Home / GDPR Compliance

PRIVACY POLICY

Effective Date: 06.03.2025
1. Introduction
Welcome to Code4Nord! We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Code4Nord (referred to as “we”, “us”, or “our”) collects, uses, and protects personal information obtained through our website (including via our contact forms), and describes your rights regarding your personal data.
Who we are: Code4Nord is a software development company based in Cluj-Napoca, Romania. For the purposes of data protection law, Code4Nord is the “Data Controller” of the personal data collected on this website. You can contact us using the information in the Contact section below with any questions about this policy or your personal data.
By using our website or submitting information through our contact or application forms, you acknowledge that you have read this Privacy Policy. If you do not agree with the practices described here, please do not use the forms or provide personal data via the website.

2. Personal Data We Collect
We may collect and process the following categories of personal data when you interact with our site or use our contact forms:

  • Contact Inquiry Information: If you fill out our general contact form (for example, to ask a question or request a service proposal), we will collect your name, email address, phone number (if provided), company/organization (if provided), and the content of your message or inquiry. We might also collect the subject or reason for your inquiry if that is part of the form.
  • Job Application Information: If you apply or inquire about a job via our website (such as by using a form that allows you to upload your CV/resume), we will collect personal details you provide: your full name, email, phone number, city of residence, LinkedIn profile URL (if provided), any other social or professional profile links you share, and any information contained in your CV/Resume or cover message. This could include your employment history, education, skills, and any other details you choose to include in those documents. We do not require you to include sensitive personal information (like racial or ethnic origin, political opinions, religious beliefs, health information) in your CV and ask that you refrain from providing such sensitive data unless absolutely necessary. If you do provide any sensitive data, by doing so you are consenting to our processing of that data only for the purposes of evaluating your application.
  • Website Usage Data (Cookies and Analytics): (If applicable) Our website may use cookies or analytics tools to collect information about how visitors use the site (e.g., IP address, browser type, pages viewed, time spent). This is generally aggregated data and not directly linked to your identity, but if IP addresses or other identifiers are considered personal data, we treat them in accordance with GDPR. (Note: Include this section only if the site actually uses cookies/analytics; if yes, you should also have a Cookie Policy or at least describe cookie use).
  • Other Data Provided Voluntarily: If you contact us through other means (email, phone, or social media), or if you optionally provide information in forms (like additional notes), we will receive whatever information you choose to provide in those communications.


We do not deliberately collect data beyond what is necessary for the purposes described in this policy. All fields in our website forms that are required are clearly marked. Providing any additional information is voluntary. If you choose not to provide required information (such as your name or contact details in the contact form), we may be unable to respond to your request or consider you for a position, respectively.

3. How We Use Your Personal Data (Purposes and Legal Bases)
We will only use your personal data for specific, explicit purposes and in ways that are lawful under the GDPR. This section describes those purposes and the legal basis we rely on for processing.

