Privacy Policy
This Privacy Policy explains how STRAVIAZ IMPACT S.R.L. ("we", "us", "our"), trading as GetCompliant, processes personal data when you visit getcompliant.website (the "Service"). We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and applicable Romanian national privacy law.
1. Data Controller
The controller of personal data processed through the Service is:
Strada Horia Cloșca și Crișan nr. 15, Pitești, Argeș, Romania
Trade Register: J2026022788001
Tax Identification Number (CUI): 54429410
Contact for privacy matters: hello@getcompliant.website
2. Personal Data We Process
2.1 Scan Submissions
When you submit a URL through the scan form on the Service, we record the URL itself, the IP address from which the submission was made, the User-Agent string of your browser, and the submission timestamp. The URL is processed to produce a compliance scan report; the IP address and User-Agent are processed for abuse prevention and rate limiting.
2.2 Language and Country Inference
To deliver the Service in your preferred language, we read the CF-IPCountry HTTP header provided by Cloudflare and the Accept-Language header sent by your browser. We do not store precise geolocation data.
2.3 Communications
If you contact us by email or through any web form, we process the information you provide, including your email address and the content of your message.
2.4 Purchases
If you purchase a Report, payment processing is performed by Stripe, Inc. (see Section 5). We receive a transaction reference, your billing email, and the amount paid. We do not store full payment card details.
2.5 Cookies
We set a small number of strictly necessary cookies. See our Cookies Policy for details.
3. Purposes of Processing and Legal Bases
We process your personal data for the following purposes, under the corresponding GDPR legal bases:
| Purpose | Legal basis (GDPR Article) |
|---|---|
| Delivering the requested scan and Report | Performance of a contract (Art. 6(1)(b)) |
| Detecting and preventing abuse of the Service | Legitimate interests (Art. 6(1)(f)) |
| Responding to your communications | Performance of a contract or legitimate interests (Art. 6(1)(b) or (f)) |
| Issuing invoices and fulfilling accounting obligations | Legal obligation (Art. 6(1)(c)) |
| Improving the Service through anonymised analysis | Legitimate interests (Art. 6(1)(f)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override your fundamental rights. You may object to such processing at any time by contacting us at hello@getcompliant.website.
4. Retention
| Category | Retention period |
|---|---|
| Scan results and associated metadata | 24 months from the scan date |
| Transaction records and invoices | 10 years (Romanian fiscal law) |
| Email correspondence | 36 months |
| Server access logs | 30 days |
| Marketing contact data (after objection) | Deleted within 30 days of request |
5. Recipients of the Data and Sub-processors
We share personal data only with the following recipients: sub-processors that provide infrastructure or operational services strictly necessary for delivery of the Service. Current sub-processors:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Cloudflare, Inc. | DNS resolution, edge caching, DDoS protection | Global edge, EU data centres prioritised |
| Resend Inc. | Transactional email delivery | European Union and United States |
| Stripe Payments Europe, Ltd. | Payment processing | European Union and United States |
Each sub-processor is bound by a Data Processing Agreement consistent with Articles 28 and 46 of the GDPR. We do not sell, rent, or otherwise disclose personal data to third parties for their own marketing purposes.
6. International Transfers
Where personal data is transferred outside the European Economic Area (for example, to Stripe or Resend infrastructure in the United States), we rely on the European Commission's Standard Contractual Clauses adopted under Decision (EU) 2021/914. Where the recipient is certified under the EU-U.S. Data Privacy Framework, we additionally rely on the adequacy decision issued by the European Commission on 10 July 2023 (C(2023) 4745). Supplementary technical and organisational measures are applied where required following the assessment described in the Schrems II judgment (Case C-311/18).
7. Your Rights
Under the GDPR, you have the right to access your personal data, the right to rectify it, the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing, and the right to withdraw consent at any time where consent is the legal basis. In detail:
- Right to access the personal data we process about you (Art. 15)
- Right to rectify inaccurate or incomplete personal data (Art. 16)
- Right to erasure of your personal data (Art. 17, "right to be forgotten")
- Right to restrict processing under certain conditions (Art. 18)
- Right to data portability in a structured, commonly used format (Art. 20)
- Right to object to processing based on legitimate interests or for direct marketing (Art. 21)
- Right to withdraw consent at any time, where consent is the legal basis, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3))
- Right not to be subject to a decision based solely on automated processing that produces legal effects (Art. 22). See Section 9.
To exercise any of these rights, contact us at hello@getcompliant.website. We respond within thirty (30) days of receipt of a valid request. We may ask you for additional information to verify your identity before disclosing personal data.
If you believe our processing infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The Romanian supervisory authority is:
B-dul G-ral. Gheorghe Magheru 28-30, sector 1, București, Romania
www.dataprotection.ro
8. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including transport-layer encryption (TLS 1.2 or higher), least-privilege access controls, encryption of data at rest where supported by the underlying infrastructure, and regular review of security controls.
9. Automated Decision-Making
The Service produces an automated technical score for the submitted URL based on the presence or absence of specific compliance signals. This score is a technical assessment of the website itself, not of any individual, and does not by itself produce legal effects or significantly affect any natural person within the meaning of Article 22(1) of the GDPR. If you nonetheless consider that the assessment has affected you, you may contact us at hello@getcompliant.website for human review.
10. Children
The Service is intended for business and professional use. It is not directed at individuals under the age of sixteen (16) and we do not knowingly process personal data of children. If you believe a child has provided us with personal data, contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective" date at the top of this Policy indicates when the current version was published. Where changes are material, we will provide reasonable advance notice by email or by a prominent notice on the Service.
12. Contact
For any privacy-related question or to exercise any of the rights described above, write to:
hello@getcompliant.website
Strada Horia Cloșca și Crișan nr. 15, Pitești, Argeș, Romania