Privacy Policy

Last updated: September 18, 2025

Please read this Privacy Policy of CMR Management, a service operated by SC Rage Solutions S.R.L., headquartered in Romania, Targu Mureș, Str. 1 Decembrie 1918, Nr. 275, Ap. 7, registered with the Trade Register under no. J26/65/2006, tax identification code RO18297258 (hereinafter “CMR Management”, “we”, “our”, or “us”).

By subscribing to and using CMR Management services and websites, you agree to and accept all terms set forth in this Privacy Policy. If you accept these terms on behalf of a company or organization, you warrant full authority to bind the company or organization.

1. General

This Privacy Policy explains how CMR Management processes personal data of users and clients in connection with our websites and services. We are committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2020/1056 on electronic freight transport information (eFTI), the EU Data Act (Regulation (EU) 2023/2854), and other applicable data protection laws. Our services are for business use only and not directed at individuals under 16, per GDPR Article 8. We do not knowingly collect or process children’s data. A Data Processing Agreement (DPA), per GDPR Article 28, is incorporated into our Terms and Conditions and available upon request. This policy applies to all CMR Management websites and services but not to third-party websites, applications, or services accessible via links.

2. Definitions

  • Client: Legal entity subscribing to our services.
  • User: Individual authorized by the Client to use our services.
  • Personal Data: Information relating to an identified or identifiable person.
  • Processing: Any operation performed on personal data.
  • Data Controller: The Client (for uploaded data) or CMR Management (for account and billing data).
  • Data Processor: CMR Management, when processing data on behalf of the Client.
  • Joint Controller: Under eFTI Regulation (EU) 2020/1056, Clients may act as joint controllers with other transport entities (e.g., carriers, consignees) for CMR document data. CMR Management acts solely as a data processor in such cases, per agreed terms.

3. Categories of Personal Data We Collect

We may collect and process:

  • Identification and Contact Details: Name, email, phone, company details, billing address.
  • Authentication Data: Username, password.
  • Usage Data: IP address, browser type, logs, account activity, CMR usage statistics.
  • Payment and Billing Data: Transaction details (where applicable).
  • Communication Data: Messages, support requests, newsletters.
  • eFTI Data: CMR document data (e.g., sender/recipient names, cargo details) processed in compliance with eFTI Regulation.

4. Purposes and Legal Basis for Processing

We process personal data for:

  • Performance of a Contract (Art. 6(1)(b) GDPR):
    • Providing platform access, including CMR document creation and management per eFTI Regulation.
    • Managing subscriptions and payments.
    • Offering customer support.
  • Compliance with Legal Obligations (Art. 6(1)(c) GDPR):
    • Tax, accounting, and record-keeping.
    • eFTI compliance for electronic transport document standards.
  • Legitimate Interests (Art. 6(1)(f) GDPR):
    • Improving services, ensuring security, preventing fraud.
    • Sending service-related communications.
  • Consent (Art. 6(1)(a) GDPR):
    • Sending promotional communications (e.g., newsletters, offers) only with prior consent, per GDPR Article 6(1)(a). Withdraw consent via the unsubscribe link in emails or by contacting [email protected].
    • Using non-essential cookies (analytics, marketing).

Consent can be withdrawn at any time without affecting prior lawful processing.

5. Cookies

We use cookies to ensure website functionality, improve performance, and analyze traffic via a Consent Management Platform (CMP). Types include:

  • Essential Cookies: Required for platform operation (cannot be disabled).
  • Functional Cookies: Store preferences.
  • Analytics Cookies: Collect usage statistics (optional, via consent).
  • Marketing Cookies: Deliver relevant ads (optional, via consent).

6. Data Retention

We retain personal data only as necessary:

  • Account and Billing Data: Up to 5 years post-contract termination (legal obligation).
  • Usage Logs: Up to 12 months.
  • Backups: Weekly, stored up to 30 days.
  • Marketing Data: Until consent withdrawal.
  • eFTI Data: As required by transport laws, typically 5 years.

7. Sharing of Personal Data

We share data only with:

  • Trusted Sub-Processors: Hosting (e.g., AWS), payment processors (e.g., Stripe), email providers (e.g., SendGrid) under GDPR-compliant agreements, listed at https://cmr-management.eu/sub-processors.
  • Public Authorities: When required by law.
  • Business Transfers: In case of merger, acquisition, or asset transfer.

We do not sell or rent personal data.

8. International Data Transfers

Data transfers outside the European Economic Area (EEA) use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate safeguards.

9. Security

We implement technical and organizational measures, including:

  • Encrypted connections (HTTPS).
  • Access controls and authentication.
  • Regular backups and security audits.
  • Staff confidentiality commitments.

In case of a personal data breach, we will notify affected clients and the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours, per GDPR Article 33.

10. Data Subjects’ Rights

Under GDPR, you have the rights to:

  • Access (Art. 15).
  • Rectification (Art. 16).
  • Erasure (“right to be forgotten”) (Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20): Export in machine-readable format (e.g., CSV) at no cost, per EU Data Act.
  • Object (Art. 21).
  • Avoid automated decision-making (Art. 22). We do not currently perform automated decision-making or profiling with legal effects, per GDPR Article 22. Any future use will require explicit consent.

Contact us at [email protected] to exercise these rights. Complaints can be lodged with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania, Email: [email protected], Website: www.dataprotection.ro, or another EU supervisory authority.

11. Updates to this Policy

We may update this policy to reflect changes in law, services, or practices. Updates will be announced on our websites and, where appropriate, notified by email at least 30 days in advance.

12. Contact

For questions or requests:
SC Rage Solutions S.R.L.
Targu Mureș, Romania
Email: [email protected]