Data Processing Transparency Notice
01Purpose of this Notice
This Notice responds to a practical need voiced by investors, prospective partners, and supervisory authorities: a concise disclosure of the processing ecosystem surrounding VENDOR.Energy, complementing the detailed disclosures in the Privacy Policy. It is intended for transparency and due-diligence review rather than promotional purposes. The Notice itself is not a contract, does not require a signature, and does not grant any rights or obligations beyond those already established by the GDPR and by the applicable agreements referred to in this Notice.
Where this Notice refers to processors or to international transfers, the authoritative detail — legal bases, purposes, retention periods, and data subject rights — is set out in the Privacy Policy. Where a divergence between the two documents arises, the Privacy Policy remains the authoritative source for data-subject-facing information.
02Our role under GDPR
With respect to personal data collected and processed through vendor.energy, MICRO DIGITAL ELECTRONICS CORP S.R.L. is the controller. We determine the purposes and the means of processing. We do not offer data-processing services to third parties, and we do not act as a processor on behalf of external controllers. Accordingly, third parties should not construe this Notice as an offer to enter into a processor relationship. Consequently, this Notice does not constitute a Data Processing Agreement within the meaning of Article 28 GDPR; it is a unilateral transparency disclosure.
If, at any future time, VENDOR.Energy engages in service arrangements that would require us to act as a processor, a dedicated Article 28 agreement will be executed with the relevant controller and will govern that specific processing, independently of this Notice.
03Processors engaged on our behalf
The following service providers process personal data on our documented instructions, each bound by a written data processing agreement (DPA) under Article 28 GDPR. The categories of data, purposes, and retention periods that apply to each are described in the Privacy Policy, Section 5.1.
| Processor | Service | Location | Article 28 status |
|---|---|---|---|
| Hetzner Online GmbH | Website hosting infrastructure | Germany (EU) | Covered by Article 28 DPA |
| OnTheGoSystems Limited (WPML) | Multilingual content management | Cyprus (EU) | Covered by Article 28 DPA |
| Intuit Mailchimp | Newsletter delivery (not yet active) | United States | Article 28 DPA to apply upon activation |
Copies of the applicable processor DPAs may, where appropriate, be made available for due-diligence review upon written request to the contact address in Section 08, subject to appropriate confidentiality arrangements and the processor's own disclosure terms.
04Independent controllers we interface with
The following third parties determine the purposes and means of their own processing activities; they are independent controllers, not our processors. Their processing of any personal data they receive is governed by their own privacy policies and legal obligations.
| Party | Role / context | Location | GDPR status |
|---|---|---|---|
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing for voluntary R&D donations | Luxembourg (EU) | Independent controller |
| Google Ireland Limited / Google LLC | Website analytics (GA4) — activated only with consent | Ireland (EU) / United States | Recipient; Google processes under its own privacy terms and, where applicable, its data processing terms |
We have no authority to direct or limit the processing activities these parties conduct for their own purposes. Data subjects seeking information about that processing should consult the privacy policies of the respective parties.
05International data transfer mechanisms
Our primary infrastructure is located within the European Economic Area. Transfers to third countries occur only in the two specific cases described below and rely on the safeguards detailed in the Privacy Policy, Section 06.
- Google Analytics (GA4) — transfers to Google LLC (United States) when analytics cookies are enabled. Covered by the EU–US Data Privacy Framework and Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
- Mailchimp — once the newsletter service is activated, transfers to the United States will be covered by the same EU–US Data Privacy Framework and Standard Contractual Clauses. Until activation, no data is transferred.
06Our commitments as controller
In selecting and supervising the processors listed in Section 03, we apply the following practices consistent with Article 28 GDPR:
- Due diligence before engagement, including review of the processor's technical and organisational measures;
- A written data processing agreement for each processor, specifying purposes, categories of data, duration, confidentiality, security measures, sub-processor terms, data subject assistance, breach notification, and data return or deletion at end of service;
- Documentation of processing activities as required by Article 30 GDPR;
- Periodic review of the relationship and of the processor's continued compliance;
- Notification to data subjects, through the Privacy Policy, of any material change in the set of processors engaged.
07Relationship to other documents
This Notice is one element of a coordinated set of disclosures. For the authoritative and detailed statements, the reader should consult the documents listed below, each of which is authoritative in its respective subject matter.
- Privacy Policy — primary source for data subject rights, legal bases, purposes, categories of data, retention periods, and supervisory authority.
- Legal Notice — statutory company identification, trade registry and EUID.
- Terms of Service — terms governing use of this website and any contractual services.
- Cookie Policy — cookies and similar technologies, consent handling, category breakdown.
08Due-diligence contact
For due-diligence requests — including copies of processor DPAs, Standard Contractual Clauses, or, where appropriate and subject to confidentiality constraints, limited extracts from our records of processing activities — please write to info@vendor.energy with the subject prefix [DD] and a brief description of the documentation requested. Responses are provided under suitable confidentiality arrangements, and specific processor disclosures remain subject to those processors' own release terms.
For data subject rights requests (access, rectification, erasure, objection, and the other rights in Articles 15–22 GDPR), please refer to the Privacy Policy, Section 08, which sets out the contact address and the procedure.
09Governing law, language and changes
This Notice is governed by the law of Romania and by directly applicable European Union law. Where a divergence arises between this Notice and the Privacy Policy, the Privacy Policy remains the authoritative source for data-subject-facing information. The Notice is published in English, Romanian, German, and Simplified Chinese; in case of any material divergence between language versions, the English version is authoritative for interpretive purposes, without prejudice to any mandatory consumer-protection or administrative rule that prescribes or accords priority to a specific language version.
We may update this Notice from time to time to reflect changes in our processor arrangements or in applicable law. The effective date at the top of the document always reflects the current version. Superseded versions are retained internally and may be provided upon request.