Privacy Policy
Last updated: March 31, 2026
1. Who We Are
SCIT Technology SRL (“PBXTools”, “we”, “our”) operates the PBXTools platform — an AI-powered suite of tools for telephone exchanges, including call transcription, reporting, softphone, and PBX security.
Our platform is designed exclusively for business use (B2B) and processes communication data on behalf of our customers. This policy describes what data we collect, how we use it, how we protect it, and what rights you have.
Data Controller: SCIT Technology SRL, Cluj-Napoca, Romania
DPO Contact: [email protected]
Official website: https://pbxtools.ro
2. Data We Collect
2.1 Data You Provide Directly
- Account data: Name, email address, company name, VAT/CUI number, phone number
- Billing data: Fiscal address, tax ID, card details (processed exclusively by Stripe — we do not store card data)
- Support: Messages, attachments, session logs submitted in support tickets
- Communications: Emails, messages via the contact form
2.2 Automatically Collected Data
- Analytics: IP address (anonymized via Cloudflare), browser, operating system, pages visited, time spent on site
- Cookies: Essential and optional cookies (full details in our Cookie Policy)
- Server logs: HTTP requests, timestamps, user agent, response codes — retained for security and troubleshooting
2.3 PBX Data (Processed for Customers)
This data is processed exclusively on behalf of our customers, in our capacity as Processor:
- CDRs (Call Detail Records): Call metadata — numbers, duration, timestamps, status (no audio content unless transcription is enabled)
- Transcriptions: Text output from Speech-to-Text processing, stored encrypted with restricted access
- AI Analyses: Summaries, sentiment scores, tags, alerts — derived data from automated processing
- Audio recordings: Stored only if the customer explicitly enables transcription; automatically deleted after processing
Important: We do not access or use customer PBX data unless explicitly requested (e.g., for troubleshooting) or as instructed through their account settings. Each customer’s data is completely isolated from other accounts.
3. Purpose of Processing and Legal Basis
| Purpose | Legal Basis (GDPR) | Retention Period |
|---|---|---|
| Service delivery | Art. 6(1)(b) — Contract performance | Contract duration + 5 years |
| Billing and payments | Art. 6(1)(c) — Legal obligation (fiscal) | 10 years (fiscal legislation) |
| Technical support | Art. 6(1)(f) — Legitimate interest | 2 years |
| Service improvement | Art. 6(1)(f) — Legitimate interest | 26 months (anonymized data) |
| Platform security | Art. 6(1)(f) — Legitimate interest | 12 months (logs) |
| Direct marketing (with consent) | Art. 6(1)(a) — Consent | Until withdrawal |
| PBX data processing | Art. 28 — Processing agreement | Per customer instructions |
4. Data Sharing
We never sell personal data. We share data only with:
Authorized Processors
| Partner | Purpose | Location | Basis |
|---|---|---|---|
| Cloudflare | CDN, DDoS protection, Web Analytics | Global (HQ in USA) | SCC + DPA |
| Stripe | Secure payment processing | Global (HQ in USA) | SCC + DPA |
| Hetzner | Server hosting, storage | Germany & Finland (EU) | DPA |
AI Providers
Transcription and AI analysis services receive only transcribed text, not original audio. All processing is under strict DPA agreements.
Authorities
We share data with authorities only when explicitly required by law (e.g., court orders, ANSPDCP requests).
All processors are GDPR compliant with signed Data Processing Agreements (DPA).
5. Embedded Content from Other Sites
Our pages may include third-party content:
- YouTube videos — for documentation and tutorials
- Stripe Elements — for payment processing
These services may collect their own data (IP, cookies) according to their own privacy policies. Interacting with this content is equivalent to directly visiting those sites.
6. Security Measures
We implement rigorous technical and organizational measures:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access: Role-based access control (RBAC) — each user accesses only their own data
- Isolation: Customer data is completely segregated between accounts
- Audit: Complete logging of all data access
- Location: Servers exclusively in the EU (Hetzner — Germany & Finland)
- Backup: Automated encrypted backups, 30-day retention
- Firewall: Multi-layered protection systems against unauthorized access
- Monitoring: 24/7 monitoring with automatic anomaly alerting
7. Automated Decision-Making
We use automated processing for the following purposes:
Security
- Automatic detection and blocking of unauthorized access attempts (brute-force, DDoS)
- Identification of suspicious behavior based on access patterns
PBX Data Processing
- Automatic call transcription via Speech-to-Text
- Automatic generation of summaries, sentiment scores, and alerts via AI models
- These processes are initiated exclusively by the customer and do not involve automated decisions with legal effects
No automated process produces decisions with significant legal effects without human intervention.
8. Your Rights (GDPR)
Under Regulation (EU) 2016/679, you have the following rights:
- Right of access (Art. 15) — Request a complete copy of personal data we hold
- Right to rectification (Art. 16) — Correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — “Right to be forgotten” (with legal exceptions — e.g., fiscal obligations)
- Right to restriction (Art. 18) — Limit processing in certain circumstances
- Right to portability (Art. 20) — Export in structured format (JSON/CSV)
- Right to object (Art. 21) — Refuse processing based on legitimate interest
- Right to withdraw consent (Art. 7) — At any time, without retroactive effects
How to Exercise These Rights
- Send an email to [email protected] with the subject “Exercise GDPR Rights”
- Specify which right you wish to exercise
- Provide sufficient information for identification (the email associated with your account)
- We respond within 30 days of receiving your request
- In complex cases, the deadline may be extended by 60 days, with prior notification
9. International Data Transfers
Primary data storage is exclusively in the EU (Hetzner servers in Germany and Finland).
For third-party services headquartered outside the EU (Cloudflare, Stripe), transfers are carried out based on:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Data Processing Agreements (DPA) signed with each provider
- Additional technical measures: end-to-end encryption, data minimization, pseudonymization
AI transcription services receive only text for processing, not directly identifiable personal data.
10. Security Incident Notification
In the event of a security incident affecting personal data:
- We notify ANSPDCP within 72 hours of discovery, per Art. 33 GDPR
- We inform affected users without undue delay, per Art. 34 GDPR
- We document the incident, its impact, and corrective measures taken
- We implement preventive measures to avoid similar incidents
11. Data Retention Periods
| Data Type | Duration | Reason |
|---|---|---|
| Account data | Contract duration + 5 years | Legal obligations |
| Billing data | 10 years | Fiscal legislation |
| PBX data (CDR, transcriptions) | Per customer settings | Customer-controlled |
| Server logs | 12 months | Security |
| Support data | 2 years | Legitimate interest |
| Analytics data | 26 months (anonymized) | Service improvement |
| Marketing data | Until consent withdrawal | Consent |
After the retention period expires, data is permanently deleted or irreversibly anonymized.
12. Cookies
We use essential and optional cookies. For complete information about cookie types, their duration, and management options, see our Cookie Policy.
13. Minors
Our services are exclusively for business entities and are not directed at individuals under 16 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a minor, we will delete it immediately.
14. Policy Changes
- We notify by email of substantial changes at least 30 days before they take effect
- Minor changes (clarifications, format updates) take effect upon publication
- The last update date is displayed at the top of the page
- We recommend periodically reviewing this page
15. Contact
SCIT Technology SRL
Cluj-Napoca, Romania
DPO Email: [email protected]
General Email: [email protected]
Phone: +40 376 443 322
Contact page: /en/contact
Supervisory Authority
If you believe your personal data has been handled incorrectly or your rights have not been respected, you may file a complaint with:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: www.dataprotection.ro