CHIMTITAN

Privacy Policy

Last updated: 2026-05-24

1. Who we are

The data controller is Chimtitan S.R.L., a Romanian legal entity registered at B-dul Basarabia, Nr. 248A, Bucuresti, Sector 3, 030352, Romania.

2. What we collect and why

The Site is a B2B catalog. There is no online ordering, no payment processing, no user registration, no newsletter and no recruitment flow. The only personal-data flows are described below.

2.1 Contact form

When you submit our contact form we collect name, email address, optional phone number, and the content of your message. We use it solely to respond to your enquiry and, where relevant, to continue a pre-contractual commercial relationship. Legal basis: GDPR Art. 6(1)(b) — pre-contractual measures at the request of the data subject — and 6(1)(f) — legitimate interest in communicating with B2B prospects.

2.2 Cookies and analytics

The Site uses strictly necessary cookies and the following anonymized analytics services:

  • Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) — aggregate traffic, pages visited, traffic sources. IP addresses are anonymized by Google before storage.
  • Microsoft Clarity (Microsoft Corp., One Microsoft Way, Redmond, WA 98052, USA) — anonymized interactions (clicks, scroll, JavaScript errors, problem sessions). Clarity does not record input field contents and automatically masks PII shown on screen.

On the first visit we show a banner where you can refuse analytics cookies. Continued browsing or clicking "I understand" is consent within the meaning of GDPR Art. 4(11) read together with Art. 4(5) of Romanian Law 506/2004 on electronic communications. Clicking "Refuse" disables GA4 and Clarity from the next page load and stores the choice in localStorage.

3. Recipients of the data

The data is processed by Chimtitan S.R.L. as controller and the following processors (GDPR Art. 28):

  • Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) — hosts the web application and stores server technical logs.
  • Google Ireland Limited — operates Google Analytics 4 (aggregated, IP-anonymized telemetry).
  • Microsoft Corporation — operates Microsoft Clarity (anonymized sessions).
  • Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA) — delivers contact-form messages to our email inbox.

Vercel, Google (US), Microsoft (US) and Resend may process data outside the EEA. Transfers are covered by the European Commission's Standard Contractual Clauses (Decision 2021/914) and, for Google and Microsoft, by the EU-US Data Privacy Framework certification (adequacy Decision 2023/1795).

4. Retention

  • Contact form messages: up to 3 years from last interaction, to continue the commercial relationship and to enforce any potential right within the general limitation period (Art. 2517 Romanian Civil Code).
  • Google Analytics 4 cookies: maximum 14 months (configured to the minimum retention offered by GA4).
  • Microsoft Clarity cookies: approximately 1 year, per the service default.
  • Server technical logs: up to 90 days.
  • Banner consent choice: stored in your device's localStorage until you clear it.

5. Your rights

Under GDPR and Romanian Law 190/2018 you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and to withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of prior processing.

To exercise these rights, email vanzari@chimtitan.ro with the subject "GDPR Request". We will respond within 30 days (GDPR Art. 12(3)), with a possible 60-day extension for complex matters.

You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Bucharest, 010336, phone +40 318 059 211, dataprotection.ro.

6. How to opt out of analytics cookies

  • Click "Refuse" on the consent banner shown on your first visit.
  • Clear cookies and localStorage in your browser's privacy / history settings and reload the page — the banner will reappear.
  • Install Google's official opt-out add-on: tools.google.com/dlpage/gaoptout.

7. Security

We apply reasonable technical and organizational measures: HTTPS in transit, restricted database access, audit logging of administrative actions, and internal training. If a high-risk personal data breach occurs we will notify ANSPDCP within 72 hours (GDPR Art. 33) and affected data subjects without undue delay.

8. Changes

We may update this policy as our processes or legal requirements evolve. The current version is always published on this page with the revision date. Material changes will be announced at least 30 days in advance, by display on the home page.