
Privacy Policy.

How we collect, use and protect your personal data when you visit HartaFarmacii. Drafted in line with the GDPR (EU Regulation 2016/679).

Medical content is informational only

HartaFarmacii does not assume any liability for therapeutic decisions based on the information published. Always consult a doctor or pharmacist before taking any medication. In a medical emergency, call 112.


Last updated: 2026-04-17

1. Data controller

The hartafarmacii.ro service (hereinafter “HartaFarmacii” or “we”) is an independent price comparison tool and pharmacy locator for Romania. The data controller within the meaning of Regulation (EU) 2016/679 (GDPR) is the natural person Andrei-Șerban, a Romanian citizen residing in Romania, reachable at contact@hartafarmacii.ro.

For any request concerning your personal data — including the exercise of GDPR rights — please use exclusively the email address above. Given the scale of the project, the same email also serves as the Data Protection Officer (DPO) contact.

2. Data we collect

Our guiding principle is data minimisation: we collect only what is strictly necessary for the correct operation of the Service and for aggregated statistics. We do not build individual profiles of users and we do not sell data to third parties.

Specifically, we collect the following categories:

  • Technical server logs: IP address (stored in full in the nginx access logs for 30 days, then automatically deleted), request timestamp, accessed URL, HTTP status code, browser User-Agent and Referer. They are used for debugging, abuse protection and technical statistics.
  • Analytics (consent-based only): if you accept the cookie banner, we use Google Analytics 4 with IP anonymisation enabled and Consent Mode v2. The collected data (visits, interactions, device, approximate geographic region) is sent to Google only after your explicit consent.
  • Local preferences (localStorage): the chosen theme (dark/light), map filters and your cookie decision are stored in your browser’s localStorage. This data never leaves your device.
  • GPS location (on demand): if you use the “Nearby pharmacies” button, your browser asks for permission and uses the coordinates locally to filter the map. We do not send the coordinates to the server.
  • Email correspondence: when you write to our contact address, we keep your message for as long as is needed to resolve the request plus 6 more months in the archive, for legal traceability.

We do not collect names, dates of birth, national IDs, profile pictures or other personal identifiers unless you voluntarily send them to us by email.

3. Purposes of processing

We process your data exclusively for the following purposes:

  • Providing the Service — correct display of the map, search results and up-to-date prices.
  • Security and abuse prevention — detection of mass scraping, DDoS attempts and fraud.
  • Aggregated traffic analysis — understanding the most useful pages, devices used and geographic distribution, in order to continuously improve the Service.
  • Compliance with legal obligations — responding to duly motivated requests from competent authorities, within the limits of the law.
  • Communication with you — handling your queries, GDPR requests or content-related notifications.

4. Legal bases for processing

Pursuant to Article 6(1) GDPR, processing of your data relies on one of the following legal bases:

  • Legitimate interest (Art. 6(1)(f)) — for anonymised technical logs and for infrastructure security. Our legitimate interest (running a reliable Service) does not conflict with your rights and freedoms, given the small scope and technical nature of this data.
  • Explicit consent (Art. 6(1)(a)) — for analytics cookies (Google Analytics). You may withdraw consent at any time, without consequences for your access to the Service.
  • Performance of a contract or pre-contractual steps (Art. 6(1)(b)) — when you write to us with a question or request, data in your email is necessary in order to reply.
  • Legal obligation (Art. 6(1)(c)) — for data retention required by national or European legislation.

5. Cookies and similar technologies

We use three categories of cookies:

  • Strictly necessary cookies (no consent required) — the CSRF security token, theme preference (dark/light), cookie banner state. Without these cookies the site does not work properly, and the law does not require consent for them.
  • Analytics cookies (explicit consent) — Google Analytics 4 (_ga, _ga_*). Lifetime: 2 years. Disabled by default. You may accept or reject these cookies via the banner shown on your first visit and at any time thereafter, via the “Cookies” link in the footer.
  • Advertising cookies (explicit consent) — Google AdSense may set cookies (__gads, __gpi, NID, IDE) to serve ads, measure impressions / clicks and limit frequency. If you choose “Reject” in the cookie banner, any ads shown are non-personalised (contextual, without individual profiling), per Google Consent Mode v2. Typical lifetime: up to 13 months.

Google (LLC) is an independent controller for AdSense advertising cookies; its privacy policy is available at policies.google.com/privacy and you can manage ad-personalisation preferences at adssettings.google.com.

