Privacy Policy

Privacy Policy

Preamble

This Privacy Policy describes how SECURITY 53 QUANTUM S.R.L. processes personal data in connection with its website and services, in accordance with Regulation (EU) 2016/679 (“GDPR”), Law no. 190/2018, Law no. 506/2004, and other applicable data protection legislation. We are committed to processing personal data lawfully, fairly and transparently.

Effective date of this version: 16.06.2026.

1. Who We Are (Data Controller)

This Privacy Policy explains how SECURITY 53 QUANTUM S.R.L., a Romanian limited liability company with registered office in Sat Șelimbăr, Comuna Șelimbăr, Str. Petre Alexandrescu nr. 1A, Sibiu County, Romania, registered with the Trade Register kept by the Tribunal of Sibiu under no. J2026037546009, sole registration code (CUI) 54863868, European Unique Identifier (EUID) ROONRC.J2026037546009, e-mail: office@security53.com (“Security53”, “we”, “us”), processes personal data in connection with the website security53.com (the “Website”) and our AI automation services (the “Services”).

For the processing described in this Policy, Security53 acts as data controller within the meaning of the GDPR. We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Art. 37 GDPR; all privacy-related inquiries can be addressed to the contact details above and will be handled by our management.

Controller vs. processor – important. Where we design and operate automation systems on behalf of our business clients (for example, systems that process messages, e-mails, calendar events, or contact data belonging to a client's own customers and staff), we act as a data processor (persoană împuternicită) on behalf of that client, who is the data controller. That processing is governed by the data processing agreement (DPA) concluded with the relevant client and by that client's own privacy policy – not by this Policy. If your personal data is processed through a system that we operate for one of our clients, please direct your privacy requests to that client (the controller); we will assist them in responding as required by the GDPR. This Policy governs only the processing for which Security53 itself decides the purposes and means.

2. The Personal Data We Process, Purposes and Legal Bases

a) Website visitors. We process technical data such as IP address, browser and device information, pages visited, referral source, interactions, and approximate location derived from the IP address, collected through server logs and, where applicable and consented to, analytics tools. Purposes: operating, securing and improving the Website, preventing abuse, and producing aggregate statistics. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR) in operating a secure and functional website; and, for non-essential cookies and similar technologies, your consent (Art. 6(1)(a) GDPR and Art. 4 of Law no. 506/2004), as described in Section 7.

b) Contact and call bookings. When you contact us by e-mail, through a form, or by booking a call, we process your name, e-mail address, telephone number (if provided), company name and role, and the content of your message or request. Purposes: responding to your inquiry, scheduling and conducting the call, and pre-contractual discussions. Legal basis: steps taken at your request prior to entering into a contract (Art. 6(1)(b) GDPR) and our legitimate interest in business development and managing inquiries (Art. 6(1)(f) GDPR).

c) Clients and client representatives. When a company becomes our client, we process identification and contact data of its representatives and contact persons (name, role, business e-mail, telephone), contractual and correspondence data, access and onboarding information, and billing data. Purposes: concluding and performing the contract, onboarding (including configuring authorized access to the client's third-party accounts), service administration and support, invoicing and accounting, and exercising or defending legal claims. Legal bases: performance of the contract or pre-contractual steps (Art. 6(1)(b) GDPR); compliance with legal obligations, in particular accounting, tax and invoicing legislation, including the RO e-Factura system (Art. 6(1)(c) GDPR); and our legitimate interest in managing the client relationship and protecting our rights (Art. 6(1)(f) GDPR).

d) Marketing communications. If you are a client or have requested information from us, we may send you communications about our services to your business contact details, based on our legitimate interest in direct marketing toward business contacts (Art. 6(1)(f) GDPR) or, where required by Law no. 506/2004, based on your prior consent. You may opt out at any time, free of charge, via the unsubscribe link or by contacting us; we will then stop sending such communications.

e) Suppliers and partners. We process contact and contractual data of representatives of our suppliers and partners for the purpose of concluding and performing contracts and complying with legal obligations (Art. 6(1)(b) and (c) GDPR).

f) Legal compliance and defense of claims. We may process the above data as necessary to comply with legal obligations to which we are subject and to establish, exercise or defend legal claims (Art. 6(1)(c) and Art. 6(1)(f) GDPR; Art. 9(2)(f) GDPR where special categories are unavoidably involved).

We do not intentionally collect special categories of personal data (Art. 9 GDPR) through the Website, and we ask you not to submit such data through our forms. The Services are addressed exclusively to businesses; we do not knowingly process the personal data of persons under 18 in our capacity as controller.

3. Where the Data Comes From

We obtain personal data: (i) directly from you, when you visit the Website, contact us, book a call, or enter into a contract; (ii) from the company you represent, when you act as its representative or contact person; and (iii) automatically, through cookies and server logs, when you use the Website. Where we act as processor for a client, the personal data is provided by, or collected on behalf of, that client, as described in the applicable DPA.

