All ZADIO apps › Vireks+ › Privacy policy
Privacy Policy
Last updated: 2026-07-11 · Effective: 2026-07-11 · Version: 1.0
This Privacy Policy describes how ZADIO EOOD ("Company," "we," "us," or "our") handles information when you use the Vireks+ mobile application ("App") and the Vireks+ website at https://zadio.bg/vireksplus/ ("Site"). We are committed to compliance with the GDPR, the ePrivacy framework, the Bulgarian LPDP, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), the UK Data Protection Act 2018, and the U.S. Digital Millennium Copyright Act ("DMCA") for takedown procedures (handled in the Terms of Service).
Data Protection Officer (DPO): Not appointed. Based on the nature, scope, context, and purposes of our processing, we are not required to designate a DPO under Article 37 GDPR. Privacy inquiries may be directed to app@zadio.bg.
1. Overview
Vireks+ is a private screen and camera recorder for Android. It captures the device screen or the front/back cameras and writes the result as a standard MP4 file to DCIM/vireks+/ on the device. There is no cloud service, no server, and no account. Vireks+ is designed to stay out of the way while capturing what is on the screen or in front of the camera, and to leave nothing behind on any server.
We do NOT:
- request the Android
INTERNETpermission (orACCESS_NETWORK_STATE) in the merged app manifest; - ship any analytics, telemetry, crash reporter, or A/B testing SDK in the release build;
- ship any advertising SDK, and we do not read the Android Advertising ID (
AD_ID); - display advertisements or in-app upsells beyond the single unlock prompt;
- collect your name, email, phone, address, or location;
- upload, transmit, or back up your recordings, photos, videos, or any other file;
- sell, rent, or share personal data with third parties for marketing;
- perform automated decision-making with legal or similarly significant effect (Art. 22 GDPR);
- process special-category data (Art. 9 GDPR).
The single third-party library included in the release build is Google Play Billing, which is used exclusively to process the one-time ~15 EUR unlock. The network call to settle that purchase happens inside the Google Play Store app on your device (a system component maintained by Google), not inside Vireks+.
2. Information we collect (and what we do not)
2.1 Personal data collected by the Vireks+ mobile app
None. The App does not collect or transmit any personal data. Its Android manifest does not request the INTERNET permission, so it is structurally incapable of sending any data to any server operated by us or by any third party. This is verifiable: run aapt dump permissions on the published APK / AAB and confirm the absence of android.permission.INTERNET.
2.2 On-device values Vireks+ reads (but does not transmit)
Some values are read locally on your device to make the free-quota counter work and to save your files. Because there is no network access, none of these values ever leaves your device.
ANDROID_ID- a per-device, per-signing-key identifier provided by Android. Vireks+ reads it on-device only, as part of an HMAC over the free-quota state stored in local DataStore, so a user cannot bypass the ten-recording free quota by clearing app data. The value does not identify you personally, and because Vireks+ has no network access, it cannot be sent anywhere.- Local free-quota counter - an integer between 0 and 10 stored in the App's private DataStore. When it reaches 0, the Start button is gated behind the one-time unlock. The counter is not associated with any account and is not synchronised across devices.
- Recording configuration - your preferences (resolution, bitrate, audio on/off, camera mode, fixed length) stored in DataStore for reuse across sessions. Local only.
- Media Store metadata for files Vireks+ wrote - the list of recordings you see inside the App is built by querying the Android
MediaStorefor entries whose owner package iscom.zadio.vireks.plus. Vireks+ never scans other apps' files.
2.3 Content you create with Vireks+
Your recordings (MP4 videos, derived time-lapse clips, and stills) are written directly to the standard Android media folder DCIM/vireks+/ on your device. Photos, Files, Gallery, and other media apps pick them up automatically. Vireks+ never uploads, transmits, or backs up recordings. Files leave your device only if you explicitly share them through the Android share sheet with another app of your choosing (in which case the receiving app is the data controller for what happens next).
