Privacy Policy

This Privacy Policy explains how SIA BSEC ("we," "us," "our") collects, uses, stores, and protects your personal data when you use the BSEC.LV DNS security services ("Services"). This policy is designed to comply with the EU General Data Protection Regulation (GDPR - Regulation 2016/679), the Latvian Personal Data Processing Law (Fizisko personu datu apstrādes likums), and other applicable data protection legislation.

Šī Privātuma politika izskaidro, kā SIA BSEC vāc, izmanto, glabā un aizsargā jūsu personas datus, kad jūs lietojat BSEC.LV DNS drošības pakalpojumus. Šī politika ir izstrādāta atbilstoši ES Vispārīgajai datu aizsardzības regulai (GDPR) un Latvijas Fizisko personu datu apstrādes likumam.

1Data Controller / Pārzinis

The data controller responsible for your personal data is:

SIA BSEC

Reģistrācijas Nr.: [Registration Number]

[Street Address]

Rīga, LV-[Postal Code], Latvija

Data Protection Contact:
Email: privacy@bsec.lv

For the purposes of GDPR Article 4(7), SIA BSEC determines the purposes and means of processing your personal data.

2Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data (Required for Registration)

Data Type	Purpose	Retention
Email address	Account identification, communications	Until account deletion
Password hash	Authentication (bcrypt, 12 rounds)	Until account deletion
Privacy consent flag	Legal compliance (GDPR Art. 7)	Until account deletion
Marketing consent flag	Optional marketing communications	Until withdrawn

2.2 Session and Security Data

Data Type	Purpose	Retention
Session tokens	Authentication state management	7 days or logout
IP addresses	Security, rate limiting, fraud prevention	90 days
User agent strings	Device recognition, security monitoring	90 days
MFA secrets (encrypted)	Two-factor authentication	Until MFA disabled
Session fingerprint	Session hijacking detection	Session duration

2.3 DNS Query Data (Optional, User-Controlled)

DNS query logging is DISABLED by default. You control whether to enable it.

Data Type	Purpose	Retention
DNS queries (domains)	Analytics, filtering effectiveness	User-configurable (default 30 days)
Query timestamps	Usage patterns, debugging	User-configurable
Client IP (hashed/encrypted)	Profile association	User-configurable
Block reasons	Filtering analytics	User-configurable

2.4 Billing Data (Subscribers Only)

Data Type	Purpose	Retention
Stripe customer ID	Payment processing	7 years (tax law)
Subscription details	Service provision, billing	7 years (tax law)
Transaction history	Accounting, disputes	7 years (tax law)

Note: Full payment card details are processed by Stripe and never stored on our servers.

3Purposes of Processing

We process your personal data for the following purposes:

A
Service Provision: To create and manage your account, provide DNS resolution services, process DNS queries, and apply your configured filtering rules.
B
Security: To protect our Services and users from unauthorized access, fraud, abuse, and cyberattacks through rate limiting, session management, and security monitoring.
C
Communications: To send essential service notifications (verification emails, password resets, security alerts) and, with consent, marketing communications.
D
Billing: To process subscription payments, manage billing cycles, and maintain accounting records as required by Latvian tax law.
E
Legal Compliance: To comply with legal obligations, respond to lawful requests from authorities, and establish or defend legal claims.
F
Service Improvement: To analyze anonymized usage patterns and improve our Services (only with your consent when personal data is involved).

4Legal Basis for Processing (GDPR Article 6)

Processing Activity	Legal Basis	GDPR Article
Account creation and management	Contract performance	Art. 6(1)(b)
DNS query processing	Contract performance	Art. 6(1)(b)
DNS query logging (when enabled)	Consent	Art. 6(1)(a)
Security monitoring and fraud prevention	Legitimate interest	Art. 6(1)(f)
Essential service communications	Contract performance	Art. 6(1)(b)
Marketing communications	Consent	Art. 6(1)(a)
Payment processing	Contract performance	Art. 6(1)(b)
Tax and accounting records	Legal obligation	Art. 6(1)(c)
Response to legal requests	Legal obligation	Art. 6(1)(c)
Analytics (anonymized)	Legitimate interest	Art. 6(1)(f)

Legitimate Interest Assessment: Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting privacy@bsec.lv.

5Data Sharing and Third Parties

We share your personal data with the following categories of recipients:

5.1 Service Providers (Data Processors)

Provider	Purpose	Data Shared	Location
Stripe, Inc.	Payment processing	Email, subscription data, payment details	USA (SCCs)
Resend (Loops, Inc.)	Email delivery	Email addresses, email content	USA (SCCs)
Vercel Inc.	Hosting, analytics, file storage	Usage data, uploaded files	USA (SCCs)
Neon Inc.	Database hosting	All stored user data (encrypted)	EU (Germany)
Upstash Inc.	Rate limiting, caching	Session tokens, rate limit data	EU

All processors are bound by Data Processing Agreements (DPAs) compliant with GDPR Article 28.

