Legal · GDPR

Privacy policy

In short

Egalis calculations run on pseudonymised data (no names, no national ID numbers — only the payroll identifier and sex, the only criterion the Directive permits). Everything is hosted exclusively in the European Union, the website uses cookie-less analytics, and data is exported or permanently deleted on request.

1. The controller

ADDO VISION SOLUTIONS SRL, registered office: Bucharest, Șos. Berceni 96, Monaco Towers, A9.06, Romania, trade register no. J2013010973404, EUID ROONRC.J2013010973404, VAT RO32203240. For any data-related question: office@addovision.ro or +40 722 232 481.

For employee data uploaded by client companies into the application, the client company is the controller and Egalis is the processor — the full rules are in the data processing agreement.

2. What data we process, and why

  • Your account (email, irreversibly hashed password): providing the service — basis: the contract. Kept for as long as the account exists.
  • The payroll data imported by your company (payroll identifier, sex, job title, occupation code, department, working-time fraction, remuneration): the calculations required by the Pay Transparency Directive — basis: the contract with the company plus its legal obligation. No names and no national ID numbers in the calculation data; the Directive explicitly restricts the criteria to sex.
  • Employee names (optional), if the company chooses to import them for day-to-day operations: stored separately, encrypted (AES-256-GCM), visible only to the owner and HR admin roles.
  • Workers’ requests submitted through the public form (employee ID, contact email, message): the legally required answer — basis: the employer’s legal obligation (Art. 7 of the Directive).
  • The audit log (who, what, when, at action level): the legal evidence of compliance — basis: legitimate interest plus legal obligations. It contains no salary data.
  • Website usage statistics: aggregate, cookie-less, without persistent identifiers (Umami, self-hosted by us, in the EU).

3. Where the data lives

Exclusively in the European Union: the servers are at Hetzner Online GmbH (data centres in Germany), on infrastructure we administer. We do not transfer data outside the EU/EEA, and we never sell data, to anyone.

4. For how long

Calculation data and reports: for the duration of the contract, plus the legal retention of reports required by the Directive and national implementing laws, unless the company requests earlier deletion. When a company is deleted, all content data is deleted; the audit log remains as legal evidence (basis: Art. 17(3) GDPR).

5. Your rights

Access, rectification, erasure, restriction, portability, objection — write to the contact address. Employees of client companies exercise their rights first with their employer (the data controller); we support it technically with every request. You may also lodge a complaint with your national data protection authority (for Romania: ANSPDCP, dataprotection.ro).

For companies: full export (JSON) and permanent deletion are buttons in the application, under Governance → Company data — not email requests.

6. Processors

  • Hetzner Online GmbH (Germany) — hosting.
  • Transactional email (legal notifications) is sent from our own server, hosted in the EU — no third-party email provider.
  • Stripe Payments Europe, Ltd. (Ireland) — card payment processing for subscriptions; Stripe receives billing data only, never payroll data.

The complete, up-to-date list is an annex to the DPA.

Updated: 10 July 2026. Figures reflect Directive (EU) 2023/970 as adopted. Member states had to transpose it by 7 June 2026 and may impose stricter national rules — check your country's implementing law (Egalis country editions track them).

Egalis does not provide legal advice; for specific situations, consult an employment lawyer.