Privacy Policy

1. Introduction

VonStaff (hereinafter "the application" or "we") is a SaaS software solution for managing human resources, attendance, leave, and employee management. The confidentiality and security of your personal data are a priority for us. This Privacy Policy explains how we collect, use, and protect personal data, what categories of data we process and for what purposes, as well as what your rights are under Regulation (EU) 2016/679 (GDPR) and similar legislation outside the EU, such as the California Consumer Privacy Act (CCPA). By using our application, you agree to the practices described in this personal data policy.

2. Categories of Personal Data Collected

We collect only the personal data necessary for the operation and improvement of the VonStaff services. These data can be provided directly by users (for example, by employees or HR administrators of client companies) through the application’s forms and interfaces, or generated in the course of using the service. The categories of personal data that we may collect include:

• Identification data: Name, surname, gender, personal identification number (CNP) or equivalent, ID series and number, nationality, date of birth.
• Contact data: Home or mailing address, email address (personal and/or work), phone number (personal and/or work).
• Data regarding the employment relationship: Position/job title, type of employment contract, work schedule (full-time/part-time), working hours and attendance, leave and absence history, information about the department or work location (office, remote, etc.).
• Financial and fiscal data: Information required by labor and tax laws, such as salary, bank details for salary payment, personnel codes or identifiers (e.g., REVISAL number, COR code), tax status, applicable deductions or benefits.
• Additional data in the user profile: Profile photos, CV or professional summary, professional skills or certifications, performance evaluations (if managed through the application), and any other information the user or employer chooses to provide on the platform in an HR context.

We do not intentionally collect special categories of personal data (such as data regarding racial or ethnic origin, political opinions, sexual orientation, genetic or biometric data, health status, etc.), except in situations where this information is necessary and provided by the user or employer in the legal context of the employment relationship (for example, a medical fitness certification for employment). In such cases, we will apply additional protective measures, and processing will only be carried out on a basis permitted by law.

3. Purposes of Processing and Legal Grounds

VonStaff processes personal data only for legitimate, specified purposes and on an appropriate legal basis in accordance with the GDPR. Below are the main purposes for which we collect and use data, along with the applicable legal grounds:

• Administration of employment relationships and contract execution: We process employee and administrative staff data to facilitate the performance of the employment contract and associated services (recording worked hours, managing leave, timekeeping, payroll, etc.). Legal basis: performance of a contract to which the data subject is a party (Art. 6(1)(b) GDPR).
• Fulfillment of legal obligations: We process certain data to comply with obligations imposed by labor law, tax law, or other regulations (e.g., preparing payrolls, reporting to authorities such as ITM (labor inspectorate), ANAF (tax authority), etc.). Legal basis: legal obligation (Art. 6(1)(c) GDPR).
• Security and integrity of the application and data: We use login data and technical identifiers to ensure the security of accounts and IT infrastructure (e.g., preventing unauthorized access, detecting fraud or malicious activities). Legal basis: our legitimate interest in protecting systems and data (Art. 6(1)(f) GDPR).
• Service improvement and customer support: We may analyze in aggregate how the application is used to improve its features and user experience. We may also use contact data to provide technical support or to communicate with you regarding your use of the service. Legal basis: legitimate interest in developing the service (Art. 6(1)(f) GDPR) and, in some cases, your explicit consent (Art. 6(1)(a) GDPR), for example if you provide us with optional feedback.
• Marketing (commercial communications): We may use the email address of our clients’ administrators or representatives to send updates about our services, only if we have prior consent for this. Recipients can unsubscribe from such communications at any time. Legal basis: consent (Art. 6(1)(a) GDPR).

VonStaff will not use personal data in a manner incompatible with the above purposes without informing you and, if necessary, obtaining your prior consent.

4. Data Collection Method

We collect personal data directly from you in most cases: when you create an account, when you complete forms in the application (for example, filling out your employee profile) or when you actually use the platform’s features (time tracking, leave requests, etc.). In addition, certain data may be entered into the application by system administrators or by your employer (such as contractual or financial data required for personnel records). We also automatically collect some technical data when you interact with our application or website, such as the IP address, device type, operating system, and session information, through cookies and similar technologies (for details, see the Cookie Policy).

