Privacy Policy

Created on 4 May, 2026Legal • 3,322 views • 5 minutes read

Last updated: 2026-05-04 — How rzx.bio handles personal data under GDPR.

1. Who We Are

AVi Kairos Srl ("we", "us", "rzx.bio") is the data controller for the personal data processed in relation to https://rzx.bio.

Registered office: Strada Lungă 188, Corp C, Ap. 2, Brașov 500051, Romania.
CUI: 52477194 — EUID: ROONRC.J2025068492002.
Contact: [email protected].

2. Scope of This Policy

This Privacy Policy explains how we collect, use and protect personal data of:

  1. rzx.bio account holders ("you" / "users") — the people who sign up and use the Platform;
  2. visitors to the public rzx.bio website and to bio pages, short URLs, QR codes, vCards, file links and splash pages published by our users.

If you are a visitor to a bio page or other resource published on rzx.bio by one of our users, that user is the data controller for any personal data they collect from you (for example through contact forms, payment blocks or third-party tracking pixels they have configured). We act as data processor for them under our Data Processing Addendum.

3. Personal Data We Collect

3.1 Account holders

  • Account data: name, username, email, password (hashed), language and timezone, profile picture if you upload one;
  • Billing data: when you purchase a paid plan, billing name, email, country, VAT number where applicable. Card details are processed directly by Paddle (see section 8) and are never stored on our servers;
  • Content you create: bio pages, short URLs, QR codes, vCards, file uploads, splash pages, project structure, custom domains;
  • Statistics on your resources: clicks, views, geolocation at country/city level, device and browser type, referrer of visitors interacting with your links, pages and QR codes;
  • Technical/security data: IP address, user-agent, login times, login device fingerprints, support communications;
  • reCAPTCHA signals: when you sign up, sign in, or submit our contact form, Google reCAPTCHA collects technical signals to distinguish humans from bots (see section 7).

3.2 Visitors of public bio pages and links

When a visitor opens a bio page, follows a short URL, scans a QR code, downloads a file link or interacts with a splash page, our internal analytics engine records:

  • truncated IP address (used to derive country/city; not stored long-term in raw form);
  • browser and device type;
  • referrer URL;
  • timestamp.

This data is shown to the user who owns the resource and is used to operate the Platform. We do not enrich it with data from third parties, and we do not share it with advertising networks or data brokers.

If the user who owns the resource has configured their own tracking pixels (Meta, Google, LinkedIn, X, TikTok or similar), those pixels run on their resources and process visitor data under their privacy policy, not ours.

4. How We Use Personal Data — Lawful Bases

PurposeLawful basis (GDPR Art. 6)
Create and operate your accountPerformance of contract (b)
Provide the Platform features (bio pages, links, QR, vCard, files, splash, pixels, analytics)Performance of contract (b)
Process paid subscriptions and invoicingPerformance of contract (b) and legal obligation (c)
Prevent fraud and abuse, including bot detection via reCAPTCHALegitimate interest (f)
Service notifications, security alerts, transactional emailsPerformance of contract (b)
Marketing emails about rzx.bioConsent (a) — you can unsubscribe at any time
Analytics on your own usage of rzx.bio (internal product metrics)Legitimate interest (f)
Comply with legal obligations and respond to authoritiesLegal obligation (c)

5. How Long We Keep Personal Data

  • Account data: while your account is active, plus up to 30 days after deletion to handle reversal requests, then permanently deleted or anonymised.
  • Billing and tax records: 10 years after the end of the relevant tax year, in line with Romanian tax law.
  • Statistics on links, pages and QR codes: as long as the resource exists; deleted with the resource.
  • Logs and security data: up to 12 months.
  • Support communications: up to 24 months after the last interaction.

6. Sharing — Sub-processors

We only share personal data with carefully selected service providers acting on our behalf:

ProviderRoleLocation
Paddle.com Market LimitedMerchant of Record for paid subscriptions; billing, taxes, fraud, invoicingIreland / United Kingdom
Cloudflare, Inc.CDN, DDoS protection, DNSGlobal (with EU edge)
Google LLC — reCAPTCHABot detection on signup, login and contact formEU/USA (SCCs in place)
Hosting infrastructure providerServer hosting in the EUEU
Email delivery providerTransactional and account emailsEU

Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and on additional safeguards as needed.

7. Cookies and Similar Technologies

rzx.bio uses a small number of cookies, listed in detail in our Cookie Policy:

  • Strictly necessary: session, authentication, CSRF protection, theme (light/dark);
  • Functional: language preference, cookie consent state;
  • Security: Google reCAPTCHA on signup, login and contact form.

We do not use third-party advertising cookies, behavioural retargeting or cross-site tracking on rzx.bio's own pages. Tracking pixels that account holders attach to their own resources are governed by section 9 of our Terms & Conditions and by the privacy policy of the resource owner.

8. Payments

Payments for paid subscriptions are processed by Paddle.com Market Limited ("Paddle") as Merchant of Record. We never see or store your full card number, expiry date or CVV. Paddle's privacy policy applies to the payment data they process: https://www.paddle.com/legal/privacy.

For invoicing in EUR via SEPA bank transfer, payment is made directly to the AVi Kairos Srl bank account; the relevant data (your billing details and the transfer reference) is processed by us and our bank under standard banking confidentiality.

9. Your Rights (GDPR)

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased ("right to be forgotten") where applicable;
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time, where processing is based on consent;
  • lodge a complaint with the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) in Romania, or with the supervisory authority in your country of residence.

To exercise these rights, write to [email protected] or use our Data Request Form. We will respond within one month.

10. Children

rzx.bio is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact [email protected] and we will delete it.

11. Security

We apply technical and organisational measures appropriate to the risk: encrypted connections (TLS), hashed passwords, encrypted backups, access controls, periodic review of permissions, and activity logging. No system is fully secure; if you become aware of a security issue please contact [email protected] immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date below indicates the latest version. Where changes materially affect you, we will notify you by email or in-product notice.

13. Contact

AVi Kairos Srl
Strada Lungă 188, Corp C, Ap. 2, Brașov 500051, Romania
📧 [email protected]

Last updated: 2026-05-04