Privacy Policy

Last updated: October 25, 2025

MICROPIM PRIVACY POLICY

1. INTRODUCTION AND CONTROLLER INFORMATION

1.1 Who We Are

This Privacy Policy explains how Marmix SOFT SRL (“we,” “us,” “our”) collects, uses, processes, and protects your personal data when you use MicroPIM services.

Data Controller:

Legal Name: Marmix SOFT SRL
Registration Number (CUI): 43379669
Trade Registry Number: J40/16251/2020
EUID: ROONRC.J40/16251/2020
D-U-N-S® Number: 66-305-9016
Registered Address: Str. Lujerului 42J, Cod 061135, Bucuresti, Sector 6, Romania
Email: [email protected]

Data Protection Contact:
Marmureanu Andrei
Email: [email protected]

1.2 What This Policy Covers

This Privacy Policy applies to:

  • Website: micropim.net (marketing website)
  • Application: app.micropim.net (PIM platform)
  • Documentation: docs.micropim.net
  • Chrome Extension: MicroPIM browser extension
  • Mobile Applications: iOS and Android apps (when available)
  • All related services provided by Marmix SOFT SRL

This policy describes how we handle personal data when we act as a data controller - that is, when we decide how and why to process your personal data, such as your account information, billing details, and usage data.

1.3 Controller vs. Processor Roles

Important Distinction:

When YOU are the controller (for your customer/product data):

When you upload product catalogs, customer information, or other business data to MicroPIM, you are the data controller for that data and we are the data processor acting on your instructions. This relationship is governed by our Data Processing Addendum (DPA) available at https://micropim.net/contact.

This Privacy Policy does NOT apply to the product data you upload - that is controlled by you. For questions about data in your MicroPIM account from your customers or end users, those individuals should contact you directly as the controller.

When WE are the controller (for your account data):

For personal data about YOU as our customer (your name, email, payment information, usage analytics), we are the controller and this Privacy Policy applies.

1.4 Our Commitment to Privacy

Marmix SOFT SRL is committed to protecting your privacy and complying with:

  • EU General Data Protection Regulation (GDPR)
  • Romanian Law 190/2018 implementing GDPR
  • ePrivacy Directive and Romanian implementing legislation
  • UK GDPR (for UK users)
  • California Consumer Privacy Act (CCPA/CPRA) where applicable
  • Other applicable privacy laws

2. PERSONAL DATA WE COLLECT

We collect personal data in several contexts. The table below shows what we collect, why we collect it, and our legal basis under GDPR.

2.1 Account and Registration Data

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Full name | Account creation, communication, service provision | Contract performance (GDPR Art. 6(1)(b)) | Until account deletion + 31 days |
| Email address | Authentication, communication, support | Contract performance (GDPR Art. 6(1)(b)) | Until account deletion + 31 days |
| Password (cryptographically hashed) | Authentication, security | Contract performance (GDPR Art. 6(1)(b)) | Until account deletion + 31 days |
| Company name | Account identification, service customization | Contract performance (GDPR Art. 6(1)(b)) | Until account deletion + 31 days |
| Job title | Service customization, communication | Legitimate interest (GDPR Art. 6(1)(f)) | Until account deletion + 31 days |
| Phone number (optional) | Support, verification | Contract performance (GDPR Art. 6(1)(b)) | Until account deletion + 31 days |
| Profile photo (optional) | Account personalization | Consent (GDPR Art. 6(1)(a)) | Until removed or account deleted + 31 days |

How we collect it: You provide this directly when registering or updating your profile.

2.2 Billing and Payment Data

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Billing name and address | Invoicing, tax compliance, payment processing | Contract performance (GDPR Art. 6(1)(b)) + Legal obligation (GDPR Art. 6(1)(c)) | 7 years (Romanian tax law requirement) |
| Last 4 digits of payment card | Display for user reference, dispute resolution | Legitimate interest (GDPR Art. 6(1)(f)) | 7 years |
| Card expiration date | Payment processing, card update reminders | Contract performance (GDPR Art. 6(1)(b)) | 7 years |
| Transaction IDs and history | Billing reconciliation, dispute resolution, accounting | Contract performance + Legal obligation | 7 years (Romanian tax law) |
| VAT/Tax ID (if provided) | Tax compliance, invoicing | Legal obligation (GDPR Art. 6(1)(c)) | 7 years |

Important: We do NOT store full payment card numbers or CVV codes. Payment processing is handled by Stripe (PCI-DSS Level 1 certified), which stores your full payment information securely. See Section 4.3 for details about Stripe’s role.

