Privacy Policy
Last updated: April 14, 2026
1. Introduction
This Privacy Policy explains how GD CLOUD COMPANY S.R.L. ("Company", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the PriceDropSignal service ("Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and applicable Romanian data protection legislation.
Data Controller:
- GD CLOUD COMPANY S.R.L.
- Fiscal Code: 42798790
- Trade Register Number: J2020001873355
- Address: Bld. Take Ionescu 46B, Timisoara, Timis, 300124, Romania
- Email: [email protected]
2. What Personal Data We Collect
2.1 Data You Provide Directly
- Account information: name, email address, and password (stored in hashed form) when you register;
- Product data: product names and URLs from online stores that you submit for price tracking;
- Two-factor authentication data: TOTP secret and recovery codes, if you enable two-factor authentication (stored encrypted).
2.2 Data Collected Automatically
- Session data: IP address, browser user-agent string, and last activity timestamp, stored when you log in;
- Price check data: prices fetched from the URLs you submit, timestamps of each check, and any error messages from failed checks;
- Email verification status: whether and when your email address was verified.
2.3 Data We Do Not Collect
We do not collect payment information, location data (beyond IP address), social media profiles, or any special categories of personal data (e.g., health, biometric, or political data). We do not use analytics or advertising trackers.
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account creation and authentication | Name, email, password | Performance of contract (Art. 6(1)(b)) |
| Price tracking and notifications | Product names, URLs, email | Performance of contract (Art. 6(1)(b)) |
| Session management and security | IP address, user-agent, session tokens | Legitimate interest (Art. 6(1)(f)) |
| Email verification | Email address | Performance of contract (Art. 6(1)(b)) |
| Two-factor authentication | TOTP secret, recovery codes | Consent (Art. 6(1)(a)) |
| Service improvement and debugging | Error logs from price checks | Legitimate interest (Art. 6(1)(f)) |
4. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We may share data with the following categories of third parties, solely to operate the Service:
- Email delivery provider: your email address and notification content are transmitted to our email service provider to deliver price drop notifications and transactional emails (e.g., email verification, password reset).
- Hosting provider: all data is stored on servers operated by our infrastructure provider. Data remains within the European Union or in jurisdictions with an adequate level of data protection as determined by the European Commission.
- Font provider: we use Bunny Fonts (bunny.net, operated by BunnyWay d.o.o., an EU-based company) to serve web fonts. Bunny Fonts is designed to be GDPR-compliant and does not log or track visitors.
When fetching prices, our system accesses the publicly available web pages at the URLs you provide. No personal data about you is transmitted to those third-party websites during this process.
5. Data Retention
- Account data: retained for as long as your account is active. When you delete your account, all personal data including products, URLs, and price history is permanently deleted.
- Product and price data: retained for as long as the product exists in your account. When you delete a product, all associated URLs and price check history are permanently deleted (cascading deletion).
- Session data: session records expire after 120 minutes of inactivity and are periodically purged from the database.
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you;
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data;
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten");
- Right to restriction (Art. 18): request that we limit the processing of your data;
- Right to data portability (Art. 20): request your data in a structured, commonly used, machine-readable format;
- Right to object (Art. 21): object to processing based on legitimate interest;
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent (e.g., two-factor authentication).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or the data protection authority in your country of residence.
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Passwords are stored using one-way cryptographic hashing (bcrypt);
- Two-factor authentication secrets are stored encrypted;
- Session cookies are HTTP-only and use the SameSite attribute;
- CSRF protection is enabled on all forms;
- All communication with the Service is encrypted via HTTPS.
No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
8. International Data Transfers
Your data is processed and stored within the European Union. If a transfer outside the EU/EEA is required (e.g., by an email delivery provider), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.
9. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact
For any questions or requests regarding your personal data, contact us:
- Email: [email protected]
- Address: GD CLOUD COMPANY S.R.L., Bld. Take Ionescu 46B, Timisoara, Timis, 300124, Romania