Legal
Legal, privacy and cookie policy
This page combines the main legal, privacy and cookie information for balasslabs.com. BalassLabs is the public brand of the site, while the current operator is Robert Balassan as an individual operator.
1. Operator details
BalassLabs is not currently incorporated as a separate company. If the legal structure changes in the future, this page will be updated with the new company details.
2. Scope of this page
This page applies to balasslabs.com and related services operated through it, including project pages, downloads, contact forms, account registration, login, profile management and associated account-security features.
3. Acceptable use
You agree not to:
- abuse, attack, scrape, reverse engineer or disrupt the platform;
- attempt unauthorized access to accounts, systems or data;
- upload or transmit malicious code, spam or unlawful content;
- misuse downloads, APIs or identity features in ways that violate applicable law.
4. Accounts, downloads and content
If you create an account, you are responsible for keeping your login details confidential and for activity carried out through that account. BalassLabs may suspend or terminate access where there is abuse, fraud or repeated policy violations.
Downloadable files are provided on an "as available" basis for legitimate personal, evaluation or internal testing use unless a project-specific license states otherwise. Third-party platforms linked from the site, such as social platforms or external video pages, remain subject to their own terms and policies.
5. Age restriction
BalassLabs services are not directed to children. To create an account on balasslabs.com you must be at least 16 years old. By registering you confirm that you meet this age requirement. If BalassLabs becomes aware that an account was created by a person under 16, the account will be removed and any associated personal data deleted.
6. What personal data BalassLabs may process
- account details such as username, display name, email address and encrypted authentication data;
- optional profile information you choose to add, such as avatar, first name, last name or phone number;
- contact form submissions;
- download request details, including IP address, request timing and file metadata;
- service security and operational data such as IP addresses, refresh-token records, audit logs and request metadata;
- while a verification, password-reset or email-change message is pending, its recipient address and message content;
- while an account-erasure request is running, a random workflow identifier, an internal account locator, any legacy username needed to find older API records, and the owned avatar filename;
- a pseudonymous SHA-256 digest of the internal account identifier used only to serialize account-linked API writes with erasure and prevent stale requests from recreating deleted rows;
- privacy-choice records stored in browser storage;
- optional analytics consent choices stored locally in the browser.
7. Why this data is processed
- to provide requested services such as account access, profile management and downloads;
- to respond to messages sent through the contact form;
- to send account-related emails such as verification, password reset and credential-change security notices;
- to secure the site, prevent abuse, rate-limit suspicious traffic and investigate incidents;
- to make an accepted erasure request converge safely across in-flight requests and separate databases;
- to understand site usage through analytics, but only when optional analytics consent is granted.
Depending on the feature, the main legal basis is performance of requested services, taking steps requested by you before using an account feature, the operator's legitimate interest in securing and running the site, or your consent for optional analytics storage.
Some data is necessary to provide the requested service. For example, account and authentication details are needed to create and secure an account, contact details are needed to reply to a message, and certain security and request metadata are needed to deliver downloads and protect the site against abuse. If you do not provide required data for a specific feature, BalassLabs may not be able to provide that feature.
8. Cookies and browser storage
Essential storage is used for privacy choices and sign-in continuity. After login, the site may use a secure HttpOnly refresh-token cookie together with a local session hint so that the account session can be restored.
The on-site privacy banner currently covers Analytics only. If you allow analytics, BalassLabs loads Google Analytics to measure visits and site usage. That may involve cookies or similar identifiers and technical information associated with your visit, such as page views, interaction events, browser or device details and request-related identifiers used by Google's measurement tooling.
BalassLabs may also use Google AdSense to display advertising on balasslabs.com. Where advertising is active, Google and its partners act as third-party vendors and may set or read advertising cookies and similar identifiers to serve, measure and limit the frequency of ads. In regions that require it, ads are served only in line with your consent choices, which are collected through Google's own consent message, and you can withdraw or change those choices at any time. Personalized advertising is used only where you have given the corresponding consent; otherwise non-personalized ads may be shown. For details on how Google uses information from sites that use its services, see Google's advertising policies.
