Privacy Policy
Effective date: 21 June 2026
This Privacy Policy explains how Ghiu Alexandru-Nicolae Persoană Fizică Autorizată ("Onwardz", "we", "us", or "our") collects, uses, and protects information about you when you use the Onwardz platform.
Onwardz is a developer API platform. This policy applies to developers and businesses who create an account on Onwardz. It does not directly govern the end users of applications built using our SDK — those users' data is controlled by our customers under their own privacy policies. Where we process end users' personal data on a customer's behalf, we act as a processor under the customer's instructions; a Data Processing Agreement is available to customers on request at hello@onwardz.com.
1. Data Controller
The data controller for personal data processed under this policy is:
Ghiu Alexandru-Nicolae Persoană Fizică Autorizată
Romania
hello@onwardz.com
2. Information We Collect
We collect the following information when you use Onwardz:
- Email address — used to create and authenticate your account via one-time login codes
- Payment information — billing is processed by Stripe. We do not store card details; Stripe holds payment data under their own privacy policy
- API usage data — room IDs, participant-minutes consumed, and timestamps, used for billing and usage reporting
- IP address — processed transiently for rate-limiting, abuse prevention, and network connectivity (TURN/NAT traversal), and recorded in operational logs (legal basis: our legitimate interest in securing the Service)
- Feedback — if you submit feedback through the dashboard or our applications, we store the rating and any comment you provide
We do not collect names, phone numbers, or physical addresses unless you provide them voluntarily when contacting us. We do not use third-party analytics tools.
Call content: Onwardz does not have access to the content of video calls or chat messages. Once peers connect, media and chat flow directly between participants; when a direct connection is not possible, they are relayed through a TURN server for connectivity. In either case the media is end-to-end encrypted (WebRTC/DTLS) and we cannot access its content.
3. Legal Basis for Processing (GDPR)
As a Romanian entity, we process personal data under the General Data Protection Regulation (GDPR). Our legal bases are:
- Contract performance — processing your email and usage data is necessary to provide the Service and manage your account
- Legal obligation — retaining financial records as required by Romanian accounting law
- Legitimate interests — detecting and preventing abuse of the platform
4. How We Use Your Information
- Authenticate you via passwordless email sign-in
- Provide and maintain your account and API access
- Calculate and report your usage for billing purposes
- Process subscription payments through Stripe
- Respond to support requests and feedback
- Detect and prevent misuse of the platform
5. Data Sharing
We do not sell your personal data. We share data only with the following third-party service providers, and only to the extent necessary to operate the Service:
- Stripe — payment processing. Stripe is the data controller for payment information. See Stripe's Privacy Policy
- Amazon Web Services (SES) — sends one-time login codes to your email address
- Hetzner — hosting and encrypted database backups for the Service
- BetterStack — operational logging and uptime monitoring
- Grafana Cloud — aggregate performance metrics (no message content; not used for marketing analytics)
We may also disclose your information if required to do so by law or in response to a valid legal request from a competent authority.
6. Data Retention
We retain your personal data for as long as your account is active. Upon account deletion:
- Personal data (email address, API keys, usage records) is permanently deleted within 30 days
- Financial records (invoices, transaction history) are retained for 5 years as required by Romanian accounting law (Legea nr. 82/1991)
7. Your Rights
Under GDPR you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your account and personal data
- Restriction — request that we restrict processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at hello@onwardz.com. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian data protection authority (ANSPDCP) at dataprotection.ro.
8. Cookies & Local Storage
We do not use tracking cookies or third-party analytics. To understand traffic to our marketing and documentation pages we run our own cookieless, privacy-friendly analytics (Umami), self-hosted on our own infrastructure — it counts page views and referrers in aggregate, sets no cookies, does not track you across sites, and collects no personal data.
The dashboard stores your session token in sessionStorage (cleared when you close your browser tab) to keep you signed in during your session.
9. Security
We take reasonable technical and organisational measures to protect your data, including:
- All data transmitted over HTTPS (TLS)
- API keys and session tokens stored as cryptographic hashes — plaintext values are never retained
- One-time login codes expire after 15 minutes and cannot be reused
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or requests, contact us at hello@onwardz.com.