Privacy Policy

Last updated: 17.03.2026

1. Who We Are

The data controller for personal data is:

LOGISTIC MANGO RM S.R.L.
Tax ID (CIF): RO42880296
Trade Register: J35/2129/2020
Registered address: Str. Loichita Vasile nr. 1-3, Timișoara, Romania
Email: support@tirminator.com
Website: tirminator.com

In this policy, we refer to ourselves as "Tirminator", "we", or "the controller". This policy describes how we process personal data through the Tirminator platform (website, mobile applications, and associated APIs).

2. Scope of Application

This policy applies to:

  • visitors to tirminator.com;
  • users who create an account on the platform (drivers or companies);
  • representatives of companies accessing commercial services (subscriptions, add-ons);
  • persons who contact us via forms, email, or support.

3. What Data We Process

Depending on your interaction with the platform, we may process the following categories of data:

3.1 Identification and Contact Data

  • Email address;
  • Phone number;
  • First and last name (for drivers);
  • Company name and contact details;
  • Address, country, city.

3.2 Account and Authentication Data

  • Password in hashed form (we never store passwords in plain text);
  • OTP codes and their expiration times;
  • Email / phone verification status;
  • Authentication and refresh tokens in secure (hashed) format.

3.3 Professional and Profile Data

For drivers: driving experience, licence categories, licence issue date, types of equipment operated, employment status, current and preferred location, uploaded documents (licence, certificates), profile photo, languages spoken.

For companies: name, registration number, tagline, size, founding date, address, description, profile and cover photos, required driving licences, details about published job listings.

3.4 Platform Communication Data

  • Chat messages between companies and drivers (including attachments, if sent);
  • Support requests (subject, description, correspondence history);
  • Operational emails (account confirmation, OTP, password reset, notifications).

3.5 Payment and Billing Data

  • Information about active subscriptions and their history;
  • Stripe identifiers (customer ID, subscription ID, product ID, price ID);
  • Amount paid and currency;
  • Details about purchased add-ons.

Note: Full payment card details are processed exclusively by our payment provider (Stripe) and are not stored by us.

3.6 Technical and Security Data

  • IP address and HTTP request data;
  • Technical logs for operations and security;
  • Abuse prevention data: rate limiting, blocking of compromised or revoked tokens;
  • Technical error events for maintaining platform stability.

3.7 Behavioural and Usage Data

We may process data about how users interact with the platform, including:

  • Pages visited, session duration, actions performed in the interface;
  • Device and browser information;
  • Anonymised or pseudonymised session data for improving the experience;
  • Session recordings or heatmaps (if such tools are activated, exclusively with your consent).

These data are collected via technical tools described in sections 6 and 10 below.

5. Sources of Data

We obtain data:

  • directly from you (registration forms, profile, interactions);
  • from your use of the services (account activity, technical events);
  • from integrations necessary for operation (e.g. confirmations from the payment processor);
  • from technical monitoring and analytics tools described below.

6. Technical Monitoring and Behavioural Analytics

We use, and may in the future use, technical tools to monitor the platform and understand how it is used. This section describes the categories of tools and their legal basis.

6.1 Technical Monitoring and Error Tracking (currently active)

We use Sentry (Sentry.io, Inc., USA) for error tracking and performance monitoring. Sentry may process:

  • Data about errors occurring on the platform;
  • Context data for correlating errors (e.g. user identifier, role, technical request data);
  • API performance data (tracing, profiling).

Safeguards applied: sensitive data (passwords, tokens, card details, phone numbers) are automatically redacted before transmission to Sentry.

Legal basis: legitimate interest (technical security and stability).
Sentry Privacy Policy: https://sentry.io/privacy/

6.2 Behavioural Analytics and Traffic (potentially future)

We may integrate tools for user behaviour analysis, such as (without limitation):

  • Google Analytics / Google Tag Manager;
  • Hotjar or Microsoft Clarity (heatmaps, session recording);
  • Mixpanel or Amplitude (in-product event analysis);
  • Facebook Pixel or other advertising platforms.

These tools may collect: pages visited, interface actions, session duration, device and browser data, IP address.
Legal basis: your explicit consent, given through the cookie consent banner. We do not activate these tools without your consent. If and when we activate them, we will update this policy and the Cookie Policy with specific details.

