Legal · Data Protection Disclosure

Privacy Policy

Version: 2.4
Effective: 22 April 2026
Last updated: 22 April 2026
Applicable law: Romania / EU

At a glance

This Privacy Policy explains how MICRO DIGITAL ELECTRONICS CORP S.R.L. (trading as VENDOR.Energy) processes personal data collected through https://vendor.energy. It is issued under Regulation (EU) 2016/679 (GDPR), Romanian Law No. 190/2018, and Law No. 506/2004. For contractual conditions, see the Terms of Service; for cookies and similar technologies, see the Cookie Policy; for the Company’s statutory identification, see the Legal Notice. To exercise your data-subject rights or for any privacy question, write to info@vendor.energy with subject line [PRIVACY].

01 Who we are

The controller of personal data processed through this Website, within the meaning of Article 4(7) of the GDPR, is the Romanian company identified below:

Legal name: MICRO DIGITAL ELECTRONICS CORP S.R.L.
Trading name / brand: VENDOR.Energy
Registered office: Splaiul Unirii nr. 16, Office 705, Bucharest, Sector 4, Romania
Trade Registry no.: J2024009262405
Fiscal code (CUI): 50047468
Privacy contact: info@vendor.energy (subject line: [PRIVACY])

We have not appointed a Data Protection Officer because our processing activities do not meet the thresholds set out in Article 37(1) GDPR (we are not a public authority, our core activity does not consist of large-scale systematic monitoring, and we do not process special categories of data on a large scale). Privacy matters are handled directly by the controller at the contact above.

02 Scope and applicable law

This Privacy Policy applies to all personal data processed in connection with your use of our Website and related communication channels. Processing is governed by:

  • Regulation (EU) 2016/679 (GDPR);
  • Romanian Law No. 190/2018 on measures for the application of the GDPR;
  • Romanian Law No. 506/2004 on processing personal data in electronic communications;
  • Directive 2002/58/EC (ePrivacy Directive) as implemented in Romania.

03 What data we collect

3.1 Data you provide directly

Qualified inquiry form (contact page): full name, work email, phone number (optional), organisation, role, inquiry type, deployment context (optional), message content.

Investor and partnership inquiries: contact information, professional background, stated investment or collaboration interest, and any information you choose to include in your submission.

R&D voluntary contributions (via PayPal on our Support R&D page): we receive transaction confirmation data from PayPal including your name, email, transaction ID, amount, currency, and transaction timestamp. We do not receive or store your card number, bank account details, or PayPal login credentials — these remain with PayPal as an independent controller. PayPal acts as an independent data controller for payment processing under its own privacy policy and terms. We are not responsible for PayPal’s processing activities; for information on how PayPal processes your data, please consult PayPal’s Privacy Statement.

Newsletter subscriptions (planned service, not yet active): when our newsletter is launched, we will collect your email address and, optionally, your name. A dedicated consent statement will appear at the point of subscription. Until the newsletter is live, no newsletter-related data is being collected.

3.2 Data collected automatically

Server access logs: our hosting provider records your IP address, User-Agent string, requested URL, HTTP status code, referring URL, and timestamp. These logs are retained for up to 14 days for security and troubleshooting purposes and are then automatically deleted.

Analytics data (Google Analytics 4, only with your consent): when you accept analytics cookies through our consent banner, we collect anonymised usage data including pages visited, session duration, device type, approximate geographic location (country-level), and referral source. IP anonymisation is enabled and IP addresses are not stored in a directly identifiable form.

Cookies and similar technologies: strictly necessary cookies (always active), and — subject to your consent — analytics, preferences, and marketing cookies. See Section 09 and our separate Cookie Policy for per-cookie details.

3.3 Data we do not intentionally collect

We do not intentionally request or seek to collect special categories of personal data under Article 9 GDPR (health, biometric, religious, political, trade union, sexual orientation, racial or ethnic origin, genetic data). If you voluntarily include such information in a message to us, we will process it only to the extent necessary to handle your inquiry and will retain it only in accordance with the retention principles set out in Section 07.

