Document 03

Privacy Policy

Effective: April 26, 2026 Version: 1.0
This Privacy Policy describes data we collect from visitors to veklom.com. It does not describe data flowing through Your self-hosted Veklom deployment — that data never reaches Veklom and is governed by Your privacy program, not ours.

§ 1The principle

We collect the minimum data necessary to operate this website and respond to commercial inquiries. We do not sell, rent, or share Your personal data with third parties for marketing purposes. We do not use third-party advertising trackers. We do not use behavioral fingerprinting. We do not set cookies for analytics or tracking.

§ 2What we collect from website visitors

CategorySourcePurposeRetention
IP address (anonymized)Cloudflare network logsSecurity, abuse mitigation30 days
Page-view countsCloudflare Web Analytics (privacy-respecting, no cookies)Aggregate traffic understanding6 months
Referring URLHTTP referrer header (when present)Understanding inbound channels6 months
User-agent stringHTTP headerCompatibility, abuse mitigation30 days
Email address & correspondenceYou, when You email usResponding to Your inquiry, sales records7 years (tax/contract retention)

§ 3What we do not collect

  • We do not use third-party advertising networks (no Google Ads, Facebook Pixel, LinkedIn Insight Tag, etc.);
  • We do not use cookies for tracking or analytics. The Cloudflare Web Analytics beacon is cookie-less by design;
  • We do not use heat-mapping, session-replay, or behavioral-fingerprinting tools;
  • We do not collect biometric data, location data beyond country-level inferred from IP for traffic analytics, or payment-card data on this site (payment processing happens at Stripe under their privacy policy);
  • We do not collect data from visitors under the age of 16, and the website is not directed at children.

§ 4Data flowing through Your Veklom deployment

Veklom is self-hosted. Customer data passing through Your deployment is processed inside Your environment. Veklom does not receive, store, transmit, or have access to such data. For purposes of GDPR, You are the Controller; for purposes of HIPAA, You are the Covered Entity; for PCI-DSS, You are the Data Owner. Veklom is not a Processor or Business Associate for self-hosted deployments.

This is the structural design of the product. Our privacy posture for the website is described in this document; Your privacy posture for Your deployment is described in Your own privacy program.

§ 5Legal bases for processing (GDPR Art. 6)

Where GDPR applies:

  • Article 6(1)(b) — Performance of a contract: Processing email correspondence to respond to Your commercial inquiry;
  • Article 6(1)(f) — Legitimate interests: Server logs, abuse mitigation, aggregate analytics. Our legitimate interest is operating a secure, performant website. The data is minimal and unauthenticated, and Your privacy interests are not overridden;
  • Article 6(1)(c) — Legal obligation: Retention of correspondence for tax and contract recordkeeping.

§ 6Your rights

Depending on Your jurisdiction (GDPR, CCPA/CPRA, LGPD, PIPEDA, etc.), You have rights including:

  • Access: Request a copy of the personal data we hold about You;
  • Rectification: Correct inaccurate data;
  • Erasure: Request deletion (subject to retention obligations under tax and contract law);
  • Restriction: Limit how we process Your data;
  • Portability: Receive Your data in a structured, machine-readable format;
  • Objection: Object to processing based on legitimate interests;
  • Non-discrimination: Exercise rights without retaliation;
  • Lodge a complaint with Your national data-protection authority.

To exercise these rights, email [email protected]. We respond within 30 days.

§ 7International transfers

Cloudflare's global network may route Your traffic through data centers in jurisdictions other than Your own for performance and security purposes. This is a transit-only routing — content is not stored at intermediate locations. Cloudflare is certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. Standard Contractual Clauses are available on request.

§ 8Security

The website is served over HTTPS with HSTS preload. Strong Content Security Policy and other security headers are enforced. Account systems are not exposed to the public website. We use defense-in-depth practices to protect operational systems.

If You believe You have discovered a security vulnerability, please email [email protected]. We follow coordinated disclosure and aim to acknowledge within 2 business days.

§ 9Changes to this Policy

We may update this Privacy Policy. The "Effective" date at the top reflects the most recent version. Material changes are announced on the Site for at least 30 days before they take effect.

§ 10Contact

Privacy inquiries: [email protected]

Security disclosures: [email protected]

General legal: [email protected]