GDPR Compliance
Last updated: April 5, 2026 · SC TESTGATE SRL · CUI 47003208
Data Controller & Processor Roles
SC TESTGATE SRL ("47FUNDS") acts as:
- Data Controller for your account information (name, email, role, subscription data) and Platform interaction logs.
- Data Processor for client company data you upload as a consultant subscriber — you are the Data Controller for that data, and you must execute a Data Processing Agreement ("DPA") with us before uploading any client personal data.
Data Protection Contact: dpo@47funds.ro · SC TESTGATE SRL, Attn: DPO, Târgoviște, Dâmbovița, România.
Processing Purposes & Lawful Bases
| Processing Activity | Lawful Basis (GDPR Art. 6) | Retention |
|---|---|---|
| Account management & authentication | Art. 6(1)(b) — contract performance | Contract + 3 years |
| Grant eligibility vetting via ANAF/ONRC | Art. 6(1)(b) + Art. 6(1)(c) — legal obligation | 5 years |
| SF/DALI document drafting & AI suggestions | Art. 6(1)(b) — contract performance | Active + 60 days post-termination |
| WORM-compliant archiving (Law 201/2024) | Art. 6(1)(c) — legal obligation | 10 years (immutable) |
| Platform security & audit logging | Art. 6(1)(c) + Art. 6(1)(f) — legitimate interest | 7 years (NIS2) |
| Automated eligibility scoring (Art. 22) | Art. 6(1)(b) + Art. 22(2)(a) — contract necessity | Scoring lifetime + 60 days |
| Anonymised analytics for platform improvement | Art. 6(1)(f) — legitimate interest | 13 months |
Automated Decision-Making (GDPR Art. 22)
The following Platform features use automated processing to produce assessments that may significantly affect grant eligibility decisions:
- CUI Matchmaker & Eligibility Scoring Engine: Automatically produces a ranked eligibility score using CUI, CAEN code, financial profile, and de minimis aid history from RegAS 2.
- Compliance Firewall: Automatically scans application documents and flags procurement violations, DII digitalization shortfalls, DNSH environmental non-compliance, and STEP Seal eligibility.
Lawful basis: Art. 6(1)(b) and Art. 22(2)(a) — the automated assessment is necessary to provide the eligibility service you requested.
Your rights regarding automated assessments:
- Request human review of any score or compliance flag
- Express your point of view and provide additional context
- Contest any assessment you believe is based on incorrect data
To exercise these rights: email dpo@47funds.ro with subject line "Art. 22 Review Request — [your CUI]". We will respond within 30 days.
Infrastructure & Sub-processors
47FUNDS operates on sovereign, self-hosted infrastructure in Romania. Personal data does not leave the EEA as part of core platform operations. Our infrastructure sub-processors are:
- Nethyra Cluster (Proxmox / k3s / Ceph): Core compute, PostgreSQL database, Ceph WORM object storage, Qdrant vector DB. Location: Romania (self-hosted datacenter).
- sven.systems AI Engine: Proprietary RAG processing — isolated, audited, Romania (self-hosted). Processes anonymised query context only; no raw personal data.
- Romanian State APIs: ANAF, ONRC, RegAS 2, MySMIS2021 — read-only integration via secure gateway. These are data sources, not sub-processors.
We maintain executed Data Processing Agreements with all sub-processors. B2B subscribers will be notified 30 days before any sub-processor change.
Data Breach Protocol (GDPR Art. 33–34)
- Within 72 hours: ANSPDCP notification with the nature of the breach, categories and number of affected individuals, likely consequences, and measures taken.
- Without undue delay: Direct notification to affected workspace administrators if the breach presents a high risk to individuals' rights and freedoms.
GDPR & WORM Protection (Law 201/2024)
All fiscal data received from ANAF and all submitted project documents are SHA-256 hashed and stored in an immutable Ceph RGW WORM bucket for 10 years per Law 201/2024. This WORM obligation overrides any right-to-erasure request for documents in that archive — we will inform you if an erasure request cannot be fulfilled due to this legal retention obligation.
Your Data Subject Rights
- Art. 15 — Access: Request a copy of all personal data we hold about you.
- Art. 16 — Rectification: Request correction of inaccurate or incomplete data.
- Art. 17 — Erasure: Request deletion — subject to WORM and legal retention obligations.
- Art. 18 — Restriction: Request we limit processing while a dispute is resolved.
- Art. 20 — Portability: Receive your data in JSON/CSV via Settings > Data Export.
- Art. 21 — Objection: Object to legitimate-interest processing; we will cease unless overriding grounds exist.
- Art. 22 — Human Review: Contest any automated eligibility score or compliance flag.
- Withdraw Consent: Withdraw analytics consent at any time via Settings > Cookie Preferences.
Exercise any right via Settings > Data Rights, or email dpo@47funds.ro. Response within 30 days (extendable by 60 days for complex requests with notice). You may also lodge a complaint with ANSPDCP at any time.