Legal · 3389.ro

Privacy Policy

This Privacy Policy describes how SC 3389 Software Outsourcing SRL (the “Company”, “3389”, “we”) collects, uses, discloses and protects personal data in connection with the website at www.3389.ro, the open-source tools we publish, and any business inquiry you address to us. It is written to be specific and comply with Regulation (EU) 2016/679 (GDPR) and Romanian Law 190/2018.

Controller SC 3389 Software Outsourcing SRL
VAT ID RO 33938160
Address Colentina 16, Sector 2, Bucharest, 021177, Romania
Contact office@3389.ro
Last updated 2 June 2026

1 Who is the data controller

The data controller is SC 3389 Software Outsourcing SRL, a private limited company organised under the laws of Romania, registered in Bucharest, with VAT ID RO 33938160 and registered office at Colentina 16, Sector 2, Bucharest, 021177, Romania.

For any privacy-related question, request or complaint, write to office@3389.ro. We will respond within one month, as required by article 12(3) of GDPR.

2 Categories of personal data we process

We process only the data that we genuinely need for the activity in question. The following table is comprehensive — if a category is not listed, we do not collect it.

Activity	Data we process	Source
Browsing the Site	IP address, browser user-agent, referring URL, pages visited, timestamps, anonymised analytics counters via Matomo (last two IP octets stripped)	Direct — collected automatically by the web server and the Matomo script
Sending us a message through the contact form	Name, company name (optional), email address, phone number (optional), message content, IP address and timestamp of submission	Direct — provided by you
Email correspondence with us	Email address, the content of your email, any documents you attach	Direct — provided by you
Downloading the open-source tools	IP address and timestamp of the HTTP request (web-server access log only)	Direct — collected automatically by the web server
Negotiating or running a paid engagement	Identification and contact data of the signatory, business email, billing information (company name, VAT ID, registered address, bank details), data necessary to perform the contract, data exchanged for project delivery	Direct — provided by you and your representatives, plus public business registries where applicable (ONRC / EU VAT)

We do not collect: special-category data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic, biometric, health, sex-life or sexual-orientation data) and we do not collect data of children under 16. Please do not send us such data through the contact form.

3 Purposes and legal bases

We process data only when one of the lawful bases listed in article 6 GDPR applies. For each activity, the applicable basis is:

Browsing the Site (essential). Legitimate interest (article 6(1)(f)) in operating, securing and protecting the Site against abuse.
Browsing the Site (analytics). Your consent (article 6(1)(a)), obtained through the cookie banner. See the Cookie Policy.
Responding to your inquiry. Steps taken at the request of the data subject prior to entering into a contract (article 6(1)(b)) and, secondarily, our legitimate interest in conducting business communication.
Negotiating and performing engagements. Performance of the contract (article 6(1)(b)) and compliance with legal obligations (article 6(1)(c)) such as accounting, tax and anti-money-laundering rules.
Defending legal claims. Legitimate interest (article 6(1)(f)) and compliance with legal obligations (article 6(1)(c)).
Direct marketing. We do not conduct direct marketing through the Site. No newsletter, no commercial mailing list.

4 Retention periods

We retain personal data only for as long as it is necessary for the purpose for which it was collected, plus any legally required minimum.

Web-server access logs: 30 days, then rotated and overwritten.
Anonymised Matomo analytics: 13 months (raw logs purged after this).
Contact-form submissions: the underlying email is kept for as long as the business conversation is reasonably active, up to 36 months from last contact, unless a longer retention is required by law or a legitimate claim.
Engagement records (contracts, invoices, accounting): retained for 10 years from the end of the financial year, as required by Romanian Law 82/1991 on accounting.
Anti-money-laundering / KYC data, where applicable: 5 years after the end of the business relationship, as required by Law 129/2019.