2.4 Purchase records
The one-time ~15 EUR unlock is a non-consumable Google Play in-app product. The purchase itself is processed by Google Play Billing inside the Google Play Store app on your device. Google receives and processes the payment; Vireks+ does not see, store, or transmit your payment instrument, name, email, or billing address. Vireks+ receives from Google Play only a boolean-shaped entitlement token that says "this Google account has purchased vireks_plus_unlock_lifetime", which Vireks+ caches locally so the unlock persists across app restarts. The purchase is restored on any device signed into the same Google account.
2.5 Information collected by the Vireks+ website (this Site)
The Site at zadio.bg/vireksplus/ is a static HTML site. When you load a page, our EU-based hosting provider records a standard web-server access log (IP address, timestamp, requested path, user-agent, referrer) on the legitimate-interests basis (Art. 6(1)(f) GDPR) for security and abuse investigation. Logs are retained for up to 14 days and then rotated / deleted. No cookies are set by the Site. The Site uses Plausible Analytics, a privacy-friendly, cookieless service that hashes visitor IPs with a daily-rotated salt and discards them; only aggregate metrics are stored. See § 5.3.
2.6 Information we do NOT collect
- your name, email address, phone number, postal address, or any account credentials;
- location data (GPS, IP-based, Wi-Fi, cell-tower, or otherwise) from the App;
- contacts, call logs, SMS, or messages;
- photos or videos other than the ones you asked Vireks+ to write;
- audio recordings, except when you explicitly enable microphone audio for a session, in which case the audio is muxed into your local MP4 on device;
- camera frames, except during a camera session you initiated, in which case the frames are encoded to your local MP4 on device;
- advertising identifiers (Android Advertising ID / GAID, IDFA, etc.);
- browsing history, keystroke data, screen recordings of you using other apps;
- biometric, health, financial, ethnic, religious, or any "special category" data (Article 9 GDPR).
3. Purposes and legal bases (GDPR Article 6)
Because the App does not process any personal data on our side, the vast majority of Article 6 does not apply to us as controller. The table below covers the very short list of processing operations we are involved in.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Google Play purchase record (unlock entitlement) | Deliver the paid unlock; restore the purchase across your devices without you paying again | Art. 6(1)(b) contract with the user | Held and controlled by Google Play. Vireks+ caches only a boolean entitlement locally. |
| Invoice / VAT-collection record generated by Google Play | Bookkeeping & tax | Art. 6(1)(c) legal obligation (BG Accounting Act, Art. 12; EU VAT OSS/IOSS rules) | 10 years (Bulgarian statutory retention) |
| Site access logs (IP, timestamp, path, user-agent, referrer) | Security, abuse prevention, error diagnosis for the static website | Art. 6(1)(f) legitimate interest (Recital 47) | Up to 14 days at the hosting provider |
| Aggregated Site analytics (page views, referrers) via Plausible | Understand website traffic without profiling visitors | Art. 6(1)(f) legitimate interest (aggregated, cookieless, no personal data) | Retained by Plausible in aggregated form; no individual profiles |
Legitimate-interests balancing test (LIA). We have conducted an LIA for the two legitimate-interest bases above and concluded they are necessary, proportionate, and do not override your rights because (i) data is aggregated, pseudonymised, or short-lived; (ii) no profiling is performed; (iii) the App is entirely offline; and (iv) you are transparently informed here. A summary is available on request at app@zadio.bg.
4. Data storage, security & hosting
4.1 Local (on-device) storage
Vireks+ stores your preferences, the free-quota counter, and the cached unlock entitlement in app-private storage. That storage is accessible only to the Vireks+ app and is removed when you uninstall. Recordings are written to the shared DCIM/vireks+/ gallery folder so other media apps can find them; that folder persists after uninstall in accordance with Android's Media Store semantics (you can delete individual files at any time through Files, Photos, or the Vireks+ recordings drawer).