  • 3.1 Responding to Your Inquiries: When you contact us via the general contact form, we use your provided information to review your request and respond to you. This may include answering questions, discussing a potential project, or providing information you asked for about our services.
    • Legal Basis: Consent (Art. 6(1)(a) GDPR) – By ticking the consent box and submitting the form, you gave us permission to use your data to contact you. In cases where you reach out to us directly (e.g., via email) without a formal consent box, our legal basis may be legitimate interest (Art. 6(1)(f)), as it is in our interest to respond to potential clients/partners and it’s also expected by you when you initiated contact. We ensure this use does not override your rights and freedoms. If you do not wish us to use your data any longer for this purpose, you can let us know and we will stop (see Section 8 on your rights).
  • 3.2 Service Delivery and Pre-Contractual Discussions: If your inquiry progresses into discussions about a contract or service engagement, we will use your personal data to take steps at your request prior to entering into a contract (e.g., scoping a project, negotiating terms).
    • Legal Basis: Contractual necessity (Art. 6(1)(b) GDPR) – This applies when we are moving toward an agreement or providing services you requested. For example, if you ask for a quote and provide details, we process those details to formulate the quote.
  • 3.3 Recruitment and Hiring: When you submit a job application through our site (or send us your CV), we use your personal data to evaluate your qualifications, contact you for interviews or further information, and make hiring decisions. We may also, with your permission, keep your information on file for a period in case future opportunities arise.
    • Legal Basis: Consent (Art. 6(1)(a)) – By submitting your application and ticking the consent box, you consent to our processing of the data for recruitment. In a context of an actual job application to a posted job, contractual necessity (Art. 6(1)(b)) can also apply, as it’s a step you requested to potentially enter into an employment contract. If we retain your data for future opportunities beyond the initial hiring process, we will either do so based on your consent (which you can withdraw), or if allowed by law, based on our legitimate interest in building a talent pool – but in such case, we will inform you and give you an option to opt-out.
  • 3.4 Marketing Communications:Currently, we do not automatically add contact form submitters to any marketing or newsletter list. We will not use the contact details you provided in an inquiry or job application to send you unrelated marketing content unless you explicitly opt-in to such communications. If in the future we would like to send you updates about our services or company, we will ask for your separate consent (e.g., via a checkbox saying “Subscribe me to the newsletter” or similar).
    • Legal Basis: Consent – We will only send marketing emails or calls if you have agreed to that. You have the right to withdraw that consent at any time (see Section 8).
  • 3.5 Website Functionality and Analytics: If we process usage data or set cookies, it is to improve our website and services, understand how users interact with our site, and secure our site (e.g., preventing spam via reCAPTCHA, which may collect some user info).
    • Legal Basis: Consent – We will obtain consent for non-essential cookies/analytics as required by law (e.g., through a cookie banner). For security-related necessary processing (like basic logging of IP addresses or use of anti-spam tools), we rely on legitimate interests to keep our website and communications secure and functional.
  • 3.6 Compliance with Legal Obligations: We may need to process and retain personal data to comply with laws or regulations. For instance, if you enter into a contract with us, we might need to keep certain information for accounting/tax records, or to comply with EU data protection authorities if you exercise your rights.
    • Legal Basis: Legal obligation (Art. 6(1)(c) GDPR) – When laws require us to retain or disclose certain data (e.g., for audit or law enforcement requests), we will do so in compliance with those laws.


We will not use your personal data for any purpose that is incompatible with the purposes described above without first obtaining your consent or unless required or permitted by law. We do not use automated decision-making or profiling on the personal data collected through our contact forms.

4. How We Share Your Data (Recipients)
We treat your personal data with care and confidentiality. We do not sell your information to third parties. However, we may share your data in the following contexts, strictly on a need-to-know basis:

  • 4.1 Within Code4Nord: Your information will be accessed by relevant Code4Nord personnel who need it to fulfill the stated purposes. For example, our sales or business development team will handle contact form inquiries, and our HR/recruitment team will handle job applications. All staff are bound by confidentiality and data protection obligations.
  • 4.2 Service Providers (Processors): We use trusted third-party service providers to help us operate our website and business. These may include:
    • Web Hosting and Email Services: Our website hosting provider will inevitably process data that passes through the site (including form submissions stored on the web server). Similarly, if form submissions are sent to us via email or if you email us directly, our email service provider will process that data. These providers (e.g., web hosting company, email hosting like Microsoft 365 or Google Workspace) act under our instructions as data processors.
    • Form Handling and Storage: If we use any specific form management tool or plugin that stores submissions in their cloud, they will process the data on our behalf. We ensure any such provider is GDPR-compliant and has a Data Processing Agreement with us.
    • Analytics and Security Tools: If we use analytics (like Google Analytics) or anti-spam/security tools (like Google reCAPTCHA for form spam protection), these third parties may collect certain data from your interactions (like IP, cookies) – usually this is directly handled under their terms. We will only use reputable providers and, where required, configure them to minimize data and inform you (for example, through our Cookie notice). 
  • In all such cases, our service providers are not allowed to use your data for their own purposes. They are contractually bound to process it only for us and to maintain proper security measures.
  • 4.3 Business Partners or Clients: Normally, information from contact forms stays within Code4Nord. In some cases, if your inquiry specifically involves a partner (for example, you request that we collaborate with one of our partner companies, or you are being referred to us through a partner), we would share data with that partner with your knowledge. For job applications, we do not share your CV or personal details outside Code4Nord unless we explicitly discuss it with you (e.g., if we think you might fit a role with a sister company or client, we would only forward your details with your consent).
  • 4.4 Legal Disclosures: If required by law or an official authority (for example, a court order, or a request from a data protection authority), we might have to disclose certain personal data. We will do so only to the extent necessary and after verifying the legitimacy of the request.
  • 4.5 Corporate Transactions: In the unlikely event that Code4Nord undergoes a major business transaction, such as a merger, acquisition, or sale of assets, the personal data held by us might be transferred to the new owners or parties to the transaction. If that happens, we will ensure that the receiving party is bound to respect your personal data in line with this Privacy Policy and applicable laws, and we will notify you of the change either through the website or other means.


