Privacy Policy

How kruza.ro collects, uses, and protects your personal data.

Template notice. This document is a starting point, not legal advice. Have a Romanian or EU privacy lawyer review and adapt it before publishing.

Last updated: 14 May 2026

This Privacy Policy describes how Andrei Kruza ("I", "me", "we") collects, uses, and protects your personal data when you visit kruza.ro or use any service offered through this site.

1. Data controller

The data controller is:

Andrei Kruza — freelance full-stack developer, Bucharest, Romania. Email: hello@kruza.ro · Phone: +40 729 203 767

If you need a contact for privacy-related questions, use the email above with the subject "Privacy".

2. What data I collect

You give me data when you:

  • Fill in the contact form (/contact): name, email, project type, budget range, message, and consent flag.
  • Subscribe to a newsletter: email and consent flag. Double opt-in: a confirmation email is sent to your address, and you must click the link inside before being added to the list.
  • Email or call me directly.

Data collected automatically:

  • Server logs kept by my hosting provider (Vercel) for security and operations: IP address, user agent, request path, response status, timestamp. Retained per Vercel's policy.
  • Vercel Analytics and Vercel Speed Insights: aggregated, cookieless metrics about page views and Core Web Vitals. No personal identifiers are stored. Documentation: vercel.com/docs/analytics.
  • Google Analytics 4 (G-1739CLDPCV): set to "denied" by default via Consent Mode v2. No analytics cookies are written until you click "Accept" in the cookie banner. If you accept, GA4 may set cookies (_ga, _ga_*) and process your data per Google's terms.

3. Purpose and legal basis

| Data | Purpose | Legal basis (GDPR Art. 6) | |------|---------|---------------------------| | Contact form | Reply to your inquiry, prepare an estimate | Pre-contractual measures + your consent (Art. 6(1)(a) and (b)) | | Newsletter | Send the emails you signed up for | Your consent (Art. 6(1)(a)) — double opt-in | | Server logs | Site security, fraud prevention, debugging | Legitimate interest (Art. 6(1)(f)) | | Vercel Analytics | Aggregate site usage, no identifiers | Legitimate interest (Art. 6(1)(f)) | | Google Analytics 4 | Aggregate site usage, conversion measurement | Your consent (Art. 6(1)(a)) — only loaded after opt-in |

4. Recipients and processors

I do not sell your data. I share it only with the following sub-processors who provide infrastructure:

  • Vercel Inc. — hosting, edge runtime, analytics. EU and US data centers.
  • Resend — transactional email (contact form replies, newsletter delivery, lead-magnet downloads). EU and US.
  • Google LLC — Google Analytics 4. Only when you have given consent. Standard Contractual Clauses apply.

5. International transfers

Some sub-processors operate in the United States. Where data is transferred outside the EU/EEA, transfers rely on Standard Contractual Clauses approved by the European Commission.

6. Retention

  • Contact-form messages: kept for 24 months after our last exchange, then deleted, unless we are in an active contractual relationship.
  • Newsletter list: kept until you unsubscribe. You can unsubscribe at any time via the link at the bottom of every email.
  • Server logs: per the hosting provider's retention policy (typically 30 days).
  • GA4 data: per Google's default retention (currently 14 months).

7. Your rights

Under the GDPR you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time without affecting prior lawful processing
  • Lodge a complaint with the Romanian supervisory authority (ANSPDCP)

To exercise any right, write to hello@kruza.ro with the subject "GDPR Request". I will reply within 30 days.

8. Cookies

This site uses a small number of cookies:

  • Strictly necessary (no consent needed): a single localStorage entry storing your cookie-banner choice (kr_analytics_consent_v1) so you are not asked again on every visit.
  • Analytics (consent required): _ga, _ga_* set by Google Analytics 4, only when you accept the analytics option in the banner.

To withdraw consent later, clear your site data in your browser and reload — the cookie banner will appear again.

9. Children

The site is not directed at children under 16. I do not knowingly collect data from minors.

10. Changes to this policy

I may update this policy. The "Last updated" date at the top reflects the latest revision. Material changes will be announced on the homepage or via newsletter.