How we collect it: You provide this when subscribing or during checkout.

2.3 Usage and Analytics Data

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address (anonymized - last octet removed) | Security monitoring, fraud prevention, approximate geolocation | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months |
| Browser type and version | Compatibility, technical support | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months |
| Device information (OS, device type) | Service optimization, support | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months |
| Login timestamps and session data | Security monitoring, authentication | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months |
| Feature usage patterns | Product improvement, feature development | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months (anonymized) |
| Pages visited on website | Website optimization, user experience improvement | Consent (GDPR Art. 6(1)(a)) - via cookies | 13 months maximum |
| Navigation patterns in application | Application improvement, UX optimization | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months (anonymized) |
| Server logs | Technical troubleshooting, security | Legitimate interest (GDPR Art. 6(1)(f)) | 90 days |
| Error reports and performance data | Bug fixing, service stability | Legitimate interest (GDPR Art. 6(1)(f)) | 12 months |

How we collect it: Automatically collected through your use of our services, website, and applications.

Analytics Tools Used:

  • First-party analytics: Collected directly by MicroPIM infrastructure
  • Google Analytics: Used on marketing website (micropim.net) and documentation site (docs.micropim.net) with your consent only (see Cookie Policy)
  • Application analytics: Used within app.micropim.net for service improvement

2.4 Communication and Support Data

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Support tickets and messages | Provide customer support, resolve issues | Contract performance (GDPR Art. 6(1)(b)) | 3 years after issue resolution |
| Email correspondence | Communication, support, records | Contract performance + Legitimate interest | 3 years |
| Chat transcripts (if chat support used) | Support, training, quality assurance | Contract performance + Legitimate interest | 3 years |
| Survey responses and feedback | Service improvement, product development | Consent (GDPR Art. 6(1)(a)) | 2 years or until consent withdrawn |
| Call recordings (if applicable) | Support, training, quality assurance | Consent (GDPR Art. 6(1)(a)) - you’ll be notified | 2 years or until consent withdrawn |

How we collect it: You provide this when contacting support, responding to surveys, or communicating with us.

| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address for newsletters | Send product updates, newsletters, promotional content | Consent (GDPR Art. 6(1)(a)) | Until you unsubscribe or 2 years of inactivity |
| Marketing preferences | Respect your communication preferences | Consent (GDPR Art. 6(1)(a)) | Until you withdraw consent |
| Event attendance data | Event organization, follow-up | Consent (GDPR Art. 6(1)(a)) | 2 years after event |
| Facebook Pixel data (website visitors) | Advertising, retargeting campaigns | Consent (GDPR Art. 6(1)(a)) | See Cookie Policy |

Existing Customer Marketing: We may send service-related updates and relevant product information to existing customers based on legitimate interest, with an easy opt-out in every email.

How we collect it: You provide consent through website forms, cookie banners, newsletter signups, or event registrations.

2.6 Data We Do NOT Collect

We do NOT collect or require:

  • Social Security numbers or government ID numbers
  • Financial account details (bank account numbers - payments via Stripe only)
  • Health or medical information
  • Biometric data
  • Information about children under 16
  • Racial or ethnic origin, political opinions, religious beliefs
  • Trade union membership, sexual orientation
  • Criminal history

Customer Responsibility: You must NOT upload any of the above sensitive data to MicroPIM. See Terms and Conditions Section 6.3.

3. HOW WE USE YOUR PERSONAL DATA

3.1 Service Provision and Account Management

We process your account data to:

  • Create and maintain your MicroPIM account
  • Authenticate you when you log in
  • Provide access to the PIM platform and all features
  • Process your subscription and manage billing
  • Provide customer support and technical assistance
  • Communicate about your account, services, and updates

Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to provide the services you subscribed to.

3.2 Payment Processing and Billing

We process billing data to:

  • Process subscription payments via Stripe
  • Generate invoices and receipts
  • Manage subscription renewals and cancellations
  • Handle refund requests (where applicable)
  • Comply with tax and accounting obligations
  • Prevent fraud and payment disputes

Legal Basis: Contract performance (GDPR Article 6(1)(b)) + Legal obligation (GDPR Article 6(1)(c)) for tax compliance.

