Privacy Policy
How QATESTINGPLUS SRL collects, uses, shares and protects personal data when you visit qatestingplus.com or work with us — and the rights you have under the GDPR.
Last updated: 27 May 2026
Data controller
- Company: QATESTINGPLUS SRL
- Registered office: Str. Ing. Zablovschi 10, Birou 1, Sector 1, 011313 București, Romania
- Trade Register: J2021014443409
- Registration code (CUI): 44774518 (VAT RO44774518)
- Email: contact@qatestingplus.com
- Data Protection Officer: Not appointed — data protection enquiries: contact@qatestingplus.com
Summary of key points
This summary highlights the essentials; the full detail follows below.
We are QATESTINGPLUS SRL, a QA and software-engineering studio in Bucharest, and we are the controller of the data described here. We collect only what we need — mainly the details you send us through the contact form or by email, and the information you share while we scope or deliver work. We do not sell your data, we do not run advertising trackers, and today the site uses only a strictly-necessary cookie. You have strong rights over your data — access, correction, deletion, objection and more — and you can complain to the Romanian supervisory authority, ANSPDCP. To exercise any right, email contact@qatestingplus.com.
1. Who we are and what this policy covers
QATESTINGPLUS SRL ("QATestingPlus", "we", "us") is a QA and software-engineering studio based in Bucharest, Romania, registered with the Trade Register under no. J2021014443409, CUI 44774518. We are the controller of the personal data described in this policy and we determine why and how it is processed.
This policy applies to personal data we process when you browse this website, contact us, or engage our services. It does not cover third-party websites we link to, which have their own policies.
Two distinct roles. When we handle data about you as a visitor or prospective client, we act as a controller (this policy applies). When we test or build software for a client and, in doing so, process personal data held inside that client's systems, we act as a processor on the client's documented instructions under a separate data-processing agreement (DPA); there, the client's own privacy notice governs and this policy does not apply to that data.
2. The personal data we collect
We do not intentionally collect special categories of data (e.g. health, political opinions) and ask that you do not send such data through the contact form.
- Contact and enquiry data — your name, email address, company, and the content of any message you send us via the contact form or by email.
- Engagement data — the contact details of client representatives, project notes, and the credentials and technical information you choose to share with us while we scope or deliver work.
- Billing and contractual data — the details required to issue invoices and keep accounting records (typically business and tax details rather than special-category data).
- Technical and usage data — limited data such as a language preference stored in a strictly-necessary cookie, and standard server logs (e.g. IP address, browser type) generated when any website is accessed, used for security and to keep the site working.
3. How and why we use your data — purposes and legal bases
We process personal data only where the GDPR (Article 6) gives us a lawful basis:
- To respond to your enquiry and discuss a possible engagement — our legitimate interest in answering people who contact us, or steps taken at your request before entering a contract (Art. 6(1)(f) / 6(1)(b)).
- To deliver our services and manage the relationship — performance of a contract with you (Art. 6(1)(b)).
- To issue invoices and keep records — compliance with our legal obligations under Romanian tax and accounting law (Art. 6(1)(c)).
- To keep the website and our systems secure and functioning — our legitimate interest in the security and integrity of our infrastructure (Art. 6(1)(f)).
- For any optional analytics or marketing we may introduce in future — only with your prior consent (Art. 6(1)(a)), which you may withdraw at any time.
4. Our legitimate interests
Where we rely on legitimate interest, we have weighed our interest against your rights and freedoms (a balancing test). Our interests are: responding to enquiries, running and securing our website, and pursuing or defending legal claims. We only rely on this basis where the processing is limited to what you would reasonably expect and has minimal privacy impact. You can object to this processing at any time (see section 11); where you do, we will stop unless we have compelling legitimate grounds that override your interests.
5. Cookies and similar technologies
This website currently sets only a strictly-necessary cookie that remembers your language preference. We do not use analytics, advertising or behavioural-tracking cookies. If that ever changes, we will request your consent before any non-essential cookie is set. Full detail is in our Cookie Policy.
