Privacy and Personal Data Protection Policy
1. Who we are
This website, arapova.org (the "Site"), is operated by ARAPOVA Counsel S.R.L., a business consulting company incorporated in Romania, registered with the Trade Registry under no. J2025057023000, fiscal code CUI 52247888, with its registered office at Strada Vaselor 60, Sector 2, Bucharest, Romania (the "Company", "we").
For the purposes of Regulation (EU) 2016/679 (the "GDPR") and Romanian Law no. 190/2018, the Company is the data controller of the personal data described in this Policy.
Contact for all data protection matters:
- Email: [email protected]
- Phone: +40 757 275 394 / +380 95 401 0000
- Post: Strada Vaselor 60, Sector 2, Bucharest, Romania
2. Scope of this Policy
This Policy explains how we collect and use personal data when you visit the Site, contact us through it, or engage the Company for consulting services. Where you are a client, this Policy applies alongside the confidentiality terms of your service agreement.
The Company provides business consulting services. It is not a law firm, and the information on the Site does not constitute legal advice. Where a matter requires acts reserved to regulated professions — court representation, notarial acts, certified translations — these are performed by licensed professionals engaged for that purpose, as described in Section 5.
3. What data we collect
a) Data you give us through the contact form or by email: full name, email address, phone number (optional), the service area selected, and the description of your situation that you choose to provide.
b) Data collected when you become a client: identification data required by the engagement and by law (identity document details, address, tax identification where relevant), data contained in the documents of your matter, billing and payment data, and correspondence.
c) Data collected automatically when you visit the Site: technical data such as IP address, browser type, device type, pages visited, and the language preference you select. Cookies are addressed separately in our [Cookie Policy].
d) Special categories of data. Some engagements may, by their nature, involve sensitive data — for example, data contained in civil status, migration, or citizenship documents you ask us to assist with. We process such data only where the engagement requires it, on the basis of your explicit consent (Art. 9(2)(a) GDPR) or, where applicable, for the establishment, exercise, or defence of legal claims (Art. 9(2)(f) GDPR). Please do not include sensitive information in the initial contact form unless it is necessary to describe your request.
We do not knowingly collect data from children under 16 through the Site. The Site does not use data for automated decision-making or profiling.
4. Why we process your data, and on what legal basis
a) To respond to your inquiry. When you write to us through the contact form or by email, we process the data you provide in order to answer you and, where relevant, to prepare an offer of services. The legal basis is Art. 6(1)(b) GDPR — steps taken at your request prior to entering into a contract — together with the consent you give when submitting the form (Art. 6(1)(a) GDPR).
b) To provide our services. Once an engagement is signed, we process the data necessary to perform it — the documents of your matter, correspondence, and coordination with the institutions and professionals involved. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
c) To meet our legal obligations. We process identification, billing, and payment data for invoicing, accounting, tax compliance, and any client identification required by law. The legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR).
d) To keep the Site running and secure. Technical data such as IP addresses and access logs is processed to operate the Site, prevent abuse, and diagnose faults. The legal basis is our legitimate interest in maintaining a functional, secure website (Art. 6(1)(f) GDPR).
e) To protect the Company's rights. Where necessary, we retain and use data to establish, exercise, or defend legal claims — for example, in a payment dispute. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR).
We do not use your data for marketing, we do not send newsletters unless you have expressly requested one, and we never sell personal data.
5. Who can access your data
Personal data is accessed only by the Company and, strictly to the extent necessary, by:
- Service providers acting as processors under contract: website hosting, email infrastructure, accounting services, and IT support. Each is bound by confidentiality and data-processing obligations under Art. 28 GDPR.
- Public authorities and institutions, where disclosure is required to carry out your engagement or by law — for example, in connection with filings you have mandated us to assist with before immigration authorities, civil status offices, the land registry, or other competent bodies.
- Licensed professionals engaged for your matter — lawyers, notaries, certified translators, or other specialists — under confidentiality obligations, and only with your knowledge.
All data connected to a client engagement is treated as confidential under the terms of the service agreement.
6. Transfers outside the European Economic Area
Because the Company's work spans Romania and Ukraine, data connected to a cross-border engagement may be transferred to Ukraine — for example, to Ukrainian authorities, institutions, or collaborating professionals involved in your matter. Ukraine is not covered by an EU adequacy decision; such transfers are made under Art. 49(1)(b) and (e) GDPR (necessity for the performance of your contract or for the establishment, exercise, or defence of legal claims), and, where applicable, under standard contractual clauses concluded with service providers. We transfer only what the specific engagement requires.
7. How long we keep your data
- Inquiries that do not become engagements: up to 2 years from the last contact, after which they are deleted, unless retention is needed to defend a legal claim.
- Client files: for the duration of the engagement and thereafter for the general limitation period applicable to contractual claims — as a rule 3 years, extended where a specific legal obligation or an ongoing matter requires it.
- Accounting and billing records: the statutory archiving periods under Romanian fiscal law (currently up to 10 years).
- Technical Site data: see the [Cookie Policy].
When a retention period expires, data is deleted or irreversibly anonymised.
8. How we protect your data
We apply technical and organisational measures appropriate to the sensitivity of the work: encrypted transmission (HTTPS), access restricted to persons bound by confidentiality, secure storage of client files, and contractual safeguards with every processor. No internet transmission is entirely risk-free; if a breach likely to affect your rights occurs, we will notify you and the supervisory authority as required by Art. 33–34 GDPR.
9. Your rights
Under the GDPR you have the right to:
- access the data we hold about you (Art. 15);
- rectification of inaccurate or incomplete data (Art. 16);
- erasure, where the conditions of Art. 17 are met;
- restriction of processing (Art. 18);
- data portability, for data processed by automated means on the basis of consent or contract (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, write to [email protected]. We respond within one month, extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR. Please note that some rights — in particular erasure — may be limited by statutory archiving obligations.
You also have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
www.dataprotection.ro · [email protected]
10. Changes to this Policy
We may update this Policy to reflect changes in the law or in our practice. The current version, with its date, is always published on this page. Material changes affecting existing clients will be communicated directly.