Privacy Policy
Last updated: March 25, 2026
This Privacy Policy describes how TIMIS RAZVAN VASILE PERSOANA FIZICA AUTORIZATA, CUI 53126043, trade register no. F2025051481008, with registered office at Strada Dionisie Roman, Nr. 3, Bl. A.1.1, Sc. 1, Et. 3, Ap. 26, Cluj-Napoca, Cluj County, Romania ("Provider", "we") collects, uses and protects your personal data when you use the PFA by Timis platform ("Service").
1. Data Controller
The data controller is:
TIMIS RAZVAN VASILE PERSOANA FIZICA AUTORIZATA
CUI: 53126043
Trade register no.: F2025051481008
Registered office: Strada Dionisie Roman, Nr. 3, Bl. A.1.1, Sc. 1, Et. 3, Ap. 26, Cluj-Napoca, Cluj County, Romania
Email: pfa@timis.dev
2. Data We Collect
2.1. Data provided directly by you
- Identification data: email address, name (if provided via Google/GitHub login)
- PFA data: CUI, PFA name, registered address, CAEN code, bank account (IBAN)
- Financial data: issued invoices (including client data), expenses, bank transactions, bank statements
- e-Factura data: data transmitted to/from ANAF through the SPV system
2.2. Data collected automatically
- Technical data: IP address, browser type, date and time of access
- Authentication data: authentication sessions, authentication method used
- Consent data: PFA account that accepted, email of the person who accepted, date of the Terms accepted, IP address and date of acceptance
- Usage analytics data: page views, device type, browser type, operating system, country/region (derived from the IP address; the IP address is not stored). Analytics data is stored in the EU (Frankfurt) by our analytics provider PostHog.
- Session recordings: To improve the user experience, we collect recordings of usage sessions exclusively on public pages (landing page, login, terms, contact). Recordings include interface interactions (clicks, scrolls, page navigation). All form inputs are automatically masked. Session recordings are not associated with user accounts and are stored in the EU (Frankfurt) by PostHog.
2.3. Cookies
We use only strictly necessary functional cookies for authentication, account preferences and CSRF protection. These cookies do not require consent pursuant to art. 4(5) of Law 506/2004, as they are essential for providing the Service requested by the User. We do not use third-party tracking or advertising cookies. Anonymous usage analytics are collected without cookies (see Section 2.2).
2.4. Data we do NOT collect
- We do not collect biometric data
- We do not collect location data
3. Purposes and Legal Bases for Processing
| Purpose | Legal basis (GDPR) | Data involved |
|---|---|---|
| Providing the Service (account, invoicing, expenses, journal) | Art. 6.1.b — contract performance | Identification data, PFA data, financial data |
| e-Factura transmission to ANAF | Art. 6.1.b — contract performance (at User's request) | Invoice data |
| Account security and fraud prevention | Art. 6.1.f — legitimate interest | Technical data, authentication data |
| Service communications (notifications, maintenance) | Art. 6.1.b — contract performance | |
| Artificial intelligence processing (assisting the User) | Art. 6.1.b — contract performance | Data required for AI features |
| Consent records (T&C, Privacy Policy) | Art. 6.1.c — legal obligation (GDPR art. 7.1) | Consent data |
| Service improvement (usage analytics and session recordings) | Art. 6.1.f — legitimate interest | Usage data (page views, device type, country), session recordings on public pages (interface interactions, with form inputs masked) |
4. Data Sharing
4.1. Sub-processors
We use the following sub-processors to provide the Service:
| Sub-processor | Service | Location | Data processed |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure and hosting | Germany (EU) | All application data |
| Mailgun (Sinch) | Email services | EU | Email addresses, email content |
| Anthropic PBC | Artificial intelligence services | USA* | Data required for AI features |
| ANAF | e-Factura (SPV) | Romania | Invoice data |
| PostHog Inc. | Product analytics and session recordings | EU (Frankfurt) | Usage data (page views, device type, country), session recordings on public pages (with form inputs masked) |
| Google LLC | Document storage (Google Drive)** | USA* | Invoices and documents (at User's request) |
*USA transfers: protected by Standard Contractual Clauses (SCC) per art. 46 GDPR. Per the AI provider's terms, data transmitted via API is not used for training models.
