Privacy Policy
Version 1.0 · Effective 20 June 2026
This Privacy Policy explains how "VEZOFT" EOOD — a private limited liability company incorporated in Bulgaria (EU), company No. (EIK) 202823109 ("Vezoft", "we", "us") — handles personal data in connection with this website, vezoft.com (the "Site").
It is short for a simple reason: this Site is a static marketing website. It has no user accounts, no database, and no application back-end of its own. It runs no analytics, no advertising, and no tracking, and it sets no non-essential cookies. The only personal data involved is the limited technical data needed to serve the Site, and any message you choose to send us.
Looking for TimerOS? TimerOS — our time-tracking platform — is a separate service with its own account system, infrastructure, and legal documents (a dedicated Privacy Policy, a Data Processing Agreement for employers, a sub-processor list, and product terms), published with the product. This policy does not cover TimerOS. See Section 6 below.
1. Who is responsible
Vezoft is the controller for the limited personal data described here.
| Controller | "VEZOFT" EOOD, Kardzhali, Bulgaria (EU) — full details in the Imprint |
| Contact for privacy questions and data requests | hello@vezoft.com |
| Formal legal correspondence | legal@vezoft.com |
| EU representative (Art. 27 GDPR) | Not required — Vezoft is established in Bulgaria, an EU Member State. |
| Data Protection Officer | Not appointed — Vezoft is below the thresholds in GDPR Art. 37(1). |
2. What this Site collects
2.1 Serving the Site (server / CDN logs)
Like virtually every website, when your browser requests a page our hosting and content-delivery provider processes standard technical request data so the Site can be delivered and kept secure. We do not use this data to build profiles or to track you across other sites.
| Data | Purpose | GDPR legal basis | Retention |
|---|---|---|---|
| IP address, user agent, page/asset requested, timestamp, referrer | Deliver the Site; protect it against abuse and attack (CDN security) | Legitimate interests (Art. 6(1)(f)) | Short-lived edge and security logs (typically days); only aggregate, non-identifying counts thereafter |
2.2 If you contact us
When you send the "Start a project" form, your message is delivered to us by email through a serverless function (a Cloudflare Pages Function) and our email provider (Resend) — it is not saved in any database on this Site. A privacy-friendly bot check (Cloudflare Turnstile) runs on submit to keep out spam; it does not use tracking cookies. You can also email us directly instead. We use whatever you send only to read and respond.
| Data | Purpose | GDPR legal basis | Retention |
|---|---|---|---|
| Your name, email address, company, and the project details you choose to fill in (type, budget, message) | Read and respond to your enquiry | Legitimate interests (Art. 6(1)(f)); or pre-contract steps (Art. 6(1)(b)) if you are asking about working together | Kept while we are in contact and for a reasonable follow-up period, then deleted |
That is the entirety of the personal data this Site is involved in. There is no account registration, no payment processing, and no product data on this Site.
3. No cookies, no analytics, no advertising
At the date of this version, the Site:
- sets no non-essential cookies and uses no storage for tracking;
- runs no analytics (no Google Analytics, Meta Pixel, Mixpanel, Segment, or similar);
- carries no advertising and does no cross-context behavioural advertising;
- does not sell or "share" personal data within the meaning of the CCPA/CPRA.
If any of this changes, we will update this page and add a consent mechanism wherever the law requires one.
4. Who we share data with
We do not share your data except with the infrastructure providers that make the Site and our email work, acting as our processors, and only as needed:
| Recipient | Role | Where | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, security (reverse proxy, TLS, DDoS protection), hosting (Pages), and the cookieless Turnstile bot check on the contact form | Global edge; EU-safeguarded | DPA in place; EU Standard Contractual Clauses (and EU-US Data Privacy Framework where applicable) |
| Plus Five Five, Inc. (Resend) | Delivers your contact-form message to our inbox by email | EU (Ireland) | DPA in place; US-incorporated, so EU Standard Contractual Clauses + EU-US Data Privacy Framework apply |
| Zoho Corporation B.V. (Zoho's EU service) | Our EU business mailboxes — receives the message and any direct email | EU (Netherlands / Ireland) | DPA in place; EEA Standard Contractual Clauses |
We may also disclose personal data where we are required to by valid legal process; we push back on overbroad requests and notify you where lawful. We do not transfer your data to anyone else for their own purposes.
5. International transfers
For EU/EEA/UK visitors, any transfer to a country without an EU adequacy decision (for example, where a provider is a US-incorporated entity) is covered by the European Commission's Standard Contractual Clauses, supplemented by the EU-US Data Privacy Framework where the recipient is certified, plus technical measures (encryption in transit). The providers above either process EU data in the EU or carry these safeguards.
6. TimerOS is a separate service
TimerOS is Vezoft's time-tracking platform. It is a separate service with its own account system, infrastructure, and legal documents — a dedicated Privacy Policy, a Data Processing Agreement for employers, a sub-processor list, and product terms — all published with the product.
TimerOS is not yet generally available; it is currently in a pre-launch waitlist. When it launches, customers and their own clients will use TimerOS (including its client portal) directly, under the TimerOS agreements — not through this marketing Site. Nothing you do on this Site creates a TimerOS account or sends any data into TimerOS.
For questions about how TimerOS processes data, please refer to the TimerOS product site and its own Privacy Policy.
7. Your rights
Because we are the controller of the limited data described above, you can exercise the following rights by emailing hello@vezoft.com.
Under the GDPR / UK GDPR:
- Access (Art. 15) — a copy of any personal data we hold about you and how we use it.
- Rectification (Art. 16) — correction of inaccurate data.
- Erasure (Art. 17) — deletion, subject to limited legal exceptions.
- Restriction (Art. 18) — pause processing while a question is resolved.
- Objection (Art. 21) — object to processing based on our legitimate interests.
- Portability (Art. 20) — a machine-readable copy of data you provided; in practice this rarely applies here, since the only data we hold is your correspondence.
- Lodge a complaint with your local data protection authority. Vezoft's lead authority is the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP / KZLD), www.cpdp.bg. You do not need to contact us first. A list of EU authorities is at edpb.europa.eu.
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects (GDPR Art. 22), and where we ever rely on consent for a purpose, you can withdraw it at any time (Art. 7(3)).
For California residents (CCPA/CPRA) and residents of other US states with comprehensive privacy laws: you have the right to know what we collect and why, to access and delete it, and to non-discrimination for exercising those rights. As stated above, we do not sell or share personal data for cross-context behavioural advertising.
We respond to verifiable requests within the statutory time (within one month under the GDPR; within 45 days under the CCPA — each extendable where reasonably necessary). To protect you, we verify requests against the email address on file.
8. Security
This Site is served over HTTPS (TLS), behind Cloudflare's CDN with DDoS protection and configurable security filtering. Because the Site holds no accounts and no database, the attack surface is deliberately small. If you ever spot a security issue, email legal@vezoft.com.
9. Children
This Site is aimed at businesses and professionals. It is not directed to children, and we do not knowingly collect personal data from anyone under 16.
10. Changes to this Policy
If we change how this Site handles data, we will post the updated Policy at this URL with a new version number and effective date. This is Version 1.0 — the first published version.
11. Contact
- Privacy questions and data requests: hello@vezoft.com
- Formal legal correspondence: legal@vezoft.com
- Postal: VEZOFT EOOD, Kardzhali, Bulgaria — see the Imprint for the full registered address.