3.3 Service Improvement and Analytics

We analyze usage data to:

  • Improve MicroPIM features and functionality
  • Optimize user experience and interface
  • Identify and fix bugs and technical issues
  • Monitor service performance and reliability
  • Develop new features based on usage patterns
  • Conduct A/B testing for improvements

We anonymize or aggregate this data whenever possible so it cannot identify you individually.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - we have a legitimate interest in improving our services for all customers.

3.4 Security and Fraud Prevention

We process certain data to:

  • Detect and prevent unauthorized access
  • Monitor for suspicious activity or abuse
  • Protect against fraud and payment issues
  • Enforce our Terms and Conditions
  • Maintain system security and stability
  • Respond to security incidents

This may include analyzing IP addresses, login patterns, and usage anomalies.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - protecting our services and all customers is a legitimate interest that does not override your rights.

With your explicit consent, we may:

  • Send newsletters about MicroPIM updates and features
  • Share product announcements and new releases
  • Provide educational content (webinars, guides, tutorials)
  • Invite you to events or user surveys
  • Send promotional offers and discounts

For existing customers: We may send relevant product information based on legitimate interest, but you can always opt out.

How to opt out:

  • Click “Unsubscribe” in any marketing email
  • Update preferences in your account settings
  • Email [email protected] with your request

Opting out of marketing does NOT stop:

  • Service-related emails (receipts, account notifications)
  • Support responses
  • Legal or security notifications

Legal Basis: Consent (GDPR Article 6(1)(a)) for marketing to non-customers. Legitimate interest for existing customer marketing with easy opt-out.

We may process your data when necessary to:

  • Comply with legal obligations (tax laws, court orders, regulatory requirements)
  • Respond to lawful requests from authorities
  • Protect our rights, property, or safety
  • Protect customers’ rights and safety
  • Enforce our Terms and Conditions
  • Resolve disputes or legal claims

Legal Basis: Legal obligation (GDPR Article 6(1)(c)) or Legitimate interest (GDPR Article 6(1)(f)).

For certain optional features or processing, we will ask for your specific consent:

  • Cookies for analytics and marketing (see Cookie Policy)
  • Testimonials or case studies featuring your name/company
  • Beta program participation
  • Call recordings for support
  • Marketing communications to non-customers

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4. WHO WE SHARE YOUR DATA WITH

4.1 We Do Not Sell Your Personal Data

Marmix SOFT SRL does NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

4.2 Service Providers and Sub-Processors

We share personal data with trusted service providers who process data on our behalf to deliver services. These processors are contractually obligated to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Not use data for their own purposes
  • Comply with GDPR requirements

| Service Provider | Service Provided | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| AWS S3 | Cloud storage for customer product data | Customer Data (products, images, documents) | EU (Frankfurt, Germany) or US (configurable) | EU Standard Contractual Clauses + EU-US Data Privacy Framework + Encryption |
| AWS Cognito | User authentication and management | Account credentials (email, hashed passwords) | [eu-central-1] | EU Standard Contractual Clauses + EU-US DPF + Encryption |
| Stripe | Payment processing | Billing name/address, card information, transaction data | US (EU operations) | PCI-DSS Level 1 + EU Standard Contractual Clauses + EU-US DPF |
| Hetzner | Server hosting | All platform data | Germany (Frankfurt) and Finland (Helsinki) | Data remains in EU, German data protection laws apply |
| Cloudflare | CDN, DNS, DDoS protection | IP addresses (minimal data), domain requests | Global network (US headquarters) | EU-US DPF certified + Minimal data collection |
| Google Analytics | Website analytics (consent-based) | Anonymized IP, pages visited, browser info | US | EU Standard Contractual Clauses + IP anonymization + Data Processing Amendment + Consent required |
| Facebook/Meta | Marketing pixels and advertising (consent-based) | Cookie data, page views | US | EU Standard Contractual Clauses + Consent required |

Full, current list: We maintain an updated list of all subprocessors at https://micropim.net/contact and will notify you 30 days before adding new subprocessors.