5.2 Legal Disclosures

We may disclose your data when required by:

Latvian law or EU regulations
Valid court orders or legal process
Requests from law enforcement (we will notify you unless legally prohibited)
Protection of our legal rights or safety of others

5.3 We Do NOT Sell Your Data

We do NOT sell, rent, or trade your personal data to third parties for marketing or any other purpose.

6Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

Data Category	Retention Period	Basis
Account data	Until account deletion + 30 days	Contract + grace period
Session data	7 days (active), 90 days (logs)	Security
DNS query logs	User-configurable (7-365 days)	User preference
Security audit logs	1 year	Legitimate interest
Billing records	7 years	Latvian tax law
Email delivery logs	90 days	Troubleshooting
Privacy consent records	Duration of relationship + 5 years	GDPR compliance evidence

You can configure your data retention preferences in your account privacy settings. When you delete your account, we will delete or anonymize your data within 30 days, except where longer retention is required by law.

7Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

Encryption

AES-256-GCM for sensitive data at rest
TLS 1.3 for data in transit
bcrypt (12 rounds) for password hashing
Encrypted DNS (DoH/DoT) support

Access Controls

Multi-factor authentication (MFA)
Session fingerprinting
Rate limiting on all endpoints
Principle of least privilege

Monitoring

Security event logging
Anomaly detection
Privacy audit trails
Automated threat detection

Infrastructure

EU-based primary data storage
Regular security assessments
Secure development practices
Incident response procedures

Data Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Latvian Data State Inspectorate (Datu valsts inspekcija) within 72 hours and inform affected individuals without undue delay, as required by GDPR Articles 33-34.

8Your Data Protection Rights

Under GDPR and Latvian data protection law, you have the following rights:

Right of Access (Article 15)

Request a copy of your personal data and information about how we process it.

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure / Right to be Forgotten (Article 17)

Request deletion of your personal data in certain circumstances.

Right to Restriction (Article 18)

Request limitation of processing in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interest or for direct marketing.

Right to Withdraw Consent (Article 7)

Withdraw consent at any time where processing is based on consent.

Right to Lodge a Complaint

File a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija) at www.dvi.gov.lv or email info@dvi.gov.lv.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@bsec.lv. We will respond within 30 days. For complex requests, this may be extended by an additional 60 days with notice. We may request identification to verify your identity before processing your request.

9Cookies and Similar Technologies

We use cookies and similar technologies to operate our Services:

Cookie Name	Type	Purpose	Duration
session	Strictly Necessary	Authentication session management	7 days
__Host-csrf	Strictly Necessary	CSRF protection token	Session
sidebar:state	Functional	UI preference storage	Persistent

Local Storage

Key	Purpose
language	User language preference

Third-Party Analytics

We use Vercel Analytics to understand general usage patterns. This service collects anonymized data about page views and does not use cookies for tracking. You can opt out of analytics in your privacy settings.

Strictly necessary cookies cannot be disabled as they are essential for the Services to function. For more information, see our Cookie Policy.

10International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States, where some of our service providers are located.

When transferring data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all non-EU processors (GDPR Article 46(2)(c))
Adequacy Decisions: Where available, we rely on EU adequacy decisions
Supplementary Measures: Additional technical and organizational measures as recommended by the EDPB

You may request a copy of the safeguards we use by contacting privacy@bsec.lv.

11Children's Privacy

Our Services are not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13.

For users between 13 and 16 years of age in the EU (or the age of digital consent in your country), parental consent is required for processing personal data, in accordance with GDPR Article 8.

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.

Parents or guardians who believe their child has provided personal data without consent should contact us at privacy@bsec.lv.

12Contact Us

Privacy Inquiries

Email: privacy@bsec.lv

Response time: Within 30 days

Supervisory Authority

Datu valsts inspekcija

Elijas iela 17, Rīga, LV-1050

info@dvi.gov.lv

www.dvi.gov.lv

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email and/or prominent notice on our website at least 30 days before taking effect.

The "Last Updated" date at the top of this policy indicates when the most recent changes were made. We encourage you to review this policy periodically.

Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

Your privacy is important to us. We are committed to protecting your personal data and being transparent about how we use it.

Jūsu privātums mums ir svarīgs. Mēs apņemamies aizsargāt jūsu personas datus un būt atklāti par to izmantošanu.

Privacy at a Glance / Privātums īsumā