Privacy Policy
How we process and protect your personal data
The confidentiality of your data is a priority for us. This policy explains what data we collect, for what purpose, on what legal basis, to whom we transmit it, how long we keep it and what rights you have. The document is prepared in accordance with the General Data Protection Regulation - Regulation (EU) 2016/679 (GDPR), Law No. 190/2018 and Law No. 506/2004 on data protection in the electronic communications sector.
§ 1 Data controller
The controller of the personal data processed through the website www.biobuilds.com and in pre-contractual and contractual relationships is BIOBUILDS S.R.L.
| Name | BIOBUILDS S.R.L. |
|---|---|
| Registered office | Str. 66, no. 16, Tăuții-Măgherăuș, 437345, Maramureș County, Romania |
| ONRC registration | J24/300/2012 |
| Unique registration code | RO30040678 |
| Data protection contact point | privacy@biobuilds.com |
For any question or request concerning your personal data, you may write to us at privacy@biobuilds.com. We respond within a maximum of 30 calendar days from receipt of the request. In complex cases, the period may be extended by a further two months, with prior notice to you, in accordance with Art. 12 para. (3) GDPR.
BIOBUILDS S.R.L. is not legally required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR. If this situation changes, the DPO's contact details will be published in this policy.
§ 2 What data we process
Data you provide directly to us
When you complete the forms on the website, download the catalogue, configure a module or contact us directly, we process: first and last name, e-mail address, telephone number, city, delivery country, the source through which you discovered us, your message and, if you contact us as a company, the company name and tax registration number.
If you conclude a contract with us, we additionally process: billing and delivery address, identity document data strictly for identification in the contract, IBAN for issuing invoices and verifying receipts, delivery contact person, photographs and video recordings from delivery (delivery condition reports).
Data collected automatically through the website
When you visit www.biobuilds.com, we automatically process: IP address, browser type and version, operating system, pages visited, visit duration, device identifiers, traffic source and diagnostic data. These data are collected through cookies and similar technologies, in accordance with section 5 below.
§ 3 For what purpose we use the data and on what legal basis
| Purpose | Legal basis | Retention period |
|---|---|---|
| Responding to quotation requests, contact forms, catalogue downloads, configurator | Art. 6 para. (1) letter b) GDPR - pre-contractual measures at your request | 24 months from the last interaction |
| Preparing the offer and negotiating the contract | Art. 6 para. (1) letter b) GDPR | 24 months from the last interaction, if no contract is concluded |
| Concluding and performing the contract - production, DAP delivery, technical support and warranty management | Art. 6 para. (1) letter b) GDPR | For the duration of the contract, plus the warranty period, plus 1 year |
| Legal tax, accounting and reporting obligations | Art. 6 para. (1) letter c) GDPR; Law No. 82/1991 | 10 years accounting archive |
| Managing complaints and warranty rights | Art. 6 para. (1) letters b) and f) GDPR | Warranty period plus 1 year |
| Marketing communications - newsletter, personalised offers | Art. 6 para. (1) letter a) GDPR - your consent, confirmed through double opt-in | Until consent is withdrawn. Proof of consent is kept for 3 years after withdrawal, to defend our rights in the event of a complaint. |
| Statistical analysis and improvement of website experience | Art. 6 para. (1) letter a) GDPR - consent through the cookie banner | Maximum 26 months |
| Server-side management of analytics and marketing tags through the Stape infrastructure, with pseudonymisation of data before transmission to third-party providers (Google, Meta) | Art. 6 para. (1) letter a) GDPR - consent through the cookie banner | According to the retention of each applicable tag - see the Cookie Policy |
| Website security, fraud prevention, access logs | Art. 6 para. (1) letter f) GDPR - legitimate interest | 12 months |
| Defending our rights in court | Art. 6 para. (1) letter f) GDPR | For the duration of the dispute plus the applicable limitation periods |
§ 4 To whom we transmit the data
We work with carefully selected service providers, under data processing agreements in accordance with Art. 28 GDPR or equivalent commitments. We do not sell your data and do not use automated profiling with legal effects.
| Recipient category | Role | Data categories |
|---|---|---|
| UniCredit Bank S.A. | Independent controller | Payment and identification data |
| External accounting and tax services | Processor | Contractual and tax data |
| Carriers and logistics partners | Independent controllers | Delivery address, contact |
| IT, hosting, CRM, e-mail providers | Processors | Contact data, communications |
| Stape (Stape Belgium / Stape Europe, EU hosting) | Processor | Technical usage data, processed server-side for the management of analytics and marketing tags, before transmission to Google and Meta |
| Google LLC - Google Analytics 4 | Processor | Pseudonymised website usage data, identifiers (after consent) |
| Google LLC - Google Ads | Processor | Pseudonymised conversion data, remarketing audiences (after consent) |
| Google LLC - Google Tag Manager (client-side) | Processor | Tag management (does not collect personal data by itself) |
| Google LLC - reCAPTCHA | Processor | Technical data for the prevention of automated fraud |
| Meta Platforms Ireland Ltd. - Meta Pixel and Conversions API (CAPI) | Independent controller / Joint controller | Hashed conversion data (after consent) |
| Postmark (AC PM LLC, ActiveCampaign Inc., USA) | Processor | Transactional e-mails and newsletter - e-mail address, e-mail content |
| Online payment processors - if we enable this functionality | Independent controllers | Transactional data |
| Legal, tax and audit consultants | Independent controllers or processors | Data strictly necessary for the assignment |
| Competent authorities | In accordance with legal obligations | In accordance with the authority's request |
We use the Stape infrastructure (server-side Google Tag Manager) hosted in the European Union to process technical website usage data on an intermediate server in the EU, where it is minimised and pseudonymised before transmission to third-party providers (Google, Meta), in accordance with your consent expressed through the cookie banner. Analytics and marketing tags are activated only after consent, through Google Consent Mode v2.