4.3 Stripe Payment Processing

Stripe handles all payment processing. When you enter payment information:

  • Data is transmitted directly to Stripe’s secure servers
  • We never receive or store your full credit card number or CVV
  • We only store last 4 digits and expiration for display purposes
  • Stripe is PCI-DSS Level 1 certified (highest security standard)
  • Stripe’s privacy policy: https://stripe.com/privacy
  • Stripe acts as a data processor under our instructions

4.4 Data Transfers Outside the EEA

Some of our processors are located outside the European Economic Area (EEA). We ensure adequate protection for these transfers through:

EU Standard Contractual Clauses (SCCs):

  • We use the European Commission’s 2021 Standard Contractual Clauses
  • SCCs are contractual commitments between us and processors to protect your data
  • We have executed SCCs with AWS, Stripe, Cloudflare, Google, and Meta

EU-US Data Privacy Framework (DPF):

  • Several processors are certified under the EU-US DPF program
  • DPF provides adequacy for transfers to certified US companies
  • We use SCCs as primary mechanism with DPF as supplementary safeguard

Transfer Impact Assessments:

  • We have conducted assessments of third-country laws and surveillance risks
  • We implement supplementary measures including encryption and access controls
  • We monitor legal developments (potential Schrems III) and adjust as needed

UK Adequacy:

  • EU adequacy for UK data transfers is currently valid until December 2025
  • We use UK Addendum to SCCs as contingency
  • We monitor UK adequacy status and will implement additional safeguards if needed

You have the right to obtain information about these safeguards by contacting [email protected].

We may disclose personal data if required by law or necessary to:

  • Comply with legal process (court orders, subpoenas, warrants)
  • Respond to lawful requests from authorities
  • Enforce our Terms and Conditions
  • Protect our rights, property, or safety
  • Protect rights, property, or safety of customers or the public
  • Detect, prevent, or address fraud, security, or technical issues

Where legally permitted, we will:

  • Notify you before disclosure
  • Challenge overly broad or inappropriate requests
  • Provide only the minimum data necessary

4.6 Business Transfers

If Marmix SOFT SRL is involved in a merger, acquisition, asset sale, or bankruptcy:

  • Your personal data may be transferred to the acquiring entity
  • We will notify you before your data is transferred and becomes subject to different privacy practices
  • You have the right to object or delete your account before transfer

We may share data with third parties when you explicitly consent, such as:

  • Testimonials or case studies (with your permission)
  • Public reviews or feedback (if you choose to post)
  • Integrations you enable with third-party services
  • Co-marketing events with partners (with your consent)

5. DATA RETENTION

5.1 General Retention Principles

We retain personal data only as long as necessary for:

  • The purposes for which it was collected
  • Compliance with legal obligations
  • Resolution of disputes
  • Enforcement of agreements

5.2 Retention Periods by Data Type

| Data Type | Retention Period | Reason |
|---|---|---|
| Active Account Data | Duration of customer relationship | Service provision |
| Closed Account Data | 31 days after account deletion | Allow recovery if deletion was accidental |
| Payment and Billing Records | 7 years after transaction | Romanian tax law requirement (fiscal records) |
| Invoices and Tax Documents | 7 years | Legal obligation |
| Usage and Analytics Data | 12 months (anonymized thereafter) | Service improvement |
| Server Logs | 90 days | Security monitoring |
| Support Tickets | 3 years after resolution | Reference and quality assurance |
| Email Correspondence | 3 years | Business records |
| Marketing Consent Records | 2 years after consent withdrawal or last engagement | Compliance with consent requirements |
| Backup Data | Up to 31 days | Disaster recovery |

5.3 Account Deletion

When you delete your account or we terminate your subscription:

Immediate actions:

  • Account access is disabled
  • Deletion countdown begins (31 days)
  • Notification email sent explaining process

During 31-day grace period:

  • Data remains available for recovery if deletion was accidental
  • Self-service export tools available
  • You can reactivate account
  • Reminder emails sent (7 days and 1 day before final deletion)

After 31 days:

  • Permanent deletion of all Customer Data from:
    • Production databases
    • Backup systems
    • All storage infrastructure
  • Anonymization of analytics data (cannot identify you)
  • Retention only of:
    • Billing records (7 years for tax compliance)
    • Legal records if required by law
    • Anonymized aggregated data

Immediate deletion: You can request immediate deletion by emailing [email protected]. We will process this within 30 days of your request.

Note: Deleted data cannot be recovered. Export all needed data before deletion.

