Legal

Privacy policy

This policy describes how ASE Consultings S.R.L. collects, uses, and protects personal data across our water, energy, and automation services — and the rights you have under the EU GDPR, UK GDPR, Nigeria Data Protection Act 2023, and Ghana Data Protection Act 2012. Last updated 14 May 2026.

Data controller

The data controller responsible for personal data processed under this policy is:

ASE Consultings S.R.L.
Str. Grigore Ionescu, Nr. 63, Bl. T73, Sc. 2, Et. 4, Ap. 42, Camera 1
Sector 2, București, România
Fiscal Registration Code (C.I.F.): RO51782920

Email: info@aseconsultings.com
Telephone: +44 7403 055183
Web: www.aseconsultings.com

For privacy enquiries, write to info@aseconsultings.com with the subject “Privacy request”. We will respond within one month, with one further extension of up to two months where the request is complex, as permitted by EU GDPR Article 12(3).

Scope of this policy

This policy applies to personal data we collect when you:

visit aseconsultings.com or any subdomain we operate;
submit an enquiry, intake form, residential system selector, capability deck request, newsletter sign-up, or any other form on the site;
exchange email, WhatsApp messages, calls, or documents with our delivery teams in connection with a project or proposal;
are named in project documentation supplied to us by a client where ASE Consultings acts as a processor (in which case our Data Processing Addendum also applies).

Service contracts may set additional, project-specific terms. Where a project agreement is signed, those terms prevail over this policy for that engagement.

Legal frameworks we comply with

We process personal data in accordance with the following frameworks, whichever applies to you:

EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. As a Romanian-incorporated entity, our lead supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP) of Romania.
UK GDPR & Data Protection Act 2018: The Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR), where you are a UK data subject. The supervisory authority is the Information Commissioner's Office (ICO).
Nigeria Data Protection Act 2023 (and NDPR): The Nigeria Data Protection Act 2023 (which supersedes the Nigeria Data Protection Regulation, NDPR 2019), where you are a Nigerian data subject or your data is processed in Nigeria. The supervisory authority is the Nigeria Data Protection Commission (NDPC).
Ghana Data Protection Act 2012: The Data Protection Act, 2012 (Act 843), where you are a Ghanaian data subject. The supervisory authority is the Data Protection Commission of Ghana (DPC).

Categories of personal data we collect

We collect only what is needed for the purposes set out below.

Identity & contact: Name, role or title, organisation, email, telephone or WhatsApp number, and country or city. Collected when you submit a form, request a capability deck, sign up to the newsletter, or correspond with us directly.
Project & site information: Location of the site, system descriptions, technical readings (water analyses, tariff or load profiles, instrumentation data), photographs of the site where you supply them, and any project-specific requirements you share. Where you supply a client's data to us under a project, that data is held under our Data Processing Addendum.
Communication content: Email and WhatsApp message bodies, attached documents, call notes, and meeting notes — including the content you choose to share with us during the engagement lifecycle.
Technical & usage data: When analytics is enabled, we collect IP address, device type, browser, referring page, pages viewed, and timestamps. We use this to understand which pages support the practice and to fix performance issues.
Cookies: Strictly necessary cookies for site operation (session, security, language). If you have not opted out, we also set analytics cookies. See Cookies & analytics below.
Newsletter & preferences: Email address, sign-up timestamp, source page, and unsubscribe events. Held only for as long as you are subscribed.

Special category data: we do not seek to collect special category data (e.g. health, religious belief, biometric data). If you choose to disclose health-related information (for example, in a residential water context where a health condition is relevant to the system specification), we will process it only on the basis of your explicit consent under EU GDPR Article 9(2)(a), and delete it once the purpose is fulfilled.

Purposes and lawful bases

We process personal data for the following purposes, each justified by a lawful basis under EU/UK GDPR Article 6 (and corresponding provisions in the Nigerian and Ghanaian frameworks):

Purpose	Lawful basis
Responding to an enquiry, proposal, or intake — including providing scope briefs, capability materials, and quotations.	Steps to enter a contract at your request — Article 6(1)(b).
Delivering an engaged project — surveys, lab analyses, design, installation, commissioning, handover, and on-call support.	Performance of a contract — Article 6(1)(b); for client-supplied personal data, controller‑to‑processor terms under Article 28 (see DPA).
Maintaining audit-ready operational and compliance records (project files, handover documentation, regulatory filings).	Legal obligation — Article 6(1)(c); legitimate interests in operating an auditable, defensible delivery practice — Article 6(1)(f).
Sending you service updates, newsletter, capability memoranda, and other direct communications about our practice.	Consent — Article 6(1)(a) — for the newsletter; legitimate interests with a clear opt-out for transactional and existing-client updates — Article 6(1)(f).
Site performance, security, fraud prevention, and abuse detection.	Legitimate interests — Article 6(1)(f).
Complying with our legal, tax, accounting, and regulatory obligations.	Legal obligation — Article 6(1)(c).

Sub-processors

We engage a small number of trusted third parties to deliver this site and our services. We disclose them by category here; the named-vendor list is maintained internally and is available on request to clients with a signed engagement or NDA.

Hosting and infrastructure providers: Run the website, the content management system, and our internal delivery tooling. Production infrastructure is located in the European Union.
Email delivery providers: Deliver transactional and direct email — for example, intake confirmations, newsletter sends, and document deliveries.
Web analytics providers: Provide aggregated traffic analytics. Only enabled when analytics consent applies, or where pseudonymous measurement is permitted under our lawful basis. We retain analytics data for fourteen (14) months.
Contact channel providers: Where you contact us via WhatsApp, your message content is processed by the operator of that platform under their own terms.
Document, laboratory, and field-services partners: Independent contractors and laboratories engaged to deliver elements of a project — for example, accredited water-analysis labs, installation crews, and equipment suppliers. They process data only as needed to perform the engagement.
Professional advisors: Auditors, accountants, insurers, and legal counsel where required to comply with our own legal obligations.