4.2 Cloud storage and hosting region
Vireks+ has no cloud backend. There is no Firebase project, no S3 bucket, no CDN, no analytics server, and no crash-reporting server behind the App. The only network traffic that ever concerns Vireks+ is the Google Play Billing purchase call, which is issued by the Google Play Store app on your device and is subject to Google's own privacy practices.
The marketing Site is hosted at Spatiul.com (cPanel / LiteSpeed) in the EU (Bucharest, Romania). Server access logs may briefly retain IP address, timestamp, path, and user-agent for security and anti-abuse on a legitimate-interest basis (Art. 6(1)(f) GDPR). Logs are typically retained for 14 days.
4.3 Security measures (GDPR Art. 32)
- App-private local storage for all local data;
- No network I/O in the App (structural, enforced by the manifest);
- HMAC over the free-quota state so it is tamper-resistant;
- Site served over HTTPS/TLS 1.2+ only, with HSTS at the host root;
- Modern security headers on every Site response (CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS);
- Principle of least privilege on the hosting account (dedicated cPanel user, no shell access from CI);
- Data minimisation - no name, email, phone, or location asked at any point.
4.4 Personal data breach notification
In the unlikely event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours (GDPR Art. 33). High-risk breaches will also be communicated to affected data subjects without undue delay (GDPR Art. 34). Because the App has no network I/O and no server-side database, the realistic scope of a breach is limited to Site access logs at the hosting provider.
5. Third-party services & sub-processors
5.1 Google Play - distribution and billing
The App is distributed exclusively through the Google Play Store. The ~15 EUR one-time unlock is processed by Google Play Billing (a system component running inside the Google Play Store app on your device). Google Ireland Limited / Google LLC is the merchant of record for EU/EEA end-user purchases. Google's privacy practices: policies.google.com/privacy. Google Play's own data handling for purchases: play.google.com/about/play-terms/.
5.2 Hosting provider (Spatiul.com)
The static Site is served by Spatiul.com (cPanel / LiteSpeed) from EU data centres (Bucharest, Romania). Spatiul.com processes only web-server access logs on our behalf as a Data Processor under Article 28 GDPR.
5.3 Plausible Analytics (Site only - aggregated, cookieless)
The Site uses Plausible Analytics, an EU-hosted, privacy-friendly analytics service. Plausible sets no cookies, uses no cross-site tracking, and stores no personal data. IP addresses are hashed with a daily-rotated salt and discarded; only aggregate metrics remain. See plausible.io/data-policy. Plausible is not integrated into the mobile App.
5.4 Other sub-processors
We do not integrate any additional third-party sub-processors beyond Google Play Billing (for the one-time unlock) and the hosting provider that serves this static website. There is no analytics SDK, no crash reporter, no ad network, no Firebase, no Sentry, and no CDN in the mobile app.
5.5 Data Processing Agreements
Where applicable, we have entered into a Data Processing Addendum with each processor under Article 28 GDPR (Google Cloud DPA covering Play; Spatiul.com's DPA covering hosting). We maintain a current sub-processor list and notify users of material changes through this Privacy Policy.
6. International data transfers (GDPR Chapter V)
The App does not itself transfer any data anywhere - because it has no network I/O. The only outbound flows that touch third countries are:
- the Google Play purchase call, which may involve Google LLC (United States) and other Google entities. Transfers to Google LLC are covered by the EU-U.S. Data Privacy Framework (adequacy decision C(2023) 4745 of 10 July 2023) and, as a supplementary safeguard, by the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914);
- aggregated Site analytics via Plausible, which is EU-hosted (no transfer);
- outbound linked pages you may follow from the Site (e.g., Google Play), which are subject to the third party's own privacy practices.
You may request a copy of the safeguards applied by emailing app@zadio.bg.
7. Your choices, permissions & controls
7.1 Opting out of analytics
The App has no analytics. There is nothing to opt out of. For the Site, Plausible respects privacy signals (DNT, GPC) and, being cookieless, requires no consent banner under Article 5(3) of the ePrivacy Directive.
