Skip to content
factcurier
RO

Privacy Policy

Last updated: March 17, 2026

I. Preliminary Information

factcurier SRL (hereinafter "factcurier" or "the Controller"), CUI 49620528, J25/108/2024, registered at Str. Antonini 17, Drobeta-Turnu Severin, Mehedinți, Romania, operates the factcurier.md and app.factcurier.md platforms.

factcurier is a Romanian company (EU member state) providing cross-border services to users in the Republic of Moldova. Personal data processing is carried out in accordance with:

  • Regulation (EU) 2016/679 (GDPR) — applicable to factcurier SRL as a controller established in the EU
  • Law No. 133 of 08.07.2011 of the Republic of Moldova on Personal Data Protection — applicable to Moldova users
  • Law No. 195/2024 of the Republic of Moldova on Personal Data Protection (GDPR transposition into Moldovan legislation, effective from 23 August 2026) — applicable from its effective date

This policy may be updated periodically. Continued use of the platform after publication of changes constitutes acceptance of the new version. If you do not agree with this privacy policy, please do not use our services.

Data protection contact: info@factcurier.md

II. Definitions

  • GDPR — Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
  • Law No. 133/2011 — Republic of Moldova Law on Personal Data Protection (based on EU Directive 95/46/EC)
  • Controllerfactcurier SRL, the entity determining the purposes and means of data processing
  • Data subject — any identifiable natural person whose data is processed
  • Personal data — any information relating to an identified or identifiable natural person
  • Processing — any operation performed on personal data: collection, storage, use, transmission, deletion
  • NCPDP — National Center for Personal Data Protection of the Republic of Moldova, the Moldovan supervisory authority
  • Consent — a freely given, specific, informed and unambiguous indication of your agreement to the processing of your data

III. Personal Data Collected

We collect the following categories of personal data:

  • Identification data: name, email address
  • Authentication data: Google, Apple, or email magic link account (we do not store passwords — authentication is performed via OAuth or unique verification links)
  • Company data: company name, IDNO (tax ID), registered address, registration number, CAEM code
  • Accounting documents: invoices, receipts, bank statements, fiscal receipts uploaded by the user or received via email
  • Communication data: messages exchanged with the assigned accountant through the platform
  • Technical data: IP address, browser type, operating system, device — collected automatically for functionality and security
  • Mobile app data: push notification token (Firebase Cloud Messaging), document photos taken with the device camera — only with explicitly granted permissions
  • Temporary accounts: name and email provided at registration, stored temporarily (30 days) for platform exploration, automatically deleted upon expiration if the account is not activated

IV. Processing Purposes and Legal Basis

For clients:

  • Contract performance (Art. 6(1)(b) GDPR / Art. 5(b) Law 133/2011) — providing accounting and company registration services. Refusal to provide necessary data prevents service delivery.
  • Legal obligation (Art. 6(1)(c) GDPR / Art. 5(c) Law 133/2011) — compliance with applicable tax and accounting legislation, including the National Accounting Standards (SNC) of the Republic of Moldova and obligations to the State Tax Service (SFS).
  • Legitimate interest (Art. 6(1)(f) GDPR / Art. 5(f) Law 133/2011) — platform improvement, fraud prevention, anomaly detection, infrastructure security.
  • Consent (Art. 6(1)(a) GDPR / Art. 5(a) Law 133/2011) — marketing communications, if you have explicitly opted in. You may withdraw consent at any time.

For visitors:

  • Website usage analytics (Google Analytics with consent + Cloudflare Web Analytics without cookies)
  • Display preferences (visual theme, language — stored locally in the browser)

V. Personal Data from Public Registers (Art. 14 GDPR)

In addition to data provided directly by users, factcurier processes personal data obtained indirectly from public government registers, as part of the company search functionality available on this website.

Categories of data processed

  • Names of individuals holding positions within companies (directors, shareholders, auditors, founders, managers)
  • Role held within the company

Data source

The State Register of Legal Entities (RSUD), administered by the Public Services Agency (ASP), via the open data portal dataset.gov.md.

Legal basis

Legitimate interest (Art. 6(1)(f) GDPR / Art. 5(f) Law 133/2011) — displaying data from public registers enables company verification for informed commercial decisions (due diligence), contributing to business environment transparency. The data is already public through official registers, and our processing is strictly limited to names and roles, without including personal addresses, phone numbers, or other contact details.

Your rights

  • Right to object (Art. 21 GDPR) — you may request that we stop processing your data from public registers, on grounds relating to your particular situation. We will assess the request in accordance with European case law (including CJEU C-398/15).
  • Right of access (Art. 15 GDPR) — you may request confirmation of processing and a copy of the data.
  • Right to rectification (Art. 16 GDPR) — if the displayed data is inaccurate, we will correct or update it.

To exercise these rights: info@factcurier.md

VI. AI Processing

We use AI systems for automatic classification, data extraction, and triage of accounting documents. AI processes documents exclusively to prepare the information needed by the licensed accountant who reviews and approves everything.

The immutable rule: no tax declaration is submitted to the State Tax Service (SFS) without prior review and approval by a certified accountant. No automated decisions with legal effects are made without human intervention, in accordance with Art. 22 GDPR and Art. 15 of Law 133/2011.

