
Privacy policy

How we process personal data

Version 1.0 · Updated May 5, 2026

On this page

  • 01 Data controller
  • 02 Two data regimes
  • 03 Legal basis
  • 04 Data we collect
  • 05 Sub-processors
  • 06 International transfers
  • 07 Retention
  • 08 Your rights
  • 09 Security
  • 10 Breach notification
  • 11 Cookies
  • 12 Changes to this policy
  • 13 Contact

This policy explains what data we process, why, who we share it with, and what rights you have. Written in plain language, no jargon.

The Romanian-language version is the legally binding version. This English translation is provided for convenience.

Applicable framework. We process your data under Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector. The competent supervisory authority is ANSPDCP (the Romanian National Supervisory Authority for Personal Data Processing) — see §8 for the complaint procedure.

1. Data controller

The controller of personal data for procese.online is Parma Digital SRL:

  • VAT: RO42128910
  • Office: Romania
  • Contact: [email protected]

Bookarest Digital SRL acts as a data processor for hosting, transport, and messaging, under contract. Bookarest does not use your data for its own purposes and does not disclose it beyond the sub-processors listed in §5.

2. Two data regimes

procese.online processes two distinct categories of data with different legal bases. We treat them separately in this policy.

2.1. Public court data (source: portal.just.ro)

This is data published by the Ministry of Justice on portal.just.ro: case numbers, courts, panels, hearing dates, parties, rulings. This data is public by law — see §3 — and does not belong to you as a user. We index it and serve it to you only if you actively subscribe to a specific case.

2.2. Your user data

This is data you provide or that we generate to operate your account: email, push device tokens, monitored cases, payments. This belongs to you and is fully protected under GDPR and Romanian law.

3. Legal basis for processing

3.1. For data from portal.just.ro

The legal basis is layered:

  • GDPR art. 6(1)(e) — processing is necessary for the performance of a task carried out in the public interest (informing citizens about the activity of courts);
  • GDPR art. 10 — for data on criminal convictions, processing is authorized by Member State law providing appropriate safeguards, namely:
    • Constitution of Romania, art. 127 — public hearings;
    • Law 304/2004 on judicial organization;
    • Law 544/2001 on free access to information of public interest, art. 2 (express classification of court activity as public-interest information).
  • GDPR Recitals 50 and 73 — further processing for public-interest tasks is permitted without a new specific legal basis.

This position aligns with the case law of the Court of Justice of the European Union in C-398/15 Manni, which confirms that data published in public registers for legal certainty cannot automatically be erased on "right to be forgotten" grounds — public interest takes priority, subject to a case-by-case balancing test.

3.2. For your user data

The basis depends on the purpose:

  • GDPR art. 6(1)(b) contract performance — for sign-in, account management, notification delivery, billing;
  • GDPR art. 6(1)(c) legal obligation — for retaining invoices and financial records under Romanian law;
  • GDPR art. 6(1)(f) legitimate interest — for infrastructure security, abuse prevention, and bug remediation.

We don't use consent as the primary basis for service operation. The only exceptions: push notifications (granted explicitly at install time via the OS) and any product newsletter (explicit opt-in).

4. Data we collect

4.1. About you

For each category of data we name the lawful basis from §3.2 — so you can see clearly why we collect it.

  • Email — for magic-link sign-in and communication. Basis: GDPR art. 6(1)(b) contract performance.
  • Push tokens (APNS for iOS, FCM for Android) — to deliver notifications to your device. Basis: GDPR art. 6(1)(b) contract performance; OS-level consent at install time (Law 506/2004 art. 4 for electronic communications).
  • UI language and quiet hours — preferences stored at account level. Basis: GDPR art. 6(1)(b) contract performance.
  • Monitored cases — the list of cases you watch and when you added them. Basis: GDPR art. 6(1)(b) contract performance.
  • Payment data — Pro payment history (date, amount, status). Your card data never reaches us — it's processed exclusively by Revolut Business. Basis: GDPR art. 6(1)(b) contract performance; art. 6(1)(c) legal obligation for invoice retention.
  • Technical logs — IP, user-agent, response times, retained for at most 30 days for debugging and abuse prevention. Basis: GDPR art. 6(1)(f) legitimate interest.

4.2. About public cases

  • case numbers, court name, department, category, subject, stage;
  • parties (names), procedural role;
  • hearing dates, room, panel, published rulings;
  • everything portal.just.ro publishes about that case.

Party names are shown only to users who have explicitly subscribed to that case. On the public calendar pages we display only court, time, room, case number, and subject — never party names. This is a voluntary restriction, stricter than the source portal.just.ro itself, in the spirit of data minimization.

4.3. What we DO NOT collect

  • passwords (we use magic-link / OAuth);
  • card or bank account data;
  • social profile data beyond the email used at sign-in;
  • tracking cookies for advertising (see §11);
  • GPS location data;
  • your contacts, photos, microphone — nothing outside the procese.online context.