7.2 Push notifications
The App does not send push notifications. Android may show a foreground-service notification while a recording is in progress; that notification is mandatory under Android's foreground-service policy and is generated locally by the OS. You can dismiss it (Android may re-show it while the service is alive) or stop the recording to remove it.
7.3 Uninstall
Uninstalling the App stops all local data collection and removes all app-private data from your device. Existing recordings in DCIM/vireks+/ are preserved because they are your files; delete them yourself through Files, Photos, or Gallery if you wish. Google Play retains its record of your purchase (so you can restore it if you ever reinstall).
7.4 Device permissions Vireks+ requests
FOREGROUND_SERVICE,FOREGROUND_SERVICE_MEDIA_PROJECTION,FOREGROUND_SERVICE_CAMERA,FOREGROUND_SERVICE_MICROPHONE- required to host the capture pipeline while the user navigates to the app being recorded.RECORD_AUDIO(runtime, optional) - only when the user turns audio on for a session; audio is muxed into the local MP4 on device.CAMERA(runtime, optional) - only when the user selects a camera session; frames are encoded to the local MP4.MODIFY_AUDIO_SETTINGS- temporarily mutes the media stream during a microphone-only session so device audio does not bleed into the microphone capture.POST_NOTIFICATIONS(runtime, API 33+) - required to show the mandatory foreground-service notification.SYSTEM_ALERT_WINDOW(special access, granted once via a system settings screen) - hosts the fully transparent overlay that catches the corner-tap Stop gesture during a screen session. The overlay draws zero pixels.
7.5 Permissions explicitly not requested
The following permissions are explicitly absent from the merged manifest: INTERNET, ACCESS_NETWORK_STATE, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, READ_CONTACTS, READ_SMS, READ_PHONE_STATE, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, READ_MEDIA_VIDEO, READ_MEDIA_IMAGES, READ_MEDIA_AUDIO, and com.google.android.gms.permission.AD_ID. The Google Play Billing library's transitive INTERNET declaration is explicitly stripped by the Android manifest merger via a tools:node="remove" rule; CameraX's transitive ACCESS_NETWORK_STATE is stripped the same way.
8. Data retention and deletion
8.1 Retention periods
Concrete retention periods are in the table in § 3. Because the App does not process personal data, retention is trivial: nothing exists to retain beyond your locally-stored preferences, and those disappear on uninstall.
8.2 Local data
All locally stored preferences, the free-quota counter, and the cached unlock entitlement are deleted when you uninstall the App. Recordings in DCIM/vireks+/ are user files; delete them through Files / Photos / Gallery.
8.3 Google Play purchase record
Google retains its record of your purchase indefinitely so that you can restore the unlock at any time. That record is controlled by Google, not by us; see Google's privacy practices for how to have it deleted.
8.4 Deletion requests
Email app@zadio.bg. Because we hold no personal data about you, a deletion request is nearly always resolved by pointing you to the correct sub-controller (Google for purchase data, Spatiul.com for Site logs) and confirming that we hold nothing else. We respond within 30 days (extendable by two months under Art. 12(3) GDPR).
9. Children's privacy
The App is not directed at children. Per Article 8 GDPR and Bulgarian LPDP Art. 25v, the minimum age for consent to information-society services in Bulgaria is 14 years. In other EU/EEA Member States the minimum age is between 13 and 16 as set by national law. In the United States we comply with COPPA (15 U.S.C. §§ 6501-6506); we do not knowingly collect data from children under 13 - in fact, we do not collect data from users of any age. Users under 18 must have permission from a parent or legal guardian to make in-app purchases. If you believe a child has provided us with personal data, contact app@zadio.bg and we will investigate promptly.
10. Your rights
10.1 EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)
- Right of access (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure / "right to be forgotten" (Art. 17);
- Right to restrict processing (Art. 18);
- Right to data portability in JSON format (Art. 20);
- Right to object (Art. 21) - to processing based on legitimate interests;
- Right to withdraw consent at any time (Art. 7(3));
- Right not to be subject to automated decision-making (Art. 22) - we perform none;
- Right to lodge a complaint with a supervisory authority (Art. 77).
