Privacy Policy

This document describes how we process your personal data under Regulation (EU) 2016/679 (GDPR), Romanian Law 506/2004 and Regulation (EU) 2024/1689 (AI Act).

Version 2.0 · Last updated: 16 June 2026

1. Controller

LeadMotor AI — commercial name currently operated by:

  • Mircea Crașoveanu, natural person, currently registering as a Romanian sole trader (PFA) / limited company (SRL).
  • Address: will be made available upon official registration of the legal entity (estimated Q3 2026).
  • Contact email (including for GDPR requests): [email protected]
  • Person responsible for data protection (sole-person controller — no DPO obligation under GDPR Art. 37): Mircea Crașoveanu.

Upon SRL registration, identification details (legal name, registered office, tax ID, Trade Registry number) will be updated here and on the About page.

2. Data we process

Site visitors

  • Strictly necessary technical data: IP address, user-agent, timestamp, Cloudflare logs for security and DDoS protection.

Early-access / contact form

  • Name, work email, company, role (optional), niche / industry, free-text message.

RADU chatbot

  • Conversation content (text messages), IP address, timestamp, session identifier.
  • Before being sent to LLM models, content is automatically filtered for obvious personal data (email, Romanian phone, national ID, IBAN), which are replaced with placeholders.

B2B prospecting (post-SRL activity)

  • Public data about companies (legal name, tax ID, address, CAEN/NACE code) from ANAF and the Trade Registry.
  • Names of directors and shareholders — public data mandated by law (Romanian Law 26/1990).

3. Purposes and legal basis (GDPR Art. 6)

Activity | Purpose | Legal basis
Reply to form / email | Pre-contractual commercial communication | Consent — Art. 6(1)(a)
RADU chatbot | Provide AI assistant service | Consent — Art. 6(1)(a)
B2B prospecting (post-SRL) | Identify target companies | Legitimate interest — Art. 6(1)(f), with LIA documented internally
Email marketing to existing clients | Communication of similar offers | Soft opt-in — Romanian Law 506/2004 Art. 12(2)
Cloudflare logs / security | DDoS, anti-abuse | Legitimate interest — Art. 6(1)(f)

4. Recipients and processors

Your data may be processed by the following entities, each as a processor (GDPR Art. 28):

Processor | Country | Purpose | Transfer safeguard
Cloudflare Inc. | USA | Site hosting, Workers, security, edge AI | EU-US Data Privacy Framework (DPF)
Google LLC (Gemini API) | USA | AI model for RADU | EU-US Data Privacy Framework (DPF)
Groq, SambaNova, Cerebras | USA | LLM inference models | Standard SCCs / DPF verification in progress
Z.AI (Zhipu) | China | Long-context LLM model | GDPR Art. 49(1)(a) — explicit consent + PII redaction
Moonshot (Kimi) | China | Alternative LLM model | GDPR Art. 49(1)(a) — explicit consent + PII redaction
Telegram FZ-LLC | Dubai / UAE | Internal signup-form notification | GDPR Art. 49(1)(a) — consent; planned migration in Q3 2026 to an EEA processor (Resend EU)

List current as of 16 June 2026. Additions or removals of processors will be reflected here with the new version date.

5. Transfers outside the European Economic Area

Yes, transfers to non-EEA countries occur. Protection mechanisms:

  • USA: "EU-US Data Privacy Framework" adequacy decision (EU Commission decision of 10 July 2023, upheld by the CJEU on 3 September 2025) — for DPF-certified recipients.
  • China (Z.AI, Kimi): GDPR Art. 49(1)(a) derogation — explicit consent given by you via the "I agree with processing my conversation by international AI providers" checkbox in the chat widget, combined with technical measures (automatic redaction of obvious PII before transmission). Use of these providers is occasional, not systematic for special categories of data.
  • Dubai (Telegram): GDPR Art. 49(1)(a) derogation — implicit consent through form submission. The processor is used strictly for operational notification, not for profiling. Replacement with Resend EU is planned in Q3 2026.

If you do not want your data to be processed by non-EEA providers, contact us at [email protected] to use an alternative channel (direct email, phone).

6. Retention period

  • Early-access form: 24 months from the last communication or until consent is withdrawn.
  • RADU chatbot conversations: 30 days for identifiable content; afterwards anonymisation (we retain only statistical patterns without PII).
  • B2B prospect data (post-SRL): until objection or 36 months from the last interaction.
  • Emails and communication archive: up to 5 years (tax justification and commercial history).
  • Cloudflare logs: as per Cloudflare's policy (typically max. 30 days).

7. Your rights (GDPR Art. 15–22)

As a data subject you have the following rights:

  • Right of access (Art. 15) — to know what data we hold about you.
  • Rectification (Art. 16) — to correct inaccurate data.
  • Erasure / "right to be forgotten" (Art. 17).
  • Restriction of processing (Art. 18).
  • Portability (Art. 20) — to receive your data in a structured format.
  • Objection (Art. 21) — especially for processing based on legitimate interest.
  • Withdraw consent at any time (Art. 7(3)) — without affecting prior processing.
  • Right not to be subject to automated decision-making (Art. 22) — RADU assists, it does not make decisions with legal effect on you.

To exercise any right, write to [email protected]. We respond within 30 days.

8. Complaint to the supervisory authority

You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

9. Cookies

This site uses only strictly necessary cookies (Cloudflare session for security). We do not use third-party analytics, marketing pixels, or profiling cookies. That is why we do not display a consent banner — under Romanian Law 506/2004 Art. 4(5), no consent request is required.

The chat widget uses localStorage to remember your consent to conversation processing by international AI providers. This storage is local to your browser and is not transmitted to the server.

10. AI Act — RADU chatbot transparency

In application of Regulation (EU) 2024/1689 (AI Act) Art. 50, we inform you that:

  • You are interacting with an AI system, named "RADU".
  • Conversations are processed by AI models operated by the providers listed in section 4.
  • The disclosure banner is shown on the first load of the chat widget and includes an explicit consent mechanism for processing by international AI providers (especially non-EU).
  • RADU does not make decisions with legal or similarly significant effect on you (GDPR Art. 22 does not apply).
  • You have the right at any time to ask "are you AI?" or "am I talking to a human?" — RADU will transparently confirm its status as an AI agent.

11. Security

We implement appropriate technical and organisational measures under GDPR Art. 32:

  • TLS encryption on all HTTP channels.
  • Automatic redaction of obvious PII before transmission to external LLMs.
  • Cloudflare WAF + API rate-limiting.
  • FileVault enabled on the operator's devices.
  • Encrypted backup outside the primary device.
  • Restricted physical access to local processing systems.

12. Changes

This policy may be updated periodically. Significant changes will be announced via email to registered users and through a visible notice on the site for 30 days. Historical versions are available on request.

Version 2.0 · 16 June 2026 · Major update — added extra-EU recipients, AI Act Art. 50, explicit retention, full data-subject rights.