5.4 Marketing Data Retention

  • Active subscribers: Until you unsubscribe
  • After unsubscribe: Consent withdrawal recorded, marketing data deleted within 30 days
  • Inactive subscribers: Automatically removed after 2 years of no engagement
  • Consent records: Retained for 2 years after withdrawal to prove compliance

In rare cases, we may need to retain data beyond normal periods due to:

  • Active legal proceedings or investigations
  • Regulatory investigations or audits
  • Disputes or claims

We will notify you if your data is subject to a legal hold.

6. DATA SECURITY

6.1 Security Measures

We implement comprehensive security measures to protect your personal data:

Technical Measures:

  • Encryption in transit: TLS 1.2+ for all data transmissions
  • Encryption at rest: AES-256 encryption for stored data
  • Password security: Bcrypt hashing with salts (industry standard)
  • Access controls: Role-based access, principle of least privilege
  • Multi-factor authentication: Available for user accounts
  • Firewall protection: Network-level security
  • Intrusion detection: Real-time monitoring for threats
  • DDoS protection: Via Cloudflare
  • Regular security updates: Patching and vulnerability management
  • Secure development practices: Security built into development lifecycle

Organizational Measures:

  • Staff training: Regular security and privacy training for all employees
  • Background checks: For employees with data access
  • Confidentiality agreements: All staff sign NDAs
  • Access logging: All data access is logged and monitored
  • Security policies: Comprehensive information security policies
  • Incident response plan: Documented procedures for security breaches
  • Vendor security: Due diligence on all processors and service providers
  • Physical security: Secure data centers (Hetzner) with 24/7 monitoring

Certifications and Audits:

  • [SPECIFY WHEN OBTAINED: ISO/IEC 27001:2013]
  • [SPECIFY WHEN OBTAINED: SOC 2 Type II]
  • Regular security audits and penetration testing
  • Continuous security monitoring

6.2 Your Security Responsibilities

You are responsible for:

  • Choosing a strong, unique password
  • Keeping your password confidential
  • Not sharing account credentials
  • Enabling multi-factor authentication
  • Logging out after using shared computers
  • Promptly notifying us of unauthorized access ([email protected])
  • Keeping your email account secure (we use it for password resets)

6.3 No Absolute Security

While we implement strong security measures, no system is completely secure. We cannot guarantee:

  • Absolute security of data transmitted over the internet
  • Complete protection against all cyber threats
  • Prevention of all unauthorized access

We continuously improve our security but cannot warrant that data will never be compromised. You use the services at your own risk regarding security.

6.4 Data Breach Notification

In the event of a data breach affecting your personal data:

Within 72 hours of discovery:

  • We will notify the Romanian supervisory authority (ANSPDCP - Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)

Without undue delay:

  • If the breach creates high risk to your rights and freedoms, we will notify you directly via email
  • Notification will include:
    • Nature of the breach
    • Likely consequences
    • Measures taken or proposed
    • Contact point for more information

Our response:

  • Immediate containment and investigation
  • Remediation of vulnerabilities
  • Cooperation with authorities
  • Transparent communication with affected individuals

If you believe your data has been compromised, contact us immediately at [email protected].

7. YOUR PRIVACY RIGHTS UNDER GDPR

As a data subject under GDPR, you have the following rights:

7.1 Right of Access (Article 15)

You have the right to:

  • Know whether we process your personal data
  • Access your personal data
  • Receive information about how we process your data
  • Obtain a copy of your personal data

How to exercise: Email [email protected] or use our web form at https://micropim.net/contact

Response time: Within 30 days (may be extended by 2 months for complex requests)

What you’ll receive:

  • Confirmation of data processing
  • Copy of your personal data
  • Information about purposes, categories, recipients, retention, sources

Free of charge for the first request. Excessive or repetitive requests may incur reasonable fees.

7.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to exercise:

  • Update directly in your account settings (for account data)
  • Email [email protected] for data you cannot update yourself

Response time: Within 30 days

We will notify recipients of corrections if required by law.

7.3 Right to Erasure / “Right to be Forgotten” (Article 17)

You have the right to request deletion of your personal data when:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and no overriding legitimate grounds exist
  • Data was unlawfully processed
  • Erasure is required by legal obligation
  • Data was collected from a child under 16

How to exercise:

  • Delete your account through account settings (initiates 31-day deletion)
  • Email [email protected] to request immediate deletion

Exceptions: We may refuse deletion when processing is necessary for:

  • Compliance with legal obligations (e.g., 7-year retention for tax records)
  • Establishment, exercise, or defense of legal claims
  • Archived data for public interest, scientific/historical research

Response time: Within 30 days. We will confirm deletion or explain why we cannot delete.

