Effective date: 2025-10-13
Controller: PIXELCOMMERCE LLC (“we”, “us”, “our”)
Website: https://nirosto.com/
Contact: support@nirosto.com
1. Introduction
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit or purchase digital products from nirosto.com (the “Service”). It is designed for compliance with the EU GDPR, the UK GDPR, the ePrivacy rules (including cookie consent), and relevant US state privacy laws (including the California Consumer Privacy Act as amended by the CPRA).
By using the Service, you agree to this Policy. If you do not agree, please do not use the Service. Capitalised terms used but not defined here have the meanings given in our Terms & Conditions.
2. Key Definitions
- Personal Data: Information that identifies or can reasonably identify you.
- Usage Data: Technical/analytics information about how you use the Service.
- Cookies & Similar Technologies: Files or code (e.g. pixels, tags, SDKs) that store or access information on your device.
- Controller: The party deciding why and how Personal Data is processed (that’s us).
- Processor: A service provider that processes data on our behalf.
- EEA: The European Economic Area.
- UK: The United Kingdom.
3. What We Collect
We collect the following categories of data:
- Identity & Contact: name, email, billing address, country/region, phone (optional).
- Account: login credentials (hashed), preferences, downloads/purchase history, license keys.
- Transaction: order details (product, price, currency, VAT), payment status (success/failure), refund/chargeback metadata (we do not store full card numbers).
- Support: messages, attachments, tickets, satisfaction ratings.
- Marketing: your consent choices, newsletter subscription status, campaign attribution (UTM, referrer).
- Usage/Device: IP address, browser type, device type, OS, language, time zone, cookie identifiers, pages viewed, session duration, clicks, approximate location (city/country level).
4. How We Use Your Data (Purposes & Legal Bases)
| Purpose | Examples | Legal Basis (EU/UK) | Typical Retention |
|---|---|---|---|
| Provide the Service & fulfil purchases | Account creation, download delivery, license/keys, updates | Contract (Art. 6(1)(b)) | For life of account + 6 years (tax/audit) |
| Payments & fraud prevention | Verify transactions, risk scoring, chargeback handling | Legitimate interests (Art. 6(1)(f)); Legal obligation for tax | Up to 10 years (statutory/tax) or as required to resolve disputes |
| Customer support | Ticketing, troubleshooting | Contract; Legitimate interests | 3 years after last interaction (unless law requires longer) |
| Analytics & service improvement | Measure traffic, fix bugs, improve UX | Consent for non-essential cookies (Art. 6(1)(a)); Legitimate interests for strictly necessary analytics | 6–24 months (aggregated/anonymised thereafter) |
| Marketing | Email newsletters, promotional offers, remarketing | Consent (Art. 6(1)(a)) for email/ads; Legitimate interests for similar-products emails to customers (opt-out always) | Until you unsubscribe or withdraw consent; evidence of consent kept 6 years |
| Legal & compliance | Tax/VAT, accounting, regulatory requests | Legal obligation (Art. 6(1)(c)) | As required by law (typically 6–10 years) |
5. Cookies & Consent
We use the following categories of cookies/technologies:
- Strictly Necessary (essential for checkout, licensing, security) – always active.
- Functional (preferences, remembering choices) – consent in EU/UK.
- Analytics (traffic and performance) – consent in EU/UK unless strictly necessary and privacy-preserving.
- Advertising/Remarketing (personalised ads) – consent required in EU/UK; opt-out available elsewhere.
In the EEA/UK, non-essential cookies run only after you consent via our cookie banner. You can change or withdraw consent at any time via “Cookie Settings” in the site footer. Blocking cookies may impact some features (e.g., staying logged in, smooth checkout).
6. Payments & Digital Delivery
We sell downloadable digital products. After successful payment, we provide download links, licenses or access credentials. We process payments via third-party processors (e.g., Stripe, PayPal, Paddle) who act as independent controllers or processors. We do not store full card data on our servers.
For fraud prevention and chargeback handling, payment partners may use risk signals (e.g., IP, device, velocity). Where required, we rely on your consent for marketing-related profiling and on our legitimate interests for fraud prevention.
7. Sharing Your Data (Disclosures)
We share Personal Data with:
- Processors/Service Providers: hosting (cloud), CDNs, analytics, email/SMS providers, payment gateways, license/DRM systems, support tools. They may access data strictly to perform services for us and are bound by contract.
