Privacy Policy

Last Updated: 07 April 2026

This Privacy Policy explains how SC EGGNITA STUDIO SRL ("Eggnita Studio", "Company", "we", "us", or "our"), a company registered in Romania under CUI 35194449, with its registered office at Str. SALCAMULUI 30, Et:2, Cluj-Napoca, jud. Cluj, Romania, collects, uses, stores, and protects your personal data when you use the Adapto CMS platform ("Service") available at https://adaptocms.com, https://app.adaptocms.com, and any other subdomains operated by us.

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Romanian Law No. 190/2018 implementing the GDPR, and other applicable data protection legislation.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller and Contact Information

The data controller for the personal data processed as described in this Privacy Policy is:

SC EGGNITA STUDIO SRL
Str. SALCAMULUI 30, Et:2
Cluj-Napoca, jud. Cluj, Romania
CUI: 35194449

Data Protection Contact: contact@adaptocms.com

For any questions, requests, or complaints regarding the processing of your personal data, please contact us at the email address above.

2. Roles and Responsibilities

2.1. When we are the Data Controller: We act as the Data Controller when we process your personal data for our own purposes, such as managing your Account, processing payments, operating the website, and conducting analytics on Service usage.

2.2. When we are the Data Processor: When you use the Service to store and manage content that contains personal data of your own users, customers, or other individuals, you are the Data Controller and we act as the Data Processor. In this capacity, we process personal data only on your documented instructions and in accordance with our Terms and Conditions and any Data Processing Agreement ("DPA") executed between us.

2.3. If you require a DPA for GDPR compliance, please contact us at contact@adaptocms.com.

3. Personal Data We Collect

3.1. Data You Provide Directly

| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Full name, email address, company name (optional), country | Account creation and management |
| Billing Data | Billing name, billing address, VAT number (if applicable) | Invoicing and tax compliance |
| Payment Data | Credit/debit card details (processed by Stripe; we do not store card numbers) | Payment processing |
| Communication Data | Email content, support ticket content, feedback | Customer support and communication |
| Profile Data | Preferences, settings, timezone, language preference | Service personalization |

3.2. Data Collected Automatically

| Category | Data Elements | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, actions taken within the Service, session duration | Product improvement and analytics |
| Technical Data | IP address (anonymized), browser type and version, operating system, device type, screen resolution | Service delivery and troubleshooting |
| API Usage Data | API endpoints called, request timestamps, response codes, call volume | Plan enforcement and abuse prevention |
| Log Data | Server logs including access timestamps, error logs, performance metrics | Service maintenance and security |

3.3. Data from Third Parties

We may receive limited data from the following third parties:

  • Stripe: Transaction confirmation, payment status, fraud risk assessment (no card numbers are shared back to us)
  • Meta Platforms: Aggregated and anonymized advertising performance metrics (e.g., campaign reach, click-through rates, conversion attribution) — only where you have consented to marketing cookies

4. Legal Bases for Processing

We process your personal data based on the following legal bases under Article 6(1) of the GDPR:

| Legal Basis | Processing Activities |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Account management, service delivery, API access, payment processing, customer support |
| Legitimate interests (Art. 6(1)(f)) | Product analytics and improvement, security monitoring, fraud prevention, service optimization, aggregated usage statistics |
| Legal obligation (Art. 6(1)(c)) | Tax record keeping, invoicing, compliance with Romanian fiscal regulations, responding to lawful data access requests |
| Consent (Art. 6(1)(a)) | Marketing communications (where applicable), non-essential cookies, optional analytics (PostHog), marketing & conversion tracking (Meta Pixel) |

Where we rely on legitimate interests, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

5. How We Use Your Data

5.1. Service Delivery: To create and manage your Account, provide access to the platform, deliver API services, process content management operations, and enforce Plan usage limits.

5.2. Payment Processing: To process subscription payments, generate invoices, manage billing cycles, handle refunds, and maintain financial records as required by Romanian fiscal law.

5.3. Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.

5.4. Product Improvement: To understand how the Service is used, identify bugs and performance issues, prioritize feature development, and improve the overall user experience. Analytics data is aggregated and anonymized wherever possible.

5.5. Security: To detect and prevent fraud, unauthorized access, abuse, and other security threats to the Service and its users.

