V
Vihren Labs

/privacy

Privacy Policy

Last updated: 2026-06-05

Vihren Labs is operated by Vihren Labs EOOD, a Bulgarian limited liability company based in Sofia, Bulgaria, run by Petko Petkov. Vihren Labs EOOD is the data controller for any personal information collected through vihrenlabs.com under the EU General Data Protection Regulation (GDPR, Regulation 2016/679).

This page explains, in plain English: what personal information I collect, the legal basis I rely on, who I share it with, how long I keep it, and the rights you can exercise under the GDPR.

1. Who I am

Vihren Labs EOOD, a Bulgarian limited liability company run by Petko Petkov, Sofia, Bulgaria. Contact: hello@vihrenlabs.com. I read and answer every message personally; I do not use shared inboxes or third-party support platforms for personal data.

Because Vihren Labs operates as a solo business below GDPR Article 37 thresholds, I have not appointed a formal Data Protection Officer. I act as the privacy contact directly for any request under this policy.

2. What I collect, why, and the legal basis

  • Newsletter signups (email address only). Stored in my newsletter provider (Beehiiv; or Resend Audiences as a fallback during setup). Used to send the operator-brand newsletter and occasional product announcements you opted in to. Legal basis: consent (GDPR Article 6(1)(a)) — you provided your email and clicked subscribe. You can unsubscribe with one click from any email I send (Article 7(3) revocation).
  • Direct emails to me. When you email hello@vihrenlabs.com, I keep your message and email address to reply and to maintain a support history. I do not add you to the newsletter from this unless you explicitly ask. Legal basis: legitimate interest (Article 6(1)(f)) — replying to a message you sent me. Balancing test on file and available on request.
  • Basic, aggregate analytics. My hosting provider (Vercel) records aggregate, IP-anonymised pageview counts to keep the site operating. I do not run Google Analytics, Meta Pixel, TikTok Pixel, or other third-party behavioural trackers. If Pinterest claims this site, Pinterest may record referral click-through events to its own platform per Pinterest's own privacy terms. Legal basis: legitimate interest (Article 6(1)(f)) — operating a stable website.
  • Sales transactions (Etsy, Gumroad). When you buy a product through a shop link on this site, the storefront (Etsy or Gumroad) processes the transaction. They are the data controller for that purchase; I receive only the information they share with me as the seller (typically your name, order details, and a messaging address for delivery — never your full payment data). Legal basis: contract (Article 6(1)(b)) — fulfilling the sale you initiated.

3. Sub-processors and third parties

I rely on a small number of trusted services to operate the site. Each acts as a processor under Article 28 of the GDPR with appropriate Data Processing Agreements in place. I will publish material changes to this list at least 30 days before they take effect.

  • Beehiiv (newsletter delivery) — your email address only. Region: United States; international transfer protected under EU Standard Contractual Clauses. Beehiiv privacy policy.
  • Resend (transactional email + audience storage, fallback during setup) — your email address only. Region: United States; SCCs in place. Resend privacy policy.
  • Vercel (hosting + minimal aggregate analytics). Region: United States; SCCs in place. Vercel privacy policy.
  • Cloudflare (DNS, email routing for hello@vihrenlabs.com, edge caching). Region: global edge; SCCs in place. Cloudflare privacy policy.
  • Pinterest (when this site is claimed by my Pinterest business account, Pinterest tracks referral traffic). Pinterest privacy policy.
  • Gumroad (when you buy a product through a shop link, Gumroad is the data controller for that transaction; I receive seller-side order data only). Gumroad privacy policy.
  • Etsy (when you buy a product through an Etsy shop link, Etsy is the data controller for that transaction; I receive seller-side order data only). Etsy privacy policy.

I do not sell, rent, or trade personal data. I do not use it to build advertising profiles. I do not use customer data to train AI models, my own or third-party.

4. International transfers

Some of my sub-processors are located in the United States (Beehiiv, Resend, Vercel). Where personal data is transferred outside the European Economic Area, the transfer is protected by the 2021 EU Standard Contractual Clauses (Commission Decision C(2021)3969) and, where applicable, the EU–U.S. Data Privacy Framework. Copies of the relevant clauses are available on request.

5. How long I keep things

  • Newsletter email addresses: until you unsubscribe, then deleted within 30 days.
  • Direct emails to me: as long as needed to handle the conversation, plus 12 months of support history. Older threads are deleted unless you have an active subscription or open issue.
  • Analytics: aggregated only; no per-visitor record is retained beyond 30 days.
  • Sales records: 7 years for tax and accounting compliance (Bulgarian Accountancy Act and EU VAT requirements).

6. Your GDPR rights

Under the EU General Data Protection Regulation, you can ask me to:

  • Confirm whether I hold data about you, and give you a copy (Article 15).
  • Correct anything inaccurate (Article 16).
  • Delete your data (Article 17). The "unsubscribe" link in every newsletter does this for the email list.
  • Restrict or object to processing (Articles 18 and 21).
  • Receive your data in a portable format — typically a CSV or JSON export (Article 20).
  • Withdraw consent at any time for consent-based processing (Article 7(3)).

Email hello@vihrenlabs.com for any of the above. I will respond within 30 days; complex requests may take up to 60 days with a status update at the 30-day mark, as permitted by Article 12(3). There is no charge for the first request in any 12-month period.

You can also lodge a complaint with the Bulgarian data-protection regulator (Commission for Personal Data Protection), or with the supervisory authority in your country of residence, if you are not satisfied with how I have handled a request (Article 77).

7. Automated decision-making and profiling

I do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Article 22). The newsletter is not segmented or targeted based on behavioural profiles; everyone on the list receives the same issues.

8. Cookies

This site sets no marketing or analytics cookies of its own. Embedded third-party services (the Beehiiv signup form, Pinterest pin embeds if added later) may set cookies governed by their own privacy policies linked above. There is no behavioural advertising on vihrenlabs.com.

9. Data breach notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will notify the Bulgarian Commission for Personal Data Protection within 72 hours of becoming aware of the breach, in line with Article 33. Where the breach is likely to result in a high risk to you, I will notify you directly without undue delay (Article 34), via the email address on file.

10. Children

vihrenlabs.com is not directed at children under 16. I do not knowingly collect data from anyone in that age group. If you believe a minor has provided personal information through the site, email me at hello@vihrenlabs.com and I will delete it.

11. Changes to this policy

I may update this page when I add new sub-processors or change how I use data. Material changes will be announced in the newsletter and reflected in the "Last updated" date at the top of this page. Non-material wording fixes will be updated silently.

This policy is plain-English and intentionally short for a solo-operator business. If a clause needs more detail for an enterprise legal review (Data Processing Agreement, sub-processor register, ROPA, DPIA, breach-notification SOP, etc.), email me at hello@vihrenlabs.com and I will respond in writing within 5 business days.