If we receive data about you from other sources (for example, updates provided by your employer or relevant public information regarding professional qualifications), we will ensure these data are processed in accordance with permitted purposes and with respect for your rights.

5. Data Storage and Security

We have implemented appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the personal data we process, in accordance with Art. 32 GDPR. The data are securely stored on secure servers provided by our hosting partner (CyberFolks, with data centers in the European Union), which applies high security standards, including encryption of stored data and secure transmission.

The security measures implemented by VonStaff include:

• Encryption of sensitive data – certain information (such as personal identification numbers, account passwords, or other sensitive personal data) is stored and transmitted using strong encryption algorithms, so that unauthorized access to these data is prevented.
• Two-factor authentication (2FA) – we have made two-step authentication mechanisms available for administrative access, which adds an extra level of protection when logging into accounts, preventing unauthorized access even if a password is compromised.
• Access control and confidentiality – our employees’ access to personal data is strictly limited based on the "need-to-know" principle and is protected by strict internal policies. Only authorized personnel trained in data protection have access to personal information, and only to perform technical support or service administration tasks.
• Monitoring and backups – we continuously monitor our infrastructure to detect security incidents and have procedures for periodic data backups, stored in secure environments, to ensure the ability to restore data in case of physical or technical incidents.
• Testing and evaluation – we periodically assess the effectiveness of our security measures and update our infrastructure and internal policies based on the evolution of risks and technologies, to maintain an adequate level of protection.

Although we make considerable efforts to protect your data, you must remember that no data transmission over the internet or storage technology is 100% secure. In the unlikely event of a security incident (data breach) that could affect your confidentiality, we will follow the legal notification procedures for both the competent authorities and the affected individuals, in accordance with our obligations (Art. 33 and 34 GDPR).

6. International Data Transfers

In principle, we store and process personal data within the territory of the European Union. However, in certain limited situations, some data may be transferred outside the European Economic Area (EEA), for example:

• Payment processing: if you use an online payment module (e.g., for purchasing a VonStaff subscription or other services offered), it is possible that billing or payment data will be transferred to our payment processor, Stripe, which also has servers in the United States.
• Global third-party services: if in the future we use other cloud services or analytics tools located outside the EEA (such as email services or push notifications), we will ensure that any data transfer takes place with appropriate safeguards.

In all cases of international transfer, we ensure that an adequate level of data protection is provided, in accordance with Chapter V of the GDPR. This means we will use approved legal transfer mechanisms, such as the Standard Contractual Clauses (SCC) issued by the European Commission, and will assess in advance the risks associated with these transfers. For example, for transfers to the USA, data sent to Stripe or other providers will be protected via SCC and, if applicable, additional security measures or updated international agreements. We will inform users if there are changes to the transfer mechanisms (for example, the implementation of a new EU–US privacy framework).

Important: VonStaff does not disclose or "sell" users’ personal data to third parties for commercial purposes. In the sense of the CCPA, "selling" personal data refers to providing information to a third party for financial or commercial purposes without consent – something we do not engage in. Any transfer of your data to third parties takes place exclusively for the permitted purposes mentioned in this policy, and involves providers acting either as processors who process data only on our behalf and according to our instructions, or as recipients who need the data based on a legal ground (e.g., authorities).

7. Rights of Data Subjects

Your rights under GDPR (for users in the European Union):
As a data subject, you have a number of rights guaranteed by the GDPR, which VonStaff respects. These rights include, primarily:

Right to be informed – you have the right to be informed about the personal data we collect and how we process it (this privacy policy helps fulfill this right).

Right of access – you can request confirmation of whether or not we are processing your personal data and, if so, access to that data and relevant additional information (purposes, categories of data, recipients, storage period, etc.).

Right to rectification – you can request the correction of inaccurate personal data or the completion of data that are incomplete.

Right to deletion (right to be forgotten) – under the conditions provided by law, you can request the deletion of your personal data (for example, if the data are no longer necessary for the purposes of collection or you have withdrawn consent and there is no other legal basis for processing). We will delete the data at your request if the legal conditions are met (Art. 17 GDPR), while also taking into account our archiving or retention obligations required by law.

Right to restriction of processing – you can request the temporary suspension of data processing in a number of situations, for example if you contest the accuracy of the data or if the processing is unlawful, until the issue is resolved.