Aside from the above, we will not share your personal data with third parties unless we have your consent or have otherwise informed you and are permitted by law. If in the future we need to share information in a new way, we will update this Privacy Policy and, if required, obtain your consent.


5. International Data Transfers
Code4Nord is based in the European Union (Romania), and we primarily process personal data on servers located in the EU. However, some of our service providers might be located or have servers in other countries. For example, if we use Microsoft or Google for email, or another cloud service, some data might be stored or accessed outside the EU/EEA (for instance, in the United States).
When we transfer or permit access to personal data outside the European Economic Area (EEA), we take steps to ensure that your data receives an adequate level of protection consistent with EU law. These steps include:

  • EU Commission Adequacy: Whenever possible, we transfer data to countries that have been deemed “adequate” by the European Commission, meaning they provide a similar level of data protection as the EU (for example, countries like the UK, Switzerland, etc., if applicable).
  • Standard Contractual Clauses (SCCs): For transfers to our service providers in countries without an adequacy decision (e.g., United States), we have agreements in place using the European Commission’s Standard Contractual Clauses, which contractually oblige the recipient to protect your data to EU standards. We also assess, where necessary, any additional measures or risks as recommended by EU authorities.
  • Other Safeguards: We also ensure our providers commit to robust security and privacy standards. Some providers may rely on frameworks like the EU-US Data Privacy Framework (if applicable and certified) or other approved transfer mechanisms. We monitor legal developments and will adjust our data transfer practices if required to remain in compliance.


You can request more information about our data transfer safeguards (or obtain a copy of the SCCs, etc.) by contacting us (see Section 9).

6. Data Retention
We will not keep your personal data for longer than necessary for the purposes for which we collected it, unless a longer retention period is required or permitted by law. Here is how this applies to different types of data we collect:

  • Contact Form Inquiries: We retain the personal data from general inquiries for up to 6 months after our last communication with you regarding your inquiry. For example, if you contact us and we respond, we might keep your information for X months in case you have follow-up questions or to refer back to our conversation if you reach out again. After that period, we will delete or anonymize the data, unless it is necessary to retain it for establishing a business relationship (e.g., if you become a client, your contact data might be kept in our client records under a separate client privacy notice). You have the right to ask us to delete your inquiry data sooner – see Section 8 on your rights.
  • Job Applications (CVs and related data): If you apply for a job and are not hired in that round, we will retain your application data for 12 months after the position is filled or after our last contact with you. We keep it for this period to consider you for any future positions that might be a fit, or in case the initial hiring decision needs to be revisited. If you prefer that we do not retain your data once the hiring process is complete, please let us know, and we will delete your application (unless we are required by law to retain certain details). If you are hired, your data will be retained and transferred to your employee file and handled under our internal employee privacy policies (you will be informed about that separately).
  • Website usage data (cookies): Different cookies have different lifespans. Our Cookie Policy  provides details on cookie retention. Analytics data is typically retained in aggregate form; any personal identifiers (like full IP addresses) are either anonymized or deleted within a short period (e.g., Google Analytics IP anonymization).
  • Legal Compliance and Disputes: In some cases, we may need to retain data for a longer period if it’s necessary for legal obligations or resolving disputes. For instance, if you enter into a contract with us or there is a legal claim, we may retain relevant data through the statute of limitations period. Also, if you exercise certain rights (like opting out of marketing), we might keep minimal information (like your email in a suppression list) to honor that request in the future.