7.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing (we store but don’t actively process) when:

  • You contest the accuracy of data (restricted while we verify)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (restricted while we verify grounds)

How to exercise: Email [email protected]

Response time: Within 30 days

We will notify you before lifting the restriction.

7.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in structured, commonly used, machine-readable format
  • Transmit that data to another controller

Applies when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

How to exercise:

  • Use self-service export tools in your account
  • Email [email protected] for JSON or CSV export

What you’ll receive:

  • Account data (name, email, profile)
  • Usage data (if applicable)
  • Customer Data you uploaded (product catalogs, images)

Formats available: JSON, CSV, XML (depending on data type)

Response time: Within 30 days

7.6 Right to Object (Article 21)

You have the right to object to processing based on:

Legitimate interest (Article 6(1)(f)):

  • You may object for reasons related to your particular situation
  • We will stop processing unless we demonstrate compelling legitimate grounds that override your interests

Direct marketing:

  • You may object at any time to marketing communications
  • We will stop all marketing immediately upon objection
  • No need to provide reasons

How to exercise:

  • Click “Unsubscribe” in marketing emails
  • Update preferences in account settings
  • Email [email protected]

Response time: Immediate for marketing. Within 30 days for other objections.

7.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.

MicroPIM does NOT:

  • Make automated decisions with legal or significant effects
  • Use profiling that produces legal effects
  • Use AI/machine learning for decisions about you

If we implement such processing in the future, we will:

  • Notify you and obtain consent if required
  • Provide information about the logic involved
  • Allow you to obtain human intervention
  • Allow you to express your views and contest the decision

7.8 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to:

  • Withdraw consent at any time
  • Withdraw as easily as it was given

Withdrawal does not affect lawfulness of processing before withdrawal.

Applies to:

  • Marketing communications
  • Cookies (analytics and marketing)
  • Call recordings
  • Optional features requiring consent

How to exercise:

  • Update cookie preferences in cookie banner
  • Click “Unsubscribe” in emails
  • Email [email protected]
  • Update account settings

7.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights.

Romanian Supervisory Authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, România
Phone: +40 318 059 211 or +40 318 059 212
Email: [email protected]
Website: www.dataprotection.ro

For users in other EU countries: You may also contact the supervisory authority in your country of residence.

For UK users:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
Online complaint: https://ico.org.uk/make-a-complaint/

7.10 How to Exercise Your Rights

Contact Us:

Email: [email protected] (Subject: “Privacy Rights Request”)
Postal Address: Marmix SOFT SRL, Str. Lujerului 42J, Cod 061135, Bucuresti, Sector 6, Romania
Web Form: https://micropim.net/contact (recommended for faster processing)

What to Include in Your Request:

  1. Your full name and email address used for your account
  2. Specific right you wish to exercise (access, deletion, etc.)
  3. Description of your request
  4. Proof of identity (to protect your data from unauthorized access)

Identity Verification:

To protect your data, we must verify your identity before processing requests. We may ask for:

  • Government-issued ID (front side only)
  • Additional information only you would know about your account
  • Confirmation from the email address associated with your account

We handle verification data confidentially and delete it after processing your request.

Response Time:

  • Standard: Within 30 days of receiving your request
  • Complex requests: May be extended by 2 months (we’ll notify you and explain the delay)

No Charge:

  • First request is free
  • Excessive, repetitive, or manifestly unfounded requests may incur reasonable administrative fees or be refused

8. ADDITIONAL PRIVACY RIGHTS (US RESIDENTS)

8.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident and we meet CCPA thresholds (100,000+ CA residents or $25M+ revenue), you have additional rights:

Right to Know:

  • Categories and specific pieces of personal information collected
  • Categories of sources
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share data

Right to Delete: Similar to GDPR right to erasure

Right to Correct: Similar to GDPR right to rectification

Right to Opt-Out of “Sale” or “Sharing”:

  • We do NOT sell personal information
  • “Sharing” for cross-context behavioral advertising may occur through Facebook Pixel and Google Analytics (with your consent)
  • Opt out by managing cookie preferences

Right to Limit Use of Sensitive Personal Information: We do not collect or use sensitive personal information beyond what’s necessary for services

Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights

Authorized Agents: You may designate an authorized agent to make requests on your behalf

Contact for California Residents: [email protected] with “California Privacy Request” in subject

8.2 Other US State Privacy Laws

Similar rights may apply under:

  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)

If you are a resident of these states and we meet applicability thresholds, the rights described above for California generally apply to you. Contact [email protected].

