Cartela is in soft launch - browsing only, no orders yet.

Privacy policy

Privacy policy

In force from the date this page was published.

This policy explains in detail how Cartela.online collects, processes and protects users’ personal data. For a summary of your GDPR rights and how to exercise them, see the GDPR Information page.

1. Data controller

Digital Payments SRL, a Romanian legal entity with registered office at Strada Liniștii Nr. 15 C, C2, Paleu, Bihor county, 417166, Romania. VAT (RO)38316257, Trade Register J5/2640/2017. Contact: support@cartela.online. No outsourced Data Protection Officer (DPO) has been appointed – requests are handled by an internal representative.

2. Categories of data collected

Data you provide directly:

  • Email address (mandatory – for voucher delivery).
  • Mobile phone number (for direct top-up or SIM identification).
  • Focus Sat subscriber ID (for TV recharge).
  • Billing data (name, address, VAT – optional, for fiscal invoice).
  • Payment confirmation received from the processor (PayPal, Stripe, BTCPay Server).

Data collected automatically:

  • IP address, for fraud prevention and technical logs.
  • Browser type and operating system (User-Agent).
  • Access and interaction timestamps.
  • Cookies essential to session and cart (see below).

We do not collect special categories of data (ethnic origin, political opinions, health data, etc.) under GDPR Art. 9.

3. Purposes and legal basis

Purpose Legal basis Data involved
Order processing and voucher delivery Contract execution (Art. 6.1.b GDPR) Email, phone, payment
Invoicing and fiscal archiving Legal obligation (Art. 6.1.c) Billing data, amounts
Fraud prevention and AML compliance Legitimate interest (Art. 6.1.f) and legal obligation IP, patterns, KYC if needed
Promotional communications (newsletter) Consent (Art. 6.1.a) Email, if you have subscribed

4. Retention period

  • Transaction data and invoices: 10 years, per the Romanian Fiscal Code (Art. 25(1) of Accounting Law 82/1991).
  • Technical logs (IP, User-Agent): maximum 12 months.
  • KYC data (if collected): 5 years after the last transaction, per Romanian Law 129/2019.
  • Newsletter subscriber email: until unsubscribe or deletion request.

5. Who we share data with

We do not sell your data. We share it only with the following recipient categories, strictly to fulfil the stated purpose:

  • Payment processors: PayPal, Stripe, BTCPay Server – to authorise the transaction.
  • Mobile carriers / Focus Sat: Orange, Vodafone, Telekom, Digi, Focus Sat – the phone number / subscriber ID is sent to apply the top-up.
  • Technical service providers: hosting, transactional email, cloud backup (Box.com) – under GDPR-compliant contracts.
  • Public authorities: ANAF, Police, courts – only on documented legal request.

International transfers (if needed) only occur to countries with an adequate protection level or under standard contractual clauses approved by the European Commission.

6. Cookies

We use cookies strictly necessary for site operation (session, cart, authentication). We do not use advertising tracking cookies without explicit consent. Full details about each cookie are available in the cookie banner shown on first visit.

7. Data security

  • TLS 1.3-encrypted connections between browser and server.
  • Sensitive data (voucher PINs) is encrypted with Sodium / libsodium and only accessible via an HMAC-signed link.
  • Encrypted backups, kept in two distinct geographic locations.
  • Restricted access on the “least privilege” principle.
  • Breaches notified within 72 hours to ANSPDCP if user rights are affected (GDPR Art. 33).

8. Your rights

You have all the rights granted by GDPR: access, rectification, erasure, restriction, portability, objection, consent withdrawal. See the GDPR Information page for details and how to exercise them. Requests go to support@cartela.online.

9. Complaints

If you are not satisfied with how we manage your data, you have the right to file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro.

10. Changes

This policy may be updated periodically. Significantly changed versions will be announced on the homepage or by email (for customers with an account). The current version is the one on this page.