1. Introduction
Amaze Media & Production S.R.L. and Amaze Podspace S.R.L. (hereinafter referred to as "Amaze Studio", "we", or "our") respect the privacy of your personal data. This privacy policy explains how we collect, use, and protect your information when you use our platform accessible at clients.a-maze.ro.
2. Account Types and Data Collected
The platform offers two types of accounts, each with different features and data collected:
2.1 Client Account (with contract)
Client accounts are created by Amaze Studio administrators after signing a service contract. Clients have full access to the portal, including:
- View and track podcast productions
- View and download invoices
- Online payment of invoices via NETOPIA
- Manage studio recording session bookings
- Access to documents and contracts
- YouTube statistics for delivered productions
- Access to community and educational resources
2.2 Content Creator Account (free, no contract)
Content Creator accounts can be created through public registration, without signing a contract. These accounts offer limited access to:
- Connect YouTube channel for performance monitoring
- View video statistics (views, likes, comments)
- Access to public educational resources
- Demo productions to explore the platform
Note: Content Creator accounts do NOT have access to: invoices, studio bookings, documents/contracts, or full client portal features.
3. Data Collected
We collect the following types of personal data:
3.1 Identification Information
- Full name
- Email address
- Phone number (Clients only)
- Profile photo (if using Google OAuth)
3.2 Company Information (Clients only)
- Company name
- Tax identification number (VAT/CUI)
- Trade register number
- Registered address
- Banking details for invoicing
3.3 Authentication Data
- Email address for authentication
- Google OAuth connection data (if used)
- Session and password reset tokens
- Date and time of last login
3.4 Usage and Activity Data
- Access logs and platform actions
- Usage preferences and settings
- Booking and interaction history (Clients only)
3.5 Payment Data (Clients only)
- Invoiced and paid amounts
- Transaction history
- NETOPIA transaction IDs (card data is processed directly by NETOPIA and not stored by us)
3.6 Public Form Data
- Information submitted through platform forms
- IP address and device user agent
- Date and time of form submission
3.7 YouTube and Social Media Data
For both account types that connect a YouTube channel:
- Connected YouTube channel ID
- YouTube API access tokens
- Video statistics (views, likes, comments) - temporarily cached
- Channel information (name, image, subscriber count)
4. Purpose of Processing
We use your data for:
- Providing podcast production services and client relationship management
- Managing bookings and recording schedules (Clients only)
- Issuing, tracking, and collecting invoices (Clients only)
- Processing online payments (Clients only)
- Communication regarding projects and our services (email and SMS)
- Generating and electronically signing documents (Clients only)
- Displaying production performance statistics (via YouTube API)
- Improving services and user experience
5. Legal Basis
We process your data based on:
- Performance of the contract concluded with you for providing services (for Clients)
- Legal obligations (invoicing, accounting, tax reporting)
- Legitimate interest to improve services and prevent fraud
- Your consent for connecting a YouTube account, registering a Content Creator account, and receiving marketing communications
6. Sharing Data with Third Parties
Your data may be shared with the following third parties, strictly for the purposes mentioned:
6.1 Booking and Calendar Services (Clients only)
- Cal.com — for booking management (name, email, phone, booking date and time)
6.2 Invoicing Services (Clients only)
- SmartBill — for invoicing and receipts (company data, amounts, products/services)
6.3 Payment Services (Clients only)
- NETOPIA Payments — for payment processing (amount, currency, description, IP for 3D Secure verification). Card data is processed exclusively by NETOPIA.
6.4 Authentication and Analytics Services
- Google — for authentication (Google OAuth) and document storage (Google Drive - Clients only)
- YouTube Data API — for displaying video statistics (requires explicit consent for connection) - for both account types
6.5 Communication Services
- Brevo — for email and SMS communications (email address, phone number, message content)
6.6 Document Services (Clients only)
- DocuSeal — for electronic document signing (name, email, signer IP)
- Carbone — for document generation (data included in contracts and documents)
6.7 Project Management Services (Clients only)
- ClickUp — for production workflow synchronization (project name, status, deadlines)
6.8 Verification Services
- OpenAPI.ro — for verifying Romanian company data (VAT/CUI for auto-fill)
- BNR — for official exchange rates (no personal data)
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Data encryption in transit — all connections use HTTPS/TLS
- API key encryption — third-party access keys are encrypted with AES-256-GCM
- Password hashing — passwords are stored using bcrypt (irreversible)
- Role-based access control — different access levels (Admin, Client, Content Creator)
- Regular backups — daily database backups
- Monitoring and logging — activity logs and audit trails
- Session expiration — authentication sessions expire after 24 hours
8. Your Rights
Under GDPR, you have the following rights:
- Right of access — to request a copy of your data
- Right to rectification — to correct inaccurate data
- Right to erasure — to request deletion of data (except those required for legal obligations)
- Right to restriction — to limit data processing
- Right to portability — to receive data in a structured format (JSON or CSV)
- Right to object — to oppose data processing in certain cases
- Right to withdraw consent — you can disconnect your YouTube account or delete your Content Creator account at any time
9. Retention Period
We retain your data according to the following rules:
- Contractual data (Clients): for the duration of the contractual relationship + legal prescription period
- Tax documents: minimum 10 years according to Romanian law
- Inactive Content Creator accounts: 12 months of inactivity, then notification and deletion
- Activity logs: up to 14 days (system logs) or indefinitely (audit trails)
- YouTube data: 24-hour cache; tokens until disconnection
9.1 Logging and Monitoring
For security, debugging, and service improvement, the Platform automatically logs various types of data. Sensitive data is automatically sanitized.
Server location: All data and logs are stored on servers located in Germany, within the European Economic Area (EEA), ensuring GDPR compliance.
10. Cookies and Sessions
The Platform uses only essential cookies for maintaining authentication (JWT with 24-hour expiration).
We do not use: marketing cookies, Google Analytics, or third-party profiling cookies.
11. International Transfers
Some third-party services may process data outside the EEA. In such cases, we ensure appropriate safeguards are in place (standard contractual clauses or European Commission adequacy decisions).
12. Changes
We reserve the right to update this policy. We will notify you of significant changes via email or through the platform.
13. Contact
For any questions regarding your personal data:
14. Supervisory Authority
If you believe that the processing of your data violates current legislation, you have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP):