MEDIA DESIGN Studio Laborator Colaborari Contact
Acceseaza programul ANTREPRENOR START pentru avantaje comerciale exclusive.
Ai nevoie de suport? Suna: +40 744 933 131

Media Design Legal

Privacy Policy

How we collect, use, share, and protect your personal data.

1. Data controller

The controller of personal data collected through the MediaDesign.ro website is:

MEDIA DESIGN S.R.L.
VAT id: RO22252840
Trade Register no.: J31/624/2007
Registered office: Str. Lt. Col. Pretorian Nr. 3, Bl. N116, Sc. A, Ap. 7, Zalău, Sălaj county, postal code 450131, Romania
Email: contact@mediadesignro.ro
Phone: +40 744 933 131

2. Data Protection Officer contact

For any question regarding the processing of your personal data, you can contact us at contact@mediadesignro.ro or through the dedicated DPO page.

3. What data we collect

Depending on how you interact with the website, we may collect the following categories of data:

3.1 Identification and contact data

  • first + last name (contact form, client portal);
  • email address (contact form, newsletter, client portal);
  • phone number (contact form, optional);
  • company name + job title (B2B form, service offer).

3.2 Site interaction data

  • IP address (automatically recorded by the server, partially anonymized);
  • user agent + browser (server logs);
  • pages visited + duration (Google Analytics 4, with consent);
  • traffic source + UTM (with consent);
  • cookies and similar technologies (see the Cookie Policy).

3.3 Content data voluntarily submitted

  • messages written in contact forms, tickets, comments;
  • files uploaded to the client portal (graphics, briefs);
  • information about your projects (requirements, budget, target).

3.4 Account data

  • username, hashed password (bcrypt);
  • communication preferences (newsletter opt-in / opt-out);
  • portal activity history (audit log).

4. Legal basis for processing

We process your data on the following legal bases under GDPR Art. 6:

  • Consent (Art. 6(1)(a)) — for non-essential cookies, newsletter, marketing communications.
  • Performance of a contract (Art. 6(1)(b)) — for contracted services (web design, SEO, marketing, hosting), management of the client account.
  • Legal obligation (Art. 6(1)(c)) — for invoice issuance (Romanian Tax Code), ANAF reporting, retention of accounting documents for 10 years.
  • Legitimate interest (Art. 6(1)(f)) — for site security (server logs), fraud prevention, anonymous traffic analysis.

5. Processing purposes

  • providing requested services (design, development, SEO, marketing);
  • responding to questions and offer requests;
  • managing the client account and portal;
  • invoicing and collection;
  • compliance with fiscal and legal obligations;
  • improving the site and services (anonymous analytics);
  • direct marketing with consent (newsletter, offers);
  • security and fraud prevention.

6. Data recipients

We may share your data with the following categories of recipients, each as a subprocessor with a signed DPA under GDPR Art. 28:

6.1 Technical subprocessors

  • Hosting: Cloudflare Inc. (CDN + DNS + WAF) — EU + US servers;
  • Transactional email: internal SMTP provider + Postmark/Mailgun (system notifications);
  • Backup: encrypted storage on own servers + cloud backup.

6.2 Marketing subprocessors (with consent)

  • Google Analytics 4 (Google Ireland Limited) — anonymized traffic analysis;
  • Google Ads (Google Ireland Limited) — ad conversions;
  • Meta Ads (Meta Ireland Limited) — Facebook + Instagram conversions;
  • LinkedIn Ads (LinkedIn Ireland) — B2B conversions;
  • HubSpot CRM Free (HubSpot Ireland) — B2B lead management.

6.3 Operational subprocessors

  • Smartbill (Intelligent IT SRL) — electronic invoicing, ANAF e-Factura;
  • Stripe / Netopia (upon activation) — payment processing;
  • PFA / SRL collaborators (designers, copywriters) — with DPA + public list (see Subprocessors page in Phase 2).

6.4 Authorities and institutions

We may disclose data at the request of competent authorities (ANAF, ANSPDCP, courts) within the limits of legal obligations.

7. International transfers

Some of our subprocessors (Google, Meta, LinkedIn) are established or have servers outside the European Economic Area (EEA), including in the USA. Transfers are protected by:

  • Standard Contractual Clauses approved by EU Commission Decision 2021/914;
  • EU-US Data Privacy Framework — for providers certified under the new post-Schrems II framework;
  • Transfer Impact Assessment per EDPB Recommendation 01/2020.

