PRIVACY NOTICE

STEJARII” MOBILE APP

Applicable from 20.03.2025

I. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

Masterange Romania S.R.L., a company with registered office at 24-26 Nordului Street, District 1, Bucharest, registered with the Trade Register under no. J 40/3330/2003, having the Unique Identification Code RO 15262492 (hereinafter Masterange”/“Controller”), owns and manages “Stejarii Collection”, respectively “Stejarii Rezidential Club” (hereinafter “Stejarii”), owning and operating at the same time also the Stejarii mobile application (hereinafter “Stejarii App”, “App”), acts as a Data Controller in accordance with the General Data Protection Regulation (hereinafter “GDPR”).

In certain specific situations, for the purpose of managing Stejarii App, Masterange acts as a Joint Controller together with each of the following companies:

  1. Stejarii Universe S.R.L., with registered office at 24-26 Nordului Street, District 1, Bucharest, registered with the Trade Register under no. J2024051344009, having Tax identification code 51076380, as partner of Masterange Romania S.R.L.,
  2. Fergus Construct International S.R.L., with registered office at 24-26 Nordului Street, District 1, Bucharest, registered with the Trade Register under no. J40/20491/1994, having Tax identification code RO6435888, as administrator of Masterange Romania S.R.L. and manager of Stejarii Collection,
  3. ITH Management Office S.R.L., with registered office at 24-26 Nordului Street, District 1, Bucharest, registered with the Trade Register under no. J40/20487/1994, having Tax identification code RO6435918, as administrator of Masterange Romania S.R.L. and
  4. Hawkridge Imobiliare S.R.L., with registered office at 19 Nicolae Caramfil Street, District 1, Bucharest, registered with the Trade Register under no. J40/11948/2012, having Tax identification code RO30793013, as co-owner of Stejarii Collection and exclusively for the processing of Stejarii Collection residents’ data.

Masterange has entered into a personal data processing agreements with each of these Joint Controllers by which the purpose and means of the processing activities carried out jointly in connection with the management of  Stejarii App were defined, responsibilities were allocated in terms of ensuring transparency, lawfulness and fairness of processing activities, limiting the purposes of processing and minimizing data, ensuring data accuracy and limiting the storage period, as well as the responsibilities that the controllers have in order to ensure the security of personal data.

The Joint Controllers have decided to designate a single point of contact, so that, for any information or requests regarding the processing of personal data covered by this Notice or for exercising your rights as Data Subjects, as detailed below, you may contact our Data Protection Officer, using the following contact details:

ITH MANAGEMENT OFFICE S.R.L

Address: 24-26  Nordului Street, District 1, Bucharest

E-mail address: dataprotection@tiriacimobiliare.ro

Tel. 0040-21-4312149

In accordance with Art. 26 para. (3) of the GDPR, you have the possibility to exercise your rights vis-à-vis any of the Joint Controllers, and the  Joint Controller to whom you have addressed the request shall inform the other Joint Controllers of the request received.

II. TO WHOM THIS NOTICE IS ADDRESSED

This Privacy Notice (the Notice”), contains details about how and why we collect, use and disclose personal data when you choose to install and use Stejarii App, as residents of Stejarii, as well as the rights you have in relation to your personal data as a Data Subject.

For the use of Stejarii App there are several types of Accounts (the account is the access path in the Stejarii App): Main Accounts (i.e. Adult Account) and Associated Accounts (i.e. Child Account, Pet Account):

  1. Adult Account – can be created and used by the Tenant (the holder of the rental agreement/the representative of the Tenant who is a legal entity, having the capacity of legal representative/contractor/employee/trustee and who is simultaneously the holder of the right to use the rental unit under the rental agreement) and/or by the Occupant who is a natural person, to whom the Tenant has granted the right to use the rental unit under the rental agreement (hereinafter “Adult”);
  2. Child Account – can be created by the holder of an Adult Account by sending an invitation and can be used by the child to whom the Adult, as parent/guardian/legal representative, has decided to grant the right to create an account in Stejarii App (hereinafter “Child”).
  3. Pet Account – may be created and managed by an Adult and includes information about the Adult’s pet.

It is the Tenant’s obligation to inform the Concierge Office, if one of the occupants or children loses the right to access/use the rental unit, to deactivate the account.

III. SOURCE OF PERSONAL DATA

Personal data is collected either directly from you, as a Tenant/occupant when you request to open an account in the Stejarii App, but also indirectly from the Tenant (when verifying the right to use the rental space), from another Adult (when sending you the invitation to create an account) or when you interact with the App.