4. Automated Decision-Making and Artificial Intelligence

In our capacity as data controller under this Policy, we do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

Our Services involve AI systems that we configure and operate for our clients. Where such systems process personal data of a client's customers, the client is the controller responsible for the lawfulness of that processing, including any obligation to inform individuals that they are interacting with an AI system, in accordance with applicable law (including Regulation (EU) 2024/1689 – the AI Act). We support our clients in meeting these obligations through appropriate configuration and documentation.

5. Recipients of the Data

We disclose personal data only to the extent necessary, to the following categories of recipients: (i) IT infrastructure and hosting providers (e.g., European cloud and server providers); (ii) providers of software and productivity tools used in our operations (e.g., e-mail, scheduling, website platform, database and automation tooling); (iii) AI model providers, strictly to the extent inquiries or service operations involve them; (iv) accounting, legal, audit and other professional advisors; (v) payment and banking service providers; (vi) communication and messaging service providers; and (vii) public authorities, courts and bailiffs, where required by law (e.g., ANAF, ANSPDCP).

Providers that process personal data on our behalf act as processors and are bound by data processing agreements in accordance with Art. 28 GDPR. We do not sell personal data, and we do not disclose it to third parties for their own independent marketing purposes.

6. International Transfers

We host our core infrastructure within the European Economic Area (EEA). Some of our service providers (for example, certain AI model providers or communication platforms) may process personal data in the United States or other countries outside the EEA. Where personal data is transferred outside the EEA, we ensure an adequate level of protection through one or more of the following mechanisms: (i) an adequacy decision of the European Commission (including, where applicable, the EU–U.S. Data Privacy Framework for certified providers); or (ii) the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented, where necessary, by additional technical and organizational safeguards. You may request information about these safeguards, and a copy where available, using the contact details in Section 1.

7. Retention Periods

We keep personal data only as long as necessary for the purposes for which it was collected, in particular: (i) contact and call-booking data of prospects who do not become clients: up to 2 (two) years from the last interaction; (ii) client relationship and contractual data: for the duration of the contract and thereafter for the applicable limitation period (in principle 3 years under the Civil Code, extended where a longer period is needed to establish, exercise or defend a legal claim); (iii) invoicing and accounting records: for the period required by Romanian accounting and tax legislation, in principle 10 (ten) years from the end of the financial year in which they were issued, pursuant to Law no. 82/1991 on accounting; (iv) marketing data: until you opt out or withdraw your consent; (v) server logs: up to 12 (twelve) months, unless a longer period is necessary for a specific security investigation. Upon expiry of the applicable period, personal data is deleted or irreversibly anonymized.

8. Cookies and Similar Technologies

The Website uses strictly necessary cookies (required for its basic operation, based on our legitimate interest) and, only with your prior consent, analytics and/or marketing cookies. When you first visit the Website, a cookie banner allows you to accept, reject, or customize the use of non-essential cookies; you can change your preferences at any time through the banner or your browser settings. Refusing non-essential cookies does not affect your ability to browse the Website. Details of the specific cookies used, their providers and storage durations are available in the cookie settings on the Website.

9. Security of Processing

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, proportionate to the risk, including: hosting on hardened servers with restricted access, encryption of data in transit (TLS), access on a need-to-know basis, logical separation of client environments, authentication and access controls, and regular software updates and security patching. No security measure can guarantee absolute security; however, we review and improve our measures on an ongoing basis. In the event of a personal data breach, we will notify the competent supervisory authority and, where required, the affected individuals, in accordance with Art. 33 and 34 GDPR; where we act as processor, we will notify the relevant client (controller) without undue delay in accordance with the DPA.

10. Your Rights

Subject to the conditions and exceptions provided by the GDPR, you have the right to: (i) be informed about the processing of your personal data; (ii) access your personal data (Art. 15); (iii) obtain rectification of inaccurate or incomplete data (Art. 16); (iv) obtain erasure of your data in the cases provided by Art. 17; (v) obtain restriction of processing (Art. 18); (vi) data portability (Art. 20); (vii) object to processing based on legitimate interest, including objecting at any time to direct marketing (Art. 21); and (viii) where processing is based on consent, withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)).

To exercise your rights, please contact us at contact@security53.com. We will respond to your request without undue delay and in any event within 1 (one) month of receipt, a period that may be extended by 2 (two) further months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension and its reasons (Art. 12(3) GDPR). To protect your data, we may request additional information necessary to confirm your identity. Exercising these rights is, in principle, free of charge.

If your personal data is processed through a system we operate on behalf of a client (where we act as processor), please address your request to that client as controller; we will assist them as required.

11. Right to Lodge a Complaint

If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Romanian supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), with its seat at B-dul G-ral. Gheorghe Magheru nr. 28–30, Sector 1, Bucharest, 010336, Romania; telephone: +40 318 059 211; e-mail: anspdcp@dataprotection.ro; website: www.dataprotection.ro. The complaint procedure is governed by the GDPR and Law no. 102/2005. We would, however, appreciate the opportunity to address your concerns directly before you approach the authority. You also have the right to an effective judicial remedy before the competent courts.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in our processing activities or in legal, technical or organizational requirements. The current version, together with its “effective date”, is always available on the Website. For material changes affecting active clients, we will provide notice by e-mail. We encourage you to review this Policy periodically. This Policy does not create contractual rights beyond those provided by applicable data protection law.