5.6. Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including Romanian fiscal reporting requirements and EU data protection regulations.

5.7. Communication: To send you transactional notifications (account changes, billing, security alerts), service announcements, and, where you have opted in, marketing communications.

6. Cookies and Tracking Technologies

6.1. What Are Cookies

Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies to provide, protect, and improve the Service.

6.2. Types of Cookies We Use

| Cookie Type | Purpose | Legal Basis | Duration |
|---|---|---|---|
| Strictly Necessary | Authentication, session management, security, CSRF protection, cookie consent preferences | Legitimate interest / Not requiring consent under ePrivacy Directive | Session or up to 12 months |
| Analytics | Understanding usage patterns, measuring performance (PostHog, EU-hosted) | Consent | Up to 12 months |
| Marketing | Measuring advertising effectiveness, attribution, audience building, conversion tracking (Meta Pixel) | Consent | Up to 13 months |

6.3. Analytics: PostHog

We use PostHog for product analytics on both our marketing website (adaptocms.com) and our application (app.adaptocms.com), hosted on EU-based servers (PostHog EU Cloud, Frankfurt, Germany). PostHog collects:

  • Anonymized page views and feature usage
  • Session recordings (if enabled, with personal data redacted)
  • Event data related to product interactions

PostHog processes data in compliance with the GDPR. IP addresses are anonymized. No personal data is transferred outside the EEA for analytics purposes. Analytics tracking is loaded only after you grant consent through our cookie banner; if you decline, PostHog operates in cookieless mode and captures no events.

PostHog privacy information: https://posthog.com/privacy

6.4. Marketing & Conversion Tracking: Meta Pixel

We use the Meta Pixel (operated by Meta Platforms Ireland Ltd.) on both our marketing website (adaptocms.com) and our application (app.adaptocms.com) to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram), build audiences for advertising campaigns, and track conversions such as account registrations.

The Meta Pixel collects:

  • Page views, button clicks, and standard events (e.g., sign-up, subscription)
  • Browser and device information
  • IP address (used by Meta for fraud prevention and aggregation, then deleted or anonymized)
  • A pseudonymous identifier that may be linked to your Meta account if you are logged in

Important: The Meta Pixel is a marketing technology and only loads after you grant consent for "Marketing" cookies through our cookie banner. If you decline marketing consent, the Meta Pixel is not loaded and no data is sent to Meta.

Joint controllership: When the Meta Pixel transfers personal data to Meta, Meta and Eggnita Studio act as joint controllers within the meaning of Article 26 of the GDPR for the collection and transmission of that data. The arrangement between us is governed by Meta's Controller Addendum, available at https://www.facebook.com/legal/controller_addendum. Meta acts as an independent controller for any further processing it performs.

International transfers: Meta Platforms, Inc. is based in the United States. Data transferred to Meta is protected under the EU-US Data Privacy Framework and Standard Contractual Clauses approved by the European Commission.

Meta privacy information: https://www.facebook.com/privacy/policy

6.5. Cookie Consent

We use Cookiebot (operated by Usercentrics A/S, Denmark) as our consent management platform on both our marketing website (adaptocms.com) and our application (app.adaptocms.com). Cookiebot is EU-based and ISO 27001 certified.

On your first visit, Cookiebot presents a consent banner that allows you to:

  • Accept all cookies (strictly necessary + analytics + marketing)
  • Accept only strictly necessary cookies (analytics and marketing disabled)
  • Manage preferences (granular control over each cookie category)

Cookiebot stores an anonymized record of your consent (consent ID, timestamp, consent state) to enable us to demonstrate compliance with GDPR Article 7(1). This consent record does not contain personally identifiable information.