**Google Drive: optional integration, activated exclusively by the User. Data is transmitted only if the User configures Google Drive synchronization.
4.2. We do not sell data
We do not sell, rent or share your personal data with third parties for marketing or advertising purposes.
4.3. Legal disclosure
We may disclose data if required by law or court order.
5. International Data Transfers
5.1. Data is primarily stored and processed in the European Union (Germany — Hetzner).
5.2. For artificial intelligence features, required data is transmitted to Anthropic PBC (USA). For Google Drive synchronization (optional integration), documents are transmitted to Google LLC (USA). These transfers are protected by Standard Contractual Clauses (SCC) per art. 46 GDPR.
5.3. We do not transfer data to countries that do not provide an adequate level of protection without appropriate safeguards.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of the account |
| Financial data (invoices, expenses, journal) | Duration of the account |
| Bank statements and transactions | Duration of the account |
| Technical data (IP, browser type) | 12 months |
| Consent data | Duration of account + 5 years after closure (legal proof) |
| Sent emails | 12 months |
| Analytics data and session recordings | 24 months |
Upon account closure, the User has 30 days to export their data. Export is available in CSV format (for tabular data: invoices, expenses, journal register, clients) and PDF format (for individual invoices and journal register). After the 30-day period expires, all data will be permanently deleted, except consent data (retained 5 years after closure as legal proof per GDPR art. 7.1). The User is responsible for exporting and archiving their data in accordance with legal obligations before the 30-day period expires.
7. Your Rights
Under GDPR, you have the following rights:
- Right of access (art. 15) — you may request a copy of your data
- Right to rectification (art. 16) — you may correct inaccurate data
- Right to erasure (art. 17) — you may request deletion of your data (except data required by legal obligations)
- Right to restriction of processing (art. 18)
- Right to data portability (art. 20) — you may export your data in a structured format
- Right to object (art. 21) — you may object to processing based on legitimate interest
How to exercise your rights
Send a request to pfa@timis.dev. We will respond within 30 days.
Right to lodge a complaint
If you believe that data processing violates GDPR, you have the right to file a complaint with:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Secure connection for all communications
- Secure storage with restricted access
- Passwordless authentication (email link or Google/GitHub login)
- Role-based access control
- Automatic backups
- Access monitoring and logging
In case of a personal data security breach, the Provider will notify the competent supervisory authority (ANSPDCP) within 72 hours of becoming aware, in accordance with art. 33 GDPR. If the breach poses a high risk to the rights of data subjects, the Provider will also notify affected Users without undue delay, in accordance with art. 34 GDPR.
9. Automated Processing and Automated Decisions
9.1. The Service uses artificial intelligence (Anthropic PBC) to assist the User with features such as document processing, suggestions and classifications. Per the AI provider's terms, data transmitted via API is not used for training AI models.
9.2. The Service does not make automated decisions with legal or significant effects on the User, within the meaning of art. 22 GDPR. All AI processing results are presented as suggestions, and the final decision always belongs to the User.
10. Minors
The Service is not intended for persons under 18 years of age. We do not intentionally collect data from minors.
11. Policy Changes
11.1. We reserve the right to modify this Privacy Policy.
11.2. Users will be notified of changes at least 30 days before they take effect.
11.3. The current version will always be available at https://pfa.timis.dev/privacy.
12. Contact
For any questions or requests regarding your personal data:
Email: pfa@timis.dev — We respond within 5 business days.
Controller: TIMIS RAZVAN VASILE PERSOANA FIZICA AUTORIZATA, CUI 53126043, trade register no. F2025051481008, Strada Dionisie Roman, Nr. 3, Bl. A.1.1, Sc. 1, Et. 3, Ap. 26, Cluj-Napoca, Cluj County, Romania