1. Controller identity
Controller: Bogdan-Cătălin Chiotea PFA, Popești-Leordeni, Ilfov County, Romania.
Email: hello@matchquote.ai
Phone: +40 739 521 206
For a business of our size a Data Protection Officer (DPO) is not mandatory under GDPR Art. 37. Privacy inquiries are handled directly by the founder at the contact above.
2. Categories of personal data we process
As a controller (marketing site, sales, billing):
- Contact data: name, work email, company name, job title, phone (if provided).
- Communication data: messages you send us, call transcripts if you book a discovery call, meeting notes.
- Billing data: invoicing details (company name, VAT ID, registered address). We do not store card numbers — payments are processed by our payment provider.
- Usage data: IP address, browser type, pages visited, referral URL. Used in aggregate for analytics and security logs.
As a processor (inside the Services, on behalf of the customer):
- Customer business documents (RFPs, invoices, compliance filings, SPV messages), structured extractions, model prompts and outputs, audit logs. These are covered by the DPA, not this Privacy Policy.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to demo requests and sales inquiries | Art. 6(1)(b) pre-contractual measures |
| Deliver the Services, support, invoicing | Art. 6(1)(b) contract performance |
| Security logs, abuse prevention | Art. 6(1)(f) legitimate interest |
| Tax and accounting records | Art. 6(1)(c) legal obligation (RO accounting law) |
| Marketing emails to existing customers (soft opt-in) | Art. 6(1)(f) legitimate interest + PECR soft opt-in |
| Newsletter to non-customers | Art. 6(1)(a) consent (unsubscribe in every email) |
4. Subprocessors we use
We rely on a small number of vendors to operate the Services. Each is contractually bound to GDPR-equivalent terms.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, storage, AI inference via Bedrock | eu-central-1 (Frankfurt, Germany) |
| Anthropic PBC (via AWS Bedrock) | Foundation model (Claude) | Processed inside AWS eu-central-1 |
| Vercel Inc. | Static site hosting, edge runtime | EU edge regions where possible |
| Cloudflare Inc. | CDN, DDoS protection | Global edge; EU-first routing |
| Google LLC (Workspace) | Business email, documents | EU with SCCs |
| Calendly LLC | Meeting scheduling | US with SCCs and EU-US DPF |
| Stripe Payments Europe Ltd. | Payment processing (if used) | Ireland |
The current customer-facing subprocessor list is also published in the DPA and kept in sync.
5. International transfers
Personal data is primarily hosted in the EU (Frankfurt). Where a subprocessor has a US parent (e.g. Anthropic, Calendly, Stripe), we rely on the EU Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework. Customer content processed through AWS Bedrock stays within eu-central-1 and is not routed to US endpoints.
6. Retention
- Sales/marketing leads: 24 months from last meaningful interaction, then deleted or anonymized.
- Customer account + configuration data: for the duration of the agreement + 12 months, unless a shorter period is required.
- Customer content processed by the Services: per the DPA, deleted within 30 days of agreement termination unless the customer exports it first.
- Invoices and fiscal records: 10 years (Romanian accounting law).
- Security logs: 12 months.
7. Your rights
Under GDPR Articles 15–22 you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Request erasure (“right to be forgotten”);
- Restrict processing;
- Receive your data in a portable format;
- Object to processing based on legitimate interest;
- Withdraw consent at any time for consent-based processing.
To exercise any right, email hello@matchquote.ai. We respond within 30 days (extendable to 90 days for complex requests, per Art. 12(3)).
If we fail to resolve your concern, you may lodge a complaint with the Romanian supervisory authority ANSPDCP (dataprotection.ro) or with the supervisory authority of your EU country of residence.
8. Cookies and analytics
We use strictly necessary cookies to run the site and, optionally, privacy-respecting analytics (no cross-site tracking, IPs anonymized). A cookie banner lets you accept or decline non-essential cookies on first visit.
9. Security
See the Security Overview for a detailed description of our technical and organizational measures: encryption at rest and in transit, access controls, audit logging, incident response, and secure development practices.
10. Children
The Services are offered to businesses, not to children. We do not knowingly collect data from anyone under 16.
11. Automated decision-making and AI
Some Services use AI to generate classifications, extractions, or drafts. These outputs are labelled as AI-generated and are meant for review by a qualified human before any regulated action is taken (e.g. filing a tax response, sending an invoice, signing off on a compliance report). We do not make solely-automated decisions with legal or similarly significant effects on data subjects without human involvement.
12. Changes to this policy
We update this policy when our processing materially changes. The “Last updated” date at the top reflects the latest version. Substantive changes are communicated to active customers by email.
13. Contact
For any privacy question, request, or complaint: hello@matchquote.ai.
This Privacy Policy is provided as a good-faith template reflecting our current practices. It is not legal advice. Customers operating in regulated industries should have their own counsel review this policy against their specific obligations.