

Changes in our data practices
New features or services
Legal or regulatory requirements
Industry best practices
User feedback

13.2 Material Changes

For material changes affecting how we use your personal data:

Email Notice: Sent to registered email 30 days before effective date
Platform Notice: Banner notification on login
Highlighted Changes: Summary of key changes provided

Material Changes Include:

New purposes for data processing
New categories of recipients
Changes to legal bases for processing
Significant changes to retention periods
Changes to international data transfers
Reduced user rights or protections

13.3 Non-Material Changes

For minor updates:

Updated "Last Updated" date at top of policy
Changes effective immediately upon posting
Examples: Clarifications, reorganization, updated contact info

13.4 Continued Use

Continued use after effective date of changes constitutes acceptance of updated policy.

If You Disagree: You may close your account before effective date.

13.5 Version History

Previous versions available at https://pactroom.com/privacy/archive or upon request.

14. Contact Information

14.1 General Privacy Inquiries

Email: support@pactroom.com
Mail: RitSea SRL, Constanța, Romania
Response Time: We aim to respond within 5 business days (GDPR requests within 30 days)

14.2 Data Protection Officer

Email: support@pactroom.com
Responsibilities: Overseeing data protection strategy and GDPR compliance, Handling data subject requests, Advising on data protection impact assessments, Cooperating with supervisory authorities, Acting as contact point for privacy concerns.

14.3 EU Representative

[IF REQUIRED UNDER GDPR ARTICLE 27 - TO BE COMPLETED]

Name: [EU_REPRESENTATIVE_NAME]
Address: [EU_REPRESENTATIVE_ADDRESS]
Email: [EU_REPRESENTATIVE_EMAIL]

14.4 Support and Questions

General Support: support@pactroom.com
Security Issues: support@pactroom.com
Legal Inquiries: legal@ritsea.com

15. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Controller: Entity determining purposes and means of processing (RitSea SRL).
Processor: Entity processing data on behalf of controller (our service providers).
Data Subject: Individual whose personal data is processed (you).
Consent: Freely given, specific, informed, and unambiguous indication of agreement.
Supervisory Authority: Independent public authority overseeing GDPR compliance.
Special Category Data: Sensitive personal data under GDPR Article 9 (race, health, biometrics, etc.).

16. Acknowledgment and Acceptance

By using our Service, you acknowledge that:

You have read and understood this Privacy Policy
You consent to collection, use, and disclosure as described
You understand your rights and how to exercise them
You accept the risks associated with Internet data transmission
You understand we process data in accordance with applicable law

Last Updated: January 8, 2026

Effective Date: January 8, 2026

Questions or Concerns? Contact support@pactroom.com

Exercise Your Rights: Email support@pactroom.com with your request

File a Complaint: Contact your local supervisory authority or Romanian ANSPDCP