Privacy Policy
Last updated: April 4, 2026
1. Who We Are
Emaliz is operated by СислеЛабс ООД (SisleLabs OOD), ЕИК: 208739066, registered at с. Звъничево (4415), ул. Десета, 4, Bulgaria. We are the data controller for personal data processed through the Service.
Contact for data protection matters: [email protected]
2. What Data We Collect
Data from newsletter writers (account holders)
- Email address — used for authentication, account communications, and invoicing.
- Password hash — stored as a bcrypt hash; we never store plaintext passwords.
- Newsletter and campaign data — names, widget configurations, and settings you create.
- Billing information — processed and stored by Stripe; we do not store card numbers.
Data from newsletter readers (voters)
- Vote value — the emoji/option the reader clicked.
- Device type — mobile, tablet, or desktop (derived from the User-Agent header).
- Email client — e.g., Gmail, Outlook, Apple Mail (derived from the User-Agent header).
- Timestamp — when the vote or open event occurred.
We do not collect reader email addresses, IP addresses, names, or any directly identifying information from readers. Votes are anonymous.
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Processing votes and analytics | Legitimate interest (Art. 6(1)(f)) |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) |
| Invoicing and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Cookie analytics | Consent (Art. 6(1)(a)) |
4. Data Retention
- Account data — retained while your account is active, deleted within 30 days of account deletion request.
- Vote and analytics data — retained while the associated campaign exists; deleted when the campaign or newsletter is deleted.
- Invoice and billing data — retained for 10 years as required by Bulgarian tax law (ДОПК чл. 38).
- Server logs — retained for up to 30 days for security and debugging purposes.
5. Third-Party Processors
We share personal data with the following processors, each of which has a Data Processing Agreement (DPA) in place:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, invoicing, tax calculation | US (EU SCCs) |
| Hetzner | Server hosting, database hosting | Germany (EU) |
| Vercel | Application hosting and deployment | US (EU SCCs) |
| Resend | Transactional email delivery | US (EU SCCs) |
6. Your Rights (GDPR)
As a data subject under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — request limitation of processing in certain circumstances.
- Withdraw consent — where processing is based on consent, withdraw at any time.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (КЗЛД) or your local supervisory authority.
7. CCPA Notice (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to know — you may request the categories and specific pieces of personal information we have collected about you.
- Right to delete — you may request deletion of your personal information.
- Right to opt-out — you may opt out of the "sale" of personal information. We do not sell personal information.
- Non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at [email protected]. We will verify your identity before processing your request.
8. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through our cookie consent banner.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), hashed passwords (bcrypt), and secure authentication sessions. However, no method of transmission or storage is 100% secure.
10. International Data Transfers
Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) with our US-based processors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or data requests: [email protected]
СислеЛабс ООД (SisleLabs OOD)
ЕИК: 208739066
ДДС: BG208739066
с. Звъничево (4415), ул. Десета, 4, Bulgaria