Privacy Policy
Last updated: 1 June 2025
1. Who We Are
Imosto SRL is the data controller for personal data processed through the Imosto platform. We are registered in Romania and our primary place of business is Bucharest, Romania. Contact: privacy@imosto.com.
This policy applies to all personal data we process about users of our platform, visitors to our website, and anyone who contacts us.
2. Data We Collect and Why
The table below summarises the personal data we process, its purpose, and our legal basis under the GDPR (Regulation (EU) 2016/679):
| Data category | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Name, email, phone | Account creation, authentication, communication | Art. 6(1)(b) — contract performance |
| Listing content (photos, descriptions, address) | Publishing and managing property listings | Art. 6(1)(b) — contract performance |
| Payment and billing data | Processing subscriptions; VAT compliance | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Usage data (pages visited, feature interactions) | Platform analytics, performance, fraud prevention | Art. 6(1)(f) — legitimate interests |
| IP address, device info | Security, abuse prevention, diagnostics | Art. 6(1)(f) — legitimate interests |
| Email correspondence | Customer support | Art. 6(1)(b) — contract performance |
We do not process special categories of personal data (Article 9 GDPR) and we do not use personal data for automated individual decision-making or profiling with legal or similarly significant effects.
3. Cookies
We use strictly necessary cookies (authentication session), functional cookies (language preference, UI settings), and analytics cookies (platform usage). Analytics cookies are set only with your consent. You can manage cookie preferences at any time via the cookie banner or your browser settings.
4. How We Share Your Data
We share personal data only in the following circumstances:
- Service providers: Cloud infrastructure (AWS), email delivery, payment processors — bound by data processing agreements under Art. 28 GDPR.
- Your organisation: If you join a team on Imosto, your name and profile information are visible to other members of that team.
- Legal requirements: When required by Romanian or EU law, court order, or to protect the rights and safety of others.
We do not sell personal data to third parties and we do not share it for third-party advertising purposes.
5. International Transfers
Some of our service providers are located outside the European Economic Area. Where transfers occur, we rely on the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions to ensure an equivalent level of protection.
6. Data Retention
We retain personal data only as long as necessary for the purposes described above:
- Account data: retained for the lifetime of your account plus 90 days after deletion.
- Listing content: deleted upon account deletion, subject to any legal retention obligations.
- Billing records: retained for 10 years under Romanian accounting law (Legea 82/1991).
- Server logs: retained for 90 days for security purposes.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Ask us to restrict processing in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any right, email privacy@imosto.com. We will respond within 30 days. You may also exercise the right to erasure directly from your account settings.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
9. Supervisory Authority
You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
- Website: www.dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București
- Email: anspdcp@dataprotection.ro
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice in the platform at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For any privacy-related questions or to exercise your rights, contact our privacy team at privacy@imosto.com.