Data Protection

Privacy Policy & GDPR

Learn how TrustedOrb collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation.

Last updated: 25 May 2026
EU GDPR Compliant

About this Policy

This Privacy Policy explains how TrustedOrb processes personal data when you use our website, contact us by phone or email, schedule a meeting through Microsoft Bookings, complete the indicative NIS2 evaluation, or interact with our analytics tools (Google Analytics and Microsoft Clarity). This policy is intended to meet the transparency requirements of the EU General Data Protection Regulation (GDPR), Romanian implementing legislation, and other applicable transparency requirements.

01

Data Controller and Contact Details

Data Controller
TrustedOrb

Registered Office

Bucharest, Nerva Traian Street, No. 27–33, Office No. 6, 1st Floor, District 3, Romania

CUI: 51930008

VAT ID: RO52228754

Trade Register No.: J2025040724000

Data protection / privacy contact

02

Scope

This policy applies to website visitors, individuals who contact us by phone or email, individuals who schedule meetings through Microsoft Bookings, and individuals who complete the indicative NIS2 evaluation. It also covers the processing associated with analytics tools used on the website (Google Analytics and Microsoft Clarity).

It does not cover third-party websites that may be accessed through links on the TrustedOrb website; the third parties' own policies apply.

03

Categories of Personal Data We Process

3.1. Data provided through direct contact

If you contact us by phone or email, we may process:

  • full name;
  • company name;
  • company email address;
  • phone number;
  • role or department, if you provide it;
  • reason for contacting us;
  • message content, follow-up notes, and any other information you voluntarily provide.

3.2. Data provided for scheduling through Microsoft Bookings

If you schedule a meeting through Microsoft Bookings, we may process:

  • full name;
  • email (typically a company email);
  • phone number, company name, country (if requested/provided);
  • meeting reason / request description;
  • selected service, meeting date, time, and booking details (confirmations, changes, cancellations);
  • technical information generated by Microsoft Bookings and the related calendar/email invitations.

3.3. Data provided through the indicative NIS2 evaluation

If you use the NIS2 evaluation questionnaire, we may process:

  • full name;
  • email address;
  • organisation/company;
  • answers to the questionnaire;
  • the indicative result generated from your answers;
  • confirmation of consent for sending the result and contacting you in relation to your request;
  • technical data required for security and abuse prevention, such as timestamp, anti-abuse token, honeypot, IP address, or user-agent, where necessary.

Please do not enter passwords, technical secrets, payment card data, special category data, or confidential information that is not necessary for the indicative evaluation.

3.4. Automatically collected data (technical, security and analytics data)

When you use our website, we may automatically collect:

  • IP address and online identifiers (e.g., cookie IDs) – in particular for security and/or analytics, as applicable;
  • browser/device information (e.g., user-agent, operating system, language settings);
  • navigation and interaction data (e.g., pages visited, clicks, scrolling, timestamps, errors);
  • technical and security logs (required for operation, monitoring, and protection).

3.5. Data processed through analytics tools

TrustedOrb uses:

  • Google Analytics (GA4) – for website usage analytics (e.g., pages visited, events, traffic sources, interactions).
  • Microsoft Clarity – for behavioural analytics, including heatmaps and session recordings of website interactions (e.g., clicks, scrolling, navigation).

Where required by law, these tools are enabled only after you provide consent for analytics cookies, as described in our Cookie Policy.

04

Purposes of Processing and Legal Bases

We process your personal data for the following purposes and on the following legal bases:

  • Handling inquiries and communicating with you by phone or email (Article 6(1)(b) and/or 6(1)(f) GDPR).
  • Qualifying inquiries (e.g., company, country, reason) to respond accurately and efficiently (Article 6(1)(b) and/or 6(1)(f) GDPR).
  • Scheduling and administering meetings through Microsoft Bookings (Article 6(1)(b) and/or 6(1)(f) GDPR).
  • Sending the indicative NIS2 evaluation result to you and to the TrustedOrb team (Article 6(1)(b), 6(1)(f), and, for follow-up contact based on your agreement, 6(1)(a) GDPR, as applicable).
  • Recording NIS2 evaluation results in internal work systems (for example, Microsoft SharePoint List through Power Automate), for record keeping, operational analysis, and follow-up (Article 6(1)(f) GDPR).
  • Website analytics and improvement (Google Analytics, Microsoft Clarity) – consent (Article 6(1)(a) GDPR), where required for analytics cookies.
  • Website security, abuse prevention, and incident handling (Article 6(1)(f) GDPR – legitimate interests).
  • Compliance with legal obligations and cooperation with authorities (Article 6(1)(c) GDPR).
  • Establishing, exercising, or defending legal claims (Article 6(1)(f) GDPR).