5. Sub-processors

To run the service we use the following sub-processors. All have contracts including GDPR clauses and, where applicable, Standard Contractual Clauses for international transfers (see §6).

  • Bookarest Digital SRL (Romania) — technical platform (auth, messaging, sync).
  • Hetzner Online GmbH (Germany, Falkenstein) — servers and compute infrastructure.
  • Cloudflare, Inc. (US, with EU presence) — DNS, CDN, DDoS protection, edge compute for public pages.
  • Sygnal (push notification broker) — relay between platform and Apple / Google systems.
  • Apple Push Notification Service (APNS) (Apple Inc., US) — iOS push delivery.
  • Google Firebase Cloud Messaging (FCM) (Google LLC, US) — Android push delivery.
  • Resend (US) — transactional email delivery (magic link, confirmations, invoices).
  • Revolut Business (UK / EU) — payment processing. Your card data does not reach us.

This list may be updated. Changes are announced at least 30 days in advance, by email to active accounts and in the app.

6. International transfers

Most data stays on EU servers (Hetzner Falkenstein, Germany). For push notification delivery and transactional email, technical data (device token, notification content, recipient email) transits through US-based services — Apple APNS, Google FCM, Resend, Cloudflare.

These transfers are made under Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914), providing safeguards equivalent to the EU level of protection.

7. Retention

  • Your data — active account. For the duration of your account.
  • Your data — deleted account. Fully deleted within at most 30 days (the time during which safety backups cycle out). After 30 days, only anonymized system logs may remain, in accordance with legal obligations (e.g., for fraud investigation or fiscal compliance).
  • Invoices and fiscal documents. 10 years, per Romanian law (Fiscal Code, Accounting Law).
  • Technical logs. Up to 30 days.
  • Public case data. Retained while there are active subscribers. After the last subscriber unsubscribes from a case, we retain the data for another 30 days to allow re-subscription without history loss, after which the data is archived and then removed from the active database (procese.online schema). The primary source remains portal.just.ro.

8. Your rights

Under GDPR you have the following rights:

  • Right of access (art. 15) — to know what data we hold about you. On request via email to [email protected] we send you a copy of your data.
  • Right to rectification (art. 16) — to correct inaccurate data.
  • Right to erasure (art. 17) — to have your data deleted. Implemented via "Delete account" in settings. For data from portal.just.ro, the right to erasure is subject to a balancing test between public interest and private interest (Manni jurisprudence).
  • Right to restriction (art. 18).
  • Right to portability (art. 20) — to receive your data in a structured, machine-readable format. On request via email.
  • Right to object (art. 21) — especially for processing based on public interest or legitimate interest.
  • Right not to be subject to automated decision-making (art. 22) — we don't make automated decisions with legal effect on you.

To exercise any right, write to [email protected]. We respond within at most 30 days.

Right to erasure — portal.just.ro data. For a request to remove a case's data from procese.online, we evaluate case by case the public interest versus the private interest of the data subject, in line with CJEU C-398/15 Manni. If we decide not to erase (e.g., for a case of ongoing public interest), we provide written reasoning and inform you of your right to lodge a complaint with the Romanian DPA.

Complaint to the supervisory authority. You have the right to lodge a complaint with ANSPDCP (the Romanian National Supervisory Authority for Personal Data Processing):

  • Address: B-dul G-ral Gheorghe Magheru nr. 28-30, sect. 1, Bucharest, Romania
  • Email: [email protected]
  • Website: www.dataprotection.ro

9. Security

Technical measures we apply:

  • TLS connections for all traffic to and from our servers;
  • cryptographically derived credentials, no plaintext password storage (for internal sessions);
  • pseudonymized identities for participation in notification channels (the shadow identity model);
  • administrative access limited to people who strictly need it to operate;
  • encrypted backups with limited lifetime;
  • security updates applied promptly to underlying infrastructure.

10. Breach notification

In the event of a security breach involving your personal data, we will notify the Romanian DPA within at most 72 hours of becoming aware, in accordance with GDPR art. 33. If the breach poses a high risk to your rights, we will also notify you directly under art. 34.

11. Cookies

procese.online uses a single technical cookie, procese_prefs, to remember your chosen theme and language across pages. We don't use tracking cookies, social network pixels, Google Ads remarketing, or other profiling tools.

For details, see the Cookie policy.

12. Changes to this policy

We may update this policy to reflect changes in the service or in legislation. Material changes are announced with 30 days' notice by email and in the app. Minor changes are reflected in the "Version" and "Updated" fields above. Old versions are kept for review on request.

13. Contact

For any question about data processing:

  • Email: [email protected]
  • Controller: Parma Digital SRL · VAT RO42128910 · Romania
procese.online · public case monitoring.

Public data from portal.just.ro. · Last sync: 13 June 2026

Operated by Parma Digital SRL · VAT RO42128910 · Made in Romania · Contact: [email protected]

ANPC – Alternative dispute resolution · EU ODR platform

procese.online does not provide legal advice. · We are not a case-management software for law firms. · We are not affiliated with the Ministry of Justice.