IV. PERSONAL DATA PROCESSED, PURPOSES AND LEGAL BASIS FOR PROCESSING

We process the personal data described below solely for the purposes and on the grounds specified in this Notice. If we intend to process such data for other purposes, we will inform you accordingly in advance and take all necessary steps to comply with the provisions on the protection of personal data. Personal data are processed as follows:

A. Creating and setting up accounts in the App

  1. Adult Account

To create and set up an Adult Account there are two possibilities:

a. Making a request to the Concierge Office

In this case, a dedicated form will be filled in, based on which identification data will be collected (name, surname, address formula Mrs./Mr.), contact data (telephone number and e-mail address), the language chosen for communication, data concerning the accommodation unit (complex, apartment number and building number), the type of account (Adult) and the date of creation. This data is necessary for the account registration process.

To validate the account, you need to download Stejarii App from one of the online stores (App Store or Google Store, depending on the type of mobile device you own) and enter the unique id and the code received by SMS on the phone number, as well as set up the password to access the App.

b. Receiving an account creation invitation from an existing Adult Account

An existing Adult Account can send an invitation to create an account to another person who has the right to use the rental unit. In this case, we will process the Adult invitee’s identification data (first name, last name), contact data (e-mail address and phone number) and account type. These are necessary for sending the account activation invitation to the e-mail address indicated. Please make sure that, before filling in the invitee’s data, he/she has agreed to the creation of the Adult invitee account and the use of his/her data for this purpose.

Activation of the Adult invitee Account is performed by the Adult invitee by entering the unique code received by the Adult guest’s e-mail address in the App. After activation, it is necessary to establish and set his/her own access password in the App.

The data associated with the Adult invitee  account is not recorded in our App management system until the Adult invitee has activated the Account.

Authentication data (e-mail address and password) will be saved to access the Application. Password is protected by a hashing system, so we will never have clear access to the set password.

Data Subjects: Adult

Legal basis: this processing is carried out to take steps at your request with a view to concluding a contract, which is represented by the Terms and Conditions of using the App, as per art. 6 para. (1) letter b) of the GDPR, but also based on our interest to ensure the security of the use of the App, pursuant to art. 6 para. (1) letter f) of the GDPR.

Also, on the account setup page, Adult:

–  has the option to attach a photo if he/she wishes to personalize the account. Uploading the photo constitutes consent to this processing, for the sole purpose of personalizing the account, in accordance with art. 6 para. (1) letter a) of GDPR. The images thus used will not be used by Masterange for other purposes. If the Adult no longer wishes to have this data processed, the Adult may delete the attached picture at any time.

–  has the option to provide us with information such as date of birth/female/male/undeclared gender, so that we can send him/her greetings via the app on birthdays or holidays (e.g. Women’s Day), the basis for processing being the consent expressed by filling in the data, in accordance with art. 6 para. (1) letter a) of the GDPR.

There is also the option on the account configuration page to choose to receive push notifications* on the mobile device regarding offers, events, surveys published in the App.

Additionally, you will automatically receive push notifications on your mobile device regarding administrative information related to the rental unit/complex.

* A push notification is a message that appears on a mobile device that can be delivered at any time, without requiring users to be in the App or using their devices to receive such messages.

If consent is granted, when we send such notifications regarding offers, events, surveys, we will process identifying data (first name, last name), the unique ID associated with the mobile device (UDID), the option to receive or not to receive notifications, and the date and time of expressing the option. This processing takes place only to the extent that consent has been given by you, in accordance with art. 6 para. (1) letter a) GDPR by checking the boxes available on the account activation page or in the Notifications Settings section. It is also possible to withdraw consent at any time by accessing the “Account” – “Notification Settings page”.

In the case of notifications regarding administrative matters, these are sent based on our legitimate interest, according to art. 6 para. (1) letter f) of the GDPR, to inform you about important aspects related to the execution of contracts. However, you can still modify the settings and choose not to receive these notifications through the app by adjusting the ‘Notification Settings’ page.

  1. Child Account/Pet Account

An Adult Account has the possibility to send an invitation to create a Child Account for his/her child/children for whom he/she is acting as guardian/legal representative (Child Account). Details of the data processing will be described below.

An Adult Account may also create an account for his/her pet. In the latter case, information about the pet (e.g. breed, age, name) will be processed to send congratulatory messages or gifts to animals in our community, as well as to better organize the conditions in Stejarii to suit the needs of pets.

a. Child Account

Account creation for a Child is done by the Adult by completing the dedicated form available in the “Family Members” Section of the Adult Account. In this context, we will process the Child’s identification data (first name, last name), contact data (e-mail address, phone number) and account type. These are necessary for sending the invitation and associating the account with the person’s identity. To finalize the account registration process for the Child Invitee, the assigned Concierge ID will be sent to the Adult by SMS.

Activation of the Child Account is done by entering the Concierge ID provided by the Adult, respectively by entering the unique code received by the Child by e-mail. Subsequently, it is necessary to establish and set the access password in the App.

The data associated with the Account is not recorded in our App management system until the Account is activated.

Authentication data (e-mail address and password) will be saved to access the App. Please note that the password is protected by a hashing system, so we will never have access to the password in clear.