6. Who we share your data with
We do not sell your personal data and we do not share it for others' marketing. We disclose it only to the following categories of recipient, and only as far as necessary:
- Service providers (processors) who host the website and our email and help us operate, bound by contract and a data-processing agreement.
- Professional advisers — our accountant and, where relevant, our lawyers.
- Subprocessors engaged for a specific client project, bound by confidentiality and a DPA. A current list of the processors we use is available on request.
- Public authorities and courts, where we are legally required to disclose, or to establish, exercise or defend legal claims.
7. International transfers
We keep personal data within the EU/EEA wherever possible. If a provider processes data outside the EU/EEA, we transfer it only where there is an adequacy decision by the European Commission, or under appropriate safeguards such as the Commission's Standard Contractual Clauses (SCCs) together with any supplementary measures required. You may ask us for a copy of the safeguards we rely on.
8. How long we keep your data
We keep personal data only as long as needed for the purpose it was collected, then delete or anonymise it. As a guide:
- Enquiry messages — up to 24 months after our last contact, then deleted, unless they become part of an engagement.
- Engagement and contract data — for the duration of the engagement and afterwards for as long as needed to defend potential legal claims (generally the applicable limitation period).
- Invoices and accounting records — for the period required by Romanian tax and accounting law.
- Consent-based data — until you withdraw consent or it is no longer needed, whichever comes first.
9. How we keep your data secure
We apply appropriate technical and organisational measures — access control on a least-privilege basis, encryption in transit, hardened infrastructure, and binding confidentiality obligations on everyone who handles data. Before you share an application or any sensitive material with us, we are glad to sign an NDA.
If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify ANSPDCP within 72 hours where required (Art. 33) and inform you without undue delay where the breach is likely to result in a high risk (Art. 34).
10. Automated decision-making and profiling
We do not make decisions about you based solely on automated processing, and we do not carry out profiling that produces legal or similarly significant effects on you (Art. 22).
11. Your rights under the GDPR
You have the right to:
- Access — obtain confirmation that we process your data and receive a copy of it.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure — have your data deleted ("right to be forgotten"), where the conditions are met.
- Restriction — limit how we use your data in certain circumstances.
- Object — object to processing based on legitimate interest, and to any direct marketing at any time.
- Data portability — receive data you provided in a structured, commonly used, machine-readable format.
- Withdraw consent — at any time, where processing is based on consent, without affecting prior lawful processing.
- Lodge a complaint — with a supervisory authority (see section 12).
12. Exercising your rights, and how to complain
To exercise any of these rights, email us at contact@qatestingplus.com. Exercising your rights is free, and we respond within one month, as required by the GDPR (extendable by two further months for complex requests, in which case we will tell you). We may need to verify your identity first.
If you believe we have not handled your data lawfully, we would like the chance to put it right — but you also have the right to lodge a complaint with the Romanian supervisory authority:
- Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
- B-dul General Gheorghe Magheru nr. 28–30, Sector 1, 010336 Bucharest, Romania
- Phone: +40 318 059 211
- Email: anspdcp@dataprotection.ro
- Website: www.dataprotection.ro
13. Children
Our website and services are aimed at businesses and are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
14. Links to third-party websites
Our website may link to third-party sites and services we do not control. This policy does not apply to them; we encourage you to read their privacy notices before sharing any data with them.
15. Changes to this policy
We may update this policy as our practices or the law change. We will post the updated version here and revise the date at the top, and we will highlight material changes where appropriate. Your continued use of the website after an update means you are aware of the current version.
16. Languages and contact
This policy is published in English and Romanian. In the event of any discrepancy between versions, the Romanian version prevails, as our place of establishment and supervisory authority are in Romania.
Questions about this policy or your data? Email contact@qatestingplus.com.