KST Agency Serv SRL ("KST Invictus"), VAT ID 47857740, Trade Reg. J18/283/22.03.2023, Costesti Village, Gorj County, Romania, acting as the data controller, processes your personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.
This policy describes what data we collect, why we collect it, how we use it, who we share it with, and what rights you have as a data subject.
1. What data do we collect?
We collect data you provide directly through the website:
- Contact form — first name, last name, email, phone, message, desired package (processed via Web3Forms)
- Newsletter popup — email address (optional, with explicit consent, via MailerLite)
- Job application form — professional data provided voluntarily (processed via Forminator + Brevo, when active)
- Cal.com bookings — name, email, preferred time slot (if the booking system is active)
We also automatically collect, with your consent, technical data via cookies and analytics tools: anonymised IP address, browser, device, pages visited, time spent on site, and traffic source.
2. Why do we process your data?
Necessary
Responding to inquiries
Data from the contact form is used solely to get in touch with you regarding your inquiry.
Necessary
Contract performance
If you become a client, your data is necessary for delivering contracted services and related communication.
Consent
Newsletter
Marketing communications by email, only with your explicit consent. Withdrawable at any time via the unsubscribe link.
Consent
Analytics & optimisation
Improving content and browsing experience using anonymised data from Google Analytics.
Consent
Marketing & retargeting
Displaying relevant content via Google Ads and Meta Pixel — planned, activated exclusively with your consent.
Legitimate interest
Security & operation
Fraud prevention, website security (Wordfence), and correct platform operation.
3. How long do we retain your data?
- Contact form data — 2 years from the last interaction
- Contractual data — 5 years in accordance with fiscal and accounting obligations
- Newsletter data — until consent is withdrawn (unsubscribe)
- Job application data — 6 months from receipt of the application, or longer with your explicit consent
- Technical data (logs, IPs) — maximum 12 months
- Cookies — as specified by each provider (see Cookie Policy)
4. Who do we share data with?
We do not sell or transfer your data for our own commercial purposes. We share data on a limited basis with the technical providers necessary for operating our website and services:
Forms & communication:
- Web3Forms (USA) — contact form processing; data is sent by email and stored temporarily · privacy policy
- WP Mail SMTP — transactional email delivery via configured SMTP server
- Forminator — job application form; data processed locally on the server (when active)
Email marketing & newsletter:
- MailerLite UAB (Lithuania, EU) — newsletter, subscription popup and email automations · privacy policy
- Brevo (Sendinblue) (France, EU) — transactional emails for the Jobs form, when active · privacy policy
Bookings:
- Cal.com Inc. (USA) — online booking system, if active · privacy policy
Analytics & performance:
- Google Analytics / Site Kit by Google (USA) — traffic and behaviour analysis · with consent, anonymised data · privacy policy
- Rank Math SEO — SEO optimisation, local processing, no personal data transmitted
Marketing & advertising (planned):
- Google Ads / Google LLC (USA) — remarketing and conversion tracking · will be activated exclusively with your consent · privacy policy
- Meta Platforms Inc. (USA) — Facebook/Instagram Pixel for remarketing · will be activated exclusively with your consent · privacy policy
WordPress infrastructure & security:
- Wordfence Security — firewall and antivirus protection; data processed locally and on Wordfence servers · privacy policy
- Elementor / Royal Elementor — page builder, local processing
- Polylang — multilingual management, local processing
- Complianz — cookie consent management · privacy policy
- OMGF — self-hosting Google Fonts for GDPR compliance, local processing
- UpdraftPlus — site backup; data stored on server or configured cloud services
- WP Job Openings — careers listings management; data processed locally (when active)
Reviews & social proof:
- Trustindex.io / Widgets for Google Reviews — displaying Google reviews; public data sourced from Google · privacy policy
Automations & internal AI:
- n8n — internal workflow automations; data processed on our own or cloud server
- Anthropic Claude API (USA) — AI assistance in internal processes · transmitted data is anonymised or pseudonymised · privacy policy
Other sharing situations:
- Public authorities — when legally required (tax authorities, courts, data protection authority)
- Technical subcontractors — we may partially subcontract technical services; subcontractors are contractually obligated to comply with GDPR
Note: Providers marked as "planned" are not currently active. They will be noted in this policy before activation, in accordance with Art. 13 GDPR.
5. International data transfers
Some providers (Web3Forms, Cal.com, Google, Meta, Anthropic) are located in the USA. Transfers are carried out with appropriate safeguards under GDPR: Standard Contractual Clauses (SCC) approved by the European Commission, or via the EU-US Data Privacy Framework where providers are certified.
MailerLite and Brevo are located in the EU (Lithuania and France respectively) — no additional international transfer safeguards are required.
6. Your rights (GDPR)
- Right of access (Art. 15) — to receive a copy of the data we hold about you
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data
- Right to erasure (Art. 17) — the "right to be forgotten", under the conditions set out by law
- Right to restriction of processing (Art. 18) — in certain circumstances provided for by GDPR
- Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format
- Right to object (Art. 21) — to processing based on legitimate interests or direct marketing
- Withdrawal of consent (Art. 7) — at any time, without affecting the lawfulness of processing prior to withdrawal
To exercise any right, contact us at contact@kstagency.com. We respond within a maximum of 30 calendar days. The request is free of charge.
7. Right to lodge a complaint
If you believe your data is being processed incorrectly, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
You may also lodge a complaint with the supervisory authority in your country of residence within the EU.
8. Data security
We implement appropriate technical and organisational measures: HTTPS/TLS encrypted connections, Wordfence firewall, restricted data access, two-factor authentication for administrative accounts, regular backups via UpdraftPlus, and GDPR clause agreements with all providers.
No data transmission over the internet can be guaranteed 100% secure. In the event of a security incident affecting your rights, we will notify you within the timeframes prescribed by GDPR — 72 hours to the supervisory authority and without undue delay to affected individuals.
9. External links
The website may contain links to third-party sites (Google, Meta, consumer protection platforms, social media). KST Invictus is not responsible for the privacy practices of these sites. We encourage you to read their policies before providing personal data.
10. Policy updates
We reserve the right to update this policy as we add new services or providers. The date of the last update appears in the header of this document. Significant changes will be announced prominently on the website.