05

Cookies and consent

The website uses strictly necessary cookies for functionality and security, as well as analytics cookies (Google Analytics and Microsoft Clarity), which are used based on consent where required.

For details on categories, cookies and control options, please refer to TrustedOrb's Cookie Policy.

06

Data Recipients and Processors

TrustedOrb does not sell personal data. We may share personal data only where necessary to operate the website, administer scheduling, send the NIS2 evaluation result, deliver services, or comply with legal obligations, in particular with service providers (processors) acting on our behalf under appropriate contractual safeguards.

Current providers (as configured):

  • cyberfolks – web hosting and related infrastructure services;
  • Cloudflare – DNS services and, where applicable, associated performance/security functions;
  • Microsoft Bookings / Microsoft 365 – scheduling, calendar invitations, email, and meeting administration;
  • Microsoft Power Automate and SharePoint – transferring and storing NIS2 evaluation results in internal work systems;
  • Google – web analytics services (Google Analytics);
  • Microsoft Clarity – behavioural analytics services.

NIS2 evaluation results may be shared internally with the TrustedOrb team members designated for review and follow-up. We may also disclose data to public authorities/courts or professional advisors (legal/audit) where required by law or where necessary to protect TrustedOrb's rights.

07

International Transfers

As a rule, data is processed within the European Economic Area (EEA). However, certain services (e.g., Cloudflare, Google, Microsoft) may involve processing/transfers outside the EEA. In such cases, TrustedOrb relies on appropriate legal transfer mechanisms (e.g., Standard Contractual Clauses) and, where applicable, supplementary measures to ensure an adequate level of protection.

08

Data Retention

We retain personal data only as long as necessary for the stated purposes and applicable legal requirements. Typical retention periods are:

  • Phone or email inquiries: for the duration of handling the request, plus up to 24 months for records and legal defence (unless legal obligations/litigation require longer).
  • Microsoft Bookings scheduling: for the duration of administering the booking, plus up to 24 months for records and legal defence (unless legal obligations/litigation require longer).
  • NIS2 evaluation results: up to 24 months for record keeping, follow-up, and operational analysis, unless the request leads to a contractual relationship or legal obligation that justifies a different period.
  • Technical/security logs: typically up to 12 months, depending on security, audit, and investigation needs.
  • Google Analytics (GA4): user/event-level data retention is configured in the GA4 property; typically set to up to 14 months for explorations (configuration-dependent).
  • Microsoft Clarity: session recordings are retained for 30 days; heatmaps are retained up to 13 months. If a session is labelled or marked as a "favorite", it may be retained up to 13 months. Operationally, TrustedOrb does not intend to retain recordings beyond the standard period unless justified (e.g., security investigations).

09

Data Security

We implement appropriate technical and organisational measures to protect personal data (e.g., HTTPS/TLS encryption, access controls, security monitoring/logging, anti-abuse measures).

For behavioural analytics, TrustedOrb applies reasonable safeguards to reduce the risk of capturing sensitive personal data (e.g., masking form fields where personal data may be entered).

10

Your Rights

Under the GDPR, you have the right to access, rectification, erasure, restriction of processing, data portability, objection, and, where applicable, withdrawal of consent.

Consent for analytics cookies can be withdrawn at any time via the cookie preferences module (or by deleting cookies in your browser).

You also have the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP).

To exercise your rights: please contact us at [email protected]. We may request reasonable information to verify your identity. We typically respond within one month, with the possibility of extension in justified cases under the GDPR.

11

Automated decision-making

TrustedOrb does not use automated decision-making that produces legal effects or similarly significantly affects individuals within the meaning of Article 22 GDPR.

12

Children

The TrustedOrb website is not intended for children under 16. If you believe a child has provided us with personal data, please contact us.

13

Changes to this Policy

We may update this policy to reflect legal, technical, or operational changes. The current version will be published on the website together with the "Last updated" date.