Each sub-processor is bound by a written agreement that requires them to process personal data only on our instructions, maintain confidentiality and appropriate security measures, and return or delete personal data on termination — in line with the requirements of EU GDPR Article 28.

International transfers

Our practice operates across the European Union and West Africa. Personal data may be transferred between these regions where needed to deliver a project or to operate the website.

Within the EEA and the UK: transfers are governed by EU GDPR and UK GDPR. No additional transfer mechanism is required.
From the EEA / UK to Nigeria and Ghana:where personal data of EEA or UK subjects is transferred to our delivery teams or sub-processors in Nigeria or Ghana, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) or the UK's International Data Transfer Agreement, together with case-specific supplementary measures where required.
From Nigeria or Ghana to the EU: these transfers are made under the contracts and consents that govern the underlying engagement, and in compliance with the Nigeria Data Protection Act 2023 and the Ghana Data Protection Act 2012 respectively.
To other jurisdictions: we will not transfer personal data to jurisdictions outside the EEA, the UK, Nigeria, or Ghana without first putting in place an adequate transfer mechanism and informing you.

A copy of the relevant transfer safeguards can be requested by writing to info@aseconsultings.com.

How long we keep personal data

We hold personal data only for as long as needed to fulfil the purpose for which it was collected, to comply with our legal obligations, or to resolve disputes and enforce agreements. Our standard retention schedule is:

Data category	Retention period
Website enquiry and intake form submissions	24 months from the last contact, unless an engagement is signed.
Capability deck and document-request records	24 months from the request date.
Newsletter subscriber records	Until you unsubscribe, plus 12 months of opt-out logs (so we can prove the opt-out was actioned).
Project delivery records (designs, surveys, handover documentation)	7 years from project completion — aligned with audit, regulatory, and professional indemnity requirements.
Laboratory analyses and instrumentation reports	10 years from the analysis date, where the data is required for compliance evidence (water quality, GMP-aligned environments, etc.).
Email and communication records	For the lifetime of the relationship, plus the period required by tax, accounting, and contractual record-keeping obligations.
Web analytics data	14 months (Google Analytics 4 default retention).
Server access logs	30 days for security and abuse detection; longer where actively investigating an incident.

At the end of the applicable period, we either delete the data or anonymise it so that it can no longer be associated with you.

Security

We apply technical and organisational measures appropriate to the risk, including:

encryption of data in transit (TLS 1.2 or higher);
role-based access controls and least-privilege provisioning;
logged administrative access and periodic access reviews;
regular backups, with restore tests;
vulnerability monitoring and dependency updates;
an incident response procedure that includes notifying the relevant supervisory authority within 72 hours under EU GDPR Article 33, and affected individuals without undue delay under Article 34 where there is a high risk to their rights;
vendor due diligence and written agreements for every sub-processor named above.

No system can be guaranteed entirely secure. If you have reason to believe an incident has occurred, please write to info@aseconsultings.com with as much detail as you can share.

Cookies & analytics

We use a small number of cookies, grouped into two categories:

Strictly necessary: Required for the site to function — session management, security, and CSRF protection. These cannot be disabled.
Analytics: If you have not opted out, we use Google Analytics 4 to understand which pages are useful and where performance can be improved. GA4 anonymises IP addresses by default and we retain the data for 14 months.

You can disable analytics at any time using your browser's “Do Not Track” or privacy controls, or by writing to info@aseconsultings.com.

Your rights

You have the following rights in respect of your personal data:

Access — confirmation that we hold your data and, where we do, a copy of it (EU/UK GDPR Art. 15).
Rectification — correction of inaccurate or incomplete data (Art. 16).
Erasure — deletion of your data where the legal grounds set out in Art. 17 apply.
Restriction — limit further processing in defined circumstances (Art. 18).
Portability — receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20).
Objection — object to processing carried out under legitimate interests, including for direct marketing (Art. 21).
Withdraw consent — at any time, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3)).
Not be subject to automated decisions — we do not make decisions that produce legal or similarly significant effects solely by automated means (Art. 22).

Data subjects in Nigeria and Ghana have equivalent rights under the Nigeria Data Protection Act 2023 and the Ghana Data Protection Act 2012 respectively. We will honour the strongest applicable protection.

To exercise any of these rights, please email info@aseconsultings.com. There is no charge for a routine request; we may charge a reasonable fee or decline manifestly unfounded or repetitive requests, in line with EU GDPR Article 12(5).

If you are not satisfied with our response, you may lodge a complaint with your supervisory authority:

Romania — National Supervisory Authority for Personal Data Processing (ANSPDCP): dataprotection.ro.
United Kingdom — Information Commissioner's Office (ICO): ico.org.uk.
Nigeria — Nigeria Data Protection Commission (NDPC): ndpc.gov.ng.
Ghana — Data Protection Commission (DPC): dataprotection.org.gh.

Children

Our services are directed at adult professionals, principals, and household decision-makers. We do not knowingly collect personal data from children under 16 (or the local age of digital consent, where higher). If you believe a child has provided personal data to us, write to info@aseconsultings.com and we will delete it promptly.

Changes to this policy

We may update this policy from time to time to reflect changes to our practice, our sub-processors, or the regulatory environment. The current version is always available at this URL, and material changes are notified to clients and newsletter subscribers by email.

Last updated: 14 May 2026