Privacy Policy

1. Introduction

This Privacy Policy explains how nastasiu.ro (the “Site”), operated by NASTASIU HOLDING SRL (the “Operator”, “we”, “us”), collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Romanian data protection legislation.

Effective date: March 8, 2026

2. Data Controller

The data controller responsible for your personal data is:

NASTASIU HOLDING SRL
EUID: ROONRC.J22/2796/2021
DUNS: 448860249
VAT ID: RO44775939
Email: andrei@nastasiu.ro

3. Data We Collect

3.1 Contact Form

When you submit the contact form, we collect your email address and message content. This data is sent directly to the Operator via email and is not stored in any database.

3.2 iOS App Store Checker

When you use the iOS App Store Checker, we collect the following data for each analysis:

  • The App Store URL or App ID you submit.
  • Your IP address, approximate location (country, city, region as provided by network headers), browser user agent, referrer URL, and preferred language.

This data is included in notification emails sent to the Operator to monitor usage and detect abuse. It is not stored in any database. No personal data is sent to Apple — only the App ID and country codes are used to query Apple's public APIs.

3.3 Referral Tracking

If you arrive at the Site via a link containing a ?ref= parameter, the referral source value along with your IP address, user agent, referrer, and language are sent to the Operator via email. This is used to understand how visitors discover the Site.

3.4 Cloudflare Turnstile

The Site uses Cloudflare Turnstile for bot detection. When you access the Site, Turnstile processes browser signals, your IP address, and device attributes to verify you are a human visitor. This data is processed by Cloudflare on their servers. We receive only a pass/fail verification result. Please refer to Cloudflare's Privacy Policy for details.

3.5 Analytics

The Site uses Google Analytics 4 (GA4) with Consent Mode v2. Before you grant consent, GA4 operates in cookieless mode — it sends anonymous pings to Google without setting cookies or using identifiers. After you explicitly accept analytics via the cookie banner, GA4 sets standard analytics cookies and collects usage data such as pages visited, session duration, and device information.

Advertising features are permanently disabled. The ad_storage, ad_user_data, and ad_personalization consent signals remain denied at all times.

3.6 Server Logs and Rate Limiting

Your IP address is used for rate limiting to prevent abuse of the Site's services. Rate limit data is held in server memory only and is automatically cleared after the rate limit window expires (up to 24 hours). IP addresses may also appear in standard server logs managed by the hosting provider.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

  • Consent (Art. 6(1)(a)) — for analytics cookies (Google Analytics 4). You can withdraw consent at any time by clearing your browser storage or declining via the cookie banner.
  • Legitimate interest (Art. 6(1)(f)) — for security measures including rate limiting, Cloudflare Turnstile verification, HMAC token validation, and security event logging. Our legitimate interest is to protect the Site from abuse and ensure its availability.
  • Contract performance (Art. 6(1)(b)) — for processing contact form submissions in order to respond to your inquiry.

5. Cookies and Local Storage

Cookies

The Site itself does not set any cookies. If you accept analytics via the cookie banner, Google Analytics 4 sets the following cookies:

  • _ga — distinguishes users (expires after 2 years).
  • _ga_* — maintains session state (expires after 2 years).

These cookies are only set after you explicitly grant consent. If you decline, no cookies are set.

Local Storage

The Site uses browser local storage for the following purposes. This data is stored only on your device and is never sent to our servers:

  • analytics-consent — stores your cookie consent preference.
  • appStoreCheckHistory — stores your recent iOS App Store Checker search history (app names and IDs only, up to 20 entries).

Session Storage

  • turnstileVerified — a temporary flag indicating you have passed the Turnstile verification. This is cleared when you close your browser tab.

6. Third-Party Services

We use the following third-party services that may process data:

Service | Purpose | Data Shared
Google Analytics 4 | Usage analytics | Cookieless pings before consent; standard analytics data after consent
Cloudflare Turnstile | Bot detection | Browser signals, IP address, device attributes
Apple APIs | App data retrieval | App ID and country codes only (no personal data)
DataHost (hosting) | Web hosting infrastructure | All data passes through their servers as part of hosting

7. Data Retention

  • Rate limit data — held in server memory only, automatically cleared after the rate limit window expires (maximum 24 hours).
  • Server logs — managed and retained by the hosting provider (DataHost) according to their policies.
  • Notification emails — retained by the Operator in their email account.
  • Analytics data — retained by Google according to the GA4 data retention settings configured by the Operator.

The Site does not use a database to store personal data. No user data is persisted on disk by the application itself.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your personal data.
  • Right to restriction — request that we limit processing of your data.
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw your analytics consent at any time by clearing browser storage or declining cookies.

To exercise any of these rights, contact us at andrei@nastasiu.ro. We will respond within 30 days.

You also have the right to lodge a complaint with the Romanian supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP).

9. International Data Transfers

Some of the third-party services we use are based in the United States:

  • Google (Analytics) — transfers are covered under the EU-US Data Privacy Framework.
  • Cloudflare (Turnstile) — transfers are covered under the EU-US Data Privacy Framework and Standard Contractual Clauses.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the effective date at the top of this page. We encourage you to review this page periodically.

11. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at andrei@nastasiu.ro.