Privacy Policy

Effective date: May 24, 2026 · Last updated: May 24, 2026

I'm Nikita Petrov, the person behind Foliobin. I try to collect as little personal data as I can get away with. If you sign up, I store your email and what your OAuth provider tells me. If you subscribe to the newsletter, I store your email until you unsubscribe. I use Google Analytics when enabled, and strictly necessary session cookies for login. If you're featured on Foliobin and want to be removed, email me — I'll do it, no questions. You have rights under GDPR and 152-FZ; this page explains them.

Site rules are in the Terms of Service.

1. Who is the data controller

For the purposes of GDPR (EU/EEA), the UK GDPR, and Russian Federal Law 152-FZ "On Personal Data," the controller is:

Nikita Petrov — an individual residing in the Russian Federation, operating foliobin.com as a personal project. Email: hello@foliobin.com

I am not a registered legal entity. There is no DPO requirement under GDPR or 152-FZ for an operation of this size, but you can address all privacy questions directly to the email above.

EU representative under GDPR Article 27: Not yet designated. EU/EEA data subjects can address requests directly to hello@foliobin.com.

2. What I collect, why, and the legal basis

| Data | Source | Why | Legal basis (GDPR) |
|---|---|---|---|
| Email, name, profile picture, OAuth ID | When you sign in with Google, LinkedIn, or X | To create and maintain your account | Contract — Art. 6(1)(b) |
| Email address (newsletter) | When you subscribe | To send the weekly digest | Consent — Art. 6(1)(a) |
| Submitted portfolio: URL, screenshots, name, role, employer, optionally uploaded files | When you submit | To review and (if accepted) publish | Contract — Art. 6(1)(b) |
| Saved portfolios / favorites | When you save items | To remember your collection | Contract — Art. 6(1)(b) |
| AI search queries | When you use semantic search | To return relevant results; not used to profile you | Legitimate interest — Art. 6(1)(f) |
| Analytics — page views, country, referrer | Automatically when you visit (Google Analytics, when enabled) | To understand how Foliobin is used and improve it | Legitimate interest — Art. 6(1)(f) |
| Server logs (IP, user-agent, timestamps) | Automatically | Security, debugging, abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Featured designers' publicly-available professional info | I add it myself from public sources | Curation of a public-interest design gallery | Legitimate interest — Art. 6(1)(f) — see Section 3 |

Under Russian Federal Law 152-FZ, the corresponding bases are: contract (Art. 6, Part 1, Clause 5), consent (Art. 6, Part 1, Clause 1), and the operator's legitimate interests (Art. 6, Part 1, Clause 7).

3. Featured designers without prior consent

Foliobin features some designers who did not submit their portfolios. I add them because their work is publicly available, professