Privacy Policy
Last updated: 24 June 2026
Drafted Lab SRL respects the privacy rights of its users and is committed to protecting personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.
1. Data controller
Drafted Lab SRL
Bucharest, Romania
Email: office@drafted-lab.com
2. What data we collect
Data you provide directly:
- When creating an account: name, email address, password (stored encrypted)
- When placing an order: delivery address (street, locality/sector, county, country, postcode), phone, and, if different, a billing address (name or company name, plus VAT ID for B2B invoices)
- When ordering as a guest (no account): we process your email, name, phone and delivery/billing addresses solely to fulfil the order. If you later create an account with the same email, the orders are linked automatically
- When subscribing to the newsletter: your email and, as proof of consent, the moment (date and time), IP address, source (footer/checkout) and policy version - kept in a consent registry, per Art. 7(1) GDPR
- When contacting us: your message and the contact details you provide
Data collected automatically:
- IP address (for security and fraud prevention)
- Browser type and operating system
- Pages visited and actions taken (internal audit log)
- Anonymous usage statistics (only with your consent): via Umami, hosted on our own servers, with no cookies and no IP storage - pages viewed, referrer, approximate country and device type, in aggregated, anonymous form. See the Cookie Policy.
3. Purposes and legal basis for processing
4. Data retention periods
- Account data: for the lifetime of the account + 3 years after deletion
- Order and invoice data: 10 years (statutory fiscal obligation)
- Security logs: 90 days
- Newsletter subscriptions: until unsubscription
5. Who we share data with
We do not sell or rent your data. We share it only with partners necessary to provide services:
- Supabase (USA) - database and authentication (covered by EU Standard Contractual Clauses)
- Stripe (USA) - card payment processing (covered by EU Standard Contractual Clauses)
- Microsoft Ireland (Microsoft 365) - sending transactional emails and the newsletter (EU datacenter)
- Oblio (Romania) - issuing and archiving fiscal invoices
- Hosting provider (VPS, EU) - server infrastructure
- Courier partners - order delivery (delivery data required)
- Cloudflare (USA) - CDN, security and anti-bot protection (covered by EU Standard Contractual Clauses)
6. Your rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access - to request a copy of the data we hold about you
- Right to rectification - to correct inaccurate data
- Right to erasure - to request deletion of your data (subject to legal obligations)
- Right to data portability - to receive your data in a structured format
- Right to object - to processing based on legitimate interest
- Right to withdraw consent - at any time, without affecting the lawfulness of prior processing
Account holders can download their data and delete their account directly from Account → Profile. If you ordered as a guest, send your request to office@drafted-lab.com. We respond to any request within 30 days (Art. 12(3) GDPR). You can unsubscribe from the newsletter at any time with a single click from any email we send.
You also have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro
7. Data security
We implement appropriate technical and organisational measures to protect data: TLS encryption in transit, encryption at rest, restricted access, audit logging and periodic security reviews.
8. International transfers
Some service providers are located outside the EEA (USA). Transfers are made on the basis of Standard Contractual Clauses approved by the European Commission or other adequate transfer mechanisms.
9. Cookies
For details about the cookies we use, please see our Cookie Policy.
10. Changes to this policy
We will notify users of significant changes by email or by displaying a notice on the site at least 30 days before the changes take effect.