The child will have access to limited functionality and actions in the context of using the App. So, he/she will be able to access the sections: Unlock Door, Events which are for the entire community regardless of age (e.g. no adults events will be displayed), Privilege Program, Offers and Services.

Data Subjects: Adult, Child

Legal Basis: This processing is carried out in order to take steps at the request of the Adult in order to conclude a contract, which is represented by the Terms and Conditions of using the App on behalf of and for the Child, as per art. 6 para. (1) letter b) of the GDPR, but also in our interest to ensure the security of the use of the App, pursuant to art. 6 para. (1) letter f) of the GDPR.

Submission of the account creation invitation also constitutes parental/guardian/legal representative consent for the Child’s personal data to be processed as detailed in this Notice.

Also, on the Child’s account creation form, the Adult can select options regarding push notifications* that the Child may receive regarding the events and offers available on the App. In case of consent to receive such notifications, when sending them, we will process the identification data (first name, last name), the unique ID associated to the mobile device (UDID) used by the Child to be able to send this type of notifications, the consent expressed by the parent, and the type of account (Child).

* A push notification is a message that appears on a mobile device that can be delivered at any time, without users needing to be in the App or using their devices to receive such messages.

This processing takes place only to the extent that the Adult has given consent in accordance with art. 6 para. (1) letter a) GDPR by ticking the boxes available in the Invitation creation form.

In the case of notifications regarding administrative matters, these are sent based on our legitimate interest, according to art. 6 para. 1) letter f) of the GDPR, to inform you about important aspects related to the execution of contracts. However, you can still modify the settings and choose not to receive these notifications through the app by adjusting the ‘Notification Settings’ page.

Following the creation of the Account, only the Adult has the possibility to update the settings regarding the transmission of push notifications, by accessing the icon related to the Child account. The Adult can also delete the Child Account at any time by accessing the Child Account icon.

In the account setup page, the Adult is informed and can decide what actions the Child can do, such as:

– the option to attach a photo if he/she wishes to personalize the account. The uploading of the photo constitutes the Adult’s parental consent to this processing, for the sole purpose of personalizing the account, in accordance with art. 6 para. (1) letter a) of the GDPR. The images will not be used by Masterange for other purposes. The attached picture can be deleted from the Child’s account at any time.

– the option to provide us with information such as date of birth/female/male/undeclared gender, so that we can send him/her greetings via the app on birthdays or holidays (e.g.: the child’s birthday), the processing being carried out in the interest of the consent expressed by the data insertion, in accordance with art. 6 para. (1) letter a) of the GDPR.

b. Pet Account

The data entered by the Adult in this account, respectively the information about the pet (e.g. breed, age, name), will be processed to send congratulatory messages or gifts to the animals, but also to better organize the conditions in Stejarii to suit the needs of pets.

B. Application Functionalities

The App has some functionalities which, inter alia, also involve the processing of personal data. For some of them, the legal basis for the processing is the performance of the contract consisting in the Terms and Conditions of use of the App itself. However, for certain processing activities, we have identified another legal basis, in which case it will be duly indicated below.

a. Submitting a request to Concierge through your Adult Account

When you choose to submit a request to us via the App we will process, as appropriate, identification data (first name, surname), the date, subject, category and details of the request (as well as any other data which by association may constitute personal data), contact data (telephone number), the date of the appointment (if you request an intervention in the property), data related to the person who will provide access to the property or the option for the intervention to be carried out in absentia, the status of the request (resolved or in the process of being resolved) and the response provided.

It is possible to attach photos to the submitted requests. In this case, the App will ask for consent to access the camera or photo album on the mobile device used. The resident shall ensure that he/she does not upload any personal or private photos or photos containing personal data (e.g. images of people, documents containing names, e-mail addresses or any other details that may represent personal data that do not belong to him/her or are not necessary for the processing of the application).

Also, when requesting a specific means of transportation or transportation to the airport, we will process identification data (name, surname), date, subject, category and details of the request (as well as any other data that by association may represent personal data), contact data (telephone number), date of the appointment (e.g. an intervention in the building).

Data Subjects: Adult

Legal basis: we will process this personal data to fulfill your request, pursuant to art. 6 para. (1) letter f) of the GDPR, our legitimate interest to take and process your requests. If the request pertains to the execution of the rental agreement or the provision of separate services through the Concierge Office or other service providers, the legal basis for processing will be the performance of the contract, according to art. 6 para. (1) letter b) of the GDPR.

In the App, Adult account holders have at their disposal the history of the requests submitted and how they have been resolved.

Adult account holders could also provide feedback on how their request has been dealt with, in which case we will process the details of the feedback provided to analyze and improve our services. Concierge Office may contact the Adult to clarify any dissatisfaction, in which case we will also process the contact details (telephone number).