04 Why we process your data

Every processing activity on this Website is tied to a specific purpose and a specific legal basis under Article 6 GDPR:

Purpose | Legal basis (Art. 6 GDPR) | Data used
Respond to your qualified inquiry | 6(1)(b) — steps prior to entering into a contract, at your request | Contact form data
Review investor / partnership inquiries | 6(1)(b) — pre-contractual steps at your request | Inquiry data
Process voluntary R&D contributions | 6(1)(b) — contract; 6(1)(c) — accounting and tax obligations | PayPal transaction confirmation
Send the newsletter (once launched) | 6(1)(a) — your explicit consent | Email address, optional name
Website security, abuse prevention, technical operation | 6(1)(f) — legitimate interest in protecting our infrastructure | Server access logs
Analytics and website improvement | 6(1)(a) — your consent (via consent banner) | GA4 analytics data
Legal and regulatory compliance | 6(1)(c) — legal obligation | As required by law
Defending legal claims | 6(1)(f) — legitimate interest | Minimum data necessary

Where we rely on legitimate interest, we have conducted a balancing test weighing our interest against your rights and freedoms. This includes ensuring that (i) processing is limited to what is strictly necessary, (ii) no disproportionate impact on your rights occurs, and (iii) you retain the right to object at any time. You have the right to object to processing based on legitimate interest — see Section 08.

05 Who receives your data

We do not share, rent, trade, or otherwise make your personal data available to third parties for their own independent commercial purposes. We disclose personal data only to service providers and other recipients where necessary for the purposes described in this Policy. Different GDPR roles apply to different recipients: where a recipient acts as our processor, it is bound by a written data processing agreement under Article 28 GDPR; where a recipient acts as an independent controller, its own privacy policy and legal obligations apply.

5.1 Processors acting on our behalf (Article 28 GDPR)

These recipients process personal data strictly on our documented instructions under a signed Data Processing Agreement:

Recipient | Role | Location
Hetzner Online GmbH | Website hosting infrastructure | Germany (EU)
OnTheGoSystems Limited (WPML) | Multilingual website management | Cyprus (EU)
Intuit Mailchimp (if and when newsletter launches) | Newsletter delivery | United States

5.2 Independent controllers and third-party recipients

These recipients determine the purposes and means of processing for their own operations; they are not acting on our instructions. Their processing of your data is governed by their own privacy policies:

Recipient | Role | Location | GDPR status
PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing for R&D contributions | Luxembourg (EU) | Independent controller
Google Ireland Limited / Google LLC | Website analytics (GA4) — only with your consent | Ireland (EU) / United States | Recipient; Google processes data under its applicable privacy terms and, where relevant, its data processing terms

5.3 Other disclosures

We may additionally disclose personal data to (i) our legal advisors, tax advisors, or auditors under professional confidentiality; (ii) law enforcement, supervisory authorities, or courts where required by applicable EU or Romanian law; (iii) a successor entity in the event of a merger, acquisition, or corporate restructuring, in which case you will be notified and retain all rights under GDPR.

06 International data transfers

Our primary infrastructure, including hosting and all stored personal data, is located within the European Economic Area (EEA). In two specific cases data may be transferred outside the EEA:

Google Analytics (GA4): when you consent to analytics cookies, Google may transfer analytics data to Google LLC in the United States. This transfer is covered by the EU-U.S. Data Privacy Framework (Google LLC is a certified participant) and, additionally, by Standard Contractual Clauses (Commission Decision (EU) 2021/914). We have configured GA4 with IP anonymisation enabled.

Mailchimp (only after newsletter launch): subject to the same EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Until the newsletter is live, no data is transferred to Mailchimp.

Schrems II acknowledgement. Following the Schrems II ruling (CJEU C-311/18), we acknowledge that U.S. law may permit access to personal data by public authorities under FISA Section 702 and Executive Order 12333. The EU-U.S. Data Privacy Framework, adopted by the European Commission on 10 July 2023, provides additional safeguards including a redress mechanism before the Data Protection Review Court. You may request a copy of the Standard Contractual Clauses and transfer impact assessment by contacting us at info@vendor.energy.

07 How long we keep your data

Category | Retention period
Contact form inquiries | 24 months from last meaningful interaction, then deleted
Investor / partnership inquiries without follow-up | 24 months from last contact
Investor / partnership inquiries leading to an active engagement | Duration of the engagement plus 3 years
PayPal transaction records (R&D contributions) | 10 years, per Romanian Accounting Law No. 82/1991
Newsletter subscription (post-launch) | Until you unsubscribe; then deleted within 30 days
Server access logs | 14 days, then automatically deleted
Google Analytics data | Up to 14 months, as configured in our Google Analytics property (GA4 default maximum)
Cookie consent records | 12 months, to demonstrate compliance with Art. 7(1) GDPR

Where a longer retention period is required by specific statutory obligations (for example, tax or commercial law), we retain only the minimum data necessary to satisfy that obligation.