- Business Transfers: in a merger, acquisition, or sale of assets, data may transfer to the new owner under this Policy.
- Legal/Compliance: where required by law or to protect rights, safety, and prevent fraud/abuse.
Illustrative list (update to your actual stack): Cloud hosting (e.g., AWS/Cloudflare), Analytics (e.g., Plausible/GA4), Email (e.g., MailerLite/Klaviyo), Payments (e.g., Stripe/PayPal/Paddle), Error monitoring (e.g., Sentry), Support (e.g., HelpScout/Intercom).
8. International Transfers
We are based in Canada and may process data in Canada and other countries. Where we transfer Personal Data from the EEA/UK to countries without an adequacy decision, we implement appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum (IDTA/UK Addendum)
- Technical measures (encryption in transit/at rest, access controls)
EU/UK Representative (Article 27): If required, our appointed representative's contact details will be published here:
EU Rep: [Company Name], [Address], [Email]
UK Rep: [Company Name], [Address], [Email]
9. Data Security
We use administrative, technical, and physical safeguards appropriate to the risk, including HTTPS/TLS, encryption at rest for sensitive data where feasible, least-privilege access, MFA for admin panels, regular patching, and vendor due diligence. No system is 100% secure.
10. Retention
We retain Personal Data only as long as necessary for the purposes outlined, including legal, tax, and accounting requirements. When no longer needed, we will delete or irreversibly de-identify data.
11. Your Rights
EEA/UK (GDPR/UK GDPR): You have the right to request access, rectification, erasure, restriction, and portability, to object to processing based on legitimate interests, and to withdraw consent at any time (this does not affect past lawful processing). You also have the right to lodge a complaint with your local supervisory authority (e.g., CNIL, ICO, BfDI).
Submit requests to: support@nirosto.com. We may need to verify your identity before completing a request.
US – California (CPRA): California residents may request (i) to know/access specific pieces and categories of Personal Information, (ii) correction, (iii) deletion, and (iv) to opt-out of “selling” or “sharing” (for cross-context behavioral advertising). We do not sell Personal Information for money. If we “share” for ads, we will honour opt-out signals (including GPC where applicable). We do not discriminate for exercising rights.
12. Marketing Preferences
We send marketing emails only with your consent or as permitted to existing customers about similar products (opt-out anytime). Click “unsubscribe” in any email or contact us. In the EEA/UK, we will not send non-essential marketing without prior consent.
13. Analytics, Ads & Remarketing
Subject to consent where required, we may use privacy-centric analytics and limited remarketing technologies. You can manage cookie preferences via our banner and browser settings. Some ad networks also provide their own opt-outs. In the EEA/UK, remarketing runs only after consent.
14. Automated Decision-Making & Profiling
We do not make decisions with legal or similarly significant effects based solely on automated processing. We may use limited profiling to segment customers for marketing (with consent where required) and to prevent fraud (legitimate interests).
15. Children’s Privacy
The Service is intended for persons aged 18+. We do not knowingly collect data from children. If you believe a child has provided Personal Data, contact us to delete it.
16. Third-Party Links
Our Service may link to external sites. Their privacy practices are not covered by this Policy. Please review their policies.
17. Do Not Track
Some browsers offer a “Do Not Track” (DNT) setting. There is no common industry standard for DNT responses. We honour applicable consent and opt-out mechanisms (e.g., cookie preferences, GPC where supported) and will update this section if standards emerge.
18. Changes to This Policy
We may update this Policy from time to time. The “Effective date” will be updated, and where changes are material, we will provide additional notice (e.g., banner or email).
19. Contact
Questions or requests: support@nirosto.com
Annex A — Data Subject Request (DSR) Workflow (Summary)
- Submit request via support@nirosto.com.
- We verify identity (email confirmation and/or additional info).
- We respond within the statutory timeframe (generally 1 month EU/UK; 45 days CA, extendable).
- We fulfil, deny (with justification), or seek clarification; records of requests are retained.
Annex B — Processor List (Examples — replace with your actual vendors)
- Hosting/CDN: [e.g., Cloudflare, AWS]
- Payments: [e.g., Stripe, PayPal, Paddle]
- Email/CRM: [e.g., MailerLite, Klaviyo]
- Analytics: [e.g., Plausible, GA4]
- Support Desk: [e.g., HelpScout, Intercom]
- Error Monitoring: [e.g., Sentry]