Awarely
AwarelyMonitor

Privacy Policy

Last Updated: July 12, 2026Effective Date: July 26, 2026

PFA, trading as AWARELY ("Company", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Awarely Monitor CVE monitoring service ("Service"). It is intended to help you understand our processing under Regulation (EU) 2016/679 (GDPR), Romanian Law 190/2018, and the cookie/storage rules implemented in Romania, including Law 506/2004.

Privacy Summary

  • We collect only data necessary to provide the CVE monitoring service
  • Core service data for this deployment is hosted primarily in the EU
  • We never sell your personal data to third parties
  • You can use self-service tools for some requests, including export and account deletion
  • Awarely may act as controller or processor depending on the customer relationship and processing context
  • Some data may still be retained where law, security, or operations require it

1. Data Controller Information

Data ControllerPFA (trading as AWARELY) is the independent controller responsible for the personal data it collects and uses for its own account, security, compliance, and business operations through the Service.
Legal EntityPersoană Fizică Autorizată (PFA) registered under OUG 44/2008 in Romania
Legal NameMUNTEANU C. D. MIHAI PERSOANĂ FIZICĂ AUTORIZATĂ
Tax IdentifierCUI: 53962936 (Romanian clients) · VIES: RO54197611 (EU clients outside Romania)
Registered AddressBucurești, Sector 1, Bulevardul Bucureștii Noi, Nr. 136, Cod poștal 012366, România
LocationRomania, European Union
Contact Emailmonitor@awarely.ro (Data Protection inquiries)
Websitehttps://monitor.awarely.ro
Legal BasisWe process personal data under Article 6(1) GDPR based on: (a) contract performance, (b) legitimate interests, (c) legal obligations, and (d) consent where applicable.
Controller and Processor Role SplitAwarely may act either as independent controller or as processor, depending on the processing context. For organization customer service data handled on behalf of the customer, Awarely may act as processor under a signed DPA. For Awarely's own account management, authentication, security, fraud prevention, legal compliance, and direct billing records, Awarely acts as controller.
Billing ControllerAwarely acts as controller for all billing and invoice records for B2B customers.

2. Personal Data We Collect

We collect only the minimum personal data necessary to provide our Service:

2.1 Account InformationEmail address, account identifier, and account profile data associated with authentication. Authentication is handled via AWS Cognito (email/password or Google OAuth). Passwords are managed by Cognito and are not stored by us in plain text.
2.2 Google OAuth DataIf you sign in with Google, we receive your name, email address, and profile picture URL from Google. We do not receive your Google password.
2.3 Billing InformationAwarely may process business contact details, subscription terms, invoice details, payment status, and accounting records under its own controller obligations for B2B customers. We do not collect or store full payment card details.
2.4 Usage DataLogin and logout timestamps, audit events generated by the Service, and analytics events such as page views or general interaction data when you consent to analytics.
2.5 Technical Data and Browser StorageIP address, browser type, device information, request/security metadata, and browser-side storage used for authentication continuity, invite continuation, language preference, and dashboard visit hints.
2.6 Alert and Integration ConfigurationEmail addresses; Slack, Microsoft Teams, and generic webhook URLs; browser-push subscription endpoints; and Jira or Linear configuration that you choose to configure. Integration credentials are treated as confidential configuration data and are intentionally excluded from the self-service account-data export.
2.7 Communication DataContent of support requests and correspondence with our team. An in-app support request includes the message, account contact details, the page from which it was sent, and limited request metadata needed to handle the request.

3. How We Use Your Data

We process your personal data for the following purposes:

3.1 Service ProvisionTo create and manage your account, provide access to the CVE monitoring dashboard, and deliver alerts.
3.2 Billing and Contract AdministrationTo manage subscription state, maintain billing or accounting records under our control, administer self-serve and direct contracts, and support payment-related customer service (legal basis: contract performance, legitimate interests, and legal obligations, as applicable).
3.3 Service ImprovementTo understand aggregated usage and improve the Service. Analytics cookies/Google Analytics rely on consent; non-cookie diagnostics and abuse prevention may rely on legitimate interests.
3.4 SecurityTo detect and prevent fraud, abuse, and security incidents (legal basis: legitimate interests and legal obligations).
3.5 Communication and SupportTo send service announcements, security alerts, team invitations, and respond to support requests (legal basis: contract performance or legitimate interests, depending on context). Support is handled on a best-effort basis and is not subject to a commercial SLA unless a separately negotiated written agreement expressly says otherwise; see the Terms.
3.6 Legal ComplianceTo comply with applicable laws, regulations, and legal processes (legal basis: legal obligations).

4. Data Security Measures

We implement technical and organizational measures designed to protect personal data:

4.1 Encryption and Transport SecurityWe use transport security and vendor-provided security controls appropriate to the Service environment.
4.2 Access ControlsStrict role-based access controls limit who can access personal data.
4.3 Password SecurityPassword-based authentication is handled by Cognito. We do not store your password in plain text in our application code or database.
4.4 InfrastructureThe Service is hosted primarily on AWS infrastructure in the EU region used by this deployment.
4.5 MonitoringWe maintain logging, monitoring, and review processes proportionate to the Service.
4.6 Incident ResponseWe maintain incident-response procedures and assess notification obligations under GDPR and other applicable law on a case-by-case basis.

5. Data Sharing, Sub-processors, and International Transfers

We share personal data only with trusted partners necessary to provide the Service:

5.1 AWS (Infrastructure and Service Email)Amazon Web Services hosts our infrastructure. This deployment is configured primarily in the EU (Frankfurt, eu-central-1). AWS also provides Amazon SES for Service email such as configured alerts, reports, invitations, and related service communications. AWS provides these services under its contractual terms and data-processing commitments.
5.2 AWS Cognito (Authentication)Amazon Cognito handles user authentication and identity management for sign-in, session handling, and related account flows.
5.3 Google Analytics (Analytics)Google LLC provides analytics services WITH YOUR CONSENT ONLY (via Cookiebot). We use GA4 for aggregated analytics, with no advertising features intentionally enabled in this site code. Google may process analytics data under Google's applicable terms and international transfer mechanisms.
5.4 Google OAuth (Authentication)If you choose Google sign-in, Google provides authentication services. We receive only: name, email, profile picture. Google's privacy policy applies to their handling of your Google account data.
5.5 Cookiebot (Awarely Site/App Consent)Cybot A/S (Cookiebot) manages cookie and storage consent for Awarely's own site/app operation. Cookiebot stores consent choices and related compliance records according to its service configuration and legal documentation.
5.6 Slack (Support and Customer-Configured Alerts)An in-app support request is sent to an Awarely-configured private Slack destination so it can be handled. If you configure a Slack alert destination, the relevant alert content is also sent to the channel you selected. Do not include passwords, API keys, payment-card data, or unnecessary sensitive data in support requests. Slack's handling of data is subject to its own terms and privacy documentation.
5.7 Customer-Configured External DestinationsYou may configure alert delivery or ticket creation to external destinations, including browser-push subscription endpoints, Microsoft Teams, generic webhooks, Jira, and Linear. Enabling an integration or browser-push delivery instructs us to transmit the relevant configured content to that destination. You are responsible for ensuring that you are authorised to configure the destination and for the privacy, security, and contractual settings of the destination service.
5.8 Customer Processor ArrangementsFor organization customers, Awarely may process customer account, usage, alert, audit, and support data on the customer's behalf in order to provide the Service. Where applicable, those processor-side obligations are governed by the relevant customer contract and any signed DPA.
5.9 Legal RequirementsWe may disclose personal data when required by law, court order, or government request, or where necessary to protect our legal rights.
5.10 Business TransfersWe may disclose relevant data in connection with a merger, acquisition, or sale of assets, with appropriate data protection safeguards and notice to you where required.
5.11 No Sale of DataWe do NOT sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

6. Data Retention

We retain personal data only as long as necessary:

6.1 Account DataRetained while your account is active. After an account deletion request, access is removed and data under our control is reviewed for deletion, anonymization, restriction, or retention where required by law, security, fraud-prevention, or operational needs.
6.2 Billing and Accounting RecordsInvoices stored in Awarely’s invoice storage are configured to expire after 2,557 days (approximately seven years). Other billing and accounting records are retained for the period required by applicable tax, accounting, limitation, and legal-record obligations. A current schedule can be requested from monitor@awarely.ro.
6.3 Service Audit, Activity, and Report RecordsService audit records are configured with a 90-day retention period for Free/Starter-tier records and 365 days for Pro-tier records. Generated report records and report storage are configured for 365 days. Login and logout events have a 12-month retention target. DynamoDB TTL deletion is asynchronous, so physical deletion can occur after the configured expiry time.
6.4 In-App Support MessagesThe in-app history keeps at most 10 support messages and removes messages older than 30 days when the history is normalised. A support request can also create a Service audit record, which follows the applicable audit-retention period. Records held by email or third-party support destinations may have separate retention under their relevant service configuration and legal terms.
6.5 Consent RecordsCookie and analytics consent records are retained for as long as needed to document consent choices and comply with applicable law, subject to the active Cookiebot configuration.
6.6 Backup DataBackup and recovery copies may persist for limited periods before overwrite or deletion according to the operational setup in use at that time.

7. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

7.1 Right of Access (Art. 15)Request a copy of your personal data we process. You can download your data from Settings > Privacy & Data, including account profile, subscription metadata, and billing history metadata we process.
7.2 Right to Rectification (Art. 16)Request correction of inaccurate personal data through your account settings or by contacting us.
7.3 Right to Erasure (Art. 17)Request deletion of your personal data ("right to be forgotten"). Settings > Privacy & Data > Delete Account removes sign-in access and initiates our cleanup workflow for data under our control, subject to lawful retention exceptions.
7.4 Right to Restriction (Art. 18)Request restriction of processing in certain circumstances.
7.5 Right to Portability (Art. 20)Receive your data in a structured, machine-readable format (JSON). Available via Settings > Privacy & Data. Export includes billing metadata under Awarely's control.
7.6 Right to Object (Art. 21)Object to processing based on legitimate interests, including profiling.
7.7 Automated Decision-Making (Art. 22)We do not make decisions based solely on automated processing that significantly affect you.
7.8 Right to Withdraw ConsentWhere processing is based on consent, you may withdraw it at any time through Cookiebot or the relevant consent control we make available.

8. Exercising Your Rights

To exercise your data protection rights:

Self-ServiceSome rights can be exercised directly through Settings > Privacy & Data in your account, including data export and account deletion.
Email RequestSend a request to monitor@awarely.ro with subject line "GDPR Request".
Payment and Billing ScopeFor billing records and payment-related data requests, contact Awarely at monitor@awarely.ro.
B2B Processor ScopeOrganization customers may also contact us regarding processor-side support under a signed DPA where Awarely handles customer service data on the organization's behalf.
VerificationWe may need to verify your identity before processing requests to protect your data.
Response TimeWe aim to respond within one month. Where GDPR permits an extension, we will inform you accordingly.
No FeeExercising your rights is free. We may charge a reasonable fee for manifestly unfounded or excessive requests.
Supervisory AuthorityYou have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.

9. Cookies, Tracking, and Consent Management

We use Cookiebot (by Cybot A/S) to manage cookie consent in compliance with GDPR and ePrivacy Directive:

9.1 Consent-First ApproachNon-essential cookies are NOT set until you provide explicit consent via the Cookiebot consent banner. You can change your preferences at any time by clicking the cookie icon or visiting cookie settings.
9.2 Essential Cookies / Storage (Always Active)Required for authentication, session continuity, invite acceptance continuity, security, and basic operation of the Service. These cannot be disabled if you want to use authenticated parts of the Service. Legal basis under GDPR depends on the relevant processing purpose; storage rules follow the applicable cookie/storage laws.
9.3 Functional Cookies / Storage (Consent Required)Preference storage used to remember items such as language choice and dashboard visit hints is enabled only after the relevant consent category is granted. Legal basis: consent.
9.4 Analytics Cookies (Consent Required)Google Analytics 4 cookies help us understand how you use the Service to improve it. The site code does not intentionally enable Google advertising features. You must consent before analytics resources are loaded. Legal basis: consent.
9.5 No Advertising/Marketing CookiesWe do NOT use advertising, retargeting, or cross-site tracking cookies. We do not participate in advertising networks.
9.6 Cookie / Storage DetailsStorage used on this site may include: Cookiebot consent records, authentication/session-related items, invite-continuation items, and preference/analytics items. Analytics storage is loaded only under the Cookiebot statistics consent category. Specific vendor names, keys, and durations may change over time as the implementation evolves.
9.7 Google Analytics Consent ControlsCookiebot controls whether Google Analytics resources are loaded based on your consent choices. If you decline statistics consent, Google Analytics should not be loaded by the site code.
9.8 Consent RecordsCookiebot stores consent records for compliance purposes. The exact fields and retention depend on Cookiebot configuration and applicable law.

10. International Data Transfers

The Service is configured to use AWS eu-central-1 for primary application processing. Third-party providers and customer-configured destinations can process data under their own service arrangements. Where a transfer outside the EU/EEA is applicable, we will use an applicable Chapter V GDPR transfer mechanism and provide current information on request:

10.1 Primary Application RegionThe repository configuration and deployment documentation identify AWS Frankfurt (eu-central-1) as the primary application region. This does not mean that every provider or customer-configured destination processes data solely in the EU.
10.2 AWSAWS provides infrastructure and authentication services for the Service. Current AWS processing and transfer information is governed by the applicable AWS contractual documentation.
10.3 GoogleGoogle provides optional sign-in and, only with statistics consent, analytics resources. Current Google processing and transfer information is governed by the applicable Google contractual and privacy documentation.
10.4 Cookiebot, Slack, and Customer-Configured DestinationsCookiebot manages consent. Slack receives in-app support requests, and integrations such as Slack, Microsoft Teams, Jira, Linear, or generic webhooks can receive data when configured by you. Their processing locations and transfer mechanisms are governed by their applicable terms and your configuration.
10.5 Current Transfer InformationInternational transfer mechanisms and vendor commitments can change over time. You may contact us if you need the current information relevant to your data.
10.6 Your RightsYou can request information about specific transfer mechanisms used for your data by contacting monitor@awarely.ro.

11. Children's Privacy

Age RequirementThe Service is not intended for children under 16 years of age.
No Knowing CollectionWe do not knowingly collect personal data from children under 16.
Parental NoticeIf you believe a child has provided us with personal data, please contact us immediately and we will delete it.

12. Changes to This Policy

NotificationWe may notify you of material changes via email and/or prominent notice on the Service before they take effect, especially where those changes materially affect how we process personal data.
ReviewWe encourage you to review this policy periodically. The "Last Updated" date indicates when the policy was last revised.
Continued UseWhere the law requires renewed consent or another specific acceptance mechanism, we will rely on that mechanism instead of assuming acceptance from continued use alone.

13. Security Incident Notification

GDPR ComplianceWhere GDPR Article 33 or other applicable law requires it, we will notify the competent supervisory authority within the legally required timeframe.
User NotificationIf a breach is likely to result in high risk to your rights and freedoms, we will notify you directly without undue delay.
Incident DetailsNotifications will include the nature of the breach, likely consequences, and measures taken or proposed.

14. Contact Us

For privacy-related questions, data protection inquiries, or to exercise your GDPR rights:

MUNTEANU C. D. MIHAI PERSOANĂ FIZICĂ AUTORIZATĂ

Trading as: AWARELY

CUI: 53962936 · VIES: RO54197611

București, Sector 1, Bulevardul Bucureștii Noi, Nr. 136, Cod poștal 012366

Data Protection Contact

monitor@awarely.ro

Romania, European Union

Romanian Data Protection Authority (ANSPDCP): www.dataprotection.ro

Organization customers may request our standard DPA for processor-side service data handling where relevant to their use case.

For our complete terms of use, please review our Terms and Conditions.

For refunds and cancellations, please review our Refund Policy.

For organization customer processor terms, please review our Data Processing Agreement.