You can reject optional storage, allow analytics or review the current privacy controls shown on the site.
Project video players are not loaded during an ordinary page visit. If you explicitly open a video series, BalassLabs loads YouTube's privacy-enhanced embedded player from youtube-nocookie.com. That connection can disclose request and device information such as your IP address and browser details to Google/YouTube, and interaction with the player remains subject to Google's privacy policy.
- __Host-balass-refresh-balasslabs-v1 — first-party HttpOnly cookie used to restore signed-in BalassLabs sessions; expires after up to 7 days unless rotated or revoked earlier. The legacy refreshToken name may be read briefly while existing sessions migrate.
- balasslabs_auth_hint — first-party local storage flag used to know whether silent session restoration should be attempted; cleared on logout.
- balasslabs_session_revision_v1 and balasslabs_session_event_v1 — non-secret local storage records that order session changes across tabs; they never contain an access or refresh token.
- balasslabs_pending_logout_v1 — a durable server-sign-out retry record used only when revocation could not be confirmed. It contains the expected account identifier, pending status and attempt timestamps, never a bearer or refresh token, and is removed after revocation converges.
- balasslabs_cookie_consent_v2 — first-party local storage entry containing privacy-choice state and the last update timestamp; remains until you change it or clear browser storage.
- balasslabs:chunk-recovery:v1 — short-lived session storage timestamp that permits one safe reload when application files change during an update and prevents a reload loop; removed after the application remains stable or after an explicit retry.
- Google Analytics storage — only loaded after analytics consent is granted; may set Google-managed cookies or similar identifiers for measurement purposes.
- Google AdSense storage — when advertising is active, Google and its partners may set or read advertising cookies and similar identifiers, subject to your consent, to serve and measure ads.
9. Sharing and recipients
Personal data may be shared only where needed to operate the site and related services, for example with infrastructure and hosting providers, the transactional email provider used for account and contact mail, Google Analytics when analytics consent has been granted, Google AdSense and its advertising partners where advertising is active and the corresponding consent applies, or Google/YouTube when you explicitly open an embedded project video. Data may also be disclosed where required by law or to protect the site, its users or the operator against abuse or fraud.
BalassLabs does not sell personal data.
10. International transfers
Depending on the provider and its infrastructure, some processing may involve systems located outside Romania or outside the EU/EEA. Where personal data is transferred outside the EU/EEA, BalassLabs relies on either an adequacy decision adopted by the European Commission under Article 45 GDPR, or on appropriate safeguards under Article 46 GDPR, in particular the Standard Contractual Clauses (SCCs) approved by the European Commission. Where required, supplementary technical and organizational measures are applied to protect the affected data. You can request a copy of the safeguards used for a specific transfer by contacting the operator at the address listed in the Contact section.
