Privacy Policy
Version: 1.0
Effective date: 04 May 2026
Last updated: 04 May 2026
Language: English (courtesy translation — the Romanian version prevails)
Important note on this courtesy translation. This English version is a courtesy translation of the official Romanian Privacy Policy. In case of any discrepancy or interpretive divergence, the Romanian-language version prevails as the legally binding document.
NOTICE — BETA STAGE. The Bits CRM Service is in BETA stage. The features described in this Policy may evolve, and the technical data-processing configurations may be modified. The Operator exercises reasonable diligence to keep the Policy up to date and will notify modifications in accordance with section 20.
Preamble
This Privacy Policy (hereinafter the “Policy”) describes how BITS DIGITAL SOLUTIONS S.R.L. (hereinafter the “Operator”, “we”, “our”) collects, uses, stores, transmits and protects the personal data of its users, in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018 implementing GDPR in Romania, Romanian Law no. 506/2004 on the processing of personal data and protection of privacy in the electronic communications sector, and other applicable legislation.
The Policy applies to the relationships in which the Operator acts as a data controller — that is, for data about the registered users of the Bits CRM platform. For data about end clients and contacts of the User (Customer Content), processed by the Operator as processor, the Data Processing Agreement (DPA) applies — a separate document, integrated by reference into our Terms and Conditions.
Please read this Policy carefully. By creating an account, accessing or using the platform, you confirm that you have read, understood and acknowledged the contents of this Policy.
1. Identification of the Operator
The data controller is:
| Element | Detail |
|---|---|
| Corporate name | BITS DIGITAL SOLUTIONS S.R.L. |
| Sole Registration Code (CUI) | 51905748 |
| Trade Registry order number | J2025039656002 |
| Share capital | RON 200 |
| Electronic contact address | office@64bits.it |
| Registered office | Disclosed upon written and reasoned request transmitted to the contact address |
| Trade name | Bits CRM |
Data Protection Officer (DPO) / GDPR Point of Contact: for any questions or requests regarding the processing of personal data, please use the unique address office@64bits.it.
Supervisory authorities:
- Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — https://dataprotection.ro
2. Who this Policy addresses
This Policy applies to:
- Registered users of the Bits CRM platform (businesses — PFA, SRL, SA, liberal professions etc. — and consumers, as defined in our Terms and Conditions);
- Visitors to the public website bitscrm.ro;
- Persons who contact the Operator through the official communication channel (office@64bits.it).
The Policy does not cover data about end clients, contacts, counterparties or other third parties with which the User interacts through the platform (Customer Content). For such data, the User is the controller and the Operator is the processor; the relationship is governed by the DPA.
3. Status of the Operator with regard to data
Within the Service, the Operator processes personal data in two distinct capacities:
- Controller — for data about the registered User (account, authentication, billing, support, telemetry, transactional communications and, in the future with consent, marketing). This data is the subject of this Policy.
- Processor — for Customer Content (data about the User’s end clients), processed strictly on the User’s instructions. These processings are governed by the DPA, a separate document.
This distinction is important: this Policy does not describe how the User processes its own clients’ data through the platform — for this aspect, the User is responsible as data controller.
4. Categories of personal data processed
4.1 Identification data
- Surname, first name
- E-mail address
- Phone number (optional)
- Avatar (optional, uploaded by the User)
- Preferred interface language
- Time zone
4.2 Account and authentication data
- Password hash (the password in clear text is not stored)
- Two-factor authentication secret, when the feature is active
- Authentication token and session identifier issued to maintain the authenticated session
- Device identifier used for authentication
4.3 Business entity data (B2B)
- Entity name
- Sole Registration Code / CIF
- Legal form
- Status of registration in the Romanian Private Virtual Space (SPV) of the National Tax Agency (ANAF)
4.4 Billing data
- Billing address
- References to payment methods — bank card data (number, CVV code, expiry date) IS NOT collected, transmitted or stored by the Operator. Payments are processed directly by our payment provider, which holds PCI-DSS certification. The Operator receives only a transaction identifier and the payment status.