We do not use fingerprinting and do not set cookies outside the categories above (e.g. no independent remarketing, no data sharing with data brokers, no sale of user data).

You can also control cookies from your browser settings. Most browsers offer “Delete cookies” and “Block third-party cookies” options. Note that blocking strictly necessary cookies may affect site functionality.

6. Sharing with third parties

We share personal data only with the following providers, on the basis of standard contractual clauses approved by the European Commission:

  • Google Ireland Limited (Google Analytics 4 operator for the European Economic Area) — only if you accept analytics cookies. Data is pseudonymised by IP anonymisation and is not combined with other Google products that would enable individual identification.
  • Microsoft Bing Webmaster Tools — for SEO indexing and for IndexNow (quick notification of search engines when new content is published). No personally identifiable data is transmitted.
  • Yandex Webmaster — for IndexNow. Like Bing, no personally identifiable data is transmitted, only public URLs.
  • Hosting provider — our servers are located in the European Union (Germany), with an ISO 27001 compliant provider. The contract includes GDPR standard and confidentiality clauses.
  • Competent authorities — on a duly motivated, law-compliant request, we may disclose data to courts, police or other national authorities.

We never sell your personal data and we do not share it with marketing agents, data brokers or commercially-motivated third parties.

7. International data transfers

Our technical infrastructure is located entirely within the European Union. However, Google Analytics, by its nature, may process data on infrastructure located in the United States of America. For this transfer, Google Ireland Limited applies:

  • Standard contractual clauses approved by the European Commission (Decision 2021/914);
  • EU-US Data Privacy Framework (2023) — Google being a certified company;
  • Supplementary technical measures: IP anonymisation, data encryption in transit and at rest, strict access controls on a need-to-know basis.

8. Your rights (GDPR)

Under the GDPR, you have the following rights, which you may exercise free of charge at any time by writing to contact@hartafarmacii.ro:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may request correction of inaccurate data or completion of incomplete data.
  • Right to erasure (“right to be forgotten”, Art. 17) — you may request deletion of data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — you may request temporary suspension of processing in certain circumstances.
  • Right to data portability (Art. 20) — you may receive your data in a structured, machine-readable format (JSON or CSV), to transfer it to another controller.
  • Right to object (Art. 21) — you may object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — for analytics cookies, at any time, without consequences.
  • Right to lodge a complaint with a supervisory authority — in Romania, with the National Supervisory Authority for Personal Data Processing (ANSPDCP): dataprotection.ro.

We respond to GDPR requests within 30 calendar days of receipt. In complex cases, we may extend this deadline by a further two months and will inform you of the reasons. We verify your identity through a proportionate procedure: for access requests, confirmation of a reply to your registered email may be sufficient.

9. Retention periods

  • Server logs: 30 days, then automatically deleted.
  • Backups: 90 days, encrypted, then deleted.
  • Analytics cookies: 2 years from the last visit (standard Google Analytics duration); can be deleted at any time from the browser settings.
  • Email correspondence: duration of resolving the request plus 6 months, for legal traceability.
  • Local preferences (localStorage): remain on your device for as long as you keep them in your browser settings; we have no access to them.

10. Data security

We implement technical and organisational measures proportionate to the risk, including:

  • HTTPS enforced across the whole site (TLS 1.3, HSTS with preload);
  • strict Content Security Policy (CSP);
  • rate limiting on all API endpoints and public forms;
  • encrypted backups stored on separate servers;
  • database access restricted by IP allowlist and SSH public-key authentication;
  • log monitoring for detection of unauthorised access attempts;
  • security updates applied automatically within 24 hours of release for critical dependencies.

11. Minors

HartaFarmacii is not intended for persons under the age of 16, and we do not knowingly collect data from minors. If you are under 16, please do not accept analytics cookies and ask a parent or guardian to assist you if you wish to contact us.

If we learn that we have inadvertently collected personal data from a minor under 16 without parental or guardian consent, we will delete such data immediately. If you are a parent or guardian and suspect such a situation, please contact us urgently at contact@hartafarmacii.ro.

12. Amendments to this policy

We may update this policy as the Service evolves or as applicable legislation changes. For substantial changes, we will show an information banner on the main pages at least 30 days before the effective date. Previous versions are kept in the archive and can be provided on request.

13. Contact

For any question concerning this policy or your personal data, please use: contact@hartafarmacii.ro.

We personally respond to every request, in plain language, in line with Art. 12 GDPR (“concise, transparent, intelligible and easily accessible”).

Questions or requests? Email us at contact@hartafarmacii.ro.