Data Subjects: Adult

Legal basis: based on our legitimate interest in improving the services offered, pursuant to art. 6 para. (1) letter f) of the GDPR.

When requesting the provision of services such as recommendations and reservations (restaurants, suppliers, services, chef staff), ordering and delivery of products, taxi orders, we will use external Third Parties service providers. In this case, the Concierge Office will intermediate the provision of the service in question and will therefore transmit to the providers the data related to the request as provided by Adult. The Concierge Office will store the data requested by the providers only for the purpose of providing the intermediation services.

Please note that these providers act as Independent Controllers and are individually responsible for the way they process your personal data. For more details on how they process your data, please contact them directly.

b. Calling Concierge Office

In order to provide you with assistance or help, by calling the Concierge Office, we will process your identification data (first name, surname), request details (as well as any other data that by association may represent personal data), contact data (telephone number).

Data Subjects: Adult

Legal Basis: We will process these personal data to fulfill the request, pursuant to art. 6 para. (1) letter f) of the GDPR, our legitimate interest to retrieve and process requests.

For more details regarding the Call Center service, please consult the dedicated Privacy Notice, available here.

c. Unlocking the door

The functionality is available for accessing the entrance to the Stejarii – Residential Club, Stejarii Collection or the building in which the rental unit is located. This functionality is made available through the integration in the Stejarii App of an independent application, called “Green Access”, which can be activated by requesting from the Concierge Office the unique code to be entered in the page opened in the Stejarii App. Activating the functionality will result in the allocation of a virtual access card.

Therefore, when using this functionality, the Green Access App will ask for consent to query the Bluetooth/the approximate position of the mobile device. The interrogation is necessary for this functionality to connect to the application available on the equipment installed at the entrance of the complex/building to activate your access right. The activation of the access right is realized through the communication of unique identifiers between the two applications (Green App and Access Control System), namely the unique code received from the Concierge Office and the serial number associated to your virtual access card. The unique identifiers will be stored throughout the use of the App by any user of the App. We will not store information related to the position of the mobile device. These will only be queried specifically for granting access. They will not be processed for any purpose other than granting access, in order to prevent unauthorized remote access.

When using this functionality to access the complex/building, the access control equipment will query the unique identifiers allocated for granting access and record the date and time of entry into the building/complex.

The registration of access rights implies the registration of your personal data in our access control systems (i.e. name, surname, serial number associated with the virtual access card, access rights – rental unit, company that concluded the rental contract). We will also record information on access to the complex/building (date and time of entry), i.e. logs captured in these systems.

Data is retained in accordance with the Controller’s internal policies and in accordance with applicable legal provisions. Further information on these processing operations will be made available to you, separately, by means of a dedicated Privacy Notice.

Data Subjects: Adult, Child

Legal Basis: Unique identifiers are processed solely for the use of this functionality. Thus, the legal basis for the processing is the provision of a service to facilitate access, in accordance with art. 6 para. (1) letter b) of the GDPR, respectively your consent to access the Bluetooth/ the approximate position of the mobile device, pursuant to art. 6 para. (1) letter a) of the GDPR.

Data related to access rights and access to the complex/building are processed, on the one hand, in order to ensure the peaceful and useful use of the rented property, but also to ensure the security of the objectives, goods, valuables and the protection of persons, respectively for the preparation and keeping of the Registers of Access of Persons, in accordance with the obligations laid down for us by Law 333/2003 on the guarding of objectives, goods, valuables and the protection of persons (“Law 333/2003”), the Methodological Norms for the implementation of Law 333/2003 and Instructions 9/2013 on the performance of physical security risk analyses of establishments subject to Law no. 333/2003, according to art. 6 para. (1) letter c) of the GDPR. The data may also be processed for the purpose of handling complaints and incidents, based on our legitimate interest in ensuring the security of our objectives, property, assets, valuables and the protection of individuals, pursuant to art. 6 para. (1) letter f) of the GDPR.

As a Tenant, you are obliged to inform the Concierge Office of the withdrawal of an Adult/Child’s right of access to the complex/premises when such a situation arises (e.g. no longer living in the Stejarii).

d. Organization of events

Masterange will publish in the App details of events it organizes for residents. For a good organization we will also analyze the open statistics of these communications, based on our legitimate interest to organize events of interest to Stejarii community.

If you wish to participate, we will also process identification data (first name, surname), the number of participants (adults and children), as well as other information relating to the event, where applicable and which, by association, may represent personal data (for example, the location of the event, details on the specifics of the event etc.).

Event history and calendar will be available in the App.

Data Subjects: Adult

Legal basis: the basis for the processing is our legitimate interest in providing the best experiences for the residents and to and ensuring the good organization of events, according to art. 6 para. (1) letter f) of the GDPR.