Third-party AI integrations (desktop app)

The factcurier desktop app allows you to connect your own subscription to third-party AI providers (OpenAI/ChatGPT, Anthropic/Claude, Google/Gemini) via the MCP (Model Context Protocol). When using these integrations:

  • Data is transmitted directly from your device to your chosen AI provider, under that provider's terms
  • factcurier does not intermediate, store, or access data processed by third-party AI providers
  • Your API keys and credentials are stored exclusively on your device
  • You are responsible for choosing which data you share with third-party AI providers

Push notifications (mobile apps)

The mobile apps use Firebase Cloud Messaging (FCM) for push notification delivery. The FCM token is stored on factcurier's servers and is used exclusively for delivering notifications related to your account activity. You can disable notifications from your device settings at any time.

Camera (mobile apps)

Camera access is explicitly requested and used exclusively for photographing documents (invoices, receipts). Images are processed by factcurier's AI for data extraction and are transmitted to your assigned accountant. We do not access the photo gallery or other files on your device.

VII. Data Transfer to Third Parties

Personal data may be transmitted to the following categories of recipients:

  • Certified accountant assigned to your contract — for document review and approval
  • SFS (State Tax Service of the Republic of Moldova) — for filing tax declarations, as required by law
  • ASP (Public Services Agency) — for company registration operations
  • Infrastructure providers — Hetzner Online GmbH (Germany) for servers, Cloudflare Inc. for CDN, DNS, and email routing, Google Firebase (mobile push notifications) — under standard contractual clauses
  • Third-party AI providers (desktop app only, at the User's initiative) — OpenAI, Anthropic, Google — data is transmitted directly from your device, factcurier does not intermediate the transfer
  • Public authorities — upon explicit legal request

We do not sell, rent, or share data with third parties for advertising or marketing purposes. All contracts with infrastructure providers include GDPR-compliant data protection clauses.

VIII. Cross-Border Data Transfers

factcurier SRL is established in Romania (EU). All data is stored on servers within the European Union (Hetzner, Germany). This involves a cross-border transfer of data from the Republic of Moldova to the EU.

From a GDPR perspective: data remains within the EU; there is no transfer to third countries. Processing is carried out in accordance with GDPR standards.

From a Moldovan law perspective: EU/EEA countries are recognized by the Republic of Moldova as ensuring an adequate level of personal data protection. The transfer of your data to EU servers is permitted under this recognition pursuant to Law No. 133/2011.

End-to-end encryption (E2EE) of messages and documents within the platform provides an additional layer of protection: even in the event of unauthorized server access, encrypted content remains inaccessible.

IX. Security and Storage

We implement the following security measures:

  • All data is stored exclusively on servers within the European Union (Hetzner, Germany)
  • Encryption in transit (TLS 1.3) and at rest, plus end-to-end encryption (E2EE) for messages and documents
  • Role-based access control on each contract (owner, accountant, viewer)
  • Immutable audit trail — every document, message, and action is recorded in a history that cannot be modified or deleted
  • Data minimization — we collect only necessary, adequate, and relevant data
  • Access restricted to authorized personnel with confidentiality obligations

Despite preventive measures, no system is perfect. In the event of a security incident, we follow strict notification procedures in accordance with Art. 33-34 GDPR and applicable Moldovan legislation, notifying both ANSPDCP and NCPDP.

X. Retention Period

Personal data is retained only as long as necessary:

  • Accounting documents: as required by applicable accounting legislation
  • Tax documents: as required by the Tax Code of the Republic of Moldova
  • Account data: for the duration of the contractual relationship + 30 days after deletion request
  • Technical data: maximum 12 months

Upon expiration of the retention period, data is permanently deleted or anonymized. Deleting your account does not automatically delete personal data under legal retention obligations — an explicit request is required.

XI. Your Rights

Under Art. 15-21 GDPR and Art. 12-18 of Law No. 133/2011, you have the following rights:

  • Right of access — confirmation of processing and access to your personal data
  • Right to rectification — correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — deletion of data when no longer necessary for the original purpose
  • Right to restriction of processing
  • Right to data portability — receiving your data in a structured, commonly used format
  • Right to object — including to marketing communications
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

These rights may be limited in specific situations provided by law (for example, legal obligations to retain accounting documents).

To exercise your rights, contact us. We will respond within 30 days.

You also have the right to lodge a complaint with:

  • National Center for Personal Data Protection (NCPDP) of the Republic of Moldova — datepersonale.md
  • Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)dataprotection.ro

XII. Cookies and Local Storage

This site uses the following storage mechanisms:

  • theme — visual theme preference (light/dark), stored in the browser's localStorage
  • cookie-consent — your analytics cookie choice (accepted/declined), stored in localStorage
  • Google Analytics (GA4) — analytics cookies (_ga, _gid) set only after explicit consent. Collects anonymized data about site usage (pages visited, session duration, country). Does not collect personally identifiable data. You can decline these cookies via the banner shown on your first visit.

Cloudflare Web Analytics additionally operates without cookies and without collecting personal data.

If you are logged into the factcurier app, a functional cookie (fc_user) set by the app may be read by this site to personalize the browsing experience. This cookie is strictly necessary and does not require consent.

XIII. Policy Changes

We reserve the right to update this privacy policy. Significant changes will be communicated via email or platform notification at least 15 days before taking effect. The date of the last update is displayed at the top of this page.