4.5 Communication data
- Content of support e-mails exchanged with the Operator
- Content of support tickets
- In-app messages (notifications, alerts)
4.6 Technical / telemetry data
- IP address
- Device, browser, operating system type
- Requests made to the application
- Technical identifiers (session, device) used for security, prevention of abuse and incident diagnostics
- Administrative audit logs
- Operational error logs
4.7 Content created by the User
Notes, tasks, calendar events, appointments, files uploaded to Drive, mentions — to the extent that they contain data about the User itself. The content remains the property of the User; the Operator processes it strictly to provide the Service.
4.8 Sensitive data — Romanian Personal Numeric Code (CNP) (Law 190/2018)
The CNP is processed exclusively for the delegated signatory functionality on electronic invoices (e-Factura) — when the User designates a natural person (for example, accountant, administrator) for the signing of fiscal documents on behalf of the entity.
Specific protection measures:
- Stored encrypted in the database;
- Strict access on a “need-to-know” basis;
- Never displayed in clear in logs, e-mails or non-secured interfaces;
- Not shared with third parties, except for the legal obligation of transmission to ANAF through SPV.
4.9 Data related to AI features
When using AI-based features (AI Assistant, OCR for invoices/payments, summarisations, embeddings for semantic search), the Operator transmits the relevant content to a third-party AI Provider for processing. See section 18 for details.
5. Sources of data
Data is obtained from the following sources:
- Directly from the User — at the time of registration, profile completion, use of features, content upload, communications with the Operator.
- Automatically generated — technical telemetry (IP, timestamp, events), security logs, technical session identifiers.
- Public official sources — when verifying a tax code (CUI), the Operator queries the public ANAF database to confirm the validity and tax status of the entity entered by the User. The data returned is public information (entity name, status, public address from the Trade Registry).
6. Purposes of processing
The Operator processes personal data exclusively for the following purposes:
- Creation, management and security of the User’s account
- Provision of the Service in accordance with the Terms and Conditions
- Payment processing and invoice issuance (including through the national RO e-Factura system via SPV for businesses)
- Technical support and response to requests
- Security, fraud and abuse prevention, incident diagnostics
- Transactional communications (account confirmations, password reset, security alerts, invoices, appointment notifications, mentions, etc.)
- Compliance with applicable legal obligations (accounting, taxation, reporting to authorities, GDPR, commercial law)
- Marketing communications — only if such a mechanism is introduced and only after obtaining prior express consent. Currently, the Operator does not transmit marketing communications.
7. Legal bases for processing
| Purpose / Category | Legal basis | Reference |
|---|---|---|
| Account creation, Service delivery, support | Performance of contract | art. 6(1)(b) GDPR |
| Billing, accounting, e-Factura reporting | Legal obligation | art. 6(1)(c) GDPR |
| Security, fraud prevention, diagnostics, technical telemetry | Legitimate interest | art. 6(1)(f) GDPR |
| Direct marketing (when introduced) | Consent | art. 6(1)(a) GDPR |
| Cookies / non-strictly-necessary storage (when introduced) | Consent | art. 6(1)(a) GDPR + Law 506/2004 |
| Processing of CNP (delegated signatory e-Factura) | Legal obligation + Law 190/2018 art. 4 | art. 6(1)(c) + special law |
| Response to requests from public authorities | Legal obligation | art. 6(1)(c) GDPR |
Legitimate interests invoked: protecting the Service against attacks and fraud, ensuring operational continuity, improving the quality of the Service, recovering outstanding receivables. Data subjects have the right to object to processing based on legitimate interest, in accordance with section 12.
8. Recipients of the data
The Operator transmits personal data to the following categories of recipients, strictly to the extent necessary:
- Operator’s personnel — employees, collaborators, consultants, with strict access on a “need-to-know” basis and under confidentiality obligations.