If the events are organized in collaboration with various Partners, it is possible that we may ask the consent of the residents through the App to transmit certain personal data to them (for example, email address to contact you about their products and services). In this regard, we will inform you separately through a dedicated event Privacy Notice before asking you whether you want this processing to take place. This processing will only take place to the extent that you give your consent in accordance with art. 6 para. (1) letter a) of the GDPR.

Also, to organize the events and display them in the App, Masterange will process the first and last names associated with the accounts and perform certain segmentations in the database to personalize the invitations and to publish events of interest for each category of residents. Specifically, events dedicated to women will not be displayed in the accounts of male residents, events dedicated to adults (e.g. wine tasting) will not be displayed in the accounts of children, in which case information will be processed regarding the type of account, respectively gender (female/male).

Data Subjects: Adult, Child

Legal basis: the processing is carried out based on our legitimate interest to provide residents with the best possible stay by organizing Relevant Community events, in accordance with art. 6 para. (1) letter f) of GDPR.

e. Privilege Program

In order to provide residents with certain benefits to ensure comfort and multiple amenities, we negotiate offers and discounts with various partners and popularize them to residents through the Privilege Program. Residents can enroll by accessing the Privilege Program section of the App. Enrollment is finalized with the allocation of a virtual card with a unique code.

The offers and discounts available are not personalized but are generally applicable to the entire community of  Stejarii Residential Club and Stejarii Collection. Residents may withdraw from the Program at any time, in which case the unique code assigned to the card will no longer be associated with the resident’s identity.

In case residents are interested in the offers and services available in the Privilege Program, in the dedicated section of the App, they have the possibility to contact our Partners’ representatives by phone by using the telephone numbers available in the App. In this case, the call is made through the resident’s mobile operator, as in the case of any other call.

Data Subjects: Adult, Child

Legal basis: The basis of the processing is to carry out steps at the request of residents in order to conclude a contract, which is represented by joining the Privilege Program, according to art. 6 para. (1) letter b) of the GDPR. We will also carry out statistics on the number of participants in the Program, based on our legitimate interest in analyzing the extent to which this Program is of interest to the community, in accordance with art. 6 para. (1) letter f) of the GDPR.

f. Offers and Services

In case you are interested in the offers and services available in these sections of the App, you have the possibility to contact our Partners’ representatives by telephone by using the telephone numbers available in the App. In this case, the call is made through your mobile operator, as with any other call.

g. Request for Shiseido SPA appointment

In order to benefit from the facilities offered by Stejarii Country Club, through the App, you have the option to make an appointment request for massage and therapy services provided at Shiseido SPA.

In order to benefit from a massage or therapy session, it is necessary to make an appointment request in the App based on the available services and slots. After all appointment requests made by residents are gathered, all registered requests will be automatically verified, and appointments will be allocated according to the procedure detailed in the Terms and Conditions of the App.

For the registration of an appointment request, we will process identification data (first name, last name), as well as information about the requested appointment (type of SPA session for which the appointment is requested, date and time, notes regarding the preference for the therapist – female or male).

For the verification of appointment requests and the allocation of appointments, we will process identification data (first name, last name), as well as information about the requested appointment (type of SPA session for which the appointment is requested, date and time, notes regarding the preference for the therapist – female or male –, information regarding appointments allocated in the last 90 days). After the appointment allocation process, each appointment will be assigned a unique appointment code.

Before the appointment date, you have the option to cancel an allocated appointment. In this case, we will process identification data (first name, last name), as well as information about the appointment (unique appointment code, date and time of the appointment, type of SPA session).

Legal basis: the processing is carried out in order to execute a contract and to grant access to certain facilities of Stejarii Country Club, under the conditions established in the Terms and Conditions of the App, according to art. 6 para. (1) letter b) of the GDPR. We will also carry out statistics regarding the appointment requests made, as well as the appointments honored, based on our legitimate interest in analyzing to what extent this benefit is of interest to the community, according to art. 6 para. (1) letter f) of the GDPR.

After completing the process of verifying and allocating the appointment requests, we will send you a push notification to inform about the reservation allocation, or about the non-allocation of the reservation.

Additionally, at least one day before the appointment date, we will send you a push notification to remind about the upcoming appointment.

When we send you such push notifications, we will process: identification data (first name, last name), as well as the unique ID associated with the mobile device (UDID). This processing takes place based on our legitimate interest, according to art. 6 para. (1) letter f) of the GDPR, in order to inform you about important aspects related to the execution of concluded contracts, considering that, in this case, push notifications are related to administrative matters. However, you can still modify the settings and choose not to receive these notifications through the App, from the “Notification Settings” page.

