Extended GDPR Information Notice for Asociația INDORA
Website: https://indora.social
Last updated: June 2026
1. Who is the data controller
The data controller is Asociația INDORA, CIF 52115038, based in Constanța, Romania.
Email: asociatiaindora@gmail.com
Website: https://indora.social
This Privacy Policy explains how Asociația INDORA collects, uses, stores and protects personal data belonging to people who visit our website, complete forms, request information, subscribe to our updates, enrol in courses, participate in learning activities, communicate with us or collaborate with us.
2. Our data protection principles
We process personal data in accordance with the principles of the General Data Protection Regulation (GDPR): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
In practice, this means that we collect only the data we need for clear purposes, we inform people about how their data is used, we limit access to personal data and we apply reasonable technical and organisational measures to protect it.
3. What personal data we may process
Depending on how you interact with INDORA, we may process the following categories of personal data:
Identification and contact data
Name, surname, email address, phone number, country, nationality, organisation, employer, role or preferred communication language.
Data submitted through forms
Information sent through contact forms, course request forms, employer offer forms, newsletter forms, guide download forms or other website forms.
Course and learner data
Course enrolment data, language level, attendance or participation information, completed activities, test results, learning progress, feedback, certificates of participation or completion and course-related communication.
Corporate or employer-related data
Name and contact details of company representatives, organisation name, industry, number of workers to enrol, languages spoken by workers, preferred timeline and course needs.
Contractual and billing data
Data necessary for offers, contracts, invoices, payments, accounting records and contractual correspondence, where applicable.
Communication data
Messages sent by email, website forms, phone, online meetings, social media or other communication channels used by the person contacting us.
Newsletter and marketing data
Email address, subscription preferences, consent records, newsletter interactions, unsubscribe information and interest in educational or integration-related resources.
Technical data
IP address, cookie identifiers, device type, browser, operating system, pages visited, traffic source, date and time of access, website security logs and analytics data, where applicable.
Audio/video data
Image, voice, display name or meeting participation data, only when online sessions, meetings or recordings are organised and this is communicated transparently.
We do not intentionally collect special categories of personal data, such as health data, religious beliefs, political opinions, biometric data or trade union membership, unless the person voluntarily provides such information or a clear legal context makes it necessary.
4. Sources of personal data
We may receive personal data:
directly from you, when you complete a form, contact us, subscribe to updates, request a guide, enrol in a course or participate in an activity;
from an employer, organisation, institution or partner that enrols participants in INDORA courses or programmes;
from technical platforms used for website hosting, forms, email, newsletter management, online learning, analytics, security or communication;
from correspondence, meetings or contractual/pre-contractual communication.
5. Why we process personal data and legal bases
We process personal data for the following purposes:
Responding to requests and messages
When you contact us, request information, ask for an offer or send us a message, we use your data to respond to your request.
Legal basis: pre-contractual steps, legitimate interest or consent, depending on the context.
Providing courses and educational activities
When you or your organisation enrol in an INDORA course or activity, we process the data necessary to provide access, organise learning, monitor participation and issue course-related documentation.
Legal basis: performance of a contract, pre-contractual steps, legitimate interest or consent, depending on the context.
Managing employer or organisational requests
When an employer, NGO, institution or partner contacts us regarding courses for foreign workers or other groups, we process data necessary to understand the request, prepare an offer and manage communication.
Legal basis: pre-contractual steps and legitimate interest.
Course participation, progress and documentation
We may process participation data, activity completion, test results, progress information and certificates in order to manage the course and provide agreed documentation to the participant or, where applicable, to the organisation that requested the programme.
Legal basis: performance of a contract, legitimate interest and, where required, consent.
Sending guides, educational resources and newsletters
If you subscribe to receive a guide, newsletter or educational updates, we use your email address to send the requested resource and occasional INDORA updates about Romanian language learning, integration, educational resources and related activities.
Legal basis: consent. You can unsubscribe at any time.
Website operation, analytics and security
We process technical data to ensure that the website works properly, to protect it from misuse, to understand general traffic and to improve the user experience.
Legal basis: legitimate interest for essential technical and security data; consent for non-essential cookies and analytics, where required.
Contracting, accounting and legal obligations
Where services are contracted, we may process contractual, billing and accounting data to issue invoices, manage payments, keep accounting records and comply with legal obligations.
Legal basis: performance of a contract and legal obligation.
Managing complaints, legal claims or disputes
If a complaint, request or dispute occurs, we may process relevant data to manage the situation and protect our rights and legitimate interests.
Legal basis: legal obligation and legitimate interest.
6. Data concerning learners enrolled by employers or organisations
In corporate or organisational programmes, an employer, NGO, institution or partner may provide learner data to INDORA for the purpose of organising Romanian language courses, integration support, educational activities or related programmes.
In such cases, the organisation providing the data is responsible for ensuring that it has a valid legal basis for sharing the data with INDORA and that the people concerned are properly informed.
INDORA will use the data only for the organisation, delivery, administration, monitoring and reporting of the agreed services, in line with the principle of data minimisation.