After the applicable retention period has elapsed, we will ensure that your data is either securely deleted or irreversibly anonymized (so it can no longer be associated with you). We regularly review the data we hold and erase or anonymize that which is no longer needed.

7. Data Security Measures
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Our website is secured via SSL/TLS encryption (HTTPS), which means that the data you submit through the contact forms is encrypted in transit between your browser and our server. For stored data (databases, backups), we employ encryption where feasible and appropriate.
  • Access Controls: Personal data collected through the forms is accessible only to authorized personnel who need to use it for the purposes described (e.g., our staff handling inquiries or HR staff handling recruitment). Accounts and systems that have access to personal data are protected with strong passwords and, where possible, two-factor authentication.
  • Secure Storage: We store electronic data on secure servers. We ensure that our hosting providers maintain high security standards (firewalls, intrusion detection, etc.). Any physical copies (unlikely for contact form data, but if say a CV is printed for an interview) are kept secure and shredded or securely disposed of when no longer needed.
  • Training and Policies: Our team members are educated about data protection and the importance of privacy. We have internal policies in place to prevent unauthorized sharing or mishandling of personal data. For example, we instruct employees not to download CVs or inquiry data to unsecured personal devices, and to use company-approved tools for communication which are subject to our security controls.
  • Regular Updates and Patching: We keep our website platform, plugins, and software up to date to protect against security vulnerabilities that could be exploited to gain unauthorized access to data.
  • Backups and Recovery: We perform regular backups of important data to prevent data loss, and those backups are secured. In case of any physical or technical incident, we have the ability to restore data.
  • Vendor Due Diligence: As mentioned, any third-party processors we use are vetted for strong security practices and are bound by contracts to protect your data.
  • Incident Response: Despite best efforts, no system can be 100% secure. We have a procedure to detect, respond to, and report data breaches. If a personal data breach occurs that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (in Romania, the National Supervisory Authority for Personal Data Processing – ANSPDCP) within 72 hours, and if there is a high risk to you (e.g., your rights might be adversely affected), we will also inform you without undue delay, as required by GDPR.


We continually assess and improve our security measures to keep up with evolving threats. However, you should also take care when sending information to us via the internet. If you have reason to believe that your interaction with us is no longer secure (for example, if you suspect a vulnerability on our site), please contact us immediately.

8. Your Rights Regarding Personal Data
As an individual whose data we process, you have several rights under the GDPR. We are committed to respecting these rights and enabling you to exercise them easily. Below we outline your key rights and how to use them:

