1. Who is the data controller
Systemartis SRL (CUI RO 48113411 · Reg. Com. J2023008412400), with registered office at Calea Plevnei 145B, Sector 6, 060012 Bucharest, RO, is the controller of personal data processed via this site. For any privacy question, data subject request, or to exercise your GDPR rights, contact us at contact@systemartis.com.
2. What data we collect, and what we do not
// we do not collect
- No cookies set by us. The site is cookieless.
- No cross-site tracking, no advertising pixels, no Google Analytics.
- No fingerprinting beyond what every web server already sees.
- No personal data sold or rented to third parties, ever.
// we do collect
- Contact form submissions. When you use the form on /contact-us, we receive the name, email, optional company, and message you provide. These submissions are stored in our own EU Postgres database behind the Payload CMS admin panel, never exported to a third-party CRM, together with a record of when you ticked the consent checkbox and which version of this policy was in force (our Article 7(1) proof of consent, deleted with the rest of the record). We retain them for up to 24 months (see §5) so we can follow up on enquiries and fulfil resulting engagements. Telegram receives only a notification ping (see §6), no content, no personal data.
- Submitter IP address and User-Agent header from the contact form. Stored alongside the submission for abuse investigation, spam triage, and incident response. Held in-memory for up to one hour for rate-limiting (5 submissions / IP / hour), and persisted in the database row itself, so it is automatically removed when the row is purged at the end of the 24-month retention window. Legal basis: Article 6(1)(f) legitimate interest in abuse prevention.
- Anonymised site analytics via our self-hosted Umami instance: page views, referrer, coarse country code, browser family, screen size, and the visitor's rotating server-side hash (no IP stored, no cookies, no cross-session linkability). Goal events fire when you successfully submit the contact form; that event records only the fact of submission, not its content.
- Error reports via our self-hosted Bugsink instance: JavaScript runtime errors that happen in your browser as you use the site, plus the URL and browser metadata. These exist so we can fix bugs; they do not contain the content you typed into forms.
- Web Vitals stored in our own database: Core Web Vitals metrics (LCP, INP, CLS, FCP, TTFB) per page visit, the page path, your browser's User-Agent string (truncated to 500 characters), and a coarse country code derived from an edge header. No user identifier, IP address, or cross-session linkage is stored. These measure how fast and responsive the page felt for you, aggregated across visitors; rows are purged after 12 months (see §5).
3. Why we process it
Contact form data, to respond to your enquiry, prepare proposals, and deliver any work you hire us for. Analytics, error reports, and Web Vitals, to understand how the site is used, fix what is broken, and improve performance. We do not profile individuals, target advertising, or build shadow user databases.
4. Legal basis (GDPR)
- Contact form submissions, Article 6(1)(a) consent: you tick an explicit checkbox on the form confirming you have read this policy and agree to us processing your enquiry, and Article 6(1)(b) contract preparation (you reached out intending to potentially engage us). You may withdraw consent at any time by emailing contact@systemartis.com; this does not affect processing carried out before withdrawal.
- Submitter IP address and User-Agent, Article 6(1)(f) legitimate interest in abuse prevention (rate-limiting, spam triage, incident response). These are stored only for the duration of the contact submission row and purged with it.
- Analytics, error reports, Web Vitals, Article 6(1)(f) legitimate interest: operating and improving the site. The processing is bounded (no profiling, no cross-site tracking, EU-hosted on infrastructure we control) and on balance does not override your rights.
5. Retention
- Contact form messages: up to 24 months from submission, unless we have a contractual or legal reason to keep them longer.
- Analytics events (Umami): aggregated indefinitely; no individual identifiers stored beyond a rotating server-side hash that resets daily.
- Error reports (Bugsink): 90 days, then purged unless still actively under investigation.
- Web Vitals: 12 months, then aggregated or purged.
- Engagement records (contracts, invoices, delivery artefacts): the period required by Romanian commercial and tax law, typically 10 years for accounting documents.
6. Sub-processors and where data goes
We keep the sub-processor list minimal. Analytics, error tracking, and Web Vitals are self-hosted on our own EU infrastructure; none of that data leaves our control to a third party.
- Telegram FZ-LLC (Dubai, UAE), receives a notification ping (“new enquiry on systemartis.com” plus a deep link to the authenticated admin entry) whenever the contact form is submitted. The actual message contents stay in our EU Postgres; Telegram never sees the name, email, company, or message body. This keeps Telegram out of the personal-data processing chain entirely; it functions as a push notification channel only.
