Legal · GDPR
Privacy policy
In short
1. The controller
ADDO VISION SOLUTIONS SRL, registered office: Bucharest, Șos. Berceni 96, Monaco Towers, A9.06, Romania, trade register no. J2013010973404, EUID ROONRC.J2013010973404, VAT RO32203240. For any data-related question: office@addovision.ro or +40 722 232 481.
For employee data uploaded by client companies into the application, the client company is the controller and Egalis is the processor — the full rules are in the data processing agreement.
2. What data we process, and why
- Your account (email, irreversibly hashed password): providing the service — basis: the contract. Kept for as long as the account exists.
- The payroll data imported by your company (payroll identifier, sex, job title, occupation code, department, working-time fraction, remuneration): the calculations required by the Pay Transparency Directive — basis: the contract with the company plus its legal obligation. No names and no national ID numbers in the calculation data; the Directive explicitly restricts the criteria to sex.
- Employee names (optional), if the company chooses to import them for day-to-day operations: stored separately, encrypted (AES-256-GCM), visible only to the owner and HR admin roles.
- Workers’ requests submitted through the public form (employee ID, contact email, message): the legally required answer — basis: the employer’s legal obligation (Art. 7 of the Directive).
- The audit log (who, what, when, at action level): the legal evidence of compliance — basis: legitimate interest plus legal obligations. It contains no salary data.
- Website usage statistics: aggregate, cookie-less, without persistent identifiers (Umami, self-hosted by us, in the EU).
3. Where the data lives
Exclusively in the European Union: the servers are at Hetzner Online GmbH (data centres in Germany), on infrastructure we administer. We do not transfer data outside the EU/EEA, and we never sell data, to anyone.
4. For how long
Calculation data and reports: for the duration of the contract, plus the legal retention of reports required by the Directive and national implementing laws, unless the company requests earlier deletion. When a company is deleted, all content data is deleted; the audit log remains as legal evidence (basis: Art. 17(3) GDPR).
5. Your rights
Access, rectification, erasure, restriction, portability, objection — write to the contact address. Employees of client companies exercise their rights first with their employer (the data controller); we support it technically with every request. You may also lodge a complaint with your national data protection authority (for Romania: ANSPDCP, dataprotection.ro).
For companies: full export (JSON) and permanent deletion are buttons in the application, under Governance → Company data — not email requests.
6. Processors
- Hetzner Online GmbH (Germany) — hosting.
- Transactional email (legal notifications) is sent from our own server, hosted in the EU — no third-party email provider.
- Stripe Payments Europe, Ltd. (Ireland) — card payment processing for subscriptions; Stripe receives billing data only, never payroll data.
The complete, up-to-date list is an annex to the DPA.