Right to object – you can object, on grounds relating to your particular situation, to processing based on our legitimate interest. We will comply with the objection unless we have compelling legitimate grounds that justify continuing the processing or if we process the data for mandatory legal reasons. Additionally, you have the right to object at any time to the processing of data for direct marketing purposes (if any).

Right to data portability – you have the right to receive the personal data you have provided to us, in a structured, commonly used, and machine-readable format, and the right to request the transmission of this data to another controller, where technically feasible. This right only applies to data processed by automated means, based on consent or the performance of a contract.

Right not to be subject to an automated individual decision – VonStaff does not use exclusively automated decision-making processes that produce legal or similarly significant effects for users (such as automated profiling without human intervention). In general, you have the right not to be subject to a decision based solely on automated processing if that decision produces legal effects concerning you.

To exercise any of the above rights, you can contact us at any time at the email address indicated in the Contact section of this policy. We will respond to valid requests within the legal term of 30 days (which can be extended under the GDPR by up to 60 days if the request is complex, in which case we will inform you of the need for extension). Note that for certain requests we may ask for additional information to verify your identity (for example, an ID or other contact details) before complying, especially in the case of sensitive data, to ensure we do not disclose personal data to an unauthorized person.

You also have the right to file a complaint with the national data protection supervisory authority if you believe your rights have been violated. In Romania, this authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP – www.dataprotection.ro). However, we would appreciate the chance to resolve any issue amicably – we encourage you to contact us first, and we will make every effort to assist you.

Additional rights for California residents, under the CCPA (California Consumer Privacy Act, amended by CPRA):
If you are a California resident, local law grants you certain rights regarding your personal data, largely similar to those above, but also with some specifics. In accordance with CCPA/CPRA, as a consumer you have, mainly, the following rights:

Right to be informed (Right to notice) – the right to know what categories of personal information a business collects about you and for what purposes those informations are used. This includes the right to know if your data are sold or disclosed to other entities and to which categories of third parties. (This privacy policy provides you with this information.)

Right of access / Right to know – you can request a company that holds your data to inform you what personal information it has collected about you, from where it was collected, the purpose of collection, the categories of third parties with whom it was shared, and the specific personal information collected. Upon your request, we will provide a report on the personal data we have collected about you over a specific period (generally the last 12 months, according to the CCPA).

Right to deletion – similar to the right to be forgotten under the GDPR, you have the right to request the deletion of personal information that a company has collected from you, subject to the exceptions provided by law (for example, if the information is necessary to provide a requested service, to comply with a legal obligation, or for other permitted purposes). If we receive a valid deletion request, we will remove personal data from our systems, except for those data we are obliged to retain (e.g., for legal record-keeping or if the data are necessary to defend a legal right in court).

Right to opt out of the sale of personal data – you have the right to request that we do not sell your personal information to third parties. VonStaff does not engage in sales of personal data, as mentioned, but this right means that if we ever intend to share your data in a way that would be considered a "sale" under the CCPA, we will ensure you have the opportunity to opt out before such disclosure takes place. On our website, California residents can use cookie management options or tools like Global Privacy Control (GPC) to exercise this right with regard to online identifiers (GPC is a signal that the browser can send to indicate the preference not to sell data; we will honor such signals to comply with the CCPA).

Right to correction – you have the right to request that we correct any inaccurate personal information we hold about you. This right was introduced by the CPRA amendment and ensures that your data can be kept up to date and accurate upon request. If you notice that certain data in your profile or in our records are incorrect or incomplete, you can ask us to update them, and we will act accordingly.

Right to limit use of sensitive personal information – to the extent that we collect sensitive personal information about you (as defined by CCPA/CPRA, e.g., personal identification numbers or other unique identifiers, financial data, health or genetic information, racial or ethnic origin, religious beliefs, etc.), you have the right to request that we limit the use or disclosure of this information strictly to purposes permitted by law. In practice, if we process such sensitive data, they will be used only for providing the service or other essential purposes (such as security or legal compliance), and not, for example, for targeted behavioral advertising without consent.

Right not to be discriminated against – you have the right not to receive any unfavorable treatment from us for exercising any of the above rights. We will provide our services under the same conditions regardless of whether you choose to request data access, deletion, or exercised your right to object. We will not refuse services, provide a lower quality of service, or impose penalties just because you exercised your legal privacy rights.

