Effective Date: October 7, 2025 | Last Updated: October 7, 2025
Mararu & Mararu SCA ("we," "us," or "the Firm"), a Romanian-based boutique law firm specializing in aerospace, technology, arts, digital media, insurance, energy, and industry associations, is committed to safeguarding your privacy and personal data in full compliance with the EU General Data Protection Regulation (GDPR) 2016/679, Romanian Law No. 190/2018 on GDPR implementation, and emerging frameworks like the EU AI Act (anticipated full enforcement 2026). This Policy outlines our practices for collecting, processing, storing, and protecting personal data from individuals and entities ("you" or "data subjects") interacting with us via our website (mararu.com), contact forms, emails, telephone calls, or other channels. We process data as a controller, ensuring transparency, lawfulness, and accountability. For inquiries, contact our Data Protection Officer (DPO) at office@mararu.com or +4 (031) 421-5150, Str. Carpatilor 11F, Otopeni 075100, Romania.
1. Data We Collect and Sources
We collect personal data necessary for providing legal services, responding to inquiries, and maintaining professional relationships. Categories include:
- Identification Data: Name, email address, phone number, job title, company name (from contact forms, emails, calls).
- Communication Data: Content of inquiries, emails, call recordings (with consent for quality assurance), attachments (e.g., documents shared via contact form).
- Technical Data: IP address, browser type, device info (collected automatically via Google Analytics with IP masking enabled, a data-protection-by-design measure under GDPR Article 25; masking truncates the IP address before it is stored, but we still treat the remaining technical data as pseudonymized personal data rather than as anonymous data).
- Confidential Data: Sensitive information (e.g., business secrets, IP details) shared in prospective client communications; we treat this as confidential under Romanian Bar ethics and, where applicable, as GDPR special-category data (e.g., health-related information in insurtech queries). Sources: directly from you (forms/emails/calls); indirectly via referrals or public sources (in which case we notify you when we begin processing). No automated profiling occurs; all decisions are human-reviewed.
2. Purposes and Legal Bases for Processing
We process data lawfully under GDPR bases:
- Contractual Necessity (Art. 6(1)(b)): To respond to inquiries, draft agreements, or provide preliminary advice.
- Legitimate Interests (Art. 6(1)(f)): For business development (e.g., follow-up emails), fraud prevention, and network security, balanced against your rights through a documented legitimate-interests assessment.
- Consent (Art. 6(1)(a)): For marketing or non-essential cookies (revocable anytime).
- Legal Obligation (Art. 6(1)(c)): Compliance with Romanian fiscal laws or anti-money laundering. Specific to channels:
- Contact Forms/Emails: Processed to facilitate consultations. Confidential information triggers our non-disclosure protocols; an unsolicited submission does not create attorney-client privilege until we are engaged, but we secure it immediately on receipt (e.g., encrypted storage).
- Calls: Recorded only with your explicit consent; used for accuracy and deleted after 6 months unless retention is legally required.
- Electronic Comms: Emails and calls may involve third-party providers (e.g., ProtonMail, which offers end-to-end encryption). End-to-end encryption only applies when both parties use a compatible end-to-end encrypted service or PGP; otherwise email is protected in transit by TLS at best, so we advise against sending sensitive data that way. We follow post-quantum cryptography developments and trial quantum-resistant algorithms where our providers support them, to future-proof against emerging threats. On receipt of confidential information we apply Romanian confidentiality rules (Law 51/1995), notify you of any risks in the channel used, and offer a secure portal for further exchange.
No data is used for automated decisions with legal effects. Retention: Up to 5 years post-interaction (Romanian statute of limitations), or shorter if requested—erased via secure deletion (overwriting).
3. Data Sharing and Transfers
We share data minimally:
- With affiliates/partners for joint services (EU-based, under DPAs).
- Processors: Google Analytics (IP-masked; no export of identifiable data). The Google Maps API is not currently used; if it is added for location services, it will be disclosed here and gated behind the consent banner.
- Authorities: Only if legally compelled (e.g., by subpoena or court order), and after challenging the request where we have grounds to. No transfers outside the EEA take place without an adequacy decision or appropriate safeguards (e.g., the 2021 EU Standard Contractual Clauses). The Google Analytics and Search Console verification tag (loaded via Google Tag Manager in the page <head>) is configured not to send identifiable data; it is nonetheless processing that we disclose here and that is covered by the cookie consent banner and the transfer safeguards above.
4. Security Measures
We apply technical and organisational measures proportionate to the risk: AES-256 encryption for data at rest and TLS-protected connections for data in transit, multi-factor authentication on all accounts holding client data, regular audits (including annual penetration tests), and an incident response plan under which we notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Art. 33) and affected data subjects where the breach is likely to result in a high risk to them (Art. 34). For electronic communications we recommend PGP-encrypted email (our PGP key is published on our website); confidentiality is upheld by our professional duties in any case.
5. Your Rights
Under GDPR, you may exercise the following rights free of charge; we respond within one month, extendable by up to two further months for complex or numerous requests, in which case we will tell you why (Art. 12(3)):
- Access (Art. 15): Copy of your data.
- Rectification (Art. 16): Correct inaccuracies.
- Erasure ("Right to be Forgotten," Art. 17): Delete if no longer needed.
- Restriction (Art. 18)/Objection (Art. 21): Limit or stop processing.
- Portability (Art. 20): Receive/transfer data.
- Withdraw Consent (Art. 7): Anytime, without affecting prior lawfulness.
- Lodge Complaints: With the Romanian supervisory authority ANSPDCP (www.dataprotection.ro) or the authority in your own member state. Contact the DPO to exercise any right; we may ask for additional information to verify your identity before acting (Art. 12(6)), proportionate to the sensitivity of the data involved.
6. Cookies and Tracking
We use cookies for functionality (e.g., session persistence) and analytics (Google Analytics, IP-masked, for aggregate traffic insights; no personal profiling). No advertising trackers are used. Analytics cookies are set only after you consent via the cookie banner; see our Cookie Policy for details. Future additions (e.g., Maps API) will be disclosed here.
7. Children’s Data
We do not target individuals under 16 (the default age of digital consent under GDPR Art. 8); if we learn that we have collected such data inadvertently, we delete it immediately.
8. Changes to Policy
Changes are notified via a site banner; the Policy is reviewed annually for accuracy.