5 Who has access to your data

We share personal data only when strictly needed and only with the categories below:

3389 staff and contractors who need access to perform their role, bound by confidentiality.
Hosting and infrastructure providers processing data strictly under our instructions (data processors under article 28 GDPR), bound by a written data-processing agreement.
Email service provider used for incoming and outgoing mail (currently Microsoft Outlook 365 SMTP through our domain). Microsoft acts as a processor for the routing of email and is bound by Microsoft’s standard data-processing addendum.
Accounting, tax and legal advisors in the context of contractual or statutory obligations, bound by professional secrecy.
Banks and payment institutions in the context of invoicing and payment.
Public authorities when legally compelled (court order, tax inspection, criminal investigation, supervisory authority request).

We do not sell, rent or trade personal data, and we do not use it for profiling, automated decision-making with legal effects, or advertising-network targeting.

6 International transfers

Our primary infrastructure (web hosting, Matomo, email) is located within the European Economic Area. Where a sub-processor of one of our providers is located outside the EEA (for example a Microsoft Office 365 data centre in the United States), the transfer is governed by:

An adequacy decision under article 45 GDPR (currently the EU–US Data Privacy Framework for compliant US processors); or
Standard Contractual Clauses approved by the European Commission under article 46 GDPR, plus supplementary technical measures where appropriate.

7 Your rights

Under GDPR, with respect to the personal data we hold about you, you have the rights listed below. They apply to your data only, not to data about other people.

Right of access (art. 15) — ask us what data we have about you and obtain a copy.
Right of rectification (art. 16) — correct inaccurate or incomplete data.
Right of erasure (art. 17) — ask us to delete your data when one of the conditions of article 17 applies.
Right of restriction (art. 18) — ask us to limit processing while a dispute or a request is being resolved.
Right of data portability (art. 20) — obtain a structured, commonly used, machine-readable copy of data you gave us based on consent or contract.
Right to object (art. 21) — object to processing based on legitimate interest; absolute right to object to direct marketing (which we do not do).
Right to withdraw consent (art. 7(3)) — where processing is based on consent, you may withdraw it at any time, without affecting prior lawful processing.
Right to lodge a complaint (art. 77) — with the Romanian Supervisory Authority (dataprotection.ro) or the supervisory authority of your EU country of residence.

To exercise any of these rights, write to office@3389.ro and identify yourself sufficiently for us to be sure we are not disclosing your data to a third party. We will respond within one month, or earlier where required.

8 Security

We implement technical and organisational measures appropriate to the risk, as required by article 32 GDPR. These include:

TLS 1.2+ in transit for all Site traffic;
HTTP security headers (Content-Type-Options, Referrer-Policy);
Least-privilege access to backend systems and credentials;
Application secrets stored outside the web root and never committed to version control;
Regular software updates for the web server, the language runtimes and the analytics platform;
Incident-response practices (logging, alerting, breach-notification readiness within the 72-hour window of article 33 GDPR).

No method of transmission or storage is 100% secure. If you become aware of a security or privacy issue affecting your data, please contact us immediately.

9 Cookies

The Site uses a strictly-necessary first-party cookie and (with your consent) a self-hosted Matomo analytics cookie. Detailed information — including each cookie’s name, purpose, retention and provider — is in our Cookie Policy.

10 Open-source tools

The open-source utilities the Company publishes for free download (NetLens, AI Status Monitor) do not transmit any personal data to us or to any third party. They operate entirely on your machine. They never phone home, never accept analytics opt-in, never receive AI API keys, prompts, responses or model traffic. Their network activity is strictly the scan or the public-status-feed read that you ask them to do.

11 Children

The Site and our services are addressed to professionals and businesses. We do not knowingly process personal data of children under 16 in this context. If you believe a child has provided us personal data, contact us so we can delete it.

12 Changes to this policy

We may update this Privacy Policy when our processing activities or legal obligations change. The current version — with the last-updated date in the header — is always live at this URL. Where the change is material, we will indicate it on the Site so that you have a chance to review.

13 Contact and complaints

Privacy questions, requests, or complaints:
SC 3389 Software Outsourcing SRL
Colentina 16, Sector 2, Bucharest, 021177, Romania
VAT ID: RO 33938160
Email: office@3389.ro

If you are not satisfied with our response, you have the right to lodge a complaint with the Romanian Supervisory Authority (dataprotection.ro) or the supervisory authority of your country of residence within the EU.