GDPR Policy

Last updated: 29 September 2025

About us

TIRO-ALP Advertising S.R.L. (“we”, “us”, “our”) is the Data Controller for personal data processed through https://tiro-alp.com and related services.

Address: Str. Știrbei Vodă 154, Bl. 26A, Bucharest, Romania
Fiscal Code (CUI): 41754591 • Trade Registry: J40/13646/11.10.2019
Email: contact@tiro-alp.com

Data Protection Officer

Our company is not legally required to appoint a Data Protection Officer under Articles 37–39 of the GDPR. For any questions about data protection or this policy, please contact: contact@tiro-alp.com.

Categories of personal data we process

  • Contact data: name, email address, company (optional), phone number (optional), selected services, budget, timeline, message content, optional attachments and consent checkbox, when you submit a form via Contact Form 7. Submissions are emailed to us and stored in WordPress via Flamingo for lead management and backup.
  • Payment data: basic payment metadata (such as transaction ID, amount, currency, partial card details or payment method information) processed by Stripe Payments Europe Ltd. for online payments. We do not store full card numbers on our servers.
  • Technical and security logs: IP address, user agent, timestamps, requested URLs and related metadata generated by our servers to ensure availability, security, error diagnostics and abuse prevention.
  • Analytics data (only if you consent): anonymous or pseudonymous identifiers, pages visited, approximate location (based on IP), device/browser information, time on page and events, processed via Google Analytics 4 with IP anonymization enabled.
  • Communication data: email content and related metadata if you contact us directly via email or reply to our messages.
  • Cookie consent and preference data: your cookie choices (e.g. accept/deny categories), a consent ID, timestamp and related logs stored via the Complianz consent management plugin, to demonstrate that valid consent was obtained.

Purposes of processing

We process personal data for the following purposes:

  • To respond to your enquiries, provide quotes and deliver our services.
  • To manage client relationships and ongoing projects.
  • To operate, secure and improve our website and infrastructure (performance, diagnostics, abuse prevention).
  • To process online payments for our services via Stripe.
  • To comply with legal and accounting obligations (invoicing, bookkeeping, fraud prevention).
  • To perform analytics and improve user experience, only where you have consented to analytics cookies.
  • To record and demonstrate your cookie consent choices, as required by GDPR and ePrivacy rules.

Legal bases for processing

We rely on the following legal bases under Article 6 GDPR:

  • Contract – processing is necessary to take steps at your request prior to entering into a contract, or to perform a contract with you (e.g., responding to enquiries, providing quotes, delivering services).
  • Legitimate interests – to operate a secure and reliable website, protect our systems against abuse, defend our rights and interests, and improve our services.
  • Consent – for optional analytics (Google Analytics 4) and any marketing communications you explicitly opt into. You can withdraw your consent at any time.
  • Legal obligation – to comply with legal requirements such as tax, accounting and anti-fraud regulations, and to be able to demonstrate valid consent for non-essential cookies.

Processors and third-party services

We use trusted third-party service providers (“processors”) who process personal data on our behalf and only under our instructions, subject to appropriate contractual and security safeguards:

  • Hosting & infrastructure: ClausWeb and Contabo (servers located in the EU).
  • Forms & message storage: Contact Form 7 and Flamingo (WordPress plugins used to collect and store form submissions).
  • Email delivery: email services configured within our hosting environment to send and receive communications.
  • Online payments: Stripe Payments Europe Ltd., which processes payment data securely and may perform fraud checks.
  • Analytics: Google Analytics 4 by Google LLC, configured with IP anonymization and used only if you consent to analytics cookies.
  • Cookie consent management: Complianz, which provides the cookie banner and stores your consent status, consent ID and log entries to prove that consent was obtained in a compliant way.

All processors are required to implement appropriate technical and organizational measures to protect personal data and to process it in accordance with GDPR and our documented instructions.

International data transfers

Some of our processors, such as Stripe and Google, may transfer data outside the European Economic Area (EEA), in particular to the United States. Where such transfers occur, they are based on appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under GDPR.

We do not intentionally conduct any other international transfers of personal data. If our practices change, we will update this policy accordingly.

Data retention

We retain personal data only for as long as necessary for the purposes described above or as required by law:

  • Contact form submissions (stored via Flamingo): typically up to 24 months, or longer where needed for ongoing projects or legal reasons.
  • Contractual and accounting records: retained as required by law, usually between 5–10 years.
  • Technical and security logs: typically up to 12 months, unless longer retention is needed for security investigations.
  • Analytics data: up to 24 months, and only if you have consented to analytics cookies.
  • Cookie consent logs (Complianz): retained for as long as necessary to demonstrate valid consent, typically aligned with the lifetime of the relevant cookies and legal requirements.
  • Payment-related records via Stripe: retained in line with Stripe’s legal and regulatory obligations.

When data is no longer needed, it is deleted or anonymised in a secure manner.

Your rights under GDPR

As a data subject, you have the following rights, subject to applicable law:

  • Right of access – to obtain confirmation whether we process your personal data and receive a copy of such data.
  • Right to rectification – to have inaccurate or incomplete personal data corrected.
  • Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
  • Right to restriction – to request restriction of processing in specific cases (e.g., while a complaint is being investigated).
  • Right to data portability – to receive personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller where technically feasible.
  • Right to object – to object, on grounds relating to your particular situation, to processing based on legitimate interests, including profiling related to such interests.
  • Right to withdraw consent – where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at contact@tiro-alp.com. We may need to verify your identity before responding to your request. We aim to respond within 30 calendar days, in accordance with Article 12(3) GDPR.

Automated decision-making and profiling

We do not carry out automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

Security measures

We apply appropriate technical and organizational measures to protect the confidentiality, integrity and availability of personal data, including but not limited to: HTTPS encryption, secure hosting environments, access controls, strong authentication practices, regular software updates, backup procedures and server-side logging and monitoring.

Complaints and supervisory authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In Romania, this is the:

National Supervisory Authority for Personal Data Processing (ANSPDCP)
Website: https://www.dataprotection.ro/

Changes to this GDPR Policy

We may update this GDPR Policy from time to time to reflect changes in our processing activities or legal requirements. The latest version and effective date will always be shown at the top of this page.

Contact

For any questions about this GDPR Policy or our data protection practices, please contact:
contact@tiro-alp.com

TIRO-ALP Demo Bot
Demo only · English