Privacy Policy
Effective date: 2026-05-17. This notice is issued under Art. 13 of Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 190/2018.
1. Who We Are (Data Controller)
The data controller for personal data processed through this website is:
CIPRIAN-PAUL FRANDEȘ - CABINET DE AVOCAT
Brand: Frandeș Law
Form of organisation: individual law office (cabinet individual de avocat) under Law no. 51/1995 on the organisation and practice of the legal profession and the Statute of the Legal Profession.
Bar registration: Baroul București. Titular: Avocat Ciprian Frandeș, member since 2013.
Registered office: Timișoara Blvd. no. 26, Plaza Romania Offices, 1st Floor, Office 115-116, Sector 6, 061344 Bucharest, Romania.
Email: ciprian@frandes.law
Phone: +40 746 426 538
Insolvency and restructuring matters are handled under a separate professional entity led by the same titular:
FRANDEȘ CIPRIAN-PAUL CABINET INDIVIDUAL DE INSOLVENȚĂ
Trading style: CII FRANDEȘ CIPRIAN PAUL (operating under the Frandeș Law brand)
Form of organisation: individual insolvency practitioner's office (cabinet individual de practician în insolvență) under Government Emergency Ordinance no. 86/2006 on the organisation of the insolvency practitioner's profession (approved with amendments by Law no. 254/2007) and the UNPIR Statute.
Professional registration: Uniunea Națională a Practicienilor în Insolvență din România (UNPIR), Filiala București, Registrul Formelor de Organizare (RFO) no. 5369, registered on 19 December 2025. Annual atestat valid through 31 December 2026 (renewable).
Correspondence address: same as above (Bd. Timișoara nr. 26, Plaza Romania Offices, 1st Floor, Office 115-116, Sector 6, 061344 Bucharest, Romania).
Email: ciprian@frandes.law
Phone: +40 746 426 538
Both entities operate under the unified brand Frandeș Law and are personally led by Avocat Ciprian Frandeș. The applicable controller for a given matter is the one whose regulatory framework governs that matter (Baroul București for advisory and litigation; UNPIR for insolvency and restructuring).
Attorney-client privilege from first contact. Any personal data or information you share with us, whether through the contact form, the AI chat assistant, email, or telephone, is protected by the obligation of professional secrecy set out in Article 11 of Law no. 51/1995 on the organisation and practice of the legal profession (for advisory matters) and by the equivalent confidentiality obligations under OUG no. 86/2006 and the UNPIR Statute (for insolvency matters), even if you do not subsequently engage us. This protection applies in addition to your rights under the GDPR.
2. What Data We Process and For What Purpose
This website processes personal data only through the surfaces listed below. We do not process any data beyond what is described here.
2.1 Contact Form
When you submit the contact form, we collect your name, email address, phone number (optional), and the content of your message. We also collect your IP address as part of the server-side processing of your request (for rate-limiting and spam prevention).
Purpose: to receive and respond to your inquiry, and to assess whether a professional relationship may be established.
2.2 AI Chat Assistant
The chat widget on this site is powered by an AI model (Mistral AI). When you send a message, the text you type is transmitted to our server and then forwarded to Mistral AI for processing. Your IP address is captured server-side. We do not log the content of chat messages. The conversation history exists only in your browser's memory for the duration of your session and is lost when you navigate away or close the tab.
Purpose: to provide you with answers about our practice areas and services. This assistant is AI-powered and does not provide legal advice.
2.3 CUI Lookup Tool
When you use the CAEN migration tool to look up a company by its CUI (registration number), the CUI is sent to our server to query publicly available ONRC data. We do not log CUI lookup requests. No personal data is collected by this tool unless the CUI belongs to a sole trader (PFA/II), in which case it may indirectly identify a natural person. The data returned is sourced from the ONRC open data register (data.gov.ro).
Purpose: to display publicly registered company information to assist with CAEN code migration planning.