8.3 US Marketing Emails (CAN-SPAM)

For US recipients, our marketing emails comply with CAN-SPAM Act:

  • Clearly identified as advertisements
  • Valid physical postal address included
  • Accurate “From” and subject lines
  • Functional unsubscribe mechanism
  • Unsubscribe requests honored within 10 business days

9. CHILDREN’S PRIVACY

9.1 Age Restrictions

MicroPIM is NOT directed to children and we do NOT knowingly collect personal data from children under 16 years of age (or under 13 in some jurisdictions).

You must be at least 18 years old or the age of legal majority in your jurisdiction to use MicroPIM services.

9.2 Parental Discovery

If we learn that we have collected personal data from a child under 16 without parental consent:

  • We will delete the data as quickly as possible
  • We will terminate the account
  • We will take steps to prevent future collection

Parents/Guardians: If you believe your child has provided us with personal data, contact us immediately at [email protected] and we will delete it.

9.3 Product Data Uploaded by Customers

Customer Responsibility: If you (as our customer) collect data from children through your business and upload it to MicroPIM:

  • YOU are the controller and responsible for GDPR compliance
  • YOU must obtain parental consent where required
  • YOU must ensure lawful processing
  • Our Data Processing Addendum governs this processing

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Overview

We use cookies and similar tracking technologies. Complete information about our cookie practices is available in our Cookie Policy at https://micropim.net/contact.

10.2 Types of Cookies We Use

Strictly Necessary Cookies:

  • Essential for service operation (authentication, session management, security)
  • No consent required under law
  • Used on app.micropim.net for logged-in functionality

Analytics Cookies:

  • Google Analytics on micropim.net and docs.micropim.net
  • Help us understand how visitors use our sites
  • Consent required - only set after you accept
  • IP addresses anonymized

Marketing/Advertising Cookies:

  • Facebook Pixel for retargeting and advertising
  • Help us show relevant ads
  • Consent required - only set after you accept

10.3 Managing Cookies

Cookie Preferences:

  • Manage via cookie banner on first visit
  • Update anytime via “Cookie Settings” link in website footer
  • Access preference center at https://micropim.net/contact

Browser Settings:

  • Disable cookies in browser settings (may affect functionality)
  • Use browser extensions (e.g., uBlock Origin, Privacy Badger)
  • Use private/incognito browsing

Opt-Out Tools:

10.4 Do Not Track (DNT)

We respect Global Privacy Control (GPC) signals from browsers. When we detect GPC:

  • We will not set marketing or analytics cookies
  • We will respect your opt-out preference

Standard DNT signals are not uniformly implemented, but we strive to respect all privacy signals.

Our services may contain links to third-party websites, applications, or services. This Privacy Policy does NOT apply to those external sites.

We are NOT responsible for:

  • Privacy practices of third-party sites
  • Content on third-party sites
  • Security of third-party sites

We encourage you to read privacy policies of every site you visit.

11.2 Third-Party Integrations

If you enable integrations with third-party services (e.g., import/export tools, sales channels):

  • Those services have their own privacy policies
  • You control what data is shared with them
  • We are not responsible for their processing of your data
  • You should review their privacy practices

11.3 Social Media Plugins

We may use social media plugins (e.g., LinkedIn, Twitter share buttons). These plugins may:

  • Set cookies from social media platforms
  • Track your activity across sites
  • Be governed by the social media platform’s privacy policy

We have no control over social media plugins. Consult their privacy policies for information.