- Services we rely on — third-party technology providers essential for the operation of the Service. They include the following categories (the detailed list may be obtained upon written and reasoned request):
  - Cloud infrastructure provider (database hosting, object storage, cache)
  - Transactional e-mail provider
  - Payment processing provider (holds PCI-DSS certification)
  - Artificial intelligence model provider
  - Video meeting infrastructure provider
  - Anti-bot protection provider (CAPTCHA)
  - Mobile push notification provider
- Public authorities — in fulfilment of legal obligations: ANAF (through the national SPV system for e-Factura), ANSPDCP, ANPC, courts of law, criminal investigation bodies, fiscal control bodies — strictly within the limits of formal requests and legal grounds.
- Operator’s professional advisors — lawyers, accountants, auditors, to the extent necessary for the exercise of its legal rights or for the fulfilment of its obligations.
We never sell, rent or commercially transfer personal data to third parties for their own purposes.
9. International transfers
Certain services we rely on may process data outside the European Economic Area (EEA), in particular: AI model providers, payment processors and transactional e-mail providers may have components operated from the United States of America or other jurisdictions.
These transfers are covered by adequate safeguards under GDPR:
- Standard contractual clauses adopted by the European Commission through Decision (EU) 2021/914;
- EU-US Data Privacy Framework (EU Decision 2023/1795), for certified entities;
- Other mechanisms recognised by GDPR (binding corporate rules, specific derogations, etc.), where applicable.
The detailed list of transfer destinations and applicable safeguards may be obtained upon written request transmitted to office@64bits.it, within the limits necessary for protecting the software design and commercial strategy.
10. Storage duration
| Category | Duration |
|---|---|
| Account data (active user) | Throughout active use |
| Account after voluntary termination | 90 days for export, then irreversible deletion |
| Account inactive for 6 consecutive months | Prior notification → full deletion |
| Voluntarily deleted account | 7-day grace period (cancellable) → effective deletion |
| Technical authentication data (sessions, tokens, device identifiers) | Limited durations set in accordance with our internal security policy; immediately revocable at the User’s request or in the event of a security incident |
| Technical and audit logs | Rotated periodically; duration determined in accordance with internal security policy, strictly limited to what is necessary for diagnostics and incident investigation |
| Operational backups | maximum 35 days |
| Invoices and fiscal documents | 10 years — legal obligation under art. 25 of Romanian Accounting Law no. 82/1991 |
| Support communications | maximum 3 years from the last interaction |
| Marketing data (when introduced) | Until withdrawal of consent; 3-year consent audit after withdrawal |
After the expiry of the above terms, data is irreversibly deleted from production systems. Backups may contain data for an additional limited period (max. 35 days), after which they are rotated and deleted in accordance with the Operator’s backup policy.
11. Data security
The Operator implements adequate technical and organisational measures (TOM) to protect data, in accordance with art. 32 GDPR:
Technical measures:
- Encryption in transit (TLS) for all communications;
- Encrypted storage for sensitive data (CNP);
- Modern hashing for passwords;
- Two-factor authentication (2FA TOTP) — available, strongly recommended;
- Role-based access control (RBAC), with granular permissions;
- Limited-duration session tokens and the possibility of immediate revocation;
- Rate-limiting and anti-brute-force protection on sensitive points (authentication, share links);
- Anti-bot CAPTCHA on publicly exposed forms;
- Daily automated backups, with 30-day retention and the possibility of point-in-time recovery for 7 days;
- Monitoring of infrastructure and security events.
Organisational measures:
- Strict need-to-know access;
- Personnel confidentiality obligation;
- Security incident management procedures;
- Periodic data protection training of the team.
Security breach notification: in the event of a breach that presents a risk to the rights and freedoms of data subjects, the Operator notifies ANSPDCP within 72 hours (GDPR art. 33) and, if the risk is high, directly informs the data subjects (GDPR art. 34).