If you wish to view future appointments in the calendar of your mobile device, you can choose to synchronize the Stejarii App with your device. To do this, you will need to enable the calendar synchronization permission for the Stejarii App in your phone’s settings. If you have enabled the calendar synchronization permission, after being notified about the approval of the appointment, you will have available the “Add to calendar” button. In this case, the information regarding the allocated appointment will be automatically transmitted to the calendar of your mobile device. The legal basis for processing personal data for the purpose of calendar synchronization is your consent, given by enabling the calendar synchronization permission in your phone’s settings, followed by adding the allocated appointment to the calendar, according to art. 6 para. (1) letter a) of the GDPR.

In the App, you have access to the appointment history in the form of past appointments and future appointments.

In order to provide as many residents as possible with the opportunity to benefit from the massage and therapy services offered at Shiseido SPA, if you have been allocated an appointment but did not honor it or canceled the appointment less than 24 hours before the scheduled time, you will no longer be able to benefit from these services according to the criteria established in the Terms and Conditions of the App. In this case, we will process identification data (first name, last name), appointment information (unique appointment code, date and time of the appointment, type of SPA session), as well as information about the reason that led to the withdrawal of the benefits.

Legal basis: the processing is carried out in our legitimate interest in granting access to certain facilities of Stejarii Country Club, under the conditions established in the Terms and Conditions of the App, according to art. 6 para. (1) letter f) of the GDPR.

Data Subjects: Adult

For more information regarding the terms and conditions for allocating an appointment, please refer to the Terms and Conditions of the App.

Please consult the documents provided by Stejarii Country Club for accessing the scheduled massage and therapy services, as well as regarding the processing of personal data in order to provide these services.

h. Financial Information

In the “Financial Information” section, you will find information on the duration of the rental contract, invoices and information on the next due date of your payment obligations (contract in pdf format, downloadable at any time).

Data Subjects: Tenant, holder of the Rental Contract

Legal basis: our legitimate interest in providing you with information regarding the details of the payment obligations, as per the rental contract, respectively in an easy and accessible way, via the App, in accordance with art. 6 para. (1) letter and f) of the GDPR.

i. Participation in satisfaction surveys

During your stay, we may ask for your opinion on certain aspects of what we offer in the residential complexes, to analyze the level of satisfaction of our community so that we can implement measures to improve their experience and meet the needs and expectations of our residents.

Thus, in Stejarii App, in the “Stejarii Questionnaires” section, surveys will be posted and available to all residents. We may also inform you of their availability in the App by sending you a push notification if you have given your consent. It is not compulsory to complete any survey, but residents who complete it will help us to improve services and design benefits that we want to offer to as many residents as possible.

Residents’ consent will be recorded by the App when they press the “Get Started” button, by completing and submitting their answers to the respective questionnaire.

Therefore, we will process identification data (name, surname), contact data (telephone number), data related to the housing unit (apartment, building), ratings / answers provided in the survey questionnaire, date of interaction, the degree of satisfaction.

Data Subjects: Adult

Legal basis: the consent expressed in the satisfaction survey submission form, pursuant to art. 6 para. (1) letter a) of the GDPR.

j. Biometric authentication

If you want to access the App using the “Biometric Authentication” feature set on the device you own, the processing of identification data is performed using only the operating system functions of the device used by the resident. The application does not save, access, modify, transmit, or otherwise process this biometric data. To enable authentication, the operating system of the mobile device sends a validation token to the Stejarii App, which is not stored, but is validated to enable access to the App.

k. Use of the App

When you use the App, we collect technical information relating to: the date of access to the App (date and time of access), session data (number of sessions and their duration), the language in which the information is displayed (Romanian/English), the settings you have configured within the App, information on the version of the operating system of your mobile device, and the version of the App.

This information is processed to ensure the proper functioning and optimization of the App, i.e. to identify possible errors and correct them efficiently, pursuant to art. 6 para. (1) letter b) of the GDPR, for the performance of the contract consisting in the provision of the App. It is possible to delete any account by going to the “Account” Section – “App Settings” – “Delete Account”.

Important to remember!

Deleting your account is not the same as deleting your personal data. For details regarding the duration of the processing of personal data, please read Section VII below.

Data Subjects: Adult, Child

l. Links to other websites

The App includes links to other websites that are operated by our partners. Any click on one of these links redirects the resident user to these websites. For information on the processing of data by partners, residents should consult the privacy notice corresponding to each website to which they have been redirected to understand what information will be processed by the partners, acting as independent controllers. For redirections to any of these websites we will process personal data to comply with the (technical) request to visit the respective website.

m. Compliance with legal provisions

In order to comply with the GDPR, to document the technical and organizational measures, respectively the rights of data subjects, we will keep track of opt-outs, consents to receive push notifications and requests to exercise rights submitted to us (e.g. requests for access to personal data) and, as necessary, we will process identification data (first name, surname), contact data (e-mail address, telephone number), data relating to the requests made (date of communication, subject and date of the request, data recorded in the systems used – logs), data relating to the language spoken.

Data Subjects: Adult, Child

Legal basis: based on our legitimate interest to demonstrate compliance with the provisions relating to the rights that residents have in relation to personal data, pursuant to art. 6 para. (1) letter f ) of the GDPR.

