// Legal · Privacy

Privacy Policy

// Effective 2026-05-05 · v1.0 · GDPR-compliant

We're a small studio and we don't want your data either. This page tells you exactly what we collect, why, and how to make us delete it. It's written to comply with the EU General Data Protection Regulation (GDPR) and Lithuanian data protection law.

Data controller

Piruz Afruz, MB (data controller)
Registration code: 306655229
Laisvės pr. 60, LT-05120 Vilnius, Lithuania
Privacy contact: privacy@piruzlabs.com

What we collect

Data	Lawful basis	Why we need it	How long
Email address	Contract performance (Art. 6(1)(b) GDPR)	Send your licence; reset access	Until account deletion
Name (optional)	Contract performance	Personalise emails & receipts	Until account deletion
Stripe payment ID	Legal obligation (tax law)	Reconcile refunds; tax records	10 years (Lithuanian tax law)
Hashed machine fingerprint	Legitimate interest (Art. 6(1)(f) — anti-piracy)	Enforce 3- or 5-machine limit	Until licence expires + 90 days
Anonymous traffic stats	Legitimate interest (improving the site)	Understand which pages help people buy	30 days (Plausible)
Newsletter subscription	Consent (Art. 6(1)(a))	Send "lab notes" updates	Until you unsubscribe

What we don't collect

Your card number — Stripe handles all payment data; we never see it.
Your raw MAC address, hardware serials, or IP — we hash these on your machine before they leave it.
Your audio. Ever. The plugin never sends audio anywhere.
Tracking cookies. The site uses no cookies for tracking purposes.
Usage telemetry from inside the plugin — there is none.

Third parties (sub-processors)

These services process data on our behalf. We have data-processing agreements (DPAs) with each, and they are GDPR-compliant.

Service	Purpose	Region
Stripe — payments	Process card payments	Ireland (EU) for EU customers
Postmark — email	Send licence + magic-link emails	USA (Standard Contractual Clauses)
Buttondown — newsletter	Manage opt-in newsletter	USA (SCCs); only if you subscribe
Plausible — analytics	Aggregated, anonymous traffic stats	Germany (EU)
Cloudflare — CDN/DNS	Serve the website	Global; SCCs for EU data
Hetzner — hosting	Run our license server	Germany (EU)

Your rights under GDPR

You have the right to:

Access — get a copy of all data we hold about you.
Rectification — correct inaccurate data.
Erasure ("right to be forgotten") — have us delete your data.
Restriction — limit how we process your data.
Portability — receive your data in a machine-readable format.
Object — to processing based on legitimate interests.
Withdraw consent — for newsletter or other consent-based processing.
Lodge a complaint with the Lithuanian State Data Protection Inspectorate (ada.lt) or your local supervisory authority.

To exercise any of these rights, email privacy@piruzlabs.com. We respond within 30 days as required by GDPR Article 12(3), usually within one working day.

What we keep after deletion

If you ask us to delete your account, we erase everything except:

Stripe payment records (10-year retention required by Lithuanian tax law). Tied to a payment ID, not your contact details.
Aggregated, fully-anonymised stats with no PII linked.

Children

Our products are not directed at children. We do not knowingly collect personal data from anyone under 16. If a parent or guardian believes a minor has provided data to us, contact privacy@piruzlabs.com and we'll delete it without delay.

International transfers

When we transfer EU personal data to non-EU sub-processors (Stripe, Postmark, Buttondown, Cloudflare US infrastructure), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary measures appropriate to the data involved.

Security

We use industry-standard practices including HTTPS everywhere, RSA-2048 licence signing, hashed machine fingerprints, encrypted database backups, and least-privilege access controls. We will notify affected users within 72 hours of becoming aware of any data breach involving personal data, as required by GDPR Article 33.

Changes to this policy

If we change anything material, we'll email everyone with an active licence and post a notice on this page. The version number above indicates the current revision.

Contact

Privacy questions, deletion requests, complaints:
Piruz Afruz, MB · Reg. 306655229
Laisvės pr. 60, LT-05120 Vilnius, Lithuania
Email: privacy@piruzlabs.com

Lithuanian supervisory authority: State Data Protection Inspectorate (VDAI) · A. Juozapavičiaus g. 6, LT-09310 Vilnius