8. Retention period

We retain your data for the minimum duration necessary for the purposes for which they were collected:

  • Client account data: for the duration of the contractual relationship + 3 years after closure (general prescription period);
  • Invoicing data: 10 years (Romanian Tax Code Art. 53);
  • Contact data (forms): 2 years from the last interaction;
  • Marketing data (newsletter): until consent is withdrawn;
  • Server logs: 90 days;
  • Analytics / marketing cookies: max. 13 months (CNIL recommendation).

9. Your rights

As a data subject under GDPR, you have the following rights:

  • Access (Art. 15) — to receive a copy of the data we hold about you;
  • Rectification (Art. 16) — to correct inaccurate or incomplete data;
  • Erasure / "right to be forgotten" (Art. 17) — with the exceptions provided by law;
  • Restriction (Art. 18) — suspension of processing in certain situations;
  • Portability (Art. 20) — to receive data in a structured, machine-readable format;
  • Objection (Art. 21) — to object to processing based on legitimate interest or direct marketing;
  • Automated decisions (Art. 22) — not to be subject to a decision based solely on automated processing with legal effects; we do not use such decisions.

To exercise these rights, use the dedicated form. Additional details on the Data Subject Rights (GDPR) page.

9.1 Identity verification when exercising your rights (Art. 12(6) GDPR + EDPB 9/2022)

Under GDPR Art. 12(6) and EDPB Guidelines 9/2022 § 5.1, the identity-verification burden must be proportional to the sensitivity of the data requested. For every routine request against the categories of data we process (email, name, phone, analytics logs, invoices), identity is established via the signed-URL email confirmation (a one-time link with 72-hour expiry sent to the address provided in the request). We will NOT ask you for a government ID in those cases; demanding more identification than necessary would itself breach the data-minimisation principle (Art. 5(1)(c) GDPR).

Additional ID-document verification is reserved strictly for:

  • requests touching Art. 9 special categories — we do not currently process such data;
  • cases with fraud signals (e.g. mismatched country / IP / pattern, the email address appears in a known breach corpus);
  • an explicit administrator escalation, documented in writing and communicated to the requester with the reason for the escalation.

Whenever the verification level changes, we will communicate that transparently in the response and offer the law-permitted alternatives.

10. Automated decisions and profiling

We do not use decisions based solely on automated processing that produce legal effects on you. Google Analytics 4 traffic analysis is aggregated and anonymized; it does not individually profile users.

11. Data security

Under GDPR Art. 32, we implement appropriate technical and organizational measures to protect data:

  • HTTPS / TLS 1.3 encryption on all pages;
  • bcrypt-hashed passwords;
  • encrypted backups;
  • access restricted on a need-to-know basis + two-factor authentication for admins;
  • audit log for sensitive operations;
  • Web Application Firewall (Cloudflare WAF);
  • internal policies for handling personal data by collaborators.

12. Breach notification (Art. 33-34)

In case of a personal data breach with impact on you, we will notify you without undue delay (within technical limits) and report to ANSPDCP within 72 hours, per GDPR Art. 33-34.

13. Supervisory authority

If you believe the processing of your data violates GDPR, you have the right to file a complaint with:

Romanian Data Protection Supervisory Authority (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, postal code 010336, Romania
Phone: +40 318 059 211 / +40 318 059 212
Email: anspdcp@dataprotection.ro
Web: www.dataprotection.ro

14. Policy changes

This Privacy Policy may be modified whenever the way we process data or the applicable legal framework changes. The updated version is published on this page with the date of the latest update. If the change is significant, we will display a notification banner on the site on your first access after publication.

15. Contact

  • Email: contact@mediadesignro.ro
  • Phone: +40 744 933 131
  • Postal mail: Str. Lt. Col. Pretorian Nr. 3, Bl. N116, Sc. A, Ap. 7, Zalău, Sălaj county, postal code 450131, Romania

Last updated: 1 June 2026.

Newsletter

By submitting this form your data is processed by Media Design SRL to send you our occasional newsletter + share relevant updates, on the basis of GDPR Article 6(1)(a) + Article 12 Law 506/2004 -- explicit consent, for a period of until you unsubscribe (one click in any email). Your GDPR rights + full details in our Privacy Policy.

*

Aboneaza-te la newsletter-ul nostru si fii la curent cu cele mai recente tendinte in design digital.

"Sunt aici sa preiau greutatea organizarii de pe umerii tai. Rolul meu este sa armonizez munca tuturor acestor specialisti pentru ca proiectul tau sa fie livrat la timp si la standardele promise. Iti ofer garantia unei comunicari transparente si a unui parteneriat in care nu exista surprize neplacute."
Radu Project Manager