We will keep logs on the action of reading and accepting the Terms and Conditions of using the App, respectively reading the Privacy Notice.

n. Other purposes

In addition to the above, we may process the personal data indicated above and for the purposes described below:

  1. in order to ensure the security of the systems, networks and equipment used, or to ensure their maintenance, where appropriate; the processing is carried out pursuant to art. 6 para. (1) letter f) of the GDPR, to comply with national and European legal provisions regarding the security of users in the online and electronic environment, but also to achieve our interest in ensuring the security and proper functioning of the systems, equipment and networks.
  2. for the purpose of compiling statistics and reporting to develop and improve our products and services, streamlining the way we operate, optimizing processes, centralizing operations and maintaining internal databases, analyzing and minimizing the risks to which the company is exposed in connection with the provision of services and products; the processing is carried out on the basis of our legitimate interest in ensuring the efficiency, continuity and improvement of the business, pursuant to art. 6 para. (1) letter f) of GDPR.
  3. for compliance with our legal obligations under the law, including reporting to certain institutions and/or public authorities; the processing is carried out to comply with our legal obligations under art. 6 para. (1) letter c) of the GDPR.
  4. for the defense, exercise or establishment of rights or the settlement of disputes; the processing is carried out based on our legitimate interest to request the establishment of rights, to exercise or defend our rights, pursuant to art. 6 para. (1) letter f) of the GDPR.
  5. carrying out risk checks on company procedures and processes, as well as conducting company audits or investigations. The processing is carried out on the basis of our legitimate interest to ensure the proper management of the business in accordance with art. 6 para. (1) letter f) of the GDPR.

If we intend to process personal data for purposes other than those for which we originally collected them and which are not compatible or related to the original purposes, we will inform you in advance and provide you with all relevant information, with further processing being carried out only to the extent that there is a legal basis for doing so, including compliance with the principles of lawfulness.

V. DATA RECIPIENTS

Personal data may be disclosed, strictly to the extent necessary for the purposes detailed above or where required by law or where we have a legitimate interest that is duly justified, to the following categories of recipients who may be independent controllers/joint controllers or processors, as follows:

  1. Joint Controllers indicated in the introductory part of this Notice;
  2. Other service providers such as:
  • business management and consulting services;
  • personal data protection services;
  • services for the development and provision of technical support and maintenance of systems (i.e. the Stejarii App), networks and IT equipment;
  • cyber security services;
  • electronic communication services, to be able to send you push notifications;
  • integrated services with Stejarii App;
  • telephone and internet services;
  • marketing services;
  • archiving services;
  • audit services;
  • cloud/hosting services;
  • access control systems maintenance services;
  • services such as: repairs, servicing, maintenance, interior design, depending on your specific requests;
  1. External consultants we contact in specific situations (e.g. lawyers, consultants, experts);
  2. Authorities and public bodies, namely investigative bodies and courts or institutions with powers to carry out inspections and checks on the activity and assets of the controller, to the extent that the transmission of data to them is required by law and/or is necessary in the event of litigation or dispute settlement, as well as in the case of checks where we are obliged to make them available (for example, the National Supervisory Authority for the Processing of Personal Data – “ANSPDCP”);
  3. Persons expressly indicated by you;
  4. Third parties acquirers, to the extent that our business would be transferred (in whole or in part) and the data of the Data Subjects would be inherently linked to the assets that are the subject of such transaction.

The personal data that Masterange discloses to third parties is limited to the minimum information necessary to the necessity of the disclosure and with the imposition of certain obligations on third parties in relation to the processing of the data, such as the obligation not to use the personal data for any purpose other than that for which it was disclosed.

VI. TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

As a rule, we will not transfer personal data outside the European Economic Area. In exceptional circumstances and only if necessary, the transfer of personal data outside the European Economic Area will be made at the request of the resident concerned, at the request of the bodies and authorities of the state of nationality or residence, but we will apply appropriate safeguards in accordance with the specific legal provisions on the protection of personal data in Europe and, unless otherwise provided by law, with appropriate information to the resident concerned.

By way of exception, the technical data (UDID) related to the communication of push notifications will be transmitted to the integrator with whom we collaborate and who provides the transmission to the mobile device used, whose headquarters are in the USA. In case of such a transfer the security of personal data is ensured by the European Commission’s Decision of 10.07.2023 on the Adequacy of the Level of Data Protection provided by the new legal framework for the transfer to the U.S. – Data Privacy Framework. This decision can be consulted by visiting the European Commission’s website.

VII. DURATION OF PROCESSING OF PERSONAL DATA

The personal data indicated in the above sections will be processed for the entire duration of use of the App. More specifically, either until the date of deletion of the account, according to the Resident’s will, or until the termination of the rental contract. In both cases, the data associated with the account will be kept thereafter for the duration of the 3-year statute of limitations to be able to defend our rights and interests, if necessary, plus the time necessary for the deletion process (no more than 6 months from the date of expiration of the above-mentioned time limits).