2.4 Free Legal Calculation Tools
The cap-table modelling tool, Civil Code term calculator, insolvency timeline generator, BVB capital-markets AGM calendar, and CAEN code-search function all operate entirely in your browser. No data entered into these tools is transmitted to our server or to any third party. We do not process any personal data through these tools.
2.5 Server Access Logs
Our hosting server (Hostinger UAB, Germany) automatically records standard access log entries for every HTTP request: IP address, request path, response status code, and response size. These logs are used for network security monitoring and abuse prevention. Log entries for the contact form and chat endpoints contain only your IP address and request metadata, not your name, email, or message content.
Purpose: network security and abuse prevention.
2.6 Third-Party CDN Services (Tailwind CSS)
Since 2026-05-17, this site no longer transmits any data to Google for typography. All fonts (Playfair Display and Inter) are served from our own server infrastructure (Hostinger UAB, Germany, intra-EEA). No font-related data is sent to Google.
The Tailwind CSS framework is loaded from the Tailwind CDN (Tailwind Labs Inc., USA). This is loaded passively on each page visit. By making this request, your browser transmits your IP address and User-Agent string to Tailwind Labs' servers in the USA. We do not receive or store this data ourselves. For further detail, see our Cookies and Storage page.
Purpose: rendering the website's styling. Font delivery occurs entirely within the EEA.
2.7 Static Office Map
The contact page displays a static map image of the office location. This image is served from our own server infrastructure (Hostinger UAB, Germany) and does not involve any third-party scripts, cookies, or tracking. No personal data is processed by displaying this image. The page also contains two deep links (to Google Maps and Apple Maps) that open in a new browser tab when you choose to click them. These links are user-initiated and we have no access to any data processed by the map provider as a result of your click.
Purpose: to assist visitors in locating the office.
3. Legal Basis for Processing
We process personal data under the following legal bases set out in Art. 6(1) GDPR:
- Art. 6(1)(b) (pre-contractual steps): processing your contact form data (name, email, phone, message) to assess and respond to your inquiry, at your own request, as a step towards potentially entering a legal services engagement.
- Art. 6(1)(f) (legitimate interest): processing IP addresses in server access logs (legitimate interest in network security and abuse prevention); transmitting chat messages to the Mistral AI model (legitimate interest in providing the assistant service); loading the Tailwind CSS framework from the Tailwind CDN (legitimate interest in rendering the website correctly). In each case, our legitimate interest is balanced against a low impact on your privacy: the data is technical in nature and is not used for profiling or marketing.
We do not process data on the basis of consent (Art. 6(1)(a)) for any current processing activity. We do not conduct direct marketing. If this changes, we will update this notice and, where required, seek your consent.
4. Recipients and Transfers Outside the EEA
We share personal data with the following processors, only to the extent necessary for each purpose:
| Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hostinger UAB | VPS hosting (server infrastructure) | Germany (EEA) | Intra-EEA; Hostinger DPA |
| Resend Inc. | Email delivery for contact form submissions | USA (extra-EEA) | Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework |
| Mistral SAS | AI inference for chat assistant | France (EEA) | Intra-EEA; no transfer required |
| Tailwind Labs Inc. | Tailwind CSS CDN (passive, every page load) | USA (extra-EEA) | DPA/DPF status to be confirmed |
| Microsoft Corporation | Email inbox (Microsoft 365) for ciprian@frandes.law | EEA (if M365 EEA residency is configured) or USA | Microsoft DPA; EU-US Data Privacy Framework where applicable |
Contact form submissions received via Resend are delivered to the ciprian@frandes.law inbox hosted on Microsoft 365. The email body contains your name, email address, phone number, message, and IP address. Emails in that inbox are retained for as long as the operator maintains the mailbox (typically indefinitely until manually deleted). If this is a concern, you may request deletion by contacting us at ciprian@frandes.law.