- Cloudflare, Inc. (San Francisco, USA), provides Turnstile, the bot-protection challenge that runs on the contact form. Cloudflare receives your IP address, TLS fingerprint, User-Agent, and the public site key when the widget loads. Cloudflare acts as an independent controller for that processing under its own legitimate interest in improving bot detection. We chose Turnstile specifically because it is privacy-preserving by design: no first-party cookies are set on systemartis.com, no behavioural profile is built, no advertising signal is generated. Cloudflare’s data processing terms and DPA are publicly available.
- Reclaim.ai / Cal.com (San Francisco, USA), provides the optional “Book a 30-min call” scheduling link on this site. If you click that link, you leave systemartis.com and book directly on their platform; the scheduling, calendar invite, and any details you enter there are subject to their privacy policy, not ours. No booking data is sent to Reclaim until you actively initiate a booking.
- Our hosting provider, runs the virtual server within the EU/EEA that this site, the self-hosted analytics, and the self-hosted error tracker all operate on. The provider sees only what any hosting provider sees (encrypted traffic, server load, operational metadata) and does not process site content.
- GitHub Inc. (San Francisco, USA), holds the source code of this site and runs continuous integration. No visitor or customer data is sent to GitHub.
A current, fully-named sub-processor list with provider contracts is available on request to contact@systemartis.com.
7. International transfers
Where data is transferred outside the EEA, to Telegram (UAE) for the notification ping, to Cloudflare (USA) for the Turnstile bot challenge, to Reclaim.ai/Cal.com (USA) when you initiate a booking, and to GitHub (USA) for source-code hosting, we rely on the Standard Contractual Clauses adopted by the European Commission, supplemented by appropriate technical measures (transport encryption, minimal data scope). We deliberately scoped Telegram down to a metadata-only notification (no personal data) so the only meaningful cross-border data flow that touches a visitor is Cloudflare’s bot signal evaluation at the form submission moment. We are happy to share the relevant SCC and DPA references on request.
8. Your rights
Under the GDPR you have the right to:
- Access, a copy of personal data we hold about you.
- Rectification, correct anything inaccurate.
- Erasure, ask us to delete your data (right to be forgotten).
- Restriction, limit how we process your data.
- Portability, receive your data in a structured, common format.
- Objection, to processing based on legitimate interest.
- Withdrawal of consent, at any time, where consent was the basis.
To exercise any of these rights, email contact@systemartis.com with enough information to identify your records. We respond within one month (Article 12(3) GDPR). You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP, dataprotection.ro) or with the supervisory authority in your country of residence.
9. Cookies and tracking technologies
The public marketing site (everything outside /admin) sets no analytics or marketing cookies. Our self-hosted analytics (Umami), error tracker (Bugsink), and Web Vitals collector are all cookieless by design. We do not use fingerprinting, cross-site tracking, or advertising pixels.
The Payload CMS admin at /admin uses standard session cookies for authentication; these are set only after you successfully log in with admin credentials. Public visitors never see them. Our framework (Next.js) sets no cookies on the public site either: form submissions are protected against cross-site request forgery by same-origin checks, not by cookies.
The contact form at /contact-us loads the Cloudflare Turnstile bot-challenge widget from challenges.cloudflare.com. Turnstile does not set any first-party cookies on systemartis.com. It reads transient device signals (User-Agent, TLS fingerprint) on Cloudflare’s domain to decide whether you’re a real visitor. See §6 for the data Cloudflare processes as an independent controller.
We store a single strictly-necessary value (theme) in your browser’s localStorage to remember your light/dark display preference across visits. It holds no personal data, sets no identifier, and is used only to render the colour scheme you chose; it qualifies as strictly necessary under ePrivacy Article 5(3) and requires no consent.
Because we set no analytics or marketing cookies, no consent banner is required under the ePrivacy Directive and we deliberately do not show one.
10. Crawler and AI access
We deliberately publish a Content-Signal HTTP header on /robots.txt declaring ai-train=yes, search=yes, ai-input=yes. This means we permit AI crawlers (such as GPTBot, ClaudeBot, PerplexityBot, Google-Extended) to read, index, and use our public content. We also push URL change notifications to the IndexNow protocol (Bing, Yandex and downstream AI search engines). Only public page URLs are pushed to IndexNow, never any user data, form content, or analytics. If you are a content owner whose material we have inadvertently published, contact us and we will remove it.
11. Security
We host this site and its supporting services on our own infrastructure within the EU/EEA, behind TLS, with least-privilege access controls and routine dependency patching. If a personal-data breach occurs that is likely to result in risk to your rights, we will notify the supervisory authority within 72 hours and, where required, notify affected individuals without undue delay (Articles 33 and 34 GDPR).
12. Children
This site is aimed at B2B audiences and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
13. Changes to this policy
Material updates will be posted here with a revised “last updated” date and a short note describing what changed. Continued use of the site after a change constitutes acceptance of the updated policy.