Exercise your rights: app@zadio.bg. We respond within 30 days, extendable per Art. 12(3) GDPR.
10.2 Supervisory authority - Bulgaria
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.
10.3 California (CCPA / CPRA)
California residents have the right to know, delete, opt out of the sale or sharing of personal information (we do not sell or share), limit use of sensitive personal information (we collect none), and a non-discrimination right. Because the App collects no personal information, the "Do Not Sell or Share My Personal Information" link required by CPRA § 1798.135 is not applicable. Contact app@zadio.bg with any CCPA / CPRA request.
10.4 Brazil (LGPD), Quebec (Law 25), and other jurisdictions
Residents of Brazil, Quebec, and other jurisdictions with comparable data-protection laws have similar rights to access, correct, delete, anonymise, and port their data. Because the App is currently distributed within the EU/EEA only, requests from other jurisdictions will typically confirm that we hold no data about you. Contact app@zadio.bg.
11. Cookies, trackers & similar technologies
This section is the cookie / tracker disclosure for both the Site and the App, issued pursuant to Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), Article 4b of the Bulgarian Electronic Communications Act, and Articles 13-14 GDPR.
11.1 Categories of trackers and legal bases
| Category | Purpose | Consent required? | Used by us? |
|---|---|---|---|
| Strictly necessary | Technical delivery of a service the user explicitly requested | No | Minimal (Site TLS session, HTTP request handling) |
| Functional / preferences | Remember language, region, display preferences | Yes, unless strictly necessary | No |
| Analytics | Measure audience and app usage | Yes (opt-in) | Site only: Plausible - cookieless, aggregated, no personal data. App: none. |
| Advertising / marketing | Targeted advertising, frequency capping, profiling | Yes | No - ever |
| Social media / third-party embeds | Widgets, pixels, external services | Yes | No |
11.2 Trackers used on the Site
- No first-party cookies are set.
- No third-party advertising or cross-site tracking is loaded.
- Plausible Analytics (privacy-friendly, cookieless, aggregated) is loaded; it sets no cookies and stores no personal data. See § 5.3.
- Fonts use the operating system's native font stack - no external font CDN is contacted.
- Server access logs may briefly retain IP address and user-agent for security/anti-abuse on a legitimate-interest basis (Art. 6(1)(f) GDPR). Logs are typically retained for 14 days.
11.3 Trackers used in the App
- App-private local storage (preferences, free-quota counter, cached unlock entitlement). Removed on uninstall. Required for the App to function (Art. 6(1)(b) GDPR / § 5(3) ePrivacy strictly-necessary exception).
- Google Play Billing for the one-time unlock. Purchase call is issued by the Google Play Store app; Vireks+ receives only an entitlement token.
There are no other SDKs. There is no Firebase. There is no analytics library. There is no crash reporter.
11.4 Managing your preferences
Site: use your browser's settings to block or delete cookies. Because we set no cookies on this Site, most users will have nothing to delete from our domain. We honour privacy-enhancing browser signals (DNT, GPC) where technically feasible.
App: nothing to disable. Delete all local storage by uninstalling. Purchase records are controlled by Google Play.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date and version number, and where appropriate notifying you through the App or the Site. Continued use after changes constitutes acceptance. Prior versions are available on request at app@zadio.bg.
13. Contact
ZADIO EOOD · EIK 201209745 · VAT BG201209745 · DUNS 503679175
Registered seat: sq. Han Kubrat 1, fl. 2, apt. 1, 7000 Ruse, Bulgaria
Email: app@zadio.bg · Phone: +359 879 655 188
Hours: Monday-Friday, 09:00-18:00 EET/EEST (Sofia time), excluding Bulgarian public holidays
Website: https://zadio.bg/vireksplus/
EU Online Dispute Resolution platform: ec.europa.eu/consumers/odr