Privacy Policy

Class RDA Impex SRL · RO · Effective 31 May 2026 · v2.1

Data Controller: Class RDA Impex SRL · Jurisdiction: RO · VAT / Registration No.: 29867320 · Address: Str. Pridvorului, nr.5, bl.6, Ap.1, Sector 4, București, RO · Version: v2.1 · Effective from: 31 May 2026


This Privacy Policy describes how Class RDA Impex SRL collects, uses, stores, and protects your personal data within the 4PRO Biz application, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable law.

Please read this document carefully. If you have questions, you may contact our Data Protection Officer (DPO) at dpo@4pro.io.


1. Who is your data controller

Class RDA Impex SRL is the controller of personal data collected through 4PRO Biz.

Name: Class RDA Impex SRL
Address: Str. Pridvorului, nr.5, bl.6, Ap.1, Sector 4, București, RO
VAT / Reg. No.: 29867320
Jurisdiction: RO
DPO: dpo@4pro.io

If your effective controller differs (e.g. based on your country of residence or the application you use), you will be notified at registration in accordance with our entity routing rules.

2. Data Protection Officer (DPO)

We have appointed an internal DPO to ensure GDPR compliance. You may contact the DPO at any time at dpo@4pro.io for:

  • exercising your rights (access, erasure, portability, etc.);
  • questions about how we process your data;
  • complaints or concerns regarding data protection.

3. What data we collect

3.1 Identification and account data

When creating an account, we collect: full name, email address, phone number (optional), password (stored in hashed form, never in plain text). If you authenticate via SSO (Single Sign-On) from another application in the 4PRO ecosystem, we receive the session token and associated profile data.

3.2 Service usage data

We collect automatically: access logs (IP address, User-Agent, timestamp), in-app navigation events (pages visited, features used), account preferences, and action history.

3.3 Health and nutrition data (special category data — Art. 9 GDPR)

This section applies only where the 4PRO Biz application processes health data. Where it does, nutritional logging features may involve the processing of special category data under Art. 9 GDPR:

  • Food images uploaded for AI analysis;
  • Logged meals (foods consumed, quantity, calories, macronutrients);
  • Nutritional goals (target calories, protein, carbohydrates, fat intake);
  • Body weight and body composition goals (if you provide them);
  • Discipline scores and progress generated by our system;
  • Interactions with AI Coach (messages, responses, recommendations).

Where processed, this data is processed exclusively on the basis of your explicit consent (Art. 6(1)(a) + Art. 9(2)(a) GDPR), given by ticking the dedicated checkbox when activating the feature. Consent is voluntary and may be withdrawn at any time without negative consequences.

3.4 Communication data

If you opt in to WhatsApp, SMS, or email notifications: WhatsApp/SMS phone number and notification preferences.

3.5 Payment data

Payments are processed by certified third-party providers (Stripe, Revolut Business, etc.). We do not store card data. We receive only the transaction confirmation and a subscription identifier.

3.6 Technical data and cookies

IP address, browser type, operating system, screen resolution, session data and cookies — as described in our Cookie Policy.

4. Purposes and legal bases for processing

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Account creation and management | Identification data | Art. 6(1)(b) — contract performance |
| Providing core features of 4PRO Biz | Usage data, account data | Art. 6(1)(b) — contract performance |
| Nutritional analysis and AI coaching (where the app processes health data) | Health and nutrition data | Art. 9(2)(a) — explicit consent |
| Sending notifications (push, WhatsApp, email) | Contact data, preferences | Art. 6(1)(a) — consent; or Art. 6(1)(b) for essential account notifications |
| Payment processing and subscription management | Transaction data | Art. 6(1)(b) — contract performance |
| Security, fraud and abuse prevention | Technical data, logs | Art. 6(1)(f) — legitimate interests |
| Product improvement and usage analysis | Usage data (anonymised or pseudonymised) | Art. 6(1)(f) — legitimate interests; or Art. 6(1)(a) — consent, for personalised data |
| Compliance with legal obligations (accounting, audit) | Identification data, transaction data | Art. 6(1)(c) — legal obligation |
| Dispute resolution and defence of our rights | Relevant dispute data | Art. 6(1)(f) — legitimate interests |

Our legitimate interests (Art. 6(1)(f)) are assessed through a proportionality (balancing) test and do not override your fundamental rights. You may request a copy of the relevant balancing test by contacting the DPO.