We anticipate no other transfers of personal data outside the European Economic Area. Where a legal mandate requires sharing data with foreign counsel or authorities, the transfer will be based on Art. 49(1)(b) GDPR (transfer necessary for the performance of a contract to which the data subject is party) or another applicable derogation.
5. Retention Periods
| Data | Retention period |
|---|---|
| Contact form submissions (inquiries that do not become client files) | 24 months from receipt |
| Client files (where a legal services engagement is concluded) | Duration of the engagement plus a minimum of 10 years from closing, in accordance with the archival obligations under the Statute of the Legal Profession (Statutul profesiei de avocat) and the National Archives Law no. 16/1996 |
| Server access logs (IP address, request metadata) | 90 days |
| Chat assistant messages | Zero retention by us. The conversation exists only in your browser's memory and is not stored on our server or by Mistral AI beyond what their own data processing terms permit for EU users. |
| CUI lookup requests | Not logged. No retention. |
| Free tool inputs (cap-table, term calculator, etc.) | Not processed by us. Local browser only. |
6. Your Rights
Under GDPR and Romanian Law no. 190/2018, you have the following rights in relation to personal data we hold about you:
- Right of access (Art. 15 GDPR): you may request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to rectification (Art. 16 GDPR): you may request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): you may request deletion of your personal data, subject to legal retention obligations (for example, client files must be retained for the period required by the Statute of the Legal Profession).
- Right to restriction of processing (Art. 18 GDPR): you may request that we restrict processing in certain circumstances, for example while a rectification request is pending.
- Right to data portability (Art. 20 GDPR): where processing is based on your consent or on a contract and is carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): you may object to processing based on legitimate interest (Art. 6(1)(f)). We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
To exercise any of these rights, please send a written request to ciprian@frandes.law. We will respond within one month of receipt, as required by Art. 12 GDPR. No fee is charged for a first request. Where requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee or decline to act.
7. Right to Lodge a Complaint
If you consider that the processing of your personal data infringes GDPR or Romanian Law no. 190/2018, you have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Bd. G-ral Gheorghe Magheru nr. 28-30, Sector 1, București, 010336, România
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro
You may also lodge a complaint with the supervisory authority of any EU member state where you reside, work, or where an alleged infringement occurred.
8. Automated Decision-Making and Profiling
We do not carry out any automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of Art. 22 GDPR. The AI chat assistant generates informational responses only and has no decision-making authority whatsoever.
9. Special Categories of Personal Data
We do not process special-category data (as defined in Art. 9 GDPR: health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning sex life or sexual orientation, or criminal convictions) through this website. If the provision of legal services requires processing special-category data, that processing is governed separately by the engagement agreement between the client and the cabinet, not by this notice.
10. Cookies and Local Storage
This website sets no cookies, no localStorage, and no sessionStorage entries. We do not use analytics software, tracking pixels, or any form of behavioural profiling.
The only remaining third-party data transmission is the passive HTTP request made by your browser to the Tailwind CDN (Tailwind Labs Inc., USA) when each page loads (see section 2.6 above). This request transmits your IP address and User-Agent to servers in the USA. Since 2026-05-17, this site no longer loads any resources from Google: fonts are served from our own server. Because no information is stored on or read from your device by these services, Art. 5(3) of the ePrivacy Directive (implemented by Romanian Law no. 506/2004) does not require us to obtain your consent before they load. The legal basis is our legitimate interest in delivering a correctly rendered website (Art. 6(1)(f) GDPR).
For full detail, including what we do not do (no Google Analytics, no tracking pixels, no advertising), see our Cookies and Storage page.
11. Changes to This Notice
We may update this notice from time to time to reflect changes in our processing activities, applicable law, or the advice of supervisory authorities. The effective date at the top of this page indicates when it was last revised. Where changes are material, we will take reasonable steps to inform you.
12. Contact
For any questions about this notice or about the processing of your personal data, please contact us at ciprian@frandes.law or by post at the registered office address listed in section 1.