Privacy Policy

1. Introduction

This document governs the policy applied by MFC TRANSPORT ONLINE S.R.L., with registered office in Bucharest, Sector 1, Strada Dr. Leonda Varnali No. 12, ROOM 2, registered in the Trade Register under No. J40/2942/2019, CUI: 40696786 (hereinafter: Administrator), regarding the protection of users' personal data and information that may constitute users' trade secrets.

This policy applies to services offered by the Administrator through the website: www.mfctransport.eu. The above policy does not apply to third-party websites and services that may be accessed through links on the above website. Detailed information regarding personal data protection is available from each service provider separately. The Administrator recommends that the relevant documents are always reviewed on the providers' websites.

2. Data We Collect

To fully use the Administrator services and products, the User may create an account or connect to the MFC Transport Platform (hereinafter: the Platform).

To use the services and products offered by the Administrator, you must register an account through the form available on the website in the Register/Register Company/Add Employee section. At registration, the following details must be provided: CUI, company name, registered office address, postal code, and country. To verify the User, the company VAT number, phone number, email address, and name are required. At login, the User enters the following information: Unique identification number. In addition, the User may complete the account profile with additional data, such as date of birth.

As part of the Platform access service, we obtain most User data (including information, photographs, documents) directly from the User. Some data may be obtained from public sources such as the Trade Register, the Official Gazette, or similar sources, as well as from private entities that collect and make available company information. From these sources, we may have data such as identification data, contact data, financial data, geolocation data, etc.

Providing data is voluntary, although necessary for service implementation and contact with the Administrator. If you do not provide the Administrator with the required information, the Administrator will not be able to perform and ensure the provision of the service.

Some data is also collected passively, meaning through website use (for example, IP address, resolution, location, browser type).

3. Use of Data

Users' personal data will be processed:

• for the purposes necessary for execution of the Platform access service based on the contract concluded between User and Administrator, or for performance of pre-contractual activities [Article 6(1)(b) GDPR],
• As Administrator, we are subject to a number of legal obligations under national legislation. If necessary, we will process your data to comply with requirements imposed by regulations [Article 6(1)(c) GDPR],
• if necessary, for purposes resulting from the legitimate interests of the Administrator or third parties [Article 6(1)(f) GDPR], including but not limited to: providing User support, responding to questions/complaints, sending the Administrator newsletter regarding software changes, MFC Transport Platform Regulations and related service regulations, ensuring the Administrator IT security, researching customer satisfaction, supporting and defending against claims, direct marketing of Administrator products and services and of MFC Transport group entities, as well as other entities to which the Administrator provides services under separate agreements, for internal administrative purposes of the Administrator such as preparing statistics, analyses, reports, for example regarding methods and User preferences for using Platform services, related services, or the Administrator website,
• based on your consent [Article 6(1)(a) GDPR], granted for specific purposes (for example, to provide the User with marketing content regarding products and offers of the Administrator and entities in the MFC Transport Group, such as newsletters, where there is interest in these, or to send data within the MFC Transport Group for specific purposes).

If the User has given consent, the Administrator sends information regarding current and future products and services of the Administrator and MFC Transport Group entities through electronic communication (for example, email, phone, SMS, MMS, push, notifications in the Platform) in the form of an information campaign (commercial information) and/or marketing campaign (advertising).

Regarding personal data, withdrawal of consent is possible at any time, but this does not affect personal data processing prior to withdrawal.

Personal data may be processed through automated means (including profiling). The purpose of profiling is to collect information about Platform activity, how the Platform is used, and User preferences, which allows us to better adapt offers, as well as products and services provided on the Platform and communications sent to Users. This type of automated processing also allows the Administrator to improve technological functioning of the Platform or detect events that may threaten security of the Platform and Users. The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) GDPR).

4. Recipients of Personal Data

Data may be shared with other recipients to fulfill contractual conditions with you, to comply with a legal obligation of the Administrator, based on your consent, or for purposes deriving from the legitimate interests of the Administrator or a third party.

Recipients may include, in particular: entities of the MFC Transport capital group, institutions authorized by law to receive your data under applicable legal provisions (for example, criminal investigation bodies or judicial authorities, as well as public administration IT systems, including systems used for compliance with tax and accounting obligations), and entities processing data at the request of the Operator and their authorized employees, provided these entities process data under a contract concluded with the Operator, exclusively according to its instructions and with confidentiality obligations.

Entities that perform tasks on behalf and for the benefit of the Operator include, in particular, entities providing services necessary for technical infrastructure essential for services available in the Platform, such as payment service providers, IT service providers, GPS signal monitoring service providers, audit companies, and entities ensuring Platform operation and administration.

The Operator will exercise due diligence regarding data transfers, using measures and safeguards to prevent unauthorized access to data (including SSL, encrypted connections).

5. Data Transfers Outside the European Economic Area

The level of personal data protection outside the European Economic Area (EEA) may differ from that provided by European legislation. Considering this, the Administrator transfers personal data outside the EEA only when necessary.