5. Special health data — additional safeguards

This section applies only where the 4PRO Biz application processes health data. Where it does, the processing of health and nutrition data (Art. 9 GDPR) is subject to additional safeguards:

  • Granular consent: you can independently enable/disable food logging, weight tracking, and AI Coach access;
  • Withdrawal of consent: withdrawing consent for health data leads to the deactivation of the associated features and deletion of that data within 30 days, without affecting the lawfulness of prior processing;
  • Restricted access: health data is accessible only to you, the DPO team, and, in anonymised form, the technical team for debugging purposes;
  • No sale: we do not sell or commercialise your health data to any third party;
  • No AI model training: your special category (health) data sent to AI providers for analysis is not used to train or improve their models; it is processed solely to return the result you requested.

6. Recipients and data processors

We may share your data with third parties exclusively in the contexts below:

6.1 Processors (acting on our behalf)

| Processor | Role | Location | Transfer safeguard |
|---|---|---|---|
| Hosting provider (VPS / cloud) | Server infrastructure | EU/EEA | Not applicable (processing within the EEA) |
| Stripe / Revolut Business | Payment processing | EU/EEA and USA | USA: Standard Contractual Clauses, Decision (EU) 2021/914; EU-US Data Privacy Framework where the provider is certified |
| Meta Platforms (WhatsApp Business API) | WhatsApp notifications | USA | Standard Contractual Clauses, Decision (EU) 2021/914; EU-US Data Privacy Framework where Meta is certified |
| AI providers (e.g. Google Gemini, Anthropic, Groq) | Food image analysis, coaching generation | EU/EEA and USA | USA: Standard Contractual Clauses, Decision (EU) 2021/914; EU-US Data Privacy Framework where the provider is certified |
| Transactional email service | Sending system emails | EU/EEA and, as applicable, USA | USA: Standard Contractual Clauses, Decision (EU) 2021/914; EU-US Data Privacy Framework where the provider is certified |

All processors are contractually bound to comply with GDPR through Data Processing Agreements (DPAs). Where we transmit special category (health) data to AI providers, they are contractually bound not to use the data to train their models.

6.2 Public authorities

We share data with public authorities only when required by law (e.g. tax authorities, courts), strictly within the scope of the request.

6.3 Other controllers in the 4PRO ecosystem

If you use multiple applications in the 4PRO ecosystem (e.g. 4PRO Client, 4PRO Pro), account data may be shared via SSO for unified authentication. Each application operates its own features as a distinct controller.

Where two or more applications jointly determine the purposes and means of a given processing, they act as joint controllers within the meaning of Art. 26 GDPR. In that case, the essence of the arrangement between the joint controllers (allocation of responsibilities for meeting GDPR obligations, in particular the exercise of your rights, and a single point of contact for exercising your rights) is made available to you, and you may exercise your rights against any of the joint controllers.

We do not sell your personal data.

7. International data transfers

Your data controller is an entity established in Romania/the EU; there is no international transfer at controller level. However, certain recipients and sub-processors process data outside the European Economic Area (EEA) — in particular the AI and communications providers listed below. We ensure that these transfers are carried out exclusively on the basis of a valid legal mechanism under Art. 46 GDPR:

  • Stripe / Revolut Business (payment processing, USA) — Standard Contractual Clauses, Decision (EU) 2021/914, supplemented by the EU-US Data Privacy Framework where the provider is certified;
  • Meta Platforms / WhatsApp (notifications, USA) — Standard Contractual Clauses, Decision (EU) 2021/914, supplemented by the EU-US Data Privacy Framework where Meta is certified;
  • AI providers — e.g. Google Gemini, Anthropic, Groq (image analysis, coaching, USA) — Standard Contractual Clauses, Decision (EU) 2021/914, supplemented by the EU-US Data Privacy Framework where the provider is certified;
  • Transactional email service / hosting — where this involves processing outside the EEA — Standard Contractual Clauses, Decision (EU) 2021/914, or a European Commission adequacy decision.