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. The Operator cannot guarantee absolute security, but exercises reasonable diligence to protect the data.
12. Data subject rights
In accordance with GDPR (art. 15-22) and Romanian legislation, you benefit from the following rights regarding your personal data:
12.1 Right of access (art. 15)
You may request confirmation that we process data about you, as well as a copy of such data and information about the processing (purposes, categories, recipients, duration, rights).
12.2 Right of rectification (art. 16)
You may request the correction or completion of inaccurate or incomplete data. For data you can modify directly in the platform interface (name, e-mail, phone, etc.), we recommend using these tools.
12.3 Right of erasure (“right to be forgotten”) (art. 17)
You may request the deletion of data under the conditions provided by GDPR (for example, when the data is no longer necessary for the original purposes, when you withdraw consent, when you object to processing). This right is not absolute — certain data must be retained in accordance with legal obligations (for example, invoices for 10 years under Law no. 82/1991).
12.4 Right of restriction (art. 18)
You may request the restriction (temporary blocking) of processing in certain situations (challenging accuracy, unlawful processing, pending objection, etc.).
12.5 Right of portability (art. 20)
You may receive the data you have provided to us in a structured, machine-readable format (JSON, CSV) and transmit it to another controller.
12.6 Right to object (art. 21)
You may object to processing based on legitimate interest (section 7), in particular for direct marketing. Upon objection to direct marketing, we immediately cease processing for this purpose.
12.7 Withdrawal of consent
When the processing is based on consent (for example, direct marketing, when introduced), you may withdraw this consent at any time, without affecting the legality of prior processing.
12.8 Right not to be subject to automated decisions (art. 22)
The Operator does not perform automated decisions that produce legal effects or that significantly affect you in a similar manner. The automatic application of contracted plan limits constitutes performance of the contract, not profiling.
12.9 Right to lodge a complaint with ANSPDCP
You may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), either through the online platform (https://dataprotection.ro) or at the address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, Bucharest. This right is distinct from the right to apply to court.
13. How to exercise your rights
13.1 Standard procedure
Channel: send the request by e-mail to office@64bits.it.
Recommended subject: Personal data access / portability / erasure request — GDPR art. [X]
Minimum content of the request:
- Identification of the requester (name + e-mail address associated with the account)
- Specification of the right exercised (access / rectification / erasure / portability / restriction / objection / withdrawal of consent)
- Categories of data targeted (all / specific: profile, billing, content created, etc.)
- For portability requests: preferred format (JSON, CSV, ZIP)
Identity verification: the request must be transmitted from the e-mail address associated with the account. For requests from other addresses, we will request additional verification (for example, confirmation of certain account details).
Response term: 30 calendar days from receipt of the request. In the case of complex requests or a large number of requests, the term may be extended by a maximum of 60 additional days, with prior information of the requester within the first 30 days (GDPR art. 12(3)).
Costs: free of charge. Exception: manifestly unfounded or excessive requests (in particular due to repetitive nature) — in such cases, we may charge a reasonable fee based on administrative costs or refuse the request, with reasons (GDPR art. 12(5)).
13.2 Categories of data included in the full export
Upon a request for access (art. 15) or portability (art. 20), the export includes:
- Account and profile data: name, e-mail, phone, preferred language, time zone, avatar
- Business entity data (B2B): name, CUI, SPV status
- History of invoices issued through the platform
- History of recorded payments
- Created content: notes, tasks, appointments, calendar events, meeting recording metadata
- Files uploaded to Drive (upon express request, in original format)
- History of support communications (e-mails exchanged, tickets)
- Audit log relevant to your own account (last 30 days)
Exclusions from the export:
- Data which the Operator has the legal obligation to retain (invoices for 10 years);
- Data about other users or third parties, the disclosure of which would infringe their rights;
- Internal data of the Operator (operational technical logs, trade secrets, know-how).
13.3 Delivery format
- Access (art. 15): PDF with a summary of the data and information about the processing (purposes, recipients, duration, rights).
