Privacy Policy

Last updated: 23 May 2026

1. Introduction

This Privacy Policy describes how CRENZY CREATIVITY SRL (hereinafter referred to as the "Company", "We" or "Zeff Scout"), acting as a personal data controller, collects, uses, stores and protects the personal data of users of the Zeff Scout platform.

The Company fully complies with Regulation (EU) 2016/679 (GDPR), Romanian Law 190/2018 on measures for implementing the Regulation, as well as applicable national legislation on personal data protection.

By accessing or using the Platform, you confirm that you have read and understood this Privacy Policy. Please read it in full before using our services.

2. Data Controller

Company name: CRENZY CREATIVITY SRL

Tax ID (CUI): 42954326

Trade Register No.: J40/10365/2020

Registered office: Str. Grigore Ionescu 63, Bl. T73, Sc. 2, Et. 4, Ap. 42, Sector 2, Bucharest, 023674, Romania

Data protection email: office@zeffscout.ro

3. What data we collect

3.1 Data provided directly by the user

• Account data: email address, full name (optional)
• Billing data: company name, tax ID (CUI), fiscal address (for issuing invoices in compliance with the Romanian Tax Code)
• Payment data: processed exclusively by Stripe — Zeff Scout NEVER stores card numbers, CVV codes or other sensitive payment data

3.2 Data collected automatically

• Usage data: searches performed on the platform, tracked products, configured preferences, pages visited
• Technical data: IP address, browser type, operating system, screen resolution, activity timestamps
• Cookies: full details in our Cookie Policy

3.3 Data about legal entities (from the "Spy Seller" feature)

The "Spy Seller" feature aggregates public information about legal entity sellers from official public registries: the National Trade Register Office (ONRC) and the Ministry of Public Finance (public fiscal data). This data includes: company name, tax ID (CUI), registered office address and administrator names.

This information is public by legal definition, in accordance with Romanian Law 26/1990 on the Trade Register, which provides for the publicity of registered data. Data about legal entities (company name, tax ID, registered office, business activity, financial indicators published by the Ministry of Finance) does not constitute personal data and is freely accessible to any citizen through the official channels of the aforementioned authorities.

Names of individual administrators associated with a company, although public through the registry, may constitute personal data. Individual administrators who wish their names to no longer appear in Zeff Scout results may request this by email at office@zeffscout.ro. We will review each request in accordance with GDPR (right to object — Art. 21), taking into account the balance between the legitimate interest of B2B commercial research and the rights of the data subject.

4. Legal basis for processing (Art. 6 GDPR)

The Company processes personal data on the following legal bases:

4.1 Performance of a contract (Art. 6(1)(b))

Processing necessary for providing the service requested by the user: account creation and management, access to subscription features, payment processing, transactional communications (payment confirmations, account notifications, service changes).

4.2 Legal obligation (Art. 6(1)(c))

Processing required by applicable legislation: issuance and archiving of fiscal invoices (Romanian Tax Code, Accounting Law 82/1991), responding to requests from competent authorities (ANAF, courts, criminal investigation bodies), GDPR compliance (responding to data subject requests).

4.3 Legitimate interest (Art. 6(1)(f))

The Company relies on legitimate interest for the following categories of processing, after conducting a balancing assessment between the Company's interests and the rights of data subjects:

• Platform security and fraud prevention: monitoring access to detect and prevent abusive use, unauthorized access attempts and fraudulent activities (multiple accounts, refund abuse, credential sharing)
• Service improvement: aggregated analysis of platform usage to optimize features, performance and user experience — data is aggregated and does not allow individual identification of users
• Aggregated statistical analysis: generating anonymized and aggregated statistics on Platform usage, market trends and search behaviours, for the purpose of calibrating algorithms and improving estimation accuracy
• B2B commercial research based on public registry data: aggregation and structuring of public information about legal entities (eMAG sellers) from ONRC and the Ministry of Public Finance — data that is public by law (Law 26/1990, Law 207/2015 on the Tax Procedure Code) and serves the legitimate interest of transparent commercial research
• Defence of the Company's legal rights: retaining data necessary for establishing, exercising or defending a right in court

Users have the right to object to processing based on legitimate interest, in accordance with section 9 of this Policy.

