Privacy Policy

At S.C. CYREX GROUP S.R.L., headquartered at Str. Stefan Octavian Iosif, Bl. 1C, Sc. 1, Ap. 1, 332021, Petroșani, Hunedoara, Romania, CUI 49342723, we are committed to protecting the confidentiality and security of your personal data.

This policy describes what data we collect, how we use it, who we share it with, what safeguards we apply to international transfers, and what rights you have under GDPR and applicable national legislation.

• Identification and contact data: name, surname, email address, phone number, company name — collected via the contact form.
• Technical data collected automatically: IP address, browser type and version, operating system, pages accessed, and session duration.
• Financial data: transactions are processed exclusively through authorised payment processors; card details are not stored locally.
• Account data (where applicable): preferences, uploaded photos, invoice history, email, phone, date of birth, address, location, company affiliation.
• Security logs and monitoring events — retained for a maximum of six months.

• Provision and personalisation of services — legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Marketing materials and promotional offers — legal basis: explicit, revocable consent (Art. 6(1)(a) GDPR).
• Technical and usage data for analytics, optimisation, and fraud prevention — legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Financial and billing data — fulfilment of legal and tax obligations (Art. 6(1)(c) GDPR).

Your data may be shared with the following categories of partners, acting solely as data processors:

• Infrastructure and hosting providers (including Cloudflare, Inc.) — for DDoS protection, CDN, and application security.
• Cloud services and email providers — for delivering transactional communications.
• Authorised payment processors — exclusively for handling financial transactions.
• Financial services and billing providers.
• Public authorities — exclusively in response to valid legal requests.

Partner access to user data occurs only for technical maintenance (with prior partner consent), at the partner's explicit request for data management assistance, or in cases of suspected security breach or fraud.

For transfers outside the European Economic Area, the Company ensures that processors apply adequate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission or binding corporate rules, so that the level of protection is equivalent to that provided within the EU.

• Contact form data: 1 year from the last interaction.
• Account and user profile data: for the duration of the account plus 5 years after closure.
• Tax documents and contracts: 5 years.
• Technical and security logs: 6 months.
• Traffic analytics data: 14 months.

Once the purpose for which data was collected has been fulfilled and/or the legal retention periods have expired, data is securely deleted or irreversibly anonymised.

• SSL/TLS encryption for all connections.
• Encryption at the storage level for sensitive information.
• Regular backups and incident recovery procedures.
• Role-based internal access control with two-factor authentication.
• Regular staff training on security practices and incident response.

Under GDPR, you have the right to request: access to your data, rectification, erasure, restriction of processing, objection (including to direct marketing), data portability, and withdrawal of consent.

Requests may be submitted to contact@cyrexgrp.com or via the contact form. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the ANSPDCP (anspdcp.ro).

We do not intentionally collect data from persons under the age of 16. If we identify that we have inadvertently collected data from a minor without parental or legal guardian consent, we will delete it immediately.

Strictly necessary cookies (no consent required):

Performance and analytics cookies (consent required):

Preferences can be modified via the banner displayed on first visit, the cookie management page, or browser settings.

The Company assumes no responsibility for the content or privacy policies of third-party sites accessible via links on our platform.

Updates are announced via a banner visible on the site for 7 calendar days from publication. The updated policy remains permanently accessible at the same address.

For questions, requests, or to exercise your data rights, please contact our Data Protection Officer (DPO):