Privacy Policy
Data controller: Plenvar Labs SRL
1. Who is responsible for your data (controller)
Plenvar Labs SRL ("Contwave", "we") operates the Contwave platform and is the data controller for the personal data described in §3 below, except where we act as a processor on behalf of a Client (see §2).
- Registered office: Str. Anghelești nr. 5, Curtea de Argeș, Argeș County, Romania
- Trade Register no.: J2026042747008 · CUI: 55123337
- Email (general): privacy@contwave.com
- Privacy / data protection contact: privacy@contwave.com
Based on our current processing, a statutory Data Protection Officer (DPO) is not mandatory under Article 37 GDPR: our core activity is content production (not large-scale, regular and systematic monitoring of individuals), and we do not process special categories of data at scale. We have documented this assessment internally and will re-assess as our processing grows (for example, if large-scale behavioural tracking is introduced). A privacy contact point — privacy@contwave.com — is provided regardless. (This assessment is to be confirmed with counsel.)
2. Controller vs processor — two different roles
Contwave processes personal data in two distinct capacities:
2.1. As controller — for data relating to: our Client account holders and their authorised users; visitors to contwave.com; prospects and leads who contact us; and our own business operations. For this data, this Privacy Policy applies.
2.2. As processor — where we process personal data on behalf of a Client (for example, the Client's own marketing contacts, audiences, or end-user data handled through the Platform). In that case the Client is the controller, the Client's own privacy notice applies to the data subjects, and our processing is governed by a Data Processing Agreement (DPA) under Article 28 GDPR. This Privacy Policy describes our own (controller) processing, not the Client's.
3. What personal data we collect (as controller)
- Account & identification data: name, business email, role, company, credentials/authentication data.
- Usage & technical data: log data, IP address, device/browser information, actions in the Platform, diagnostics.
- Communications: messages, support requests, and correspondence with us.
- Prospect/marketing data: contact details of business prospects who engage with us, and (where consent is given) newsletter subscribers.
- Billing data: information necessary to administer Subscriptions (processed largely by our payment processor; we do not store full card data).
- Cookies and similar technologies: see §7.
Sources. Most personal data is collected directly from you. Some prospect data may be obtained from publicly available business sources or referrals, and — where Contwave acts as processor — audience or end-user data is provided by the Client (controller). Where we obtain personal data other than directly from you, we provide the information required by Article 14 GDPR.
We do not intentionally collect special categories of data, and the Platform is not directed at consumers or children (see §13).
4. Why we process it and our legal bases (Article 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Providing and administering the Platform and accounts | Performance of a contract — Art. 6(1)(b) |
| Security, fraud prevention, service integrity, diagnostics | Legitimate interests — Art. 6(1)(f) |
| Billing, accounting, tax and legal record-keeping | Legal obligation — Art. 6(1)(c) / contract |
| Responding to enquiries and support | Contract / legitimate interests |
| Direct marketing by electronic means (email, newsletters) | Prior consent (opt-in) — Art. 6(1)(a) GDPR and Art. 12(1) of Law no. 506/2004, which requires prior express consent for commercial email and applies equally to business recipients. A narrow "soft opt-in" exception (Art. 12(2)) allows emailing our own existing customers about similar products, with an easy free opt-out at collection and in every message |
| Product improvement using aggregated/anonymised data | Legitimate interests — Art. 6(1)(f) |
Where we rely on consent, you may withdraw it at any time (§12); withdrawal does not affect prior lawful processing.
5. AI processing and automated content generation
5.1. The Platform uses artificial intelligence to generate and assist in creating Content. AI processing for Content generation generally operates on Client-supplied briefs and brand inputs, not on the personal data of unrelated individuals.
5.2. We do not use your personal data to make decisions producing legal or similarly significant effects on you by solely automated means within the meaning of Article 22 GDPR. Where any such processing were introduced, we would provide the required information and safeguards.
5.3. AI-generated Content is marked and disclosed in accordance with applicable transparency rules, including Article 50 of the EU AI Act.
6. Who we share data with (recipients and sub-processors)
We share personal data only as necessary, with the following categories of recipients and sub-processors:
| Sub-processor | Function | Status |
|---|---|---|
| Supabase | Hosting, database and authentication (core infrastructure) | In use |
| Railway | Application/back-end hosting (processes data in transit) | In use |
| Vercel | Front-end / dashboard hosting and serverless functions | In use |
| Anthropic | AI text/copy generation | In use |
| OpenAI | AI text generation | In use |
| HeyGen | AI video / avatar generation | In use |
| ElevenLabs | AI voice / narration | In use |
| Resend | Transactional and email delivery (processes email addresses) | In use |
| Stripe | Subscription payment processing | Planned |
| DataForSEO | Trend/keyword data (operates on non-personal query data) | Planned |
In addition, advertising and social platforms (including Meta, Google/YouTube, TikTok, LinkedIn and X) act as recipients where the Client connects its own accounts — those accounts are controlled by the Client, not by Contwave. We may also share data with professional advisers and competent authorities where required by law.
