GDPR Rights and Procedures

The GDPR gives you specific rights over the personal data we hold about you. You may request:

• Access — a copy of the personal data we hold about you (Art. 15)
• Rectification — correction of inaccurate or incomplete data (Art. 16)
• Erasure — deletion where the legal conditions are met (Art. 17)
• Restriction — temporary limitation of processing (Art. 18)
• Portability — machine-readable export of data you provided (Art. 20)
• Objection — to processing based on legitimate interests (Art. 21)
• Withdrawal of consent — for any processing that relied on consent (Art. 7(3))
• Complaint — to ANSPDCP or your local supervisory authority (Art. 77)

Send your request to privacy@noda.energy. Tell us which right you want to exercise and any details that help us locate the record (account email, subscription ID, approximate dates).

You can also use self-service tools in your workspace once it opens: export account data, delete the account, and update profile fields.

To protect your data we verify the requester is the data subject. For active accounts we send a verification email to the address on file. For closed accounts we may ask for additional confirmation (two of: the work email previously used, a recent invoice number, signed identification redacted to the machine-readable zone). Excess data sent for verification is discarded after the request closes.

We respond within 30 calendar days from verified intake, free of charge for normal requests. We may extend by a further 60 days for complex or numerous requests; we will notify you within the first 30 days and explain the reason. Manifestly unfounded or excessive requests may carry a reasonable fee or be refused, and we will tell you why.

Some data is held under legal obligations and cannot be deleted on request. In particular, invoices, billing records, and VAT data are retained for 10 years under Romanian Law 82/1991 and Article 25 of the Fiscal Code. Where we cannot fulfil an erasure request we explain why and we erase the rest of your record (account fields, audit logs, report inputs) on the standard schedule.

We follow Articles 33 and 34 GDPR. If we detect a personal data breach that is likely to result in a risk to your rights and freedoms, we notify ANSPDCP within 72 hours. If the breach is likely to result in a high risk to you, we notify you directly without undue delay.

Our current sub-processor list is at noda.energy/legal/subprocessors. We sign data processing agreements with each, including Standard Contractual Clauses where personal data flows outside the EEA. We give at least 15 days' notice before adding a new sub-processor to the list.

The Romanian Data Protection Authority is:

• Name: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
• Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
• Email: anspdcp@dataprotection.ro
• Phone: +40 318 059 211
• Web: dataprotection.ro