To exercise any of the consumer rights granted by the CCPA, you can contact us at the same email address mentioned at the end of this policy (or through any available contact method). We will verify the identity of the requester (to ensure you are authorized to receive the data in question) and will respond to the request within the timeframes provided by California law. We assure you that we will not discriminate in any way against individuals who exercise their rights under the CCPA (for example, we will not deny access to the application or provide inferior services to those who make such requests).

Note: In most cases, the rights provided by GDPR and CCPA overlap in purpose and effect. Thus, we will attempt to fulfill any request in a comprehensive manner favorable to the data subject, regardless of which legislation it is made under. For example, a data access request from a user outside the EU will be handled with the same level of detail and transparency as required by the GDPR, and a deletion request from a user in the EU will be honored taking into account the exceptions provided by the CCPA (if applicable, for example for data necessary to provide the service). Our goal is to ensure all users have control over their personal data, according to the highest applicable privacy standards.

8. Third-Party Providers and Processors (data recipients)

To provide the VonStaff service at high standards, we collaborate with certain trusted third-party providers. Your personal data may be transmitted to these third parties only when necessary for operating and maintaining the service, and only under conditions of safety and contractual confidentiality. The main recipients and processors who might have access to certain data are:

Hosting provider (hosting) – CyberFolks (or another equivalent EU partner) provides the cloud infrastructure on which the application is hosted. Consequently, data stored on our servers may be accessible to this provider strictly for technical purposes (hardware/software maintenance). CyberFolks is a company with data centers in the EU and is contractually obliged to comply with GDPR and to implement strong security measures to protect data.

Payment processor – Stripe, Inc. (USA) processes online payments made by users (for example, payment of VonStaff subscriptions or services). To process a payment, certain data may be necessary, such as the cardholder’s name, billing address, or payment details. Stripe is certified regarding industry data security standards (PCI DSS), and we have also signed Standard Contractual Clauses with Stripe for the protection of data transferred outside the EU. Stripe is committed to using personal data only for payment processing and as required by law.

Web analytics services – Google Analytics (provided by Google Ireland and Google LLC) may collect information about how you visit the public VonStaff website (e.g., pages visited, session duration, device type). These data are generally aggregated and anonymized (they do not directly identify an individual) and help us understand traffic and improve the website. Google acts as a processor for these analytics data. We have configured Google Analytics so that your IP address is anonymized (truncating the last octets) and we do not allow Google to use or share this data except to provide us the analytics service. You can always refuse analytics cookies (see the Cookie Policy) and, in that case, Google Analytics will not collect data about your visit.

Other service providers – Occasionally, we may use other companies or contractors for ancillary services: for example, software maintenance, email services (for sending notifications or communications to users), customer support services (helpdesk), or IT consulting. In all such cases, if these entities require access to personal data, they will act either as processors (processing data solely on our behalf and according to our instructions) or as joint controllers (if they have their own legal obligations, e.g., an external auditor). We will sign specific data processing agreements with each provider, ensuring that they respect the confidentiality and security of your data.

All our partners and providers are carefully selected to ensure they adhere to high data protection standards. We conclude data processing agreements with each provider acting as a processor, in accordance with Art. 28 GDPR, which legally obliges them to keep your data confidential, to use it exclusively for the purpose of providing the service to us, and to implement appropriate technical and organizational security measures. We also do not allow these third parties to use your data for their own purposes (e.g., their own marketing) and we forbid them from disclosing the data further without authorization.

Aside from the providers mentioned, we do not disclose your data to anyone else, except in situations where we have a legal obligation to do so (for example, at the legitimate request of a public authority or in the context of legal proceedings).

9. Internal Data Protection Policies

VonStaff (operated by Von Consulting) has adopted rigorous internal policies to ensure compliance with data protection legislation (GDPR) and to maintain the confidentiality of information:

• Management and staff commitment – All members of our team are aware of the importance of data protection. The company’s management actively supports compliance with GDPR/CCPA rules, and employees with access to data are subject to contractual confidentiality obligations.
• Staff training – Relevant staff are periodically trained in information security and personal data protection, to stay up to date with best practices and their legal responsibilities.
• Data minimization – We follow the principle of "data minimization": we collect and process only the data strictly necessary for the purposes pursued, avoiding as much as possible the processing of excessive data. We also anonymize or pseudonymize data where using real data is not necessary (for example, in system testing or generating internal statistics).
• Audit and compliance – We conduct periodic evaluations of how data are processed within our organization and ensure that we keep necessary documentation up to date (such as records of processing activities, impact assessments where applicable, data retention policies, security incident response procedures).
• Protection by design and by default – In developing and improving the VonStaff platform, we integrate data protection measures from the outset in the technical architecture and adopt the most privacy-protective default settings for users, according to the "Privacy by Design & by Default" principle.

