How iCosmin Limited handles personal data with discretion, security, and full transparency — and the rights you have under GDPR.
Last updated ·
01. Who we are
iCosmin Limited operates a strategic advisory website accessible at icosmin.ro (the "Site"). Throughout this document, references to "we", "us", or "our" mean iCosmin Limited, which acts as the data controller for personal data collected through the Site, as defined under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"). For all data protection enquiries, please visit our Contact page.
02. What personal data we collect
We collect only the minimum personal data necessary, in line with the data minimisation principle under Article 5(1)(c) GDPR.
Data you provide directly: When you submit our contact form, we collect your full name, email address, company name (optional), topic of inquiry, and message content. Our legitimate interest (Art. 6(1)(f)) is to handle general and pre-sales enquiries efficiently.
Data collected automatically: When you visit our Site, we and our technology partners may automatically record your IP address (for security and approximate geographic analytics), device and browser identifiers (for site compatibility), and clickstream and behavioural data (for understanding how visitors navigate our content — consent required via cookie banner).
03. How we use your data
We use your data strictly to respond to enquiries, evaluate potential engagements, and deliver advisory services. We use aggregated technical data to improve the website and understand how visitors use it. We do not sell, rent, or otherwise commercially exploit your personal data. Never for advertising. Never for resale.
04. Legal bases for processing
In accordance with Articles 6 and 13 GDPR, we identify a specific lawful basis for each processing activity:
• Consent (Art. 6(1)(a)) — Non-essential cookies, behavioural tracking, and analytics. You may withdraw consent freely at any time.
• Contract (Art. 6(1)(b)) — Processing necessary to fulfil our obligations or take pre-contractual steps at your request.
• Legal obligation (Art. 6(1)(c)) — Processing required under applicable law (financial record-keeping, regulatory obligations).
• Legitimate interests (Art. 6(1)(f)) — Responding to enquiries, maintaining site security, and improving our services — balanced against your rights.
05. Data retention
We adhere to the storage limitation principle under Article 5(1)(e) GDPR. Contact form enquiries are retained for 24 months from the date of last contact. Data relating to active engagements is retained for the duration plus six years for accounting and professional-liability requirements. Analytics and behavioural data is retained per provider configuration (typically 14 months). Backup copies are purged in line with our scheduled rotation policy.
06. Your rights under GDPR
Under Chapter III GDPR, you have the right to: access (Art. 15) your personal data; rectify (Art. 16) inaccurate data; erase (Art. 17) data no longer necessary; restrict (Art. 18) processing under review; data portability (Art. 20) in a machine-readable format; object (Art. 21) to processing based on legitimate interests; and withdraw consent (Art. 7(3)) at any time without retroactive effect. We do not make solely automated decisions including profiling (Art. 22). Requests are handled within one calendar month. To exercise any right, contact us via our Contact page. You may also lodge a complaint with your national supervisory authority.
07. Data security
We apply technical and organisational security measures proportionate to the risks involved, as required by Article 32 GDPR, including encryption in transit (HTTPS), access controls, and regular security reviews. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Article 33 GDPR) and communicate with affected individuals where the risk is assessed as high (Article 34 GDPR).
08. Third-party tools and international transfers
We use the following tools which may receive or process your personal data: Google Analytics (aggregate site usage measurement), Google reCAPTCHA (bot detection on the contact form), and Microsoft Clarity (session recordings and heatmaps). Each provider is bound by Data Processing Agreements. Where providers transfer data outside the EEA, we ensure appropriate safeguards: an EU–US Data Privacy Framework adequacy decision, or Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914). This website is hosted on Cloudflare Pages. No personal data is shared with advertising networks.
09. Changes to this policy
We review and update this policy periodically to reflect changes to our processing activities, applicable law, or regulatory guidance. Where revisions are material, we will provide clear notice on the Site and, where required, seek fresh consent. The effective date appears at the top of this document.
For all privacy enquiries, data subject rights requests, or complaints, please visit our Contact page. You also have the right to approach your local supervisory authority at any time.