Back to Payvera

Privacy Policy

Last updated: 2026-05-23

This Policy explains how Gheorghe SRL (trading as Payvera) processes personal data. It is issued under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Romanian Law 190/2018.

1. Data controller

2. Two roles, two scopes

Payvera processes personal data in two distinct roles:

  • As Controller — for our website visitors, Merchants who sign up, and account holders. We decide why and how this data is processed.
  • As Processor — for end-customer data passing through a Merchant's checkout (email, billing address, transaction metadata). The Merchant is the Controller; we act on documented instructions in the Merchant Agreement.

3. What we process and why

Merchants (controller)

  • Account data (email, name, business name, password hash) — contract performance, Art. 6(1)(b).
  • Stripe Connect account ID, payout status — contract performance.
  • Dashboard usage, IP address, session cookies — legitimate interest in service security, Art. 6(1)(f).
  • Communications (support emails, billing) — legitimate interest and legal obligation.

End customers paying at checkout (processor on behalf of Merchant)

  • Email, cardholder name, billing address — to create the Stripe Payment Intent.
  • Card data is never seen or stored by Payvera. It is collected directly by Stripe's Payment Element and tokenised by Stripe.
  • Transaction outcome, last 4 digits, card brand — for receipts and dispute handling.

4. Sub-processors

We use the following sub-processors:

  • Stripe Payments Europe, Ltd. (Ireland) — payment processing and Connect platform.
  • Lovable Cloud / Supabase (EU region) — database, authentication, and file storage.
  • Cloudflare, Inc. — edge serving and DDoS protection.

All sub-processors are bound by GDPR Art. 28 contracts and process data inside the EEA or under approved transfer mechanisms (Standard Contractual Clauses).

5. Retention

  • Account data: for the duration of your account, plus 10 years for accounting and tax records required by Romanian law.
  • Transaction data: 10 years (Romanian Accounting Law 82/1991).
  • Support emails: 2 years.
  • Server access logs: 90 days.

6. Your rights

Under GDPR you may request:

  • access to your data (Art. 15);
  • rectification (Art. 16);
  • erasure, subject to legal retention obligations (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • objection to processing based on legitimate interest (Art. 21).

Email privacy@payvera.ro. We respond within 30 days. If you are dissatisfied you may lodge a complaint with the Romanian supervisory authority ANSPDCP (dataprotection.ro).

7. International transfers

Data is primarily stored in the EU. Where Stripe or Cloudflare processes data outside the EEA, transfers are covered by Standard Contractual Clauses approved by the European Commission.

8. Cookies

See our Cookie Policy.

[LAWYER REVIEW] Confirm sub-processor list, retention periods against Romanian sector-specific law, and DPO appointment threshold (Art. 37 GDPR).

Payvera is a product of Gheorghe SRL, a company registered in Romania. Payment processing is provided by Stripe Payments Europe, Ltd., a regulated payment institution.