You may change your cookie preferences at any time through the cookie settings link available in our website footer, or by clicking the Cookiebot icon. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Cookiebot privacy information: https://www.cookiebot.com/en/privacy-policy/

6.6. How to Control Cookies

In addition to our cookie consent mechanism, you can control cookies through your browser settings:

  • Most browsers allow you to refuse or delete cookies
  • Disabling strictly necessary cookies may impact the functionality of the Service
  • For more information, visit https://www.aboutcookies.org

7. Data Sharing and Third-Party Processors

7.1. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

7.2. We share personal data with the following categories of recipients, solely for the purposes described in this Privacy Policy:

Sub-Processors

| Provider | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Billing data, payment details | USA (with EU-US Data Privacy Framework certification) | EU-US Data Privacy Framework, Standard Contractual Clauses |
| PostHog | Product analytics (marketing site + app) | Anonymized usage data, session data | EU (Frankfurt, Germany) | GDPR-compliant, EU-hosted |
| Usercentrics A/S (Cookiebot) | Cookie consent management (marketing site + app) | Anonymized consent data (consent ID, timestamp, consent state, browser info) | EU (Denmark / Germany) | GDPR-compliant, EU-hosted, ISO 27001 certified |
| Meta Platforms Ireland Ltd. | Marketing & conversion tracking via Meta Pixel (marketing site + app) | Page views, standard events, browser/device info, IP, pseudonymous Meta identifier | Ireland (EU) / USA (parent company) | EU-US Data Privacy Framework, Standard Contractual Clauses, joint controller arrangement under GDPR Art. 26 |

7.3. We will update this table as new sub-processors are added. Material changes to sub-processors will be communicated with at least 30 days' notice via email, during which time you may object.

7.4. We may also share personal data:

  • (a) With your consent: When you have given explicit consent to share data with a specified third party
  • (b) For legal compliance: When required by law, regulation, legal process, or enforceable governmental request
  • (c) To protect rights: When necessary to enforce our Terms, protect our rights, privacy, safety, or property, or those of our users or the public
  • (d) In a business transfer: In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy regarding your personal data
  • (e) With professional advisors: Such as lawyers, auditors, and insurers, where necessary for them to provide their services to us

8. International Data Transfers

8.1. Our primary data processing infrastructure is located within the European Economic Area (EEA).

8.2. Where personal data is transferred outside the EEA (for example, to Stripe or Meta Platforms in the USA), we ensure that appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework: For US-based processors certified under the Framework
  • Standard Contractual Clauses (SCCs): As approved by the European Commission under Decision 2021/914
  • Adequacy decisions: Where the European Commission has determined that a third country provides an adequate level of data protection

8.3. You may request information about the safeguards in place for international transfers by contacting us at contact@adaptocms.com.

9. Data Retention

9.1. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of Account + 30 days after deletion | Contract performance |
| Billing and Invoice Data | 10 years from the end of the fiscal year in which the transaction occurred | Romanian fiscal law (Law 82/1991, Romanian Fiscal Code) |
| Refund and Withdrawal Records | 10 years from the end of the fiscal year in which the refund was processed | Romanian fiscal law; EU Consumer Rights Directive compliance |
| Payment Transaction Records | 10 years | Romanian fiscal law |
| Communication Data | 3 years from last interaction | Legitimate interest (service quality) |
| Usage/Analytics Data | 26 months (rolling) | Legitimate interest (product improvement) |
| Server Logs | 90 days | Legitimate interest (security) |
| Customer Content | Duration of Account + 30 days post-termination (export period) | Contract performance |
| Cookie Consent Records | 3 years | Legal obligation (ePrivacy compliance) |

9.2. Upon expiry of the retention period, personal data is either permanently deleted or irreversibly anonymized so that it can no longer be linked to an individual.

9.3. Where we are acting as a Data Processor for Customer Content containing personal data, retention is governed by the Data Controller's (your) instructions and any applicable DPA.

10. Data Security

10.1. We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

  • Encryption: Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent.
  • Access Controls: Role-based access control, principle of least privilege, multi-factor authentication for internal systems.
  • Infrastructure Security: Network segmentation, firewalls, intrusion detection systems, and regular vulnerability assessments.
  • Monitoring: Continuous logging and monitoring of access to personal data and critical systems.
  • Employee Training: Regular data protection and security awareness training for all personnel with access to personal data.
  • Incident Response: Documented incident response procedures including detection, containment, eradication, recovery, and notification processes.

10.2. While we take commercially reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

10.3. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial actions taken

11. Your Rights Under the GDPR

Under the GDPR, you have the following rights regarding your personal data:

11.1. Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed.

11.2. Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

11.3. Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

  • It is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

Note: We may retain certain data where we have a legal obligation or overriding legitimate interest to do so (e.g., billing records for fiscal compliance).