- Portability (art. 20): ZIP archive with structured files (JSON for account data, CSV for contacts / invoices / etc.).
- Content generated by the User is provided in the original format or in an equivalent format.
13.4 Confirmation of delivery
The response is transmitted through a secure channel — either encrypted e-mail (upon request) or download link with authentication, expiring in 7 days.
13.5 In the future — dedicated endpoint
The Operator intends to implement a self-service export endpoint directly in the platform interface. Until its availability, the e-mail procedure described above remains in force.
14. Cookies and similar technologies
14.1 Public site bitscrm.ro
At present, the public site does not use non-essential, analytical or marketing cookies. The site does not integrate tracking instruments (Google Analytics, marketing pixels, etc.).
14.2 Web application
Upon authentication, the platform uses a session-maintenance mechanism that is strictly necessary for the operation of the Service — without it, the application cannot maintain an active session. This mechanism falls within the “essential” category and does not require separate consent under Law 506/2004 art. 4(5).
14.3 Mobile application
On iOS and Android, session data is stored using the secure storage mechanisms provided by the operating system, accessible exclusively by the Bits CRM application.
14.4 Detailed Cookie Policy
A dedicated Cookie Policy will be published as a separate document, integrated by reference into this Policy.
14.5 Future modifications
If the Operator introduces usage analysis tools or other technologies involving non-essential information storage, it will request prior consent through a banner in accordance with Law 506/2004 and the ANSPDCP / EDPB guidelines.
15. Automated decisions and profiling
The Operator does not perform automated decisions that produce legal effects on the User or that significantly affect the User in a similar manner (GDPR art. 22).
In particular:
- The automatic application of contracted plan limits (storage quotas, number of users, OCR volume, etc.) constitutes contractual performance, not profiling.
- Artificial intelligence features (AI assistant, OCR, summarisation, etc.) are tools at the disposal of the User, NOT mechanisms by which the Operator makes decisions about the User.
- Rate-limiting and anti-bot mechanisms are generic security measures, without legal impact on the User.
16. Children’s data
The Service is not intended for persons under 18 years of age. The Operator does not knowingly collect data about minors. If we identify that we have collected data about a minor without valid consent of the parental responsibility holder, we will promptly delete such data.
If you are a parent or guardian and consider that a minor has provided us with personal data, please contact us at office@64bits.it.
17. Sensitive data (Law 190/2018)
17.1 Romanian Personal Numeric Code (CNP)
In accordance with Romanian Law no. 190/2018, the CNP is a special category requiring adequate safeguards. Bits CRM processes CNPs exclusively for the delegated signatory functionality on electronic invoices (e-Factura) — when the User designates a natural person (for example, accountant) to sign fiscal documents on behalf of the entity.
Legal basis: legal obligation (GDPR art. 6(1)(c)) correlated with fiscal requirements regarding electronic signatures on documents transmitted through SPV.
Protection measures:
- Stored encrypted in the database;
- Restricted access to operationally authorised persons;
- Never displayed in clear in logs, e-mails or non-secured interfaces.
Sharing: only with ANAF through the SPV system, in accordance with the legal fiscal obligation. Never with other third parties.
17.2 Other sensitive data (GDPR art. 9)
Bits CRM does not intentionally collect data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for unique identification purposes), data on health, sex life or sexual orientation about the registered User.
If the User, in its capacity as controller, processes such data through the platform about its own end clients (for example, a medical clinic that retains medical notes), this processing is the User’s responsibility and is governed by the DPA, not by this Policy.
18. AI data and flows to models
18.1 AI features
The Service includes features based on artificial intelligence:
- AI Assistant (answering questions, drafting, summarising);
- OCR for invoices and payments (automatic extraction of fields from scanned documents);
- Embeddings for semantic search (RAG — retrieval-augmented generation).
18.2 Data flow
When using these features, the relevant content (the question, the scanned document, the text to be indexed) is transmitted to a third-party AI Provider for processing. The response is returned to the Bits CRM application and displayed to the User.