7. Recipients and Processors

We may share data, to the extent strictly necessary, with:

  • Infrastructure & hosting: Microsoft Azure (backend hosting, file storage — Azure Blob Storage);
  • Communications: SendGrid (transactional email: account confirmation, OTP, notifications); Twilio (phone number verification via OTP/SMS);
  • Payments: Stripe (payment processing, subscriptions, webhooks);
  • Technical monitoring: Sentry (error and performance monitoring — details in section 6.1);
  • Tax validation: VIES API / viesapi.eu (VAT number validation, if the feature is used);
  • Behavioural analytics: tools described in section 6.2, only with your consent and if/when activated;
  • Others: legal, audit, or accounting consultants, subject to confidentiality obligations; public authorities, where required by law.

We do not sell your personal data or transfer it for commercial purposes without your explicit consent.

8. International Transfers

Some of our providers (e.g. Sentry, Stripe, SendGrid, Twilio) are companies headquartered in the USA or operate servers outside the European Economic Area (EEA).

In such cases we apply appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission;
  • Appropriate certification mechanisms (e.g. the EU-US Data Privacy Framework, where applicable);
  • Additional technical and organisational measures, as necessary.

Data is not transferred to countries without an adequate level of protection without appropriate safeguards in place.

9. How Long We Retain Data

  • Active account data: for the duration of the contractual relationship and thereafter, in accordance with applicable legal obligations.
  • Financial and accounting data: in accordance with tax and accounting legislation (generally a minimum of 5–10 years under Romanian regulations).
  • Tokens and technical security data: until expiry or revocation, plus a reasonable period for security auditing.
  • Support communications and chat: as long as necessary to manage the relationship, resolve requests, and defend legal rights.
  • Analytics and monitoring data: in accordance with the policies of the respective providers and the retention settings we configure.
  • Deleted account data: we apply a logical deletion (isDeleted flag), followed by removal or anonymisation of data after retention periods expire.

When data is no longer needed and there is no legal obligation to retain it, we delete or anonymise it securely.

10. Cookies and Similar Technologies

We use cookies and similar technologies (local storage, pixels, tracking scripts) in accordance with our Cookie Policy, published separately on tirminator.com.

The Cookie Policy includes information about categories, duration, consent management, and the third-party tools we use.

11. Data Security

We apply appropriate technical and organisational measures to protect data, including:

  • Secure authentication and role-based access control;
  • Hashing of passwords and sensitive tokens (bcrypt);
  • Token expiry and revocation upon logout;
  • Rate limiting and anti-abuse protection for OTP and authentication;
  • Encrypted communications (HTTPS / TLS, HSTS);
  • Automatic redaction of sensitive data before transmission to monitoring systems;
  • Monitoring, logging, and incident detection measures;
  • Data minimisation and pseudonymisation where applicable.

No electronic transmission or storage can be guaranteed 100% secure. However, we constantly work to reduce risks and improve our security measures.

12. Your Rights

Under GDPR, you have the right to:

  • Information: to know how we process your data (this policy).
  • Access: to obtain a copy of the data we process about you.
  • Rectification: to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): to request deletion of your data, under the conditions provided by law.
  • Restriction of processing: to limit how we use your data.
  • Data portability: to receive your data in a structured format and transfer it to another controller.
  • Objection: to object to processing based on legitimate interest or for marketing purposes.
  • Withdrawal of consent: at any time, for processing based on consent, without affecting the lawfulness of prior processing.
  • Lodge a complaint with the supervisory authority.

To exercise any right, please contact us at: support@tirminator.com

We will respond within the statutory period under GDPR (maximum 30 days, extendable by a justified additional 30 days in complex cases).

National supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, 010336, Bucharest, Romania
Email: anspdcp@dataprotection.ro
Website: https://www.dataprotection.ro

13. Data About Minors

The Tirminator platform is intended exclusively for users aged 18 and over, in a professional context (drivers and employers in the transport sector).

We do not intentionally collect data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it immediately.

14. Policy Updates

We may periodically update this policy to reflect legislative, operational, or technical changes (including the addition of new monitoring or analytics tools).

The updated version will be published on tirminator.com with the date of the new update. In the event of significant changes, we will notify you through the available contact channels (e.g. email, in-app notification).

This version entered into force on 17.03.2026.