11.4. Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of the data (for the period needed to verify accuracy)
  • Processing is unlawful and you prefer restriction over erasure
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing pending verification of overriding grounds

11.5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to request transfer of that data to another controller, where technically feasible. This right applies to data processed based on consent or contract performance by automated means.

11.6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. For other objections, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

11.7. Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. We do not currently make any such automated decisions.

11.8. Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

11.9. How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: contact@adaptocms.com

We will respond to your request within 30 days of receipt. This period may be extended by an additional 60 days for complex or numerous requests, in which case we will inform you of the extension and the reasons within the initial 30-day period.

We may ask you to verify your identity before processing your request to protect your data from unauthorized access.

Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

11.10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti, Romania
Website: https://www.dataprotection.ro
Email: anspdcp@dataprotection.ro

If you are located in another EU Member State, you may also lodge a complaint with your local supervisory authority.

12. Children's Privacy

12.1. The Service is not directed to individuals under the age of 16 years. We do not knowingly collect personal data from children under 16.

12.2. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete that data promptly.

12.3. If you believe that we have inadvertently collected personal data from a child under 16, please contact us immediately at contact@adaptocms.com.

13. Marketing Communications

13.1. We may send you marketing communications about the Service, including product updates, new features, and promotional offers, only where:

  • (a) You have provided your explicit opt-in consent to receive such communications; or
  • (b) You are an existing customer and the communications relate to similar products or services, and you have not opted out (in accordance with the "soft opt-in" permitted under Directive 2002/58/EC as transposed into Romanian law)

13.2. Every marketing communication includes a clear and easy mechanism to unsubscribe. We will process your unsubscribe request within 5 business days.

13.3. Transactional communications (account notifications, security alerts, billing confirmations, service announcements) are not considered marketing and may be sent without consent, as they are necessary for the performance of our contract with you.

14. Do Not Track Signals

14.1. Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how to respond to DNT signals.

14.2. We honor DNT signals by treating them equivalently to non-consent for analytics cookies. If your browser sends a DNT signal, we will not load non-essential analytics tracking.

15. Third-Party Links

15.1. The Service and our website may contain links to third-party websites, services, or applications that are not operated by us.

15.2. We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party websites. We encourage you to review the privacy policies of any third-party website you visit.

15.3. The inclusion of a link does not imply endorsement of the linked website or its operators.

16. Changes to This Privacy Policy

16.1. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs.

16.2. For material changes (changes to data processing purposes, legal bases, third-party sharing, or data subject rights), we will:

  • Notify you via email to the address associated with your Account at least 30 days before the changes take effect
  • Display a prominent notice on the Service
  • Update the "Last Updated" date at the top of this document

16.3. For non-material changes (clarifications, formatting, addition of examples), we will update the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

16.4. Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your Account.

17. Specific Provisions for Customer Content (Data Processor Role)

17.1. When you use the Service to store, manage, and deliver content that contains personal data of third parties (your users, customers, or other data subjects), the following provisions apply:

17.2. Instructions: We process such personal data solely on your documented instructions. The use of the Service, including the API, constitutes your instructions to process data as necessary to provide the Service.

17.3. Confidentiality: All personnel authorized to process personal data on our behalf are bound by confidentiality obligations.

17.4. Sub-Processors: We may engage sub-processors to assist in providing the Service. The current list of sub-processors is provided in Section 7.2. We will notify you of any intended changes and provide an opportunity to object.

17.5. Assistance: We will assist you in fulfilling your obligations to respond to data subject requests and in ensuring compliance with Articles 32-36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).

17.6. Deletion or Return: Upon termination of the Service, we will delete or return all personal data processed on your behalf, in accordance with Section 8.6 of our Terms and Conditions, unless applicable law requires further storage.

17.7. Audits: We will make available to you all information necessary to demonstrate compliance with Article 28 of the GDPR. Upon reasonable request and subject to confidentiality obligations, we will permit and contribute to audits and inspections conducted by you or an auditor mandated by you.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

SC EGGNITA STUDIO SRL
Str. SALCAMULUI 30, Et:2
Cluj-Napoca, jud. Cluj, Romania
CUI: 35194449

Email: contact@adaptocms.com
Website: https://adaptocms.com

We aim to respond to all privacy-related inquiries within 30 days.