Each sub-processor acting on our behalf is engaged under a data-processing agreement consistent with Article 28 GDPR. [● Confirm that a signed DPA / current Data Processing Addendum is in place with each provider before publishing.] An up-to-date list of sub-processors is available on request at privacy@contwave.com. We may update our sub-processors as the Platform evolves; material changes to the sub-processor list will be notified by reasonable means, and you may raise an objection.
To reduce third-party data exposure, the Platform self-hosts web fonts and avoids unnecessary third-party calls in published outputs where feasible.
7. Cookies and similar technologies
7.1. We use cookies and similar technologies in two categories: - Strictly necessary cookies — required for the Platform to function (e.g. authentication, session, security, load balancing). These are exempt from the consent requirement under the ePrivacy regime, because they are strictly necessary to provide the service you request. - Optional cookies (analytics and preferences) — set only with your prior consent, to understand usage and improve the Platform.
7.2. This reflects the ePrivacy regime and Law no. 506/2004. Non-essential cookies are not set without your prior consent, which you can give, refuse or withdraw at any time via our cookie banner or settings. Refusing optional cookies does not affect access to the core Platform.
7.3. Some cookies may be set by the sub-processors listed in §6 (for example, authentication or payment providers) strictly to deliver their function.
8. International transfers
Where personal data is transferred outside the EEA (for example, to a US-based processor), we rely on an appropriate safeguard under Chapter V GDPR: - for providers certified under the EU-US Data Privacy Framework (DPF), the European Commission's adequacy decision of July 2023 (the DPF was upheld by the EU General Court on 3 September 2025 and remains valid, though an appeal is pending before the Court of Justice); and/or - the European Commission's Standard Contractual Clauses (SCCs), which we also maintain as a fallback safeguard, together with supplementary measures where needed.
Details of the safeguard applicable to a given transfer are available on request.
9. How long we keep data (retention)
We keep personal data only as long as necessary for the purposes above. Our standard periods are:
- Account and contract data — for the duration of the contract and for 3 years thereafter (the general limitation period for civil claims under Article 2517 of the Romanian Civil Code), so that we can establish, exercise or defend legal claims;
- Invoices and supporting accounting documents (documente justificative, registre de contabilitate) — 5 years, calculated from 1 July of the year following the financial year in which they were drawn up, as required by Article 25 of the Romanian Accounting Law no. 82/1991 (as amended by Law no. 36/2023); this also aligns with the 5-year fiscal limitation period;
- Annual financial statements — 10 years, as required by the Accounting Law (entity-level records);
- Marketing data — until consent is withdrawn or the data is no longer relevant, reviewed periodically;
- Compliance and content audit trail (content generation, compliance flags and warnings, approvals, overrides and publication decisions) — retained for the duration of the contract and 3 years thereafter, to preserve evidence of the parties' decisions for the applicable limitation period (see Terms of Service §6.6);
- Logs and technical diagnostics — typically 6 to 12 months, retained on the basis of our legitimate interest in security and service integrity.
After the applicable period, data is deleted or anonymised. These periods are recorded in our internal retention schedule and confirmed with our accountant/counsel.
10. Security
We apply appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, credential management and least-privilege practices. No system is perfectly secure; we work to continuously improve our safeguards and to handle any breach in accordance with Articles 33–34 GDPR.
11. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to: access your data (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); object to processing based on legitimate interests or to direct marketing (Art. 21); and not to be subject to solely automated decisions producing legal/significant effects (Art. 22). Where processing is based on consent, you may withdraw consent at any time.
To exercise your rights, contact us at privacy@contwave.com. We respond within the time limits set by the GDPR (generally one month).
12. Right to lodge a complaint
If you believe your data protection rights have been infringed, you may lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) - Address: B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, 010336 București, Romania - Phone: +40 31 805 9211 - Email: anspdcp@dataprotection.ro · Website: www.dataprotection.ro
You may also seek a judicial remedy. If you are located in another EEA country, you may contact your local supervisory authority.
13. Children
The Platform is a business-to-business service, is not directed at children, and we do not knowingly process the personal data of minors.
14. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by reasonable means, and the "last updated" date will be revised. Continued use after the effective date constitutes acknowledgement.
15. Contact
Questions about this policy or your data: privacy@contwave.com.