Privacy Policy
Last updated: June 2026
This policy explains what personal data sapio.ro processes, why, on what legal basis, who we share it with, and what rights you have. Short version: we collect only what you send us through the contact form or the AI assistant, we set no advertising or analytics cookies, and we never sell data.
Who we are (controller)
The data controller for sapio.ro is SAPIO ARTIFICIAL INTELLIGENCE SYSTEMS SRL (“Sapio”, “we”), a company registered in Bucharest, Romania.
Registered with the Trade Register under no. J40/17363/2021, sole registration code (CUI) RO45038625, registered office Str. Serg. Apostol Constantin nr. 11, București, România.
Privacy contact: privacy@sapio.ro. We are not required to appoint a Data Protection Officer (we carry out no large-scale or special-category processing) and have not appointed one; privacy requests go to the address above. We respond within the legal deadline of one month.
What we collect, why, and on what legal basis
Contact form / project brief — name, company (optional), email address, and your message. Purpose: to respond to your inquiry and prepare a possible collaboration. Legal basis: pre-contractual steps (GDPR Art. 6(1)(b)) together with your consent given via the form checkbox (Art. 6(1)(a)).
Marketing emails — only sent to you if you explicitly opt in. Legal basis: consent (Art. 6(1)(a)), which you can withdraw at any time via the unsubscribe link or by writing to us. We do not rely on any “soft opt-in” — we email only people who opted in.
AI assistant (chat) — the messages you type are processed to generate a reply and to run the service safely (Turnstile, hashed-IP rate-limiting, spam prevention). Legal basis: our legitimate interest in operating and securing the service (Art. 6(1)(f)). Conversations are not linked to your identity unless you include personal data in a message — please don't.
Server logs — our web server records IP addresses in standard access logs for security and troubleshooting. Legal basis: legitimate interest (Art. 6(1)(f)). Submission rate-limiting stores only a one-way hash, never your raw IP address.
Preferences — your language and dark-mode choices are stored in your browser's localStorage. They never leave your device and are not tracking.
Who we share data with (processors)
We disclose personal data only to the service providers we need to operate the site, each acting under a data-processing agreement. Our current processors and sub-processors are:
Anthropic (Claude, model `claude-haiku-4-5`) — generates the AI assistant's replies. Location: United States. Transfer: Standard Contractual Clauses and/or the EU-US Data Privacy Framework where the vendor is certified.
Neon (PostgreSQL) — stores chat transcripts and lead records. Location: EU (eu-central-1) — no transfer outside the EEA.
Cloudflare Turnstile — bot and abuse prevention; loads only when you start interacting with the chat or a form. Location: United States. Transfer: SCC and/or EU-US Data Privacy Framework.
Google Workspace (Gmail SMTP) — delivers lead-notification emails to our inbox. Location: United States. Transfer: SCC and/or EU-US Data Privacy Framework.
Resend — fallback email delivery if the primary route fails. Location: United States. Transfer: SCC and/or EU-US Data Privacy Framework.
Tech Coach CRM (techcoach.ro) — our central customer-relationship-management system, operated within the same company/group, to which contact-form leads are forwarded so we can follow up. Location: EU. As it sits with the same controller/group, this is an internal forward, not a transfer to an unrelated third party.
Hosting (VPS + Caddy edge) — runs the site and produces server logs. Location: EU/US infrastructure.
We never sell your personal data and do not use it for advertising or profiling.
International transfers
Some of the processors above are located in the United States. Where data leaves the European Economic Area, the transfer is protected by the European Commission's Standard Contractual Clauses and/or the EU-US Data Privacy Framework where the vendor is certified. Data stored in Neon's EU region (eu-central-1) does not leave the EEA.
How long we keep it
Contact / CRM records (leads, briefs) — up to 24 months after the last interaction, after which they are anonymized or deleted.
AI assistant transcripts — up to 180 days, then deleted. We keep them for service operation and abuse prevention only.
Server logs — a short operational period only.
If a collaboration leads to invoicing, the related accounting records are kept for as long as Romanian fiscal law requires (up to 10 years); this obligation survives any contact-data deletion.
Your rights
Under the GDPR you can request access to your data, rectification or erasure, restriction of processing, data portability, and you can object to processing or withdraw consent at any time (withdrawal does not affect processing already carried out). To exercise any of these, write to privacy@sapio.ro or use the contact form.
You also have the right to lodge a complaint with the Romanian supervisory authority: ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, B-dul G-ral Gheorghe Magheru 28-30, Sector 1, Bucharest — anspdcp.ro.
Cookies
We use only essential, functional storage and set no analytics, advertising, or tracking cookies. The full breakdown is in our Cookie Policy.
Security
We use appropriate technical and organizational measures to protect personal data — encrypted transport (HTTPS), access controls on the database and admin panel, and data minimization. No method of transmission or storage is perfectly secure, but we work to protect your data and to disclose any incident as required by law.
Changes to this policy
We update this page when our processing changes and revise the “Last updated” date above. Significant changes will be highlighted on this page.
Contact
For any question about this policy or your data, write to privacy@sapio.ro or use the contact form.