11. Retention
- download logs are scheduled for cleanup after up to 30 days;
- download access tokens are short-lived and expire automatically after roughly 5 minutes;
- account action links for verification, password reset or email change expire automatically after roughly 30 minutes;
- refresh-token cookies expire after 7 days unless replaced or revoked earlier;
- security audit logs are scheduled for cleanup after up to 180 days;
- actionable verification/reset/change-email outbox content has the same roughly 30-minute delivery deadline as its link and is scrubbed instead of being sent after that deadline;
- pending credential-security notice content is scheduled to be scrubbed at seven days (an active delivery lease or service outage can delay the scheduled job); recipient, subject and body are erased when delivery is durably recorded or the message reaches terminal failure, while the content-free idempotency record is scheduled for deletion after 90 days; a cleanup-worker outage can delay physical deletion;
- cookie-consent preferences remain stored until you change them or clear browser storage;
- when an authenticated account-erasure request is accepted, sign-in credentials and sessions are revoked, profile/email data is anonymized, consent records and account-action links are deleted, and pending security-notice content is scrubbed in the same Identity-database transaction;
- linked download/access-token/share records in the separate API database and an owned avatar file are erased by an idempotent retry workflow with an operational completion target of 24 hours. Account-linked API writers use the same database fence, requests are time-bounded, and a final sweep follows the ordinary in-flight window; infrastructure outages can delay completion, remain visible as an operational alert, and do not cause the workflow to abandon the request;
- account-linked identifiers and request metadata in Identity security-audit rows are anonymized during the erasure workflow; the remaining non-identifying event record follows the up-to-180-day audit retention;
- the completed Identity erasure workflow replaces its subject locator with a fresh random value and keeps only a content-free idempotency/SLA tombstone that is scheduled for deletion after 90 days; a cleanup-worker outage can delay physical deletion;
- the API anti-recreation fence is pseudonymous personal data, not anonymous data: after erasure it retains only the SHA-256 internal-account digest and timestamps, solely to reject stale or already-authorized writes. It is scheduled for automatic deletion after seven days; a cleanup-service outage can delay the physical deletion and remains an operational issue to be repaired;
- deletion from live systems does not rewrite offline disaster-recovery backups synchronously. Any restored backup must have completed erasure requests reapplied before normal service, and backup/provider retention remains outside the live 24-hour workflow;
- account data is generally kept while the account remains active, unless deletion or cleanup is requested;
- contact messages are not currently deleted on a fixed automatic timer; they are kept only as long as reasonably necessary to answer, follow up and maintain a record of the communication.
12. Your choices and rights
You can manage optional cookies from the privacy controls, clear browser storage, sign out, request a password reset, update profile details or delete your BalassLabs account from the account area.
If analytics consent was previously granted, you can withdraw it at any time from the privacy controls. Withdrawal does not affect processing that already took place before the change.
Subject to applicable law, and in particular the GDPR, you have the following rights in relation to personal data processed about you:
- the right of access (Art. 15);
- the right to rectification (Art. 16);
- the right to erasure, also known as the "right to be forgotten" (Art. 17), subject to the legal exceptions in Article 17(3), for example where retention is required by law or necessary for legal claims;
- the right to restriction of processing (Art. 18);
- the right to data portability (Art. 20);
- the right to object to processing based on legitimate interests or for direct marketing (Art. 21);
- the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3));
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you (Art. 22);
- the right to lodge a complaint with a supervisory authority, in particular the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) for users in Romania.
To exercise any of these rights, contact the operator at the address listed in the Contact section.
Processing is carried out in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and, for users in Romania, Romanian Law no. 190/2018 implementing the GDPR.
13. Security of your data
BalassLabs uses industry-standard measures to protect personal data, including HTTPS in transit, HSTS, a strict Content Security Policy, HttpOnly refresh-token cookies, server-side hashing of authentication secrets, rate limiting on sensitive endpoints and routine cleanup of expired tokens and logs. No online service can be completely secure, so BalassLabs also maintains security audit logs and reviews suspicious activity.
14. Data breach notification
If BalassLabs becomes aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, the relevant supervisory authority will be notified within 72 hours of awareness, in line with Article 33 of the GDPR. Where the breach is likely to result in a high risk to you, BalassLabs will also notify affected users directly without undue delay, in line with Article 34 of the GDPR, using the email address on file for the account.
15. Intellectual property
Unless stated otherwise, BalassLabs content, branding, visuals and code samples are protected by applicable intellectual-property laws. You may not copy, republish or commercially reuse them without prior permission.
16. Availability and liability
Services are provided on an "as is" and "as available" basis. BalassLabs aims to keep the site reliable and secure, but uninterrupted availability cannot be guaranteed. To the maximum extent permitted by law, BalassLabs is not liable for indirect, incidental or consequential damages arising from use of the website, downloads or third-party links.
17. Changes
BalassLabs may update this page from time to time to reflect product, security or legal changes. The date at the top shows the latest revision.
18. Contact
For legal, privacy or policy questions, contact Robert Balassan at [email protected] or use the Contact page on this site.