Meta Platforms Ireland Ltd. (controller for Meta Pixel and Conversions API) is established in the European Union. Google LLC and ActiveCampaign Inc. are entities in the United States - for these transfers we rely on mechanisms recognised by Art. 46 GDPR: the EU-US Data Privacy Framework (under which Google LLC and ActiveCampaign Inc. are certified at the time this policy is drafted) and, in addition, the Standard Contractual Clauses approved by the European Commission through Decision (EU) 2021/914. We periodically check the certification status of the relevant providers.
§ 5 Cookies and similar technologies
We use cookies for the operation of the website, audience measurement and improvement of your experience. Strictly necessary cookies are installed without consent. All other categories - preferences, analytics, marketing - are installed exclusively after your express consent, expressed through the cookie banner displayed on the first visit, in accordance with Art. 4 para. (5) of Law No. 506/2004.
Our banner displays, on the first layer, buttons with equivalent visibility for "Accept all" and "Reject all", as well as the option "Customise preferences". No non-essential cookie is pre-ticked. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
| Category | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Website operation, session, security | No |
| Preferences | Language, region, configurator choices | Yes |
| Analytics | Usage statistics (Google Analytics) | Yes |
| Marketing | Remarketing, campaign measurement | Yes |
Server-side architecture. Some tags run directly in your browser (client-side), and some run through a server-side Google Tag Manager container hosted on the Stape infrastructure in the European Union. This architecture allows us to process technical data on a server in the EU, minimise it and pseudonymise it before transmission to Google or Meta. Both types of tags respect your choices from the cookie banner and are activated only after the corresponding consent, through Google Consent Mode v2.
The full Cookie Policy, with the detailed inventory of each cookie used (name, provider, purpose, duration, US transfer), is available at www.biobuilds.com/ro/cookie-policy and is permanently accessible from the cookie banner and from the footer.
You can change your choices at any time through the "Cookie settings" link permanently available in the footer. Withdrawing consent is as easy as giving it.
§ 6 Your rights
Under the GDPR and Law No. 190/2018 you have the following rights:
| Right to information and access (Arts. 13-15 GDPR) | To receive confirmation that we process your data and to access these data |
|---|---|
| Right to rectification (Art. 16) | To correct inaccurate data or complete incomplete data |
| Right to erasure (Art. 17) | The right to be forgotten, in the cases provided by the GDPR |
| Right to restriction of processing (Art. 18) | To request suspension of processing in certain situations |
| Right to portability (Art. 20) | To receive the data in a structured format and transmit it to another controller |
| Right to object (Art. 21) | To object to processing based on legitimate interest or direct marketing |
| Right to withdraw consent (Art. 7) | At any time, for processing based on consent, without affecting the lawfulness of prior processing |
| Right to lodge a complaint | With the National Supervisory Authority for Personal Data Processing - www.dataprotection.ro |
To exercise any right, write to us at privacy@biobuilds.com. Identification of the requester is necessary only to the strict extent required to prevent disclosure of another person's data.
§ 7 Data security
We apply appropriate technical and organisational measures in accordance with Art. 32 GDPR: TLS encryption for data transmission, role-based access control, daily backup, access logs, periodic staff training, and a register of processing activities in accordance with Art. 30 GDPR. No system is absolutely secure, but we periodically review the measures to maintain an appropriate level of protection.
§ 8 Minors
Our website and services are addressed to persons over 18 years of age. In accordance with Law No. 190/2018, we process the data of a minor under 16 only with the consent of the holder of parental responsibility. If we identify such unintended processing, we delete the data without delay.
§ 9 Automated decisions
Our configurator provides indicative estimates based on your choices. These estimates are not fully automated decisions that produce legal effects concerning you. The final offer and the conclusion of the contract always involve human review by our commercial team.
§ 10 Changes to this policy
We may update this policy to reflect legislative or operational changes. The version in force is permanently available at www.biobuilds.com/ro/privacy-policy, with the date of the last update visible. In the case of substantial changes, we will inform you by e-mail if you are subscribed to the newsletter or through a visible notice on the website, at least 30 days before entry into force.
§ 11 Contact
For any question regarding this policy or the processing of your data, you may contact us:
| Dedicated data protection e-mail | privacy@biobuilds.com |
|---|---|
| Postal address | BIOBUILDS S.R.L., Str. 66, no. 16, Tăuții-Măgherăuș, 437345, Maramureș County, Romania |
| Supervisory authority | ANSPDCP - Bd. Gheorghe Magheru 28-30, Bucharest, www.dataprotection.ro |
Last updated: May 2026