General Data Protection Regulation (GDPR)
Last updated: April 20, 2026
1. Scope of this notice
This page applies to our insurance applications targeting the Romanian market, including projects for RCA, RCA calculators, CASCO, home, travel, flight, health insurance, and similar products operated by SUNERGOS IT SRL.
This is a product-specific privacy notice for the insurance portfolio and it complements our general Privacy Policy. At the moment, some of these applications are informational or pre-launch products. If we activate new quote, issuance, or document-management flows, we will update this page so it accurately reflects the data collected and the legal bases used.
2. Data controller
The data controller for these applications is:
SUNERGOS IT SRL
Strada Martir Marius Ciopec 18, sc. C, et. 3, ap. 16
Timișoara, Timiș, 300737, Romania
CUI: RO 12345678
Trade Registry: J35/1234/2017
Email: office@sunergos.ro
For privacy questions, GDPR requests, or security-related concerns, you can contact us using the address above.
3. Principles that guide our data collection
Across the insurance applications, we follow a few strict rules:
- we collect only the data needed for the concrete service requested by the user;
- we do not ask for sensitive data earlier in the journey than necessary;
- we clearly separate data needed for quoting, policy issuance, marketing, and analytics;
- we do not use pre-ticked consent boxes;
- we do not sell personal data and we do not use hidden commercial profiling;
- we periodically review form fields to remove unnecessary data points.
4. What we collect today
At the current stage of the portfolio, data collection is limited and varies by product:
- Waiting lists / launch notifications: in most pre-launch applications, we only collect the email address voluntarily submitted through the form.
- RCA calculator without personal data: we use parameters such as vehicle type, owner type, engine power, age group, registration area, authorized mass, and bonus-malus class. This flow is intentionally built to work without a national ID number, without a name, and without a plate number.
- Product comparisons and selections: in some applications, we only retain technical selections needed to display product comparisons, without directly asking for identifying data.
- Technical and security data: like any web service, we may process technical logs, IP addresses, user-agent strings, request IDs, and diagnostic data strictly for security, abuse prevention, and service operation.
5. What we may collect when quote or policy flows go live
If we activate full quoting, policy purchase, or policy-management workflows, we may request only the data relevant to the selected insurance product, for example:
- Identification data: first name, last name, ID document details, national ID number or other identifier required by the insurer, date of birth.
- Contact data: email, phone number, home or correspondence address.
- RCA / CASCO data: vehicle category, make, model, year, VIN, registration number, owner details, bonus-malus history, and other information needed to calculate or issue the policy.
- Home insurance data: property address, construction type, surface area, year built, usage, and requested level of cover.
- Travel / flight insurance data: destination, travel period, number of insured persons, ages, and other details strictly needed for the selected policy.
- Health insurance data: only where the product or insurer requires it and only within the limits permitted by law; this may include health declarations, relevant medical history, or other information strictly necessary for underwriting.
If a quote or policy journey is hosted directly by an insurer, broker, or another partner, that entity may act as an independent controller for that stage and will provide its own GDPR notice.
6. Processing purposes and legal bases
We process personal data only for clear purposes and on appropriate legal bases, including:
- At your request, prior to contract (Art. 6(1)(b) GDPR): to respond to a request for a quote, simulation, comparison, or policy issuance.
- For contract performance (Art. 6(1)(b) GDPR): if you purchase a policy, if we manage contractual documents, or if we provide post-sale support.
- For legal obligations (Art. 6(1)(c) GDPR): for example tax, accounting, compliance, supervisory, or legal-defense obligations.
- For legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, protection of rights, technical administration of the services, and limited, proportionate, transparent analytics.
- Based on consent (Art. 6(1)(a) GDPR): for marketing communications, newsletters, non-essential cookies, or other optional processing.
Where health data or other special-category data is involved, we will process such information only where a valid additional condition under Art. 9 GDPR applies, such as explicit consent or another lawful condition permitted by the applicable insurance framework.
7. When providing data is mandatory
Not all fields will be mandatory. However, some data is necessary if we are to provide the service you requested. If we do not receive the essential data needed for a quote, policy issuance, or contractual verification, we may be unable to process the request.
For marketing communications, consent will be clearly separated from the main quote or purchase request.
8. Who we may share data with
Personal data may be shared, where necessary, with the following categories of recipients:
- insurers, brokers, distribution partners, or processors involved in quoting, issuance, or policy administration;
- hosting, email, analytics, storage, security, and other IT service providers used to operate the applications;
- legal, tax, accounting, or audit advisers where access is necessary and justified;
- public authorities, courts, regulators, or other bodies where the law requires disclosure;
- payment or billing providers if we enable online payments.
Recipients will receive only the data necessary for their role and, where they act as processors, we will use agreements aligned with Art. 28 GDPR.
9. Transfers outside the EEA
If we use providers that store or access personal data from outside the European Economic Area, we will verify that an appropriate legal transfer mechanism is in place, such as an adequacy decision, standard contractual clauses, or another safeguard recognized by the GDPR.
We do not intend to transfer data outside the EEA merely for convenience; any such transfer will be limited to what is necessary to operate the service.
10. Retention periods
We apply different retention periods depending on the purpose:
- Pre-launch or notification emails: until the product launch, withdrawal of consent, or no later than 12 months after the last interaction, unless a shorter period is justified.
- Unfinished quote requests: only for as long as needed to respond and perform a reasonable follow-up, after which the data will be deleted or anonymized unless the law requires otherwise.
- Contractual, tax, and accounting data: for the duration of the contractual relationship and afterwards in line with statutory archiving obligations.
- Sensitive data: only for the period strictly required for the purpose for which it was requested and with heightened protection measures.
11. Cookies, analytics, and marketing
As a rule, we prefer cookieless analytics for measuring traffic and product performance. If an application uses cookies or other non-essential identifiers, they will be activated only after clear notice and, where the law requires it, your consent.
Marketing communications will be sent only where there is a separate legal basis. You will be able to unsubscribe at any time, without affecting contractual services.
12. Data security
We apply reasonable technical and organizational measures to protect data against unauthorized access, loss, destruction, or disclosure. These measures may include access controls, authentication, logging, encryption in transit, separation of environments, and periodic reviews of access rights.
Access to personal data will be limited to the people and systems that genuinely need it for the declared purpose.
13. Automated decisions and profiling
We do not intend to make decisions based solely on automated processing that produce legal or similarly significant effects on you without human involvement on our side. If an insurer or partner uses its own underwriting, scoring, or anti-fraud logic, that processing may be governed by its own GDPR notice.
14. Your rights
Subject to the conditions set by the GDPR, you have the following rights:
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restriction of processing;
- the right to data portability;
- the right to object, including to processing based on legitimate interests;
- the right to withdraw consent at any time for processing based on consent;
- the right not to be subject to a decision based solely on automated processing, where Art. 22 GDPR applies;
- the right to lodge a complaint with the competent supervisory authority.
To exercise your rights, you can write to office@sunergos.ro. We will generally respond within one month of receiving the request.
15. Supervisory authority
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Romanian supervisory authority:
ANSPDCP
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1
010336, București, România
Website: www.dataprotection.ro
16. Changes to this page
We will update this page whenever we materially change the categories of data processed, the purposes, the legal bases, the partner setup, or the product architecture. The latest update date is shown at the top of the page.