Through these internal measures, we aim to ensure that personal data is processed in a responsible and transparent manner, in accordance with legal requirements and the expectations of our users.

10. Data Protection Officer (DPO)

To independently oversee the compliance of our operations with data protection rules, we have appointed a Data Protection Officer (DPO). The DPO’s role is to advise and inform the company and employees about GDPR obligations, to monitor compliance with the rules, and to be the contact point for data subjects and the supervisory authority.

If you have any questions, concerns, or requests related to your personal data or how VonStaff processes it, you can address our DPO using the contact details below (see the Contact section). The DPO’s involvement ensures that any such communication will be handled seriously and confidentially, and you will receive a response as soon as possible.

11. Data Retention Period

We retain personal data only for the duration necessary to fulfill the purposes for which it was collected, except when there are legal archiving obligations or legitimate interests that justify retention for a longer period. Specifically:

• User account data (profile, authentication information, basic info) are kept for as long as you have an active account on the VonStaff platform. If you or your employer decide to close the account, we will delete or anonymize the data within a reasonable time (usually within 30 days), except for data that must be retained by law.
• Personnel records data (timekeeping, contracts, HR documents) will be retained as long as needed for administrative and compliance purposes. For example, timekeeping or salary data may be kept for the duration of the employment relationship and afterward, in accordance with the archiving periods imposed by labor and financial-accounting legislation (which in Romania can be 5 to 10 years for certain financial-accounting documents).
• Contact data for commercial communications (if you subscribed to our newsletter or consented to be contacted) will be processed until you unsubscribe or exercise your right to object; once you have withdrawn your consent, we will no longer use your email for marketing, though we may keep it in an internal "suppression" list to ensure you are not accidentally contacted again.
• Data collected through cookies have a specific storage duration for each cookie (see the Cookie Policy), and after that period expires, the data are automatically deleted by your browser. Analytics information stored by us (e.g., in Google Analytics) is aggregated and retained for long-term trend analysis, but it no longer contains direct personal identifiers once it has been aggregated or anonymized.
• Security logs and backups: logs that may contain IP addresses or user actions (e.g., logins, changes made) are usually kept for a few months up to a year, for security purposes (to be able to investigate potential incidents). Data backups are rotated and stored, usually for short periods (e.g., the last few daily backups and some monthly backups), after which they are gradually deleted, except in cases where they need to be retained longer in connection with an exceptional event.

Upon the expiration of the relevant retention period, or if we receive a legitimate deletion request and have no legal ground to continue processing, we will securely remove personal data from our systems, through automated or manual mechanisms (ensuring the deletion is irreversible). If certain data are stored in backup copies that cannot be immediately deleted, we will continue to protect them until their removal (for example, by restricting any access or use).

12. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in our data processing practices or legal and technological developments. When we update the policy, we will publish the new version on our website (and in the application, if applicable) and will modify the "Last update" date at the end. In the event of substantial changes that could affect your rights or freedoms, we will attempt to inform you proactively (for example, through an in-app notification or email, if we have your email address). We recommend that you check this page periodically to stay informed of any updates. Continuation of using the VonStaff application after any updates take effect will constitute acceptance of the revised Privacy Policy.

13. Contact

For any questions, concerns, or requests related to this Privacy Policy or how VonStaff processes personal data, you can contact us using the following:

• Email (DPO): gdpr@vonconsulting.ro
• Postal address: 1455 Frazee Road, Suite 500, San Diego, CA 92108
• Online form: You can also send us requests through the contact form available on our website, in the Contact section. Please mention that your inquiry is about privacy or personal data, so it can be directed correctly.

We will respond to all requests as soon as possible, but no later than the applicable legal deadlines. We are committed to resolving any privacy-related complaint or issue diligently and transparently.

Last update of this Privacy Policy: March 29, 2025