Legal
Privacy Policy
Effective date: March 10, 2026  ·  Last updated: March 10, 2026

This Privacy Policy explains how Onbit Media SRL collects, uses, and protects your personal data when you use the Onbit Backup service. We are committed to processing your data lawfully, transparently, and only to the extent necessary to provide the Service.

1. Data Controller

The data controller responsible for your personal data is:

Onbit Media SRL
Bd. Oituz, Nr. 13, Onești, Bacău, Romania
CUI: RO37027072
Email: support@onbit.ro

2. Data Protection Officer (DPO)

We have designated a Data Protection Officer who can be contacted for any questions regarding the processing of your personal data or the exercise of your rights under the GDPR:

Email: gdpr@onbit.ro

3. Data We Collect

We collect the following categories of personal data:

Category Data collected Source
Account data Email address, hashed password, account creation date, plan type Provided by you at registration
Site metadata WordPress site URL, domain, WordPress version, a non-reversible site identifier (fingerprint) Automatically collected by the Plugin
Backup content Encrypted ZIP archives containing your WordPress files and database export. This may include personal data of your website's users. Generated by the Plugin from your WordPress installation
Payment data Stripe customer ID, subscription ID, plan. Payment card details are processed exclusively by Stripe and are never transmitted to or stored by Onbit. Stripe payment processor
Technical / log data API request timestamps, IP address (in server access logs), HTTP method, endpoint accessed, HTTP status code Automatically collected by the server
Communication data Emails exchanged with support Provided by you

We do not collect data about your end-users beyond what is contained in your backup files. We do not use cookies for tracking or advertising on the main website.

4. Purposes and Legal Bases for Processing

Purpose Legal basis (GDPR Art. 6)
Providing the backup and restore service Art. 6(1)(b) — performance of a contract
Account management and authentication Art. 6(1)(b) — performance of a contract
Processing payments via Stripe Art. 6(1)(b) — performance of a contract
Sending transactional emails (backup notifications, restore alerts, password reset) Art. 6(1)(b) — performance of a contract
Security, fraud prevention, and abuse detection Art. 6(1)(f) — legitimate interests
Compliance with legal obligations (tax, accounting) Art. 6(1)(c) — legal obligation
GDPR consent and record-keeping Art. 6(1)(c) — legal obligation

5. Data Retention

We retain your personal data only for as long as necessary:

  • Account data: retained for the duration of your account. Upon account deletion (via the Client Portal or by request), account data is deleted immediately from our production systems.
  • Backup files: deleted immediately from our production storage when you delete a backup or close your account. However, copies may persist in our infrastructure-level backup systems (Proxmox Backup Server) for up to 30 days, after which they are permanently and irreversibly deleted.
  • Server access logs: retained for up to 90 days for security and operational purposes, then automatically deleted.
  • Payment records: retained as required by Romanian and EU tax law (typically 10 years).
  • Support communications: retained for up to 3 years from the last interaction.

6. Third-Party Processors

We share personal data with the following third-party processors, under contractual data processing agreements where required:

Processor Purpose Country
Stripe, Inc. Payment processing and subscription management USA (EU Standard Contractual Clauses apply)
Mail server (mail.onbit.ro) Transactional email delivery Romania (EU)

We do not sell, rent, or otherwise commercially share your personal data with any third parties for marketing purposes.

7. International Data Transfers

Onbit Backup is available worldwide. Our servers and data storage infrastructure are located in the European Union (Romania). If you access the Service from outside the EU/EEA, your data is still processed and stored within the EU.

Transfers to Stripe (USA) are conducted under the EU Standard Contractual Clauses (SCCs) as provided by Stripe's Data Processing Agreement.

8. Backup Content and Your Users' Data

Your WordPress backup files may contain personal data belonging to your website's users (e.g. names, email addresses stored in the WordPress database). In this context:

  • You act as the data controller for your users' data;
  • Onbit Media SRL acts as a data processor on your behalf with respect to that data;
  • You are responsible for ensuring you have a lawful basis to transfer your users' data to us via the backup;
  • You are responsible for informing your users about the use of backup services in your own privacy policy.

We access backup content only when technically necessary to operate the Service (e.g. storage and retrieval). We do not analyse, mine, or otherwise process the contents of your backups.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encrypted communications (HTTPS/TLS) for all data in transit;
  • Access controls and authentication (HMAC signatures, bcrypt-hashed passwords);
  • Server-level firewall and intrusion detection (UFW, Fail2ban);
  • Regular infrastructure-level backups of the server environment.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Cookies

The Onbit Backup website (backup.onbit.ro) does not use tracking, analytics, or advertising cookies. The only cookie set is a session cookie used exclusively for authentication on the Client Portal, which is deleted when you log out or close your browser session.

The WordPress plugin does not set any cookies on your visitors' browsers.

11. Your Rights Under GDPR

If you are located in the European Economic Area (or in another jurisdiction that grants equivalent rights), you have the following rights regarding your personal data:

  • Right of access — you may request a copy of the personal data we hold about you;
  • Right to rectification — you may request correction of inaccurate or incomplete data;
  • Right to erasure ("right to be forgotten") — you may request deletion of your data. You can exercise this directly by deleting your account from the Client Portal;
  • Right to restriction of processing — you may request that we limit how we use your data in certain circumstances;
  • Right to data portability — you may request a copy of your data in a structured, machine-readable format;
  • Right to object — you may object to processing based on legitimate interests;
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our DPO at gdpr@onbit.ro. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP) at dataprotection.ro, or with the supervisory authority of your country of residence.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at backup.onbit.ro/privacy.html.

13. Contact

For general privacy questions: support@onbit.ro

For GDPR requests and DPO contact: gdpr@onbit.ro

Onbit Media SRL
Bd. Oituz, Nr. 13, Onești, Bacău, Romania
CUI: RO37027072