Privacy Policy
Table of Contents
- Data Controller
- Data We Collect
- Legal Bases for Processing
- How We Use Your Data
- Aggregation, Anonymization, and Quarterly Reports
- Data Retention
- Your Rights
- Data Processors and Sub-processors
- International Transfers
- Cookies
- Security Measures
- Children's Privacy
- Information for California Residents (CCPA)
- Changes to This Policy
- Contact and DPO
1. Data Controller
The data controller for the processing described in this Privacy Policy is:
- Company: Carpathica Authentic Srl
- CUI: 36090691
- Registered office: Satu Mare, Romania
- Email: privacy@panthe.ro
We are an EU-based company subject to the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). We process all data in accordance with GDPR and applicable Romanian data protection law.
2. Data We Collect
2.1 Account Data
When you create an Account, we collect:
- Full name
- Email address
- Company name (optional)
- Password (stored as a one-way cryptographic hash; we never store your password in plain text)
- Two-factor authentication seed (if you enable 2FA, stored encrypted)
2.2 API Request Data
When you use the API as an authenticated User, we collect:
- The IP addresses, domains, or email addresses you submit for threat intelligence lookup
- Your source IP address
- Timestamp of each request
- API key identifier used (not the secret itself)
- HTTP request metadata (user agent, request method, response code)
- The threat intelligence results returned
2.3 Free Tool Usage Data
When you use Free Tools without an Account, we collect:
- The IP address or domain you submit for lookup
- Your own IP address
- Timestamp of the request
- Browser and device information (user agent string)
- The results returned
We do not require you to identify yourself to use Free Tools. However, your IP address may constitute personal data under GDPR.
2.4 Billing Data
For paid services, we collect:
- Company name and billing address
- VAT registration number (if applicable)
- Payment method details (card payments are processed by our payment processor; we do not store full card numbers)
- Invoice history and payment records
2.5 Contact and Communication Data
When you contact us through the contact form, email, or other channels, we collect the information you provide (name, email, message content) and any subsequent correspondence.
2.6 Server Logs
Our web servers automatically log:
- IP address
- Date and time of access
- URL requested
- HTTP status code
- Referrer URL
- User agent string
3. Legal Bases for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)): Processing Account Data, API Request Data, and Billing Data is necessary to provide the services you have contracted for.
- Legitimate interest (Art. 6(1)(f)): We process server logs and Free Tool Usage Data to maintain platform security, prevent abuse, detect fraud, and improve service quality. We process threat data for aggregation and anonymization to produce Quarterly Reports, which advance the legitimate interest of cybersecurity research and threat awareness. We have conducted a balancing test and determined that these interests do not override your rights, given that Aggregated Data is fully anonymized and cannot be linked back to you.
- Legal obligation (Art. 6(1)(c)): We retain billing records and certain account data as required by Romanian tax and accounting law.
- Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent - for example, for marketing communications. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in our communications. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing, operating, and maintaining the Platform and your Account
- Processing API requests and returning threat intelligence results
- Processing Free Tool lookups
- Billing, invoicing, and payment processing
- Communicating with you about your Account, service updates, and support requests
- Monitoring and enforcing compliance with our Terms of Service and Acceptable Use Policy
- Detecting, preventing, and responding to fraud, abuse, and security incidents
- Aggregating and anonymizing threat data for statistical analysis and Quarterly Reports (see Section 5)
- Improving the Platform, including refining threat intelligence algorithms
- Complying with legal obligations
We do not sell your personal data. We do not use your personal data for automated decision-making that produces legal effects concerning you.
5. Aggregation, Anonymization, and Quarterly Reports
This section describes how we derive Aggregated Data from Platform usage. This process is central to our mission of improving global cybersecurity awareness.
- What we aggregate: Threat intelligence request patterns, risk score distributions, geographic threat origin trends, attack type frequencies, and temporal trends across the entire Platform.
- How we anonymize: We strip all identifiers (User IDs, Account information, API keys, source IP addresses, and queried IP addresses) before aggregation. The resulting data sets contain only statistical summaries - counts, averages, percentiles, and distributions. The anonymization is irreversible by design.
- Aggregated Data is not personal data: Once anonymized, the resulting Aggregated Data does not constitute personal data as defined by GDPR (Recital 26). It cannot be used to identify any individual, Account, or Property.
- Ownership: Aggregated Data is the sole and exclusive intellectual property of Carpathica Authentic Srl. This is not a claim over your personal data - it is a claim over the statistical insights derived from irreversibly anonymized data sets.
- Publication: We publish Quarterly Reports (for example, "State of Internet Threats Q1 2026") based on Aggregated Data. These reports are made publicly available on panthe.ro and may be referenced in press releases, blog posts, and industry publications.
- No re-identification: We do not attempt to re-identify any individual from Aggregated Data, and we prohibit third parties who receive Aggregated Data from doing so.
6. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Policy, or as required by law:
- Account Data: Retained for the duration of your Account plus 30 calendar days after deletion to allow for account recovery, then permanently deleted.
- API Request Data: Retained for 12 months for service operation, abuse detection, and billing reconciliation, then permanently deleted.
- Free Tool Usage Data: Retained for 90 calendar days for abuse detection and rate-limit enforcement, then permanently deleted.
- Billing Data: Retained for 10 years after the end of the financial year in which the transaction occurred, as required by Romanian fiscal law.
- Server Logs: Retained for 90 calendar days, then permanently deleted.
- Contact and Communication Data: Retained for 3 years after the last communication, then permanently deleted.
- Aggregated Data: Retained indefinitely. Because it is not personal data, retention limits do not apply.
7. Your Rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@panthe.ro. We will respond within 30 calendar days (extendable by 60 days for complex requests, with notification).
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.
- Right to rectification (Art. 16): You have the right to correct inaccurate personal data and to complete incomplete personal data.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent (where consent is the legal basis), or when the data has been unlawfully processed. We may refuse erasure where retention is required by law (for example, billing records under fiscal obligations) or for the establishment, exercise, or defense of legal claims.
- Right to restriction (Art. 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or when you object to processing pending verification of our legitimate grounds.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing purposes at any time, without restriction.
- Right not to be subject to automated decisions (Art. 22): We do not make automated decisions that produce legal effects or similarly significantly affect you based solely on automated processing.
- Right to lodge a complaint: You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or with the supervisory authority in your Member State of residence.
Important: These rights apply to your personal data, not to Aggregated Data. Because Aggregated Data is not personal data and cannot be linked back to you, rights of access, rectification, erasure, portability, and objection do not apply to it.
8. Data Processors and Sub-processors
We engage a limited number of third-party processors to help operate the Platform. Each processor is bound by a Data Processing Agreement that requires GDPR-compliant safeguards. Our current categories of processors include:
- Hosting provider: Server infrastructure located in the European Union.
- Payment processor: For processing card payments. Receives only the billing data necessary to complete the transaction.
- Email delivery service: For sending transactional emails (account verification, password resets, invoices). Receives only email addresses and message content.
We do not share your personal data with advertisers, data brokers, or social media platforms. We do not sell personal data.
We may disclose personal data if required by law, court order, or governmental regulation, or to protect our rights, property, or safety or that of our users or the public.
9. International Transfers
Your personal data is processed and stored on servers located within the European Union. We do not routinely transfer personal data outside the EU/EEA.
If a transfer outside the EU/EEA becomes necessary (for example, if a sub-processor is located in a third country), we will ensure that the transfer is protected by one of the following safeguards:
- An adequacy decision by the European Commission (Art. 45 GDPR)
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR)
- Binding Corporate Rules (Art. 47 GDPR)
We will not transfer personal data to a country that lacks adequate protections without implementing appropriate supplementary measures.
10. Cookies
We use a minimal set of cookies that are strictly necessary for the Platform to function. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. For full details, see our Cookie Policy.
11. Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2 or higher for all connections)
- Encryption of sensitive data at rest (passwords, 2FA seeds, API secrets)
- HMAC-signed API authentication to prevent credential interception
- Strict Content Security Policy (CSP) preventing execution of unauthorized scripts and loading of external resources
- Network-level protections (firewall rules, rate limiting, intrusion detection)
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular security assessments and code reviews
- Incident response procedures with notification timelines compliant with Art. 33 and Art. 34 GDPR
No system is perfectly secure. While we take extensive precautions, we cannot guarantee absolute security. If we detect a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify you without undue delay.
12. Children's Privacy
The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@panthe.ro.
13. Information for California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:
- Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
- No sale of personal information: We do not sell personal information as defined by the CCPA.
To exercise your CCPA rights, contact us at privacy@panthe.ro. We will verify your identity before fulfilling your request.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify registered Users by email at least 30 calendar days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
15. Contact and DPO
For questions about this Privacy Policy, to exercise your data subject rights, or to raise a privacy concern, contact us at:
- Email: privacy@panthe.ro
- Company: Carpathica Authentic Srl
- CUI: 36090691
- Address: Satu Mare, Romania
If you are not satisfied with our response, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at anspdcp.ro or with your local supervisory authority.