4.4 Consent (Art. 6(1)(a))

Processing that requires the user's explicit consent: marketing communications (newsletter, offers, news), analytical and marketing cookies (non-essential), participation in studies or surveys. Consent may be withdrawn at any time, without affecting the lawfulness of processing prior to withdrawal.

5. How we use the data

Personal data is used exclusively for the following purposes:

• Providing access to the Platform and its features in accordance with the active subscription
• Processing payments and issuing fiscal invoices
• Account-related communications: technical notifications, service changes, transactional confirmations
• Technical support and managing the relationship with users
• Marketing communications — only with explicit consent
• Improving services through aggregated and anonymized usage analysis
• Platform security, fraud prevention and abuse detection
• B2B commercial research through aggregation of public data from official registries
• Compliance with legal obligations (tax, ANPC, ANSPDCP, courts)
• Defence of the Company's legal rights

6. Who we share data with

Users' personal data is not sold, rented or shared for commercial purposes with third parties. We may transmit data strictly to the following sub-processors, with whom we have entered into data processing agreements (DPA) in compliance with Art. 28 GDPR:

• Stripe Payments Europe Ltd. — secure payment processing (PCI-DSS certified; Stripe's privacy policy)
• Supabase Inc. — hosting infrastructure, databases and authentication (servers in the European Union, SOC 2 Type II certified; Supabase's privacy policy)
• Resend — sending transactional emails and account notifications
• FGO.ro — issuance and transmission of electronic fiscal invoices

All sub-processors are contractually obligated to process data exclusively in accordance with our instructions, to implement adequate security measures and not to use data for their own purposes.

We may also transmit data to public authorities when legally required: courts, ANAF (National Agency for Fiscal Administration), criminal investigation bodies, ANSPDCP (National Data Protection Authority).

7. International transfers

Personal data is stored and processed predominantly within the European Union. The main infrastructure (Supabase) uses data centres located in the EU.

Where a sub-processor processes data outside the EU/EEA (for example, Stripe for certain payment operations), we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) approved by the European Commission, through an adequacy decision of the Commission (where applicable) or through other mechanisms provided for by GDPR (Art. 46).

8. How long we retain data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or for the duration required by legal obligations:

• Account data: for the duration of the active account + a maximum of 30 calendar days after the deletion request, to complete technical deletion operations
• Fiscal invoices and billing data: 10 years from issuance, in compliance with obligations under the Romanian Tax Code (Art. 25) and Accounting Law 82/1991, which allow the retention of financial-accounting documents for periods of up to 10 years for audits and fiscal inspections
• Technical data and security logs: a maximum of 12 months, to ensure platform security, investigate incidents and comply with legal obligations
• Marketing data: until consent is withdrawn or until unsubscription
• Public registry data about sellers (legal entities): for the duration of service operation; names of individual administrators may be removed upon request, in accordance with section 3.3

Upon expiry of retention periods, data is deleted or irreversibly anonymized.

9. Your rights under GDPR

As a data subject, you benefit from the following rights provided by Regulation (EU) 2016/679:

• Right of access (Art. 15): the right to obtain confirmation that your data is being processed and a copy of that data
• Right to rectification (Art. 16): the right to request correction of inaccurate data or completion of incomplete data
• Right to erasure / "right to be forgotten" (Art. 17): the right to request deletion of your data, subject to legal retention obligations and GDPR exceptions
• Right to restriction of processing (Art. 18): the right to request limitation of processing under certain conditions
• Right to data portability (Art. 20): the right to receive the data you have provided directly to us, in a structured, commonly used and machine-readable format (JSON export, available from the platform interface). This right applies to data provided by the user (account information, preferences); reports, analyses and content generated by the platform's algorithms are not subject to portability
• Right to object (Art. 21): the right to object to processing based on legitimate interest. For data about legal entities (company name, tax ID, registered office, fiscal indicators), these are public by law and do not constitute personal data — the right to object does not apply to information about legal entities. However, for names of individual administrators, we will review each objection request, assessing the balance between the legitimate interest of B2B commercial research and the rights of the data subject
• Right not to be subject to automated decision-making (Art. 22): see section 10
• Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal

How to exercise these rights

Send a request by email to office@zeffscout.ro, with the subject "GDPR Request — [type of request]". We will confirm receipt of the request and respond within a maximum of 30 calendar days from receipt, in accordance with Art. 12(3) GDPR. In complex cases or when there is a high volume of requests, the deadline may be extended by a maximum of 60 days, with prior notification to the requestor.

To verify your identity, we may request additional information before processing the request.

Many of these rights are available directly from the platform interface: Settings → Privacy → My data.

10. Automated decisions and profiling (Art. 22 GDPR)

Zeff Scout uses proprietary algorithms to generate scores, sales estimates, opportunity indicators and rankings. These results are produced through automated processing of aggregated public data.

We clarify that:

• The scores and estimates generated by the Platform are informational and indicative tools, intended to support users' commercial decisions
• These scores do not produce legal effects on users and do not significantly affect them within the meaning of Art. 22(1) GDPR
• The Platform does not make automated decisions regarding access to services, personalized pricing or any other aspect that would produce legal or similar effects on individuals
• Users are free to use, disregard or supplement the information generated with their own analyses and data sources

Therefore, the automated processing performed by Zeff Scout does not fall under the restrictions of Art. 22 GDPR, as it does not produce legal or similarly significant effects on data subjects.

11. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction or disclosure, in accordance with Art. 32 GDPR:

• Encryption in transit: all connections use the HTTPS protocol (TLS 1.2+)
• Encryption at rest: sensitive data is encrypted at rest in the database
• EU servers: the main infrastructure (Supabase) uses data centres located in the European Union, SOC 2 Type II certified
• Access control: restricted access to the database and internal systems, based on the need-to-know principle, only for authorized personnel
• Audit logs: monitoring and recording access to sensitive data for detection of unauthorized activities
• Secure authentication: hashed passwords, brute-force attack protection, sessions with automatic expiry

In the event of a security breach that presents a risk to the rights and freedoms of data subjects, we will notify the National Supervisory Authority for Personal Data Processing (ANSPDCP) within a maximum of 72 hours from discovery and will inform affected users without undue delay, in accordance with Art. 33-34 GDPR.

12. Cookies

The Platform uses essential cookies for functionality and, with the user's consent, analytical and marketing cookies. Full details about the types of cookies used, their purpose and duration, as well as control options, are available in the Cookie Policy.

13. Complaints

If you believe that your data protection rights have been violated, we encourage you to first contact us at office@zeffscout.ro to resolve the matter amicably.

You also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP):

• Website: www.dataprotection.ro
• Address: B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, 010336, Romania
• Email: anspdcp@dataprotection.ro

14. Policy changes and contact

We will periodically update this Privacy Policy to reflect legislative, operational or technological changes. The updated version will be published on this page, with the date of the last modification noted at the top.

Significant changes will be notified to users by email at least 30 calendar days before taking effect. Continued use of the Platform after the new version takes effect constitutes acceptance of the changes.

Previous versions of the Policy may be requested by email at office@zeffscout.ro.

Contact

For any questions or requests related to personal data protection:

• Email: office@zeffscout.ro
• Address: Str. Grigore Ionescu 63, Bl. T73, Sc. 2, Et. 4, Ap. 42, Sector 2, Bucharest, 023674, Romania