Privacy Policy

How we collect, use and protect your personal data when you engage with Duces.

Introduction

This policy explains, in plain terms, how Duces handles the personal data we collect through our websites and in the course of our work.

Last updated: 16 June 2026

Scope of this policy

Duces ("Duces", "we", "us" or "our") is a boutique technology consulting firm, organised as a partnership and specialised in three areas: Data & AI, Digital products and platforms, and Enterprise Apps & Platforms. We deliver business-to-business professional services through senior, partner-owned teams based in central and eastern Europe.

This Privacy Policy applies to the personal data we process through our website, duces.co, and to the business contacts we engage with in the ordinary course of marketing and managing our relationships. It does not replace any specific data protection terms agreed in a client engagement (see "How we act" below).

Who we are & how to reach us

Duces operates from 256 Bd. Basarabia, Bucharest, Romania. For any question about this policy or about how we handle your personal data — including to exercise your rights — you can contact us at contact@duces.co or by post at the address above.

How we act under the GDPR

Because we are established in the European Union, our processing of personal data is governed by the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and applicable Romanian data protection law. We act as a data controller for the personal data we collect about website visitors and business contacts. When we deliver a client engagement and process personal data on a client's behalf and instructions, we act as a data processor; that processing is governed by the data processing terms in the relevant engagement agreement rather than by this policy.

Data we collect

We collect only what we need to respond to enquiries, run our website and maintain our professional relationships. We never sell or rent your personal data.

Information you provide

When you submit our "Hire Us" contact form, we collect the details you choose to share — typically your name, email address and the content of your message, together with any company name, phone number or subject line you add. We use this solely to understand and respond to your enquiry.

Business contact data

In the course of business development and account management we may hold limited contact details of clients, prospects, partners and suppliers — for example name, role, employer, business email and phone number — sourced from you directly, from your organisation, or from public professional channels.

Technical & usage data

Like virtually all websites, our hosting infrastructure automatically records standard server logs when pages are requested — such as IP address, browser type, referring page and timestamp. We use these for security, diagnostics and to keep the site running reliably.

Cookies

Our website is largely static and does not use advertising or cross-site tracking cookies. If we introduce privacy-respecting, aggregate analytics in the future, we will update this policy and, where required, ask for your consent first. You can always manage cookies through your browser settings.

How & why we use your data

We process your data for clearly defined purposes and always rely on a valid legal basis under the GDPR.

Purposes of processing

We use the personal data described above to:

  • respond to your enquiries and scope potential engagements;
  • manage our relationships with clients, prospects, partners and suppliers;
  • send relevant business communications where you have asked to hear from us;
  • operate, secure, maintain and improve our website; and
  • comply with our legal, accounting and regulatory obligations.

Our lawful bases

Depending on the situation, we rely on one or more of the following lawful bases under Article 6 of the GDPR:

  • Legitimate interests — to respond to enquiries, run our business development, and keep our website secure, balanced against your rights and expectations;
  • Performance of a contract — to take steps at your request before entering into, and to perform, an engagement with you or your organisation;
  • Consent — where we ask for it, for example for certain optional communications; you may withdraw consent at any time; and
  • Legal obligation — where processing is necessary to comply with the law.

Sharing, transfers & retention

We share personal data only with trusted providers who help us operate, and we keep it no longer than necessary.

Service providers & sub-processors

We rely on a small number of carefully selected providers to run our website and communicate with you. These currently include our website hosting provider and Resend, which delivers the emails generated by our contact form. These providers process personal data only on our instructions and under contractual data protection terms, and may not use it for their own purposes.

We may also disclose personal data to professional advisers (such as legal or accounting advisers) or to authorities where we are required to do so by law. We do not sell personal data.

International transfers

We aim to keep personal data within the European Economic Area (EEA). Where a provider processes data outside the EEA, we ensure an appropriate safeguard is in place — such as an adequacy decision or the European Commission's Standard Contractual Clauses — so that your data continues to receive a comparable level of protection.

Data retention

We retain personal data only for as long as needed for the purpose it was collected, after which we delete or anonymise it. Enquiry correspondence is kept while it is useful for our relationship and to address any follow-up; business records are kept for the periods required by applicable law. Where there is no continuing purpose or legal requirement, we remove the data.

Your rights

The GDPR gives you meaningful control over your personal data. We are committed to honouring these rights.

Your rights under the GDPR

Subject to the conditions in the law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that is inaccurate or incomplete;
  • Erase your data ("right to be forgotten") in certain circumstances;
  • Restrict how we process your data;
  • Port your data to another provider in a structured, machine-readable form;
  • Object to processing based on our legitimate interests; and
  • Withdraw consent at any time, without affecting prior processing.

How to exercise your rights

To exercise any of these rights, email contact@duces.co. We will respond within the timeframes required by applicable law, normally within one month. We do not charge a fee for a reasonable request and may ask you to confirm your identity before we act.

Complaints

We would always prefer to resolve any concern with you directly, so please contact us first. You also have the right to lodge a complaint with a supervisory authority — in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP), or the authority in your country of residence or work.

Security, changes & contact

We take the protection of personal data seriously and keep this policy current.

Security

We maintain appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access — including encryption in transit, access controls and the principle of least privilege. No method of transmission or storage is completely secure, but we work continuously to safeguard the data entrusted to us.

Children's data

Our website and services are intended for businesses and the professionals who work for them. They are not directed at children, and we do not knowingly collect personal data from children.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. We will post any updated version on this page and revise the "last updated" date above; where changes are significant, we will take additional steps to inform you.

Contact us

For any privacy question, or to reach the person responsible for data protection at Duces, contact us at contact@duces.co, call +40 314 190 222, or write to Duces, 256 Bd. Basarabia, Bucharest, Romania.