For recipients in countries covered by a European Commission adequacy decision, the transfer relies on that adequacy decision. You may request a copy of the applicable safeguards by contacting the DPO at dpo@4pro.io.

8. Retention periods

| Data category | Retention period |
|---|---|
| Account data (active) | Duration of active account + 90 days after deletion |
| Health and nutrition data | Duration of active account + 30 days after withdrawal of consent or account deletion |
| Access and security logs | 12 months |
| Transaction and billing data | 10 years (legal obligation — tax law) |
| DPO communications | 5 years (defence of legal rights) |
| Marketing data (with consent) | Until withdrawal of consent |
| Inactive accounts | 24 months of inactivity → notification → 30 days → deletion |

Upon expiry of the retention period, data is permanently deleted or irreversibly anonymised.

9. Your rights under GDPR

Under GDPR, you have the following rights, which you may exercise by contacting dpo@4pro.io:

Right of access (Art. 15): You may request a copy of your personal data that we process and information about how it is processed.

Right to rectification (Art. 16): You may request the correction of inaccurate data or the completion of incomplete data.

Right to erasure — "right to be forgotten" (Art. 17): You may request the erasure of your data when: the purpose of processing has ceased, you have withdrawn your consent, you have objected to processing and there are no overriding legitimate grounds, processing was unlawful, or there is a legal obligation to erase. Exceptions: data necessary for legal obligations or the defence of rights in legal proceedings.

Right to restriction of processing (Art. 18): You may request restriction of processing in certain circumstances (e.g. when contesting the accuracy of data).

Right to data portability (Art. 20): You may receive the data you have provided in a structured, commonly used, machine-readable format (JSON/CSV), and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to object (Art. 21): You may object at any time to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights. You have an unconditional right to object to processing for direct marketing purposes.

Right to withdraw consent (Art. 7(3)): Consent may be withdrawn at any time, as easily as it was given, without affecting the lawfulness of prior processing. Withdrawal can be done from Settings → My Account or by contacting the DPO.

Right not to be subject to automated decision-making (Art. 22): We do not apply automated decisions with significant legal effects based solely on automated processing without human involvement. Discipline scores and AI recommendations are advisory and produce no legal effects.

Response time: We will respond to your request within 30 calendar days of receipt. This period may be extended by 60 days in complex cases, with prior notice to you.

10. Data security

We implement appropriate technical and organisational measures to protect your data:

  • Encrypted transmission: all communications use TLS 1.2+;
  • Secure storage: passwords are stored hashed with bcrypt (cost factor ≥ 12); sensitive data is encrypted at rest;
  • Limited access: need-to-know principle for employees and contractors;
  • Monitoring: access logs and intrusion detection systems;
  • Breach notification procedures: in case of an incident affecting your rights, we will notify you within 72 hours of discovery (or as soon as reasonably practicable), in accordance with Art. 33-34 GDPR.

11. Cookies

We use cookies as described in our Cookie Policy, which forms an integral part of this Privacy Policy.

12. Children and minors

The Service is not intended for children under 16. We do not knowingly collect data from minors below this age. If you become aware that a minor has provided us with data without adequate parental consent, please contact us at dpo@4pro.io and we will promptly delete the relevant data.

13. Changes to this Policy

This Policy may be updated periodically. Significant changes will be communicated via an in-app banner and/or email at least 14 days before taking effect. The date of the last update is indicated in the document header.

Continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.

14. Right to lodge a complaint with the supervisory authority

If you believe your data is being processed in breach of GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Romania — ANSPDCP (National Supervisory Authority for Personal Data Processing)
Bd. G-ral. Gheorghe Magheru, nr. 28-30, Sector 1, Bucharest, Postal code 010336
Phone: +40.318.059.211
Email: anspdcp@dataprotection.ro
Web: https://www.dataprotection.ro

You also have the right to contact the supervisory authority in the EU member state where you have your habitual residence, place of work, or the place of the alleged infringement.

Exercising this right does not affect your right to seek judicial remedies.

Contact

Class RDA Impex SRL
Str. Pridvorului, nr.5, bl.6, Ap.1, Sector 4, București, RO
DPO Email: dpo@4pro.io


Automatically generated by Legal Hub · Version v2.1 · Effective from 31 May 2026