The Pay With Smile Association, with its registered office at Aleea Gugu nr. 1, Reșița, Caraș-Severin County, CIF 45009379, takes the protection of your personal data seriously. If you have any questions, write to us at contact@paywithsmile.ro or call 0720 041 043.
1. Who is the data controller?
Pay With Smile Association
CIF: 45009379
Registered office: Aleea Gugu nr. 1, Reșița, Caraș-Severin County
Email: contact@paywithsmile.ro
Phone: 0720 041 043
We have not formally appointed a Data Protection Officer (DPO), because our processing activities are not large-scale and not systematic. Any request relating to personal data should be addressed directly to the email address above.
2. What data we collect and how
2.1. Website visitors
The paywithsmile.ro website is a static site. We do not use integrated contact forms, we have no user accounts and we do not place any first-party cookies.
Nevertheless, simply by visiting the site, the following may be collected automatically:
- IP address and technical server data — through Hostinger (our web hosting provider), which records standard access logs (IP address, date/time, page accessed, browser). These logs are necessary for security and for the technical operation of the server. We do not use them to identify you individually.
- IP address transferred to Google — our site loads fonts from the Google Fonts service (fonts.googleapis.com). This loading means that your browser automatically sends your IP address to the servers of Google LLC (USA). Google processes this data in accordance with its own privacy policy (policies.google.com). If you wish to avoid this transfer, you can block the fonts.googleapis.com domain through your browser settings or through privacy extensions.
2.2. People who contact us by email or phone
If you choose to contact us at the association's addresses or by phone, we collect the data you send us directly: name, email address, phone number and any information included in your message.
Special note — health data. The main purpose of our association is to support people who have been through cancer. As a result, the messages you send us may contain, on your own initiative, information about your health condition. This is special category data under Article 9 of the GDPR and benefits from additional protection:
- Legal basis: your explicit consent, given by voluntarily sending this information (Article 9(2)(a) GDPR). You may withdraw your consent at any time by requesting the deletion of the data at contact@paywithsmile.ro.
- Confidentiality: emails containing health data are accessed exclusively by the president of the association or by the person appointed to coordinate the programme for beneficiaries. We do not pass them on to third parties, we do not publish them and we do not use them for marketing purposes.
- Who has access: a maximum of 2-3 people from the association's management, bound by confidentiality obligations.
- How long we store them: correspondence containing health data is kept for the duration of the relationship with the beneficiary and for a maximum of 3 years after the programme ends, after which it is permanently deleted or anonymised for internal statistics. If you withdraw your consent before these deadlines, we delete the data within a maximum of 30 days, except where retention is necessary for the establishment, exercise or defence of a legal claim in court. If the correspondence gives rise to accounting or contractual obligations, the retention period is the statutory one (minimum 10 years, Law 82/1991).
2.3. Sponsors and partners
If you get in touch with us as a sponsor or partner, we process the data necessary to conclude and perform the contract: name, role, professional contact details, tax identification data. The legal basis is the performance of the contract (Article 6(1)(b) GDPR) and the legal archiving obligations (point (c)). The data is kept for a minimum of 10 years in accordance with the Accounting Law.
3. Purposes of processing and legal basis
- Responding to requests — the association's legitimate interest in communicating with interested persons (Article 6(1)(f) GDPR) or the performance of a contract (point (b));
- Coordinating the programmes for beneficiaries — explicit consent for health data (Article 9(2)(a) GDPR); for the other data: the performance of a participation agreement (Article 6(1)(b) GDPR);
- Legal obligations — accounting and tax archiving (Article 6(1)(c) GDPR);
- Security of the technical infrastructure — server logs, the legitimate interest of the controller (Article 6(1)(f) GDPR).
4. Recipients of the data
We do not sell your data and we do not transfer it to third parties for commercial purposes. We may pass data on, to a strictly limited extent, to:
- Hostinger (hosting provider) — technical logs, under a data processing agreement (DPA);
- Google LLC — IP address through the loading of fonts, in accordance with Google's policy;
- Public authorities (ANAF, courts) — exclusively when we are legally obliged to;
- The association's accountant/auditor — data necessary for tax reporting, under a confidentiality agreement.
We do not transfer data outside the European Economic Area, with the exception of the implicit transfer of the IP address to Google (USA), which is based on the Standard Contractual Clauses approved by the European Commission.
5. Storage period
- General correspondence (without health data): a maximum of 3 years from the last contact;
- Correspondence containing health data: a maximum of 3 years after the programme ends;
- Documents with accounting/contractual value: a minimum of 10 years (Law 82/1991);
- Hostinger server logs: in accordance with Hostinger's policy (generally 30-90 days).
6. Your rights
Under the GDPR, you have the following rights, which you may exercise at any time by writing to contact@paywithsmile.ro:
- Right of access — to know what data we hold about you;
- Right to rectification — to correct inaccurate data;
- Right to erasure — to request the deletion of the data, where there are no legal retention obligations;
- Right to restriction of processing — in the situations provided for by law;
- Right to data portability — to receive the data you provided in a structured format;
- Right to object — to processing based on legitimate interest;
- Right to withdraw consent — at any time, without affecting the lawfulness of previous processing;
- Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): anspdcp.ro, phone 031 805 9211, email anspdcp@dataprotection.ro.
We respond to your requests within a maximum of 30 calendar days.
7. Cookies
The paywithsmile.ro website does not place any first-party cookies. We do not use analytics, marketing or session cookies. The only external element is the loading of Google fonts, described in section 2.1. Full details are available in the Cookie Policy.
8. Traffic analytics (section prepared — currently inactive)
This section is not currently active. We include it to be transparent about what may change in the future.
If we activate a traffic analytics tool (for example Google Analytics), we will update this policy, add a cookie banner in accordance with GDPR requirements and request your consent before any tracking. Until such a tool is activated, we do not collect any analytics data about your behaviour on the site.
9. Data security
We take reasonable measures to protect data: restricted access to the association's email inboxes, secure passwords, an HTTPS connection on the site. Correspondence containing health data is treated with the utmost discretion and is not forwarded or archived on insecure third-party platforms.
10. Changes to the policy
If this policy changes significantly, we will display a notice on the site and update the version date. Continued use of the site after the changes are published constitutes acceptance of the new version.
11. Contact
For any question or to exercise your GDPR rights:
Email: contact@paywithsmile.ro
Phone: 0720 041 043
Address: Pay With Smile Association, Aleea Gugu nr. 1, Reșița, Caraș-Severin County