Additionally, if you submit a request for account deletion, but there is personal data collected through interaction with the App (e.g., requests submitted through the App) that is relevant to the performance of the contract, this data will be retained for a period equal to the contractual duration, or if this information constitutes supporting financial documentation, it will be retained for the duration required by fiscal legislation.

Personal data processed in the context of disputes will be processed for the entire duration of their resolution, as well as afterward, in accordance with the applicable statute of limitations, which is a minimum of 3 years.

Thereafter, we will remove or delete personal data from our systems and records and/or take steps to anonymize it so that identification will no longer be possible. We will also take all reasonable steps to ensure the erasure of personal data transmitted to third parties for the above purposes.

*Except where it is necessary to protect our legitimate interests or where legislative changes to the legal retention obligations intervene. In such cases, we will act in accordance with the law, including informing data subjects.

VIII. RIGHTS CONCERNING PERSONAL DATA

Except the cases in which Romanian law or GDPR provides otherwise, you have the following rights:

  1. Right to be informed, as per the art. 13 and art. 14 of the GDPR, as per this Notice.
  2. Right of access, as per the art. 15 of the GDPR.
  3. Right to rectification, as per the art. 16 of the GDPR.
  4. Right to erasure/right to be forgotten, as per the art. 17 of the GDPR.
  5. Right to restriction of processing, as per the art. 18 of the GDPR.
  6. Right to data portability, as per the art. 20 of the GDPR.
  7. Right to object, as per the art. 21 of the GDPR.
When you send us a request to exercise this right, please also state the reasons relating to your particular situation. We will no longer process personal data, unless we can demonstrate (i) compelling legitimate grounds for processing which override your interests, rights and freedoms or (ii) the purpose of processing is the establishment, exercise or defend a right in court.

We also ask residents to bear in mind that they can object at any time, free of charge and without any justification, to the processing of their data for direct marketing purposes.

 
  1. Right not to be subject to a decision based solely on automated processing, including profiling, as per the art. 22 of the GDPR.

The personal data referred to in this Notice is not subject to automated decision-making processes.

Please note that these rights are not absolute, which means that there are certain exceptions to their exercise. These rights are applicable on a case-by-case basis.
  1. Right to withdraw your consent, according to art. 13 para. (2) letter c) and art. 14 para. (2) letter d) of the GDPR.
This right is applicable where personal data is processed based on your consent. In the case of push notifications, residents may change consent at any time by accessing the “Account” – “Notification Settings” section of the App.

They can also send an email to: dataprotection@tiriacimobiliare.ro  or send the request by post to the address: 24-26 Nordului Street, District 1, Bucharest.

Withdrawal of consent does not affect the lawfulness of the processing carried out based on consent prior to its withdrawal. Withdrawal of consent to the processing of personal data shall have the effect of cessation of processing for the future.
  1. Right to lodge a complaint, according to art. 13 para. (2) letter d) and art. 14 para. (2) letter e) of the GDPR.

Without prejudice to the right to contact ANSPDCP at any time, please contact us in advance in connection with the exercise of the above rights.

Residents who feel that we have not resolved all their requests or are dissatisfied with our responses, may contact ANSPDCP to file a complaint using the following contact details:

  • headquarters: Bucharest, 28-30 Gen. Gheorghe Magheru Bv., District 1, CP 010336,
  • telephone: +40.318.05.92.11.11,
  • fax: +40.318.05.96.02,
  • e-mail: anspdcp@dataprotection.ro,
  • website: dataprotection.ro

or they can complain to the competent court.

We ask residents to keep in mind the following aspects related to exercising their rights as a data subjects:

  • How to exercise: You can contact us using the contact details available above.
  • Time Period: We will endeavor to resolve the request within one month, which may be extended with two months for specific reasons related to the complexity of the request. In all cases, if this time limit is extended, we will inform the submitting resident of the length of the extension and the reasons for the extension.
  • Identification: When submitting a request, we ask residents to provide us with the necessary identification data: name, surname, e-mail address, with the indication that, to the extent that we cannot identify the person based on this information alone, we will ask for additional information to allow correct identification.
IX. CONSEQUENCES OF REFUSAL OF PROCESSING

Failure to provide the personal data necessary for the conclusion and execution of the contract, respectively the fulfillment of the legal obligations that we have leads to the impossibility of finalizing and executing the contract, respectively the provision of Stejarii App.

X. SECURITY OF PERSONAL DATA

We constantly use reasonable efforts to protect personal data in our possession or under our control by establishing reasonable security measures to prevent unauthorized access, collection, use, disclosure, copying, modification or deletion of data, and other similar risks.