  • 8.1 Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of that data along with supplementary information (similar to what’s provided in this Privacy Policy – the purposes of processing, categories of data, etc.). This is commonly known as a “Data Subject Access Request.”
    How to exercise: Contact us with proof of identity (so we don’t give your data to the wrong person) and let us know what information you want to access. We will respond within one month (or inform you if we need more time, which can be an additional two months for complex requests). The first copy of your data will be provided free of charge.
  • 8.2 Right to Rectification: If you find that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. For example, if you realize you typed the wrong phone number in a contact form, or your email address has changed, you can request that we update our records.
    How to exercise: Contact us specifying what data is incorrect and what it should be replaced with. We may need to verify the correct information, but we will rectify errors promptly.
  • 8.3 Right to Erasure (Right to be Forgotten): You can ask us to delete your personal data when: (a) it’s no longer needed for the purposes we collected it; (b) you initially consented and now you withdraw consent and we have no other legal basis to keep it; (c) you object to processing based on legitimate interests and we don’t have an overriding reason to continue; (d) we processed your data unlawfully; or (e) we have to erase it to comply with a legal obligation. For example, if you submitted a job application but want us to delete it, you can request erasure.
    How to exercise: Contact us with a request to delete your data. We will evaluate your request under the GDPR criteria and inform you of the outcome. If we have a legal reason to keep some data (e.g., invoices, or a record that you asked us to not contact you), we’ll explain that. Otherwise, we will comply and confirm once deletion is completed. Please note that once deleted, we cannot recover your data.
  • 8.4 Right to Restrict Processing: In certain situations, you can ask us to halt the processing of your personal data, essentially freezing it in place. This can be done if: (a) you contest the accuracy of the data (until we verify it); (b) the processing is unlawful but you prefer restriction to deletion; (c) we no longer need the data but you need it for a legal claim; or (d) you have objected to our processing (see 8.6) and we are considering that objection. Restricting means we will store your data but not actively use it until the restriction is lifted.
    How to exercise: Contact us specifying you want to restrict processing and explain the circumstances. We will acknowledge the restriction and inform you before lifting it.
  • 8.5 Right to Data Portability: For data that you have provided to us and is processed by us by automated means under consent or contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format (for example, a CSV or JSON file), and you can also ask that we transmit it directly to another controller where technically feasible. In practice, this right likely applies to information you submitted in forms. If you wanted a copy of the data you provided to reuse elsewhere, this right facilitates that.
    How to exercise: Contact us and specify that you want your data in portable format. Let us know if you want us to send it to you or directly to another service. We will do our best to comply, provided it doesn’t adversely affect others’ rights (which usually isn’t an issue for your own data).
  • 8.6 Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (Art. 6(1)(f)) or public interest (Art. 6(1)(e)). You also have an unconditional right to object to direct marketing. In context of our activities: if we were processing your inquiry data under legitimate interest (say, following up with you), you could object and we would stop, unless we have compelling reasons not to (which is rare). For any marketing (which we only do with consent currently), you can opt out at any time and we will cease.
    How to exercise: If you receive any communication from us that you no longer wish to receive, let us know to stop. To object to any data processing, just contact us stating your objection. If it’s marketing, we’ll remove you from the list immediately (and you can always use an “unsubscribe” link if it’s an email newsletter). If it’s an objection to legitimate interest processing, we will review whether we have any overriding necessity; otherwise, we will honor your request.
  • 8.7 Right not to be subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or similarly significant effects. Code4Nord does not engage in fully automated decision-making without human involvement for decisions that could significantly affect you. For example, we do not use an algorithm to reject candidates without human review. If this ever changes, we will inform you and ensure such processing complies with GDPR (including obtaining consent if required).
  • 8.8 Right to Withdraw Consent: Where we rely on your consent for processing, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing that was done before your withdrawal. If you withdraw consent, we will stop the processing for which the consent was intended. For instance, if you consented to us keeping your CV for future opportunities, you can later withdraw that and we will delete your data (absent another lawful reason to keep it).
    How to withdraw: You can contact us at any time to withdraw consent. For something like newsletter emails, you can use the unsubscribe mechanism. For other consents (like the contact form), just send us an email stating that you withdraw your consent for us using your form data, and we will comply.


Exercising your rights: To exercise any of your rights, please contact us using the information in Section 9 (Contact Us). We may need to verify your identity (to make sure we don’t give your data to someone else or delete the wrong person’s information). We will respond to your requests without undue delay, generally within one month as mandated by GDPR. There is usually no fee for making a request; however, if a request is manifestly unfounded or excessive (e.g., repetitive), the law allows us to charge a reasonable fee or refuse the request – but we will explain our reasoning in such cases.


Finally, you have the right to lodge a complaint with a Supervisory Authority if you believe we have infringed your data protection rights. You can do this in the EU Member State where you live, work, or where the alleged infringement occurred. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP). We would, however, appreciate the chance to address your concerns directly before you approach the authority, so please feel free to reach out to us first.

9. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:
Code4Nord
Attn: Data Protection Officer
Address: Barbu Ștefănescu Delavrancea, Nr. 8, Cluj Napoca, Cluj, România
Email: dpo@code4nord.com
Phone: +40746073402
We will be happy to assist you and provide any information or assistance needed in relation to your personal data.

10. Updates to this Privacy Policy
We may update this Privacy Policy from time to time in response to evolving legal, technical, or business developments. When we update it, we will revise the “Effective Date” at the top. If changes are significant, we may also notify you by other means, such as by posting a notice on our website or contacting you via email if appropriate and we have your email.


We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continued use of our website or services after any modifications to this Policy will be subject to the updated terms.