Privacy Policy

1. Controller, scope, and legal standard

This policy describes how Nesqual Tech SRL collects, uses, discloses, and protects personal data when you use our websites, complete forms, create an account, request services, join community features, interact with support, or apply for a role. For most of the flows described here we act as the data controller under the GDPR.

We apply the principles in Article 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and demonstrable accountability.

2. What data we collect and from which sources

Data comes either directly from you, automatically from service use, or from colleagues, stakeholders, or providers involved in a legitimate project engagement.

• Identity and contact data: name, company, role, email, phone number, billing address, and communication history.
• Account and security data: user identifiers, session tokens, login logs, anti-abuse signals, and security events.
• Commercial and operational data: briefs, project documents, tickets, uploaded files, order statuses, invoices, and deliverables.
• Technical data: IP address, browser, operating system, error diagnostics, infrastructure telemetry, and consent preferences.
• Recruitment data, when you apply: CV, cover letter, portfolio, availability, and assessment notes.

3. Explicit legal bases - Article 6 GDPR

We do not process personal data without a legal basis. In practice, we mainly rely on the following bases:

• Art. 6(1)(b) GDPR - performance of a contract: for account creation, onboarding, service delivery, support, project delivery, and account administration.
• Art. 6(1)(c) GDPR - legal obligation: for accounting, tax, record-keeping, lawful authority requests, and mandatory retention duties.
• Art. 6(1)(f) GDPR - legitimate interests: for security, fraud prevention, platform administration, protection of our rights, and service reliability improvements.
• Art. 6(1)(a) GDPR - consent: for non-essential analytics, certain cookies, optional telemetry, and other processing that legally requires opt-in.

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Your rights - Articles 12-21 and Article 77 GDPR

Depending on the situation, you may ask us to carry out one or more of the following actions:

• Art. 15 - access: confirmation of whether we process your data and a copy or meaningful summary of it.
• Art. 16 - rectification: correction of inaccurate or incomplete data.
• Art. 17 - erasure: deletion where there is no overriding legal reason to retain the data.
• Art. 18 - restriction: limitation of processing while a dispute or verification is ongoing.
• Art. 20 - portability: receipt of data you provided in a structured format where the legal basis is contract or consent and the processing is automated.
• Art. 21 - objection: to object to processing based on legitimate interests, including certain limited profiling or communications.
• Art. 77 - complaint: to lodge a complaint with ANSPDCP or another competent authority if you believe your rights have been infringed.

5. Recipients, transfers, and retention

We do not sell personal data. We may share data only as necessary with hosting, observability, communications, payment, security, support, professional advisory, or competent authority recipients.

If a supplier processes data outside the EEA, we rely on Chapter V GDPR mechanisms such as adequacy decisions or Standard Contractual Clauses and assess whether supplementary measures are needed.

• Client and project records are retained for the duration of the contractual relationship and then according to statutory archiving, tax, and limitation periods.
• Security logs and technical diagnostics are retained for as long as reasonably necessary for investigation, audit, and platform defense.
• Recruitment data is retained for the relevant process and, where justified, for a limited period afterwards if law or consent allows it.

6. Security, incidents, and contact

In line with Articles 25 and 32 GDPR, we implement technical and organizational measures proportionate to risk, including access control, environment separation, logging, encrypted transport, credential management, and incident-oriented monitoring.

If a personal data breach occurs, we assess whether it falls within Articles 33 or 34 GDPR and, where required, notify the competent authority and affected individuals within the applicable legal timeframe.