We fully comply with EU Regulation 2016/679 (GDPR). This policy transparently describes

01 Who we are (Data Controller)

THEMANIAKS ENGINEERING WORKSHOP SRL
Registered office: Str. Chimistilor 2, Bl. 2, Ap. 42, cod 505100, Codlea, Brasov
CUI: 46955928  ·  J08/3159/2022
Email: contact@mkwork.ro
Web: mkwork.ro

Notice: For the data of its own employees entered into the application, the client is the data controller and the Provider acts as data processor. The client is responsible for ensuring that the processing of their employees' data has a legal basis (e.g. consent, employment contract).

02 What data we collect and why

Data category | Data collected | Purpose
Account identification | Name, email, username, role | Authentication and access management
Authentication | Password (bcrypt hash), 2FA token, active sessions | Account security
Organization data | Company name, CUI, registered address, email, billing data | Service provision, invoice issuance
Production data | Parts, technical drawings (PDF/3D), projects, orders, BOM | Main application functionality
Employee data | Name, hours worked, timekeeping, project allocations | HR management and reporting
Usage data | App actions, audit logs, IP address, browser | Security, troubleshooting, service improvement
Payment data | Transaction history, invoices, payment method | Payment processing, accounting, tax obligations

03 Legal basis for processing

  • Art. 6(1)(b) GDPR — Contract performance: for providing the subscribed MKWork Manager service
  • Art. 6(1)(a) GDPR — Consent: for non-essential analytical cookies
  • Art. 6(1)(c) GDPR — Legal obligation: for billing data, accounting (Law 227/2015), fiscal archiving
  • Art. 6(1)(f) GDPR — Legitimate interest: for security logs, abuse prevention, product improvement

04 Cookies

We use:

  • Essential cookies (mandatory): authentication session token, CSRF protection token against cross-site attacks. Cannot be disabled — required for the app to function.
  • Preference cookies: UI theme, language, sidebar settings. They do not collect personal data.
  • Analytics cookies (optional): anonymized usage statistics. Can be declined via the consent banner.

We do not use marketing or tracking cookies. No ads.

05 Data security

  • Encryption at rest: uploaded technical files (PDF, 3D) are encrypted with AES-256-GCM, with per-organization keys derived via HKDF-SHA256
  • Encryption in transit: all communications are protected by HTTPS/TLS 1.3
  • Passwords: stored exclusively as a bcrypt hash (cost factor 12) — the provider cannot recover the password in plain text
  • Multi-tenant isolation: each organization has a dedicated PostgreSQL schema
  • Audit log: all administrative actions are recorded with timestamp, user and IP
  • Backups: daily, encrypted, stored geographically separate in the EU

06 Storage and retention

Data is stored on servers located in the European Union (it is not transferred outside the EU).

  • Active account data: for the duration of the subscription
  • Data after account closure: retained for a maximum of 30 days during the grace period, after which it is permanently deleted
  • Fiscal data (invoices, payments): 10 years per Romanian fiscal law (Law 82/1991)
  • Security logs: maximum 12 months

07 Sharing data with third parties

We do not sell or rent your data. Data may be accessed exclusively by:

  • Payment processors — billing data required for the transaction only, through secure channels
  • EU hosting infrastructure providers — subject to GDPR obligations, no access to content
  • SMTP providers — for sending notification emails (they do not store content)
  • Public authorities — only when required by law

08 Your GDPR rights

  • Right of access: to receive a complete copy of your data within 30 days
  • Right to rectification: correction of incorrect or incomplete data
  • Right to erasure ("right to be forgotten"): deletion of data when no longer needed
  • Right to portability: export of data in a structured format (JSON/CSV) for transfer to another service
  • Right to object: against processing based on legitimate interest
  • Right to restriction: temporary restriction of processing under certain conditions

To exercise any right, contact us at contact@mkwork.ro. We respond within a maximum of 30 calendar days. If you are not satisfied with our response, you may file a complaint with ANSPDCP (National Supervisory Authority for Personal Data Processing).

09 Notification of security breaches

In the event of a security incident affecting personal data, we will notify:

  • ANSPDCP — within a maximum of 72 hours from the time of identification (Art. 33 GDPR)
  • Affected persons — without undue delay, when the incident presents a high risk (Art. 34 GDPR)

10 Policy changes

We reserve the right to modify this policy. Significant changes will be communicated by email and/or in-app notification at least 15 days before taking effect. The date of last modification is displayed in the header of this page.