08 Your rights

Under GDPR you have the following rights regarding your personal data:

  • Access (Art. 15): obtain confirmation whether we process your data and receive a copy;
  • Rectification (Art. 16): correct inaccurate or incomplete data;
  • Erasure (Art. 17): request deletion of your data where GDPR grounds apply;
  • Restriction of processing (Art. 18): limit our use of your data in defined circumstances;
  • Data portability (Art. 20): receive your data in a structured, machine-readable format;
  • Objection (Art. 21): object to processing based on legitimate interest; absolute right to object to direct marketing;
  • Withdrawal of consent (Art. 7(3)): where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing;
  • Lodge a complaint (Art. 77): with a supervisory authority — in Romania, ANSPDCP (see Section 15); or with the supervisory authority of your EU country of residence.

How to exercise your rights. Send a written request to info@vendor.energy or by post to the registered office in Section 01. We will respond within one month of receipt (Art. 12(3) GDPR), extendable by up to two further months for complex or multiple requests, in which case we will inform you of the extension within the initial one-month period. We may request proof of identity where we have reasonable doubts, strictly for the purpose of preventing unauthorised access to your data. Exercising your rights is free of charge; we reserve the right to charge a reasonable fee or refuse manifestly unfounded or excessive requests under Art. 12(5) GDPR.

09 Cookies and tracking

Our Website uses cookies and similar technologies. Strictly necessary cookies are set automatically because they are required to deliver the service you explicitly requested (for example, security, session integrity, language preference). All other categories — preferences, analytics, marketing — are set only after you give consent through our cookie banner.

You can review or withdraw your cookie consent at any time by clicking the cookie settings link in the Website footer. For a full, per-cookie breakdown of categories, providers, purposes, and durations, please see our separate Cookie Policy.

10 Data security

We implement appropriate technical and organisational measures under Article 32 GDPR to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

  • TLS 1.2+ encryption for all data in transit;
  • Hosting in ISO 27001-certified EU data centres (Hetzner, Germany);
  • Access controls on administrative systems, including strong authentication requirements;
  • Regular software updates and security patching;
  • Signed Data Processing Agreements with processors acting on our behalf, as identified in Section 5.1;
  • Principle of data minimisation applied at design stage (Privacy by Design, Art. 25).

11 Data breach notification

In the event of a personal data breach, we will notify the competent supervisory authority (ANSPDCP) without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (Art. 34 GDPR), except where one of the exceptions in Art. 34(3) applies.

12 Children

Our services are directed to adults in a professional capacity. We do not knowingly collect personal data from persons under 16 years of age. If we become aware that data belonging to a person under 16 has been submitted to us, we will delete it without undue delay in accordance with Art. 17 GDPR. If you believe a minor has provided us with personal data, please contact us at info@vendor.energy.

13 Automated decision-making

We do not make any decision concerning you based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

14 Changes to this Policy

We may update this Privacy Policy to reflect changes in our processing activities, applicable law, or supervisory-authority guidance. The effective date at the top of this document always reflects the current version. Material changes will be communicated through a prominent notice on the Website and, where consent is the legal basis affected, we will seek renewed consent before acting on the change. Prior versions are kept in our records and available on request.

15 Governing law, jurisdiction, and supervisory authority

This Privacy Policy is governed by Romanian law and applicable EU regulations. Any dispute arising in connection with it that cannot be resolved amicably falls within the exclusive jurisdiction of the competent courts of Bucharest, Romania, without prejudice to your right under Art. 79 GDPR to bring proceedings before the courts of the EU Member State where you habitually reside.

The Romanian supervisory authority is:

Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, 010336 Bucharest, Romania

16 Language

This Privacy Policy is published in English, Romanian, German, and Simplified Chinese. The translations are provided for accessibility and convenience. In case of material discrepancy between the language versions, the English version is considered authoritative for interpretive purposes, without prejudice to any mandatory rule of consumer-protection or administrative law that requires, or gives precedence to, a specific language version.