In case of such transfer, the Administrator will ensure an adequate level of personal data protection mainly through:

1. transfer of personal data to countries for which a European Commission adequacy decision has been issued confirming that the country ensures an adequate level of personal data protection,
2. use of Standard Contractual Clauses issued by the European Commission,
3. use of other appropriate safeguards.

6. Rights of the Data Subject

The User has the right to access personal data, request rectification, restriction, or deletion of personal data, withdraw consent at any time to the extent such consent exists, and transfer personal data.

The User has the right to lodge a complaint with the supervisory authority, which in Romania is the National Supervisory Authority for Personal Data Processing (ANSPDCP), if the User believes that processing of personal data violates GDPR provisions.

In addition, the User has the right to object at any time to data processing for reasons related to a particular situation when the operator processes data for legitimate interest purposes, direct marketing purposes, including profiling.

After confirming User identity, the Administrator will exercise the rights above based on analysis of request legitimacy and applicable law. The Administrator will make all reasonable efforts to comply with User requests regarding personal data, unless data must be retained due to applicable law or other legitimate legal interests of the Administrator.

7. Data Retention Period

Personal data will be processed and stored by the Operator for the period necessary to fulfill purposes, namely:

• execution of the Contract concluded between User and Administrator - until completion and, subsequently, for the period provided by law or for fulfillment of possible claims,
• regarding compliance with legal obligations incumbent on the Administrator, until the Administrator has fulfilled those obligations,
• to the extent data is processed based on consent - as Administrator, data will be processed until consent withdrawal,
• until legitimate interests of the Operator, which form the basis for such processing, are fulfilled, or until User objects to such processing, unless there are legitimate grounds for further data processing.

Data collected during User visits on the Operator website will be processed until it becomes outdated or no longer useful. This applies to data processed for analytical and statistical purposes, including use of cookies and administration of Administrator pages.

8. Cookie Files

The Administrator uses so-called cookies to track visits of website users and save their preferences, for example language and login data, as well as to adapt services offered to their needs. These files are used to compile general statistics regarding website use by Users and are stored until they become outdated or no longer relevant. Cookies will not be made available to other third parties; they will only be transferred to service providers to the extent necessary to provide technical support for management of the above-mentioned files and to entities belonging to the MFC Transport Group.

Cookies may be disabled in the User web browser, which will not prevent use of services, but some difficulties may occur, namely the Administrator website may no longer function fully correctly.

It is also possible to manage cookie categories through the Consent window, Show details tab, which appears when the User first visits our website. Detailed information regarding use of cookies by the Administrator is provided in the Consents message, under the Learn more link, referring to the Cookie Policy document available at: https://www.mfctransport.eu/politica-cookie-uri/.

9. AI

Please note that functionalities available on the Platform may use advanced tools based on generative artificial intelligence, including generative AI models, which form the basis for operation of applications, tools and/or functionalities by processing information obtained from users. We emphasize that artificial intelligence tools used by the Administrator are only for informational and assistance purposes and do not replace consultation with a natural person or provision of professional services. All data processing operations are performed in accordance with applicable personal data protection regulations.

10. Social Networks

Please note that the Administrator's website may include social network plug-ins, including but not limited to: Facebook, Twitter, LinkedIn, Instagram, etc. As a result of their inclusion on the Administrator's website, the User is required to independently review privacy policies of these providers in order to receive updated information regarding personal data protection.

11. Data in Google Analytics and Other Service Providers

Traffic on Administrator websites is monitored, among others, by Google Analytics or other service providers such as Albacross, whose purpose is to collect data on website use and popularity, identify users who visit websites, and adapt advertising content. This data (for example browser used or IP address) will not be shared by the Administrator with any third party.

12. Security

To ensure security, the Administrator:

• uses SSL encryption,
• allows account access only after entering login address and password (it is recommended to set passwords with at least 8 characters containing uppercase and lowercase letters, special characters and digits), which the User must keep exclusively for personal knowledge,
• controls methods of information collection, storage and processing, including physical security measures for protection against unauthorized access to the system,
• grants access to personal data only to employees, collaborators and associates who must have access in order to process data for Administrator purposes; in addition, these persons are bound by contract and ancillary obligations (for example authorizations) to maintain strict confidentiality and protect information and, in case of entrustment, through personal data processing entrustment contracts.

13. Privacy Policy Statement

This Privacy Policy entered into force on 13.02.2026. We may periodically update the Privacy Policy to reflect changes in our information management practices and standards. Such changes may occur without prior notice to the User. In case of material changes affecting principles of personal data processing, the User may be notified by email or by notice made available on the website. Changes will enter into force from publication date on https://www.mfctransport.eu/politica-de-confidentialitate/, together with date of their introduction.

14. Contact Details

If you have questions or comments regarding this Privacy Policy, please contact the Administrator:

MFC TRANSPORT ONLINE S.R.L.Bucharest, Sector 1, Strada Dr. Leonda Varnali No. 12, ROOM 2Email: contact@mfctransport.euThe Administrator appointed a Data Protection Officer, who can be contacted at: iod@mfctransport.eu