If individual reports are provided to an employer or organisation, they will be limited to relevant course-related information, such as participation, progress, activity completion, general level or educational recommendations. INDORA will not share excessive, sensitive or irrelevant information.
7. Online courses, meetings and recordings
INDORA may organise online learning activities, webinars, meetings or courses through digital platforms.
Online sessions are not recorded unless this is necessary for the service or clearly communicated before the session. If recordings are used for recap, later access, quality assurance, internal training or other purposes, we will inform participants about the purpose, storage period and access rules.
For marketing, public posting or external promotional use of images, voices or recordings, separate consent will generally be requested.
8. Recipients and service providers
Personal data may be accessed only by people and organisations that need it for the purposes described in this Privacy Policy.
This may include:
INDORA team members, trainers, collaborators and authorised representatives;
website hosting, maintenance and security providers;
email, forms, CRM and newsletter platforms;
online learning and e-learning platforms;
videoconferencing and communication platforms;
accounting, legal, audit or consultancy providers;
payment or banking service providers, where applicable;
public authorities, courts or control bodies, when required by law.
All service providers are expected to process data only according to applicable data protection rules and only for the purposes for which they were engaged.
9. International data transfers
We aim, where possible, to use service providers that process data within the European Union or the European Economic Area.
If we use tools or providers that involve transfers of personal data outside the European Economic Area, we will rely on appropriate safeguards, such as adequacy decisions, standard contractual clauses or other lawful transfer mechanisms, where applicable.
10. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, unless a longer period is required or permitted by law.
As a general rule:
requests received through forms or email may be kept for up to 24 months from the last interaction, unless a contract or ongoing relationship follows;
course participation, progress and completion data may be kept during the course and afterwards for the period necessary for support, reporting, documentation and proof of service delivery;
contracts, invoices and accounting documents are kept according to applicable Romanian legal, fiscal and accounting retention periods;
newsletter data is kept until consent is withdrawn, the person unsubscribes or the data is no longer necessary;
technical and security logs may be kept for a limited period, depending on security needs and technical requirements;
complaint, claim or dispute-related data may be kept for the period necessary to manage the issue and in accordance with applicable limitation periods.
After the relevant retention period expires, data will be deleted, anonymised or archived with restricted access, where permitted or required by law.
11. Security measures
We apply reasonable technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure or misuse.
These measures may include access control, passwords, role-based permissions, secure hosting, software updates, backups, encryption where appropriate, internal confidentiality rules, limited access to personal data and careful selection of relevant service providers.
No internet transmission or digital storage system can be guaranteed as 100% secure, but we treat data security as an ongoing responsibility.
12. Your rights under GDPR
Under the GDPR, you may have the following rights:
Right of access — to know whether we process your data and to receive a copy of it.
Right to rectification — to correct inaccurate or incomplete data.
Right to erasure — to request deletion of data in the cases provided by law.
Right to restriction of processing — to limit processing in certain situations.
Right to data portability — to receive your data in a structured, commonly used and machine-readable format, where applicable.
Right to object — to object to processing based on legitimate interest or to direct marketing.
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
Right not to be subject to automated decision-making — where applicable.
To exercise your rights, please contact us at:
We may request additional information to verify your identity. We will respond within the legal deadline, usually within one month, with the possibility of extension where permitted by GDPR.
13. Newsletter, guides and marketing communication
If you subscribe to receive a guide, newsletter or educational updates, INDORA will use your email address for the purpose explained at the time of subscription.
Subscription forms will explain what you are subscribing to and may include a consent checkbox. You may unsubscribe at any time using the unsubscribe link included in our emails or by contacting us directly.
We do not sell email lists and we do not intentionally send marketing emails without a lawful basis.
14. Cookies and similar technologies
Our website may use cookies and similar technologies for website operation, security, preferences, analytics and, where applicable, marketing.
Essential cookies may be necessary for the website to function properly. Non-essential cookies, such as analytics or marketing cookies, will be used only where the applicable legal requirements are met.
More details may be provided in a separate Cookie Policy or cookie notice.
15. Links to other websites
Our website may contain links to external websites, platforms or resources. INDORA is not responsible for the privacy practices or content of third-party websites. We recommend that you read the privacy policies of any external websites you visit.
16. Complaints
If you believe that your personal data has been processed unlawfully, you may contact us first at:
You also have the right to lodge a complaint with the Romanian data protection authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28–30, Sector 1, București, Romania
Website: https://www.dataprotection.ro
Email: anspdcp@dataprotection.ro
17. Updates to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect legal, technical or operational changes.
The current version will always be published on our website, with the date of the latest update. For significant changes, we may provide additional notice where appropriate.
18. Legal framework
This Privacy Policy is based, in particular, on the following legal framework:
Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR);
Romanian Law no. 190/2018 on measures for the implementation of the GDPR;
Romanian Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector;
other applicable Romanian and European legal provisions, where relevant.
Asociația INDORA
CIF: 52115038
Constanța, Romania
Email: asociatiaindora@gmail.com
Website: https://indora.social