12. INTERNATIONAL DATA TRANSFERS

12.1 Where We Operate

Marmix SOFT SRL is based in Romania (EU). However, we use service providers globally, which may result in data transfers to:

  • United States: AWS, Stripe, Google Analytics, Facebook
  • Other EU Countries: Germany (Hetzner, AWS Frankfurt), Finland (Hetzner)
  • Global CDN: Cloudflare (US-based, global network)

12.2 Safeguards for International Transfers

For transfers from EU/EEA to third countries:

We implement multiple layers of protection:

  1. EU Standard Contractual Clauses (2021 version):
     • Contractual commitments approved by European Commission
     • Module 2 (controller to processor) with all applicable modules
     • Executed with AWS, Stripe, Google, Meta, Cloudflare
  2. EU-US Data Privacy Framework:
     • Adequacy mechanism for transfers to certified US companies
     • AWS, Stripe, Cloudflare, Meta are DPF-certified
     • We use as supplementary safeguard, not primary reliance
  3. Transfer Impact Assessments (TIAs):
     • Evaluated risks under third-country laws (FISA 702, EO 12333)
     • Assessed supplementary measures needed
     • Determined adequate protection exists with SCCs + technical measures
  4. Supplementary Measures:
     • Encryption (TLS 1.2+, AES-256)
     • Pseudonymization where practical
     • Access controls and authentication
     • Minimization of data transfers
     • Contractual restrictions on government access

UK Transfers:

  • EU adequacy for UK valid until December 2025
  • UK Addendum to SCCs implemented as contingency
  • We monitor UK legal developments and will adjust as needed

Switzerland:

  • Swiss Federal Act on Data Protection (FADP) compliance
  • Swiss version of SCCs or EU SCCs with Swiss adaptation

12.3 Your Rights Regarding Transfers

You have the right to:

  • Obtain information about transfer safeguards
  • Receive copy of SCCs (with redactions for confidential information)
  • Object to transfers if adequate protection not provided
  • Lodge complaint with supervisory authority about transfers

Contact [email protected] for information about specific transfers.

12.4 Data Residency Options

Default: Data stored in Hetzner EU (Frankfurt/Helsinki) with some processing in US (Stripe, analytics)

EU-Only Option: [If you plan to offer this] Contact us about EU-only data residency where all data remains in EU regions

13. CHANGES TO THIS PRIVACY POLICY

13.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in our data processing practices
  • New features or services
  • Legal or regulatory requirements
  • Best practices and security improvements

13.2 Notification of Changes

Material changes:

  • We will notify you at least 30 days before changes take effect
  • Notice via email to your registered address
  • Prominent notice on website and application
  • We may request renewed consent for significant changes

Non-material changes:

  • Posted at micropim.net/privacy
  • Effective date updated
  • No prior notice required

13.3 Your Choices

If you do not agree to the updated Privacy Policy:

  • You may delete your account before effective date
  • You may object to processing under new terms
  • We will process your data under previous terms until account deletion

Continued use of services after effective date constitutes acceptance.

13.4 Version History

We maintain a version history of Privacy Policy updates. Previous versions available upon request at [email protected].

Current Version: 1.0
Effective Date: October 25, 2025
Last Updated: October 25, 2025

14. CONTACT US

14.1 Data Protection Contact

For questions about this Privacy Policy or our data practices:

Data Protection Contact: Marmureanu Andrei
Email: [email protected]
Subject Line: “Privacy Inquiry”

Postal Address:
Marmix SOFT SRL
Str. Lujerului 42J, Cod 061135
Bucuresti, Sector 6, Romania

14.2 Privacy Rights Requests

To exercise your privacy rights (access, deletion, etc.):

Preferred Method: Web form at https://micropim.net/contact
Email: [email protected] (Subject: “Privacy Rights Request”)
Response Time: Within 30 days

14.3 Data Protection Authority

If we cannot resolve your concern, contact the supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, România
Phone: +40 318 059 211 / +40 318 059 212
Email: [email protected]
Website: www.dataprotection.ro

14.4 Security Incidents

To report suspected security incidents or data breaches:

Email: [email protected]
Subject: “URGENT - Security Incident”


15. ACKNOWLEDGMENT

By using MicroPIM services, you acknowledge that:

✓ You have read and understood this Privacy Policy
✓ You understand how we collect, use, and protect your personal data
✓ You understand your privacy rights and how to exercise them
✓ You agree to our processing of your personal data as described herein
✓ You understand the difference between our role as controller (your account data) and processor (your customer data)

If you do not agree with this Privacy Policy, do not use MicroPIM services.


Version: 1.0
Effective Date: October 25, 2025
Last Updated: October 25, 2025
Language: This Privacy Policy is available in English and Romanian. For Romanian consumers, the Romanian version controls per Romanian law (OUG 34/2014).

© 2025 Marmix SOFT SRL. All rights reserved.
