
Privacy Policy

Last updated: February 25, 2026  ·   Effective: February 25, 2026

Obtura (“we,” “our,” or “us”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform and services. As a European company, we are fully compliant with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Data Controller Information

The data controller responsible for your personal data is:

Company: Obtura SRL
Registered in: Romania, European Union
DPO Contact: dpo@obtura.dev

As a data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring it is handled lawfully, fairly, and transparently.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account & Identity Data

When you register for Obtura, we collect: full name, email address, company name, job title, and password (stored as a cryptographic hash). This data is necessary to create and manage your account.

2.2 Billing & Payment Data

For paid subscriptions, we collect billing address, VAT number (for EU business customers), and payment method details. Payment card data is processed exclusively by our PCI-DSS compliant payment processor and is never stored on Obtura systems.

2.3 Platform Usage Data

To provide our services and improve performance, we collect: deployment logs, application metrics, infrastructure events, error reports, API request metadata, and feature usage statistics. This data is used exclusively to operate and improve your deployments.

2.4 Technical & Device Data

We automatically collect IP addresses, browser type and version, operating system, referring URLs, and session timestamps for security and service continuity purposes. IP addresses are anonymized after 30 days.

2.5 Communications Data

If you contact our support team, we retain records of correspondence, including emails and support tickets, to resolve your issue and improve our services.

2.6 Data You Deploy

Your application code, environment variables, and any data processed by applications you deploy on Obtura remain your property. We process this data solely as a data processor on your behalf, subject to a Data Processing Agreement (DPA) available upon request.

3. Legal Basis for Processing

Under GDPR Article 6, we rely on the following legal bases to process your personal data:

| Processing Activity | Legal Basis |
| --- | --- |
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Providing deployment services | Contract performance (Art. 6(1)(b)) |
| Billing and payment processing | Contract performance (Art. 6(1)(b)) |
| Legal and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Cookies (non-essential) | Consent (Art. 6(1)(a)) |

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and determined that our interests do not override your fundamental rights. You may request a copy of our LIA by contacting us.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Delivery: Provisioning, operating, and maintaining your Obtura deployments, environments, and infrastructure.
  • Account Management: Creating and managing your account, processing authentication, and managing team access controls.
  • Billing: Processing subscription payments, generating invoices, and managing your subscription plan.
  • Customer Support: Responding to your inquiries, diagnosing deployment issues, and resolving technical problems.
  • Security: Detecting and preventing fraud, unauthorized access, and abuse of our platform.
  • Service Improvement: Analyzing aggregated, anonymized usage patterns to improve platform reliability and develop new features.
  • Legal Compliance: Meeting our obligations under applicable laws, including tax regulations and court orders.
  • Communications: Sending transactional emails (deployment notifications, billing alerts) and, with your consent, product updates and newsletters.

We will never sell your personal data to third parties, use it for advertising purposes, or process it in ways incompatible with the purposes described above.

5. EU Data Residency & International Transfers

All Obtura customer data is stored exclusively within the European Union.

Our infrastructure is hosted in EU-based data centers. Your data does not leave the European Economic Area (EEA).

All primary infrastructure — including databases, object storage, and compute resources — is located in EU data centers (Frankfurt, Germany and Amsterdam, Netherlands).

In the limited cases where we engage sub-processors that may operate outside the EEA (e.g., email delivery providers), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where applicable
  • Supplementary technical measures including end-to-end encryption

A full list of our sub-processors and their processing locations is available upon request at alexserbwork@gmail.com.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

| Data Category | Retention Period |
| --- | --- |
| Account data | Duration of account + 30 days after deletion request |
| Billing records | 7 years (Romanian/EU tax law requirement) |
| Deployment logs | 90 days (configurable in your account settings) |
| Application metrics | 13 months rolling window |
| Security & audit logs | 12 months |
| Support correspondence | 3 years from ticket closure |
| IP addresses (raw) | 30 days, then anonymized |
| Marketing consent records | 3 years from last interaction or until withdrawn |

Upon account deletion, we will delete or anonymize all personal data within 30 days, except where retention is required by law (e.g., billing records).

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. We will respond to all verified requests within 30 days (extendable to 3 months for complex requests, with notice).

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, along with information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to Restriction (Art. 18)

Request that we restrict processing of your personal data in certain circumstances.

Right to Portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON/CSV) and transfer it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. You may also opt out of direct marketing at any time.

Right to Withdraw Consent

Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.

Right to Lodge a Complaint

Lodge a complaint with the Romanian supervisory authority (ANSPDCP) or your local EU data protection authority.

To exercise any of these rights, submit a request to alexserbwork@gmail.com. We may need to verify your identity before processing your request. There is no charge for exercising your rights.

You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro, or with the supervisory authority in your EU member state.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our website and platform. We categorize these as follows:

8.1 Strictly Necessary Cookies

These cookies are required for the platform to function and cannot be disabled. They include session authentication tokens, CSRF protection tokens, and load balancer routing cookies. No consent is required for these cookies.

8.2 Functional Cookies

These cookies remember your preferences (e.g., theme settings, language) to improve your experience. They require your consent.

8.3 Analytics Cookies

We use privacy-respecting analytics (hosted in the EU) to understand how our platform is used. These cookies collect anonymized, aggregated data and require your consent. We do not use Google Analytics or other US-based tracking services.

8.4 Managing Cookies

You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling functional cookies may affect platform usability.

9. Third-Party Services & Sub-Processors

We engage trusted third-party service providers to operate our platform. All sub-processors are contractually bound to process data only on our instructions and in compliance with GDPR. Key categories of sub-processors include:

  • Cloud Infrastructure: EU-based cloud providers for compute, storage, and networking. All data remains within EU data centers.
  • Payment Processing: PCI-DSS Level 1 certified payment processors. Card data is never stored on Obtura systems.
  • Email Delivery: Transactional email providers for sending deployment notifications and account communications.
  • Customer Support: Support ticketing systems for managing customer inquiries.
  • Error Monitoring: Application error tracking for diagnosing platform issues, operated with data minimization.

We will notify you of any material changes to our sub-processors at least 30 days in advance. The complete, up-to-date list of sub-processors is available at alexserbwork@gmail.com.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage:

  • SOC 2 Type II certified infrastructure
  • 256-bit AES encryption at rest
  • TLS 1.3 for all data in transit
  • Multi-factor authentication (MFA)
  • Role-based access controls (RBAC)
  • Regular penetration testing
  • Continuous security monitoring
  • Automated vulnerability scanning
  • Encrypted backups with tested recovery
  • Employee security training & vetting
  • Incident response plan (72-hour notification)
  • Annual third-party security audits

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, in accordance with GDPR Article 33.

11. Children's Privacy

Obtura's services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at alexserbwork@gmail.com and we will delete the data promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending an email notification to your registered address at least 30 days before significant changes take effect
  • Displaying a prominent notice on our platform dashboard

Your continued use of Obtura after changes take effect constitutes acceptance of the updated policy. If you do not agree, you may close your account at any time.

13. Contact & Data Protection Officer

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries

Response time: Within 5 business days

Data Protection Officer

Scope: GDPR rights, DPA requests, complaints

If you are unsatisfied with our response, you have the right to lodge a complaint with the Romanian supervisory authority:

Authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)