Privacy Policy

This policy explains what personal data Pagaia Studio collects, why, how it is protected, and what rights you have, whether you are a visitor to our website or a client engaging our services.
‍

1. Who We Are

Pagaia Studio SRL is a creative and digital studio registered in Romania.

• Company: Pagaia Studio SRL‍
• Address: Bulevardul Unirii nr. 20, Bl. 5, Sc. 1, Et. 7, Ap. 41, Sector 4, Bucharest, Romania
• VAT: RO18812710
• ‍Trade Reg.: J40/6676/2006‍
• Website: pagaia.studio‍
• Contact: hi@pagaia.studio

Pagaia Studio SRL is the entity responsible for data processing activities described in this policy.
‍

2. Data Processing Roles

Depending on context, Pagaia Studio acts in different capacities under GDPR:

• Data Controller: When we process personal data for our own business purposes - responding to enquiries, issuing contracts, and managing invoicing. We decide what data is collected and why.
  ‍
• Data Processor: When we process personal data on behalf of our clients, strictly following their documented instructions, as part of delivering agreed services (design, digital marketing, web development).

In either case, we apply the same standards of care to the data we handle.‍‍
‍

3. Data We Collect

We collect the minimum data necessary for each interaction.

• Website contact form
  Name, email address, message content
  → Submitted voluntarily by you
  ‍
• Client contracts
  Name, company, email, address, VAT number, bank details
  → Provided during onboarding
  ‍
• Business communication
  Name, email, professional context
  → Email or direct message
  ‍
• Invoicing & accounting
  Name, company, address, VAT, payment data
  → Provided for contract execution
  ‍

We do not process special categories of personal data (health, biometric, racial, political data) and we do not collect data from children under the age of 16.
‍

4. Legal Basis for Processing

Every processing activity has a specific legal basis under Article 6 of the GDPR:

• Contractual necessity (Art. 6(1)(b)) - processing required to deliver services agreed with you, including project execution, deliverable sharing, and client communication.
  ‍
• Legal obligation (Art. 6(1)(c)) - processing required to comply with Romanian accounting and tax legislation (e.g. retention of invoicing records).
  ‍
• Legitimate interest (Art. 6(1)(f)) - processing for general business communication and responding to inbound enquiries, where our interest does not override your rights and freedoms.

Where none of the above applies, we will ask for your explicit consent before processing.
‍

5. How We Use Your Data

We use personal data strictly for the following purposes:

• Responding to enquiries submitted through our contact form or by email
• Preparing, executing, and managing client contracts and project deliverables
• Issuing invoices and fulfilling accounting and tax obligations
• Internal business operations and record-keeping

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data for automated decision-making or profiling.
‍

6. Storage & Sub-processors

We use a small number of trusted third-party services to operate our business. These providers may process personal data on our behalf:

• Google LLC (Google Workspace)
  Purpose: Email, document storage, collaboration
  Location: USA
  Safeguard: EU-US Data Privacy Framework + SCCs
  ‍
• Webflow, Inc.
  Purpose: Website hosting & CMS
  Location: USA
  Safeguard: Standard Contractual Clauses (SCCs)
  ‍

We do not grant any sub-processor the right to use your personal data for their own purposes. Each provider is bound by data processing agreements.
‍

7. International Transfers

Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. Transfers to these providers are protected by one or more of the following mechanisms approved by the European Commission:

• EU-US Data Privacy Framework - for providers certified under this framework (e.g. Google LLC)
  ‍
• Standard Contractual Clauses (SCCs) - binding contractual obligations between the parties, as adopted by the European Commission (Decision 2021/914)

You may request further information about the specific transfer mechanisms in place by contacting us at hi@pagaia.studio.
‍

8. Data retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:

• Contract & invoicing data
  Retention period: 10 years from contract end
  Basis: Romanian accounting law (Law 82/1991)

• ‍Business communication
  Retention period: Duration of collaboration + 1 year
  Basis: Legitimate interest
  ‍‍
• Contact form submissions
  Retention period: Until enquiry is resolved, max 6 months
  Basis: Legitimate interest

After the applicable retention period, data is deleted or anonymised. Data stored in accounting records is subject to mandatory legal retention regardless of other preferences.
‍

9. Data Access & Security

Pagaia Studio is operated by a single administrator. Access to personal data is therefore limited to that individual and any directly engaged collaborators who are bound by confidentiality obligations.

We apply the following technical measures:

• Two-factor authentication (2FA) on all accounts used to access personal data
• Storage exclusively in reputable cloud services with encryption at rest and in transit (Google Workspace)
• Password management best practices; no shared credentials
• HTTPS enforced across our website

No method of data transmission or storage is entirely secure. In the event of a personal data breach, we will notify the relevant supervisory authority and affected individuals as required by GDPR Articles 33 and 34.
‍

10. Cookies

Cookies are small text files stored on your device when you visit a website. Below is a full account of what is used on pagaia.studio:

• Essential cookies (Always active): Necessary for the website to function correctly (e.g. Webflow CMS session management, form handling). These cannot be disabled without breaking core site functionality.

This site uses no analytics or marketing cookies. No cookie consent banner is displayed because no non-essential cookies are active. If analytics or marketing cookies are introduced in the future, a consent mechanism compliant with ePrivacy Directive requirements will be implemented before any tracking begins.

For questions about cookies, contact hi@pagaia.studio.
‍

11. Your Rights

Under the GDPR, you have the following rights regarding your personal data. These apply where Pagaia Studio acts as Data Controller.

• Right of Access: Request a copy of the personal data we hold about you and information on how it is processed (Art. 15).
  ‍
• Right to Rectification: Request correction of inaccurate or incomplete personal data (Art. 16).
  ‍
• ‍Right to Erasure: Request deletion of your personal data where it is no longer necessary or where you withdraw consent (Art. 17). Note: legally required records cannot be deleted.
  ‍‍
• Right to Restriction: Request that we limit the processing of your data in certain circumstances (Art. 18).
  ‍‍
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (Art. 20).
  ‍‍
• Right to Object: Object to processing based on legitimate interests at any time. We will stop unless compelling legitimate grounds exist (Art. 21).

To exercise any of these rights, email hi@pagaia.studio. We will respond within 30 calendar days. No fee applies for standard requests.

If you believe your rights have not been respected, you have the right to lodge a complaint with the Romanian data protection authority:

• ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) - www.dataprotection.ro
  ‍

12. Policy Updates

We may update this Privacy Policy when our practices change or when required by law. The date at the top of this page reflects the most recent revision. Material changes will be communicated via the website or directly to affected individuals where appropriate.

We recommend reviewing this page periodically. Continued use of our website or services after changes take effect constitutes acceptance of the updated policy.
‍

13. Contact

For any questions, requests, or concerns related to this Privacy Policy or the processing of your personal data:

• Pagaia Studio SRL: Bulevardul Unirii nr. 20, Bl. 5, Sc. 1, Et. 7, Ap. 41, Sector 4, Bucharest, Romania
• Email: hi@pagaia.studio‍
• Website: pagaia.studio
  ‍

© 2026 Pagaia Studio SRL. This policy is governed by Romanian law and Regulation (EU) 2016/679 (GDPR).

‍