Privacy Policy
1. Data Controller
The data controller for the personal data processed through Aroundly is:
OVERTIME O'CLOCK S.R.L.
CUI: RO47328072
Trade Register: J12/7345/2022
Registered office: Aviator Traian Darjan no. 53F Street, Sannicoara City (Apahida), Cluj County, Romania
Email: privacy@aroundly.app
Throughout this policy, "we," "us," and "Aroundly" refer to OVERTIME O'CLOCK S.R.L.
2. Information We Collect
Account Information
When you create an account, we collect your email address and password. Your password is securely hashed before storage and is never stored in plain text. You may optionally provide your first name, last name, company name, and role.
Payment Information
Payments are processed by Stripe, a PCI DSS compliant payment processor. We do not store your credit card number, CVV, or full billing details on our servers. We retain a record of the transaction amount, currency, Stripe transaction ID, and the credit package purchased, for your billing history.
Report Data
When you generate a report, we store the parameters you provided during report creation, along with the generated report data. Report data is retained for 30 days and then permanently deleted from our servers.
Usage Data
We collect usage data to maintain and secure our service. This includes your IP address, browser type and version, pages visited, and timestamps. IP addresses are stored in their original form for up to 30 days for security monitoring and abuse prevention. After 30 days, IP addresses are irreversibly hashed and the original address is deleted. The hashed value allows us to detect patterns without identifying individual users.
Communications
If you contact us through our contact form, we store your name, email, message content, and any follow up correspondence in order to respond to your inquiry.
Two Factor Authentication
If you enable two factor authentication, we store your authenticator secret in encrypted form. This secret is used to verify your authenticator app codes at login.
3. How We Use Your Information
- To create and manage your account
- To process payments and maintain billing records
- To generate and deliver your market analysis reports
- To send transactional emails (report notifications, password resets, refund updates, report expiry warnings)
- To send product updates and newsletters, only if you opt in
- To respond to your support inquiries
- To monitor the security of our service and prevent abuse
- To improve our platform based on aggregate, anonymized usage patterns
- To measure advertising performance and understand which ads led you to Aroundly, only with your consent. We do not pass your name, email, or any personal data for this purpose.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined in Article 6(1) of the GDPR:
- Contract performance (Article 6(1)(b)): Account creation, report generation, credit management, and payment processing are necessary to provide the service you signed up for.
- Legitimate interest (Article 6(1)(f)): Security monitoring, fraud prevention, abuse detection, and service improvement based on aggregate usage data. Our legitimate interest is balanced against your rights and does not override your fundamental freedoms.
- Consent (Article 6(1)(a)): Marketing emails and newsletters are sent only with your explicit opt in consent, which you can withdraw at any time from your notification preferences. Marketing cookies are also based on consent, given via the cookie banner and withdrawable at any time via Cookie Settings in the footer.
- Legal obligation (Article 6(1)(c)): Retention of payment records as required by Romanian tax and accounting law.
5. Third Party Services
We use the following third party services to operate Aroundly:
Stripe
Payment processing. Stripe receives your payment details directly during checkout and is PCI DSS compliant. We receive from Stripe only the transaction ID, amount, and payment status. See Stripe's Privacy Policy.
Google
Mapping, data display, and advertising measurement. We pass report parameters to Google in order to generate and display maps with relevant business data within your reports. If you consent to marketing cookies, the Google Ads tag is also loaded, which sends conversion events to Google. Google receives a browser identifier and the page URL for ad measurement. We do not send your name, email, or account data to Google. See Google's Privacy Policy.
Meta
Advertising measurement. If you consent to marketing cookies, Meta Pixel is loaded, which sends page view and conversion events to Meta. Meta receives a browser identifier and the page URL. We do not send your name, email, or account data to Meta. See Meta Privacy Policy.
Amazon Web Services
Email delivery. All transactional and notification emails are sent through AWS. We share your email address and the email content with AWS for delivery purposes only. See AWS Privacy Policy.
