Privacy Policy
Last updated: April 5, 2026 · SC TESTGATE SRL · CUI 47003208
1. Data Controller
SC TESTGATE SRL ("47FUNDS", "we", "us"), registered in Romania, CUI 47003208, with registered office in Târgoviște, Dâmbovița, România, is the Data Controller for account and platform data. For client company data uploaded by consultant subscribers, we act as Data Processor on your instructions.
Data Protection Contact: dpo@47funds.ro · Postal: SC TESTGATE SRL, Attn: DPO, Târgoviște, Dâmbovița, România.
Supervisory authority: ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal · www.dataprotection.ro · +40 318 059 211
2. Data We Collect & Legal Basis
We process the following categories of personal and business data, under the stated lawful bases (GDPR Article 6):
| Data Category | Examples | Lawful Basis | Retention |
|---|---|---|---|
| Account data | Name, email, professional role, COR code | Art. 6(1)(b) — contract performance | Contract duration + 3 years |
| Company identification | CUI, CAEN code, company name, incorporation date | Art. 6(1)(b) + Art. 6(1)(c) — legal obligation (ANAF/ONRC integration) | 5 years (HG 1050/1996) |
| Fiscal certificates | ANAF certificat fiscal, tax-arrears status | Art. 6(1)(c) — legal obligation | 5 years |
| Financial data (Bilanț OCR) | Turnover ranges, profit/loss, employee count from balance sheets | Art. 6(1)(b) — contract performance | PII anonymised after 90 days of inactivity; aggregated ranges retained 5 years |
| Grant application drafts | SF/DALI text, eligibility assessments, scoring results | Art. 6(1)(b) — contract performance | Active period + 60 days post-termination; then anonymised |
| WORM-archived documents | Final submitted documents with SHA-256 hash chain | Art. 6(1)(c) — legal obligation (Law 201/2024) | 10 years minimum (immutable) |
| Audit & security logs | Login events, API calls, submission attempts | Art. 6(1)(c) + Art. 6(1)(f) — legal obligation + legitimate interest (security) | 7 years (NIS2 / Law 362/2018) |
| Analytics data | Anonymised page-interaction metrics | Art. 6(1)(f) — legitimate interest (platform improvement) | 13 months, then deleted |
We do not collect special-category data (health, ethnicity, political opinions, etc.) and do not sell or trade your data to third-party marketing firms.
3. Automated Decision-Making (GDPR Art. 22)
The following Platform features perform automated data processing that produces assessments which may significantly affect your access to EU funding:
- CUI Matchmaker & Scoring Engine: Automatically calculates an eligibility score and ranks available grant calls for a company based on CUI, CAEN, financial profile, and de minimis history.
- Compliance Firewall: Automatically flags application documents for procurement violations, DII shortfalls, DNSH non-compliance, or STEP Seal eligibility.
These assessments are produced as supporting tools for human decision-making, not as final decisions. The lawful basis is Art. 6(1)(b) (necessary for contract) and Art. 22(2)(a) (necessary for entering into a contract at your request).
Your rights regarding automated decisions: You have the right to (a) obtain human review of any automated score or compliance assessment, (b) express your point of view, and (c) contest any assessment you believe to be incorrect. Submit requests to dpo@47funds.ro.
4. Registry Data Processing
When you perform a lookup via our ANAF or ONRC bridges, your query is proxied through our secure Nethyra self-hosted gateway to the national endpoint. Resulting fiscal data is cached for 24 hours to improve Platform performance; you may force a manual refresh at any time. All registry calls are logged in the immutable audit trail for security and legal-obligation purposes (retention: 7 years).
5. AI & RAG Processing
Grant drafts generated by the sven.systems AI engine are private to your workspace. We do not use your proprietary SF/DALI text to train shared or global models. Our Retrieval-Augmented Generation (RAG) corpus is trained exclusively on public government guidelines, Monitorul Oficial publications, and MIPE/AFIR/ADR programme documentation. Anonymised, aggregated metadata (e.g., "CAEN 6201 applications to Programme X") may be used to improve eligibility-matching accuracy under legitimate interest (Art. 6(1)(f)).
6. Sub-processors & Infrastructure
47FUNDS runs on self-hosted sovereign infrastructure ("Nethyra Cluster") located in Romania. We do not transfer personal data to cloud providers outside the EEA as part of core platform operations.
| Sub-processor | Role | Location | Data Processed |
|---|---|---|---|
| Nethyra Cluster (Proxmox/k3s) | Core compute, storage (Ceph RGW/WORM), database (PostgreSQL) | Romania (self-hosted) | All platform data |
| sven.systems | Proprietary RAG AI engine — isolated, audited | Romania (self-hosted) | Grant guide content; anonymised query context |
| ANAF (gov.ro) | Fiscal certificate verification — read-only API | Romania | CUI, tax-arrears status |
| ONRC (onrc.ro) | Company registry — read-only API | Romania | CUI, CAEN, company data |
| RegAS 2 (consilconcurenta.ro) | De minimis aid history — STS channel | Romania | CUI, aid history |
We execute Data Processing Agreements with all sub-processors. If a sub-processor changes, we will notify B2B subscribers at least 30 days in advance.
7. Document Integrity & WORM Archiving
Documents uploaded to the WORM Archive are SHA-256 hashed client-side before ingestion. We store the file and its integrity signature in an immutable Ceph RGW WORM bucket. Any modification attempt is recorded in the platform's immutable audit trail. WORM-archived documents may not be deleted within the 10-year retention window mandated by Law 201/2024 — this applies even if you close your account.
8. Data Breach Protocol
In the event of a personal data breach, SC TESTGATE SRL will notify ANSPDCP within 72 hours of becoming aware (GDPR Art. 33). Where the breach is likely to result in high risk to your rights and freedoms, we will notify affected workspace administrators without undue delay (GDPR Art. 34). Breach notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
9. Your Data Subject Rights
Under GDPR and Romanian Law 190/2018, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data where no longer necessary — subject to legal retention obligations (WORM documents, audit logs).
- Restriction (Art. 18): Request that we limit processing while a dispute is resolved.
- Portability (Art. 20): Receive your data in a structured, machine-readable format (available via Settings > Data Export).
- Objection (Art. 21): Object to processing based on legitimate interest; we will cease unless we can demonstrate compelling legitimate grounds.
- Automated Decision Review (Art. 22): Request human review of any automated eligibility score or compliance assessment.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time via Settings > Cookie Preferences (for analytics) without affecting lawfulness of prior processing.
To exercise any right, contact dpo@47funds.ro or use Settings > Data Rights. We will respond within 30 days. You also have the right to lodge a complaint with ANSPDCP at www.dataprotection.ro.
10. Changes to This Policy
We will notify you of material changes by email and in-platform notice at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision. We recommend reviewing this policy annually.