18.3 Trigger
AI operations are triggered exclusively by the User’s action (pressing a button, uploading a document, formulating a query). There is no automatic background indexing without the User’s implicit consent through use of the feature.
18.4 Model training
The Operator exercises reasonable diligence to configure AI services so that the User’s data is not used for training the AI Provider’s models. According to the public terms of the AI Providers used, data transmitted via API is not, by default, used for training public models.
The Operator does not contractually guarantee the AI Provider’s behaviour beyond its public terms and reserves the right to update configurations in accordance with market evolution and provider terms.
18.5 AI content marking
In accordance with art. 50 of EU Regulation 2024/1689 (AI Act), content generated or substantially modified by AI is marked as such in the Service interface.
18.6 Opt-out
The User may choose not to use AI features. It is sufficient not to activate or invoke these features in the interface. Data not involved in AI actions is not transmitted to the AI Provider.
19. Electronic communications
19.1 Transactional communications
The Operator transmits to its Users strictly transactional communications, necessary for the provision of the Service:
- Account confirmation and activation;
- Password reset;
- Two-factor authentication codes;
- Payment confirmations and invoices;
- Security alerts (new authentications from unknown devices, etc.);
- Appointment notifications (confirmations, reminders, cancellations);
- Meeting invitations and shared links;
- In-app mentions triggering e-mails (e.g., on tasks, notes);
- Notifications regarding important changes to the Terms or this Policy;
- Responses to support requests.
These communications are transmitted on the basis of performance of the contract or a legal obligation and do not require the User’s consent — they are an integral part of the provision of the Service.
19.2 Marketing communications — current situation
At present, the Operator does not transmit marketing communications (newsletter, promotions, product recommendations, cross-selling or up-selling communications).
19.3 Marketing communications — future
If the Operator introduces such communications in the future, they will be transmitted only with prior express consent of the recipient (opt-in), in accordance with Romanian Law no. 506/2004 art. 12. Each such communication will include:
- Clear identification of the sender and the commercial nature of the message;
- A simple and free unsubscribe mechanism operational at any time;
- The possibility to withdraw consent without affecting the validity of other transactional communications.
Before any introduction of such mechanisms, this Policy will be updated and notified to Users in accordance with section 20.
20. Modifications to the Policy
The Operator reserves the right to modify this Policy in order to reflect the evolution of the platform, legislative changes or operational decisions.
Prior notification: at least 30 calendar days in advance, by e-mail to the address associated with the account and by in-app notification, except for modifications imposed by mandatory legislative changes (entering into force immediately) or those that are neutral clarifications without adverse effect.
Public versioning: on the dedicated Policy page, with the effective date clearly marked. Previous versions remain archived and accessible for consultation.
Continued use: after the entry into force of the modifications, continued use of the Service amounts to acceptance, within the limits permitted by consumer law (see Terms and Conditions, section 3.4).
21. Contact and Complaints
21.1 Questions and requests to the Operator
For any question or request related to this Policy or to the processing of your data, please use the unique address:
E-mail: office@64bits.it
21.2 Complaint to the supervisory authority
If you consider that the data processing breaches GDPR or national legislation, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
- Website: https://dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, Bucharest
- Can also be contacted through the authority’s online complaints platform.
21.3 Court action
You have the right to apply directly to the competent court of law to protect the rights guaranteed by GDPR. For consumers, the competent court is the one at the consumer’s domicile.
Closing note
Application in BETA stage. The technical configurations described may evolve. Material modifications will be notified in accordance with section 20.
Related documents:
- Data Processing Agreement (DPA) — for the Operator ↔ User relationship when the User processes data about end clients through the platform;
- Acceptable Use Policy (AUP);
- Cookie Policy.
End of Privacy Policy — version 1.0 — 04 May 2026.
The Romanian-language version is the official and prevailing version. This English version is a courtesy translation.