We do not sell, rent, or trade your personal information. These services receive only the minimum data required to perform their specific function.
6. Data Storage and Security
Your data is stored on servers located in Frankfurt, Germany, within the European Economic Area. All connections to Aroundly are encrypted using TLS (HTTPS). Passwords are securely hashed and are never stored in plain text. Two factor authentication secrets are encrypted at rest.
IP addresses are stored in their original form for up to 30 days. After that period, they are irreversibly hashed and the originals are deleted. Authentication is handled via secure cookies that are not accessible to client-side scripts.
While we take reasonable technical and organizational measures to protect your data, no system is completely secure. We cannot guarantee absolute security but we are committed to responding promptly to any security incident.
7. Data Retention
- Account data: Retained while your account is active. Upon an account deletion request, your account is deactivated immediately and personal data is deleted within 30 days, except where retention is required by law.
- Report data: Automatically deleted 30 days after creation.
- Payment records: Retained for up to 10 years as required by Romanian fiscal and accounting regulations (Legea contabilitatii nr. 82/1991, Codul Fiscal).
- Usage logs: IP addresses are retained in original form for up to 30 days, then hashed. Hashed logs are retained for up to 12 months, then deleted.
- Contact messages: Retained until the inquiry is resolved and for a reasonable period afterward for reference.
8. Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data (name, company, and role can be updated directly from your account settings after logging in)
- Delete your account and associated personal data
- Restrict processing of your data in certain circumstances
- Object to processing based on legitimate interest
- Withdraw consent for marketing communications at any time from your notification preferences after logging in
- Data portability: request a copy of your personal data in a structured, machine readable format
To exercise any of these rights, contact us at privacy@aroundly.app or through our contact page. We will respond within 30 days. For complex requests, we may extend this by up to 60 additional days, in which case we will inform you of the reason for the delay.
For more details about your rights under the GDPR, including the specific legal articles, see our GDPR Compliance page.
9. International Data Transfers
Our servers are located in Frankfurt, Germany, within the European Economic Area. However, some of our third party service providers are based in the United States:
- Stripe: certified under the EU-US Data Privacy Framework
- Google: certified under the EU-US Data Privacy Framework
- Meta: certified under the EU-US Data Privacy Framework
- Amazon Web Services: certified under the EU-US Data Privacy Framework; additionally covered by Standard Contractual Clauses (SCCs) adopted by the European Commission per Article 46(2)(c) GDPR
The EU-US Data Privacy Framework provides an adequacy decision under Article 45 of the GDPR for transfers to certified US organizations. Where the Data Privacy Framework does not apply, we rely on Standard Contractual Clauses as the legal mechanism for data transfers outside the EEA.
10. Cookies and Local Storage
Aroundly uses secure cookies to keep you signed in and browser local storage to remember your preferences. We use marketing cookies to measure advertising performance, loaded only with your consent via the cookie banner. You can withdraw consent at any time via Cookie Settings in the footer. We do not use any third party analytics services. All internal usage tracking is handled by our own backend and stored on our own servers.
For a complete list of what is stored in your browser and why, see our Cookie Policy.
11. Children's Privacy
Aroundly is not intended for individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. This age threshold is consistent with the minimum age for consent to data processing under Romanian law (Legea 190/2018, implementing Article 8 of the GDPR). If we become aware that we have collected data from a person under 16, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or through a notice on the platform at least 15 days before the changes take effect. Your continued use of Aroundly after the effective date constitutes your acceptance of the updated policy.
13. Contact and Supervisory Authority
For privacy related questions or to exercise your data protection rights:
- Email: privacy@aroundly.app
- Contact form: aroundly.app/contact
If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with a supervisory authority. The Romanian data protection authority is:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucuresti, Romania
Website: www.dataprotection.ro
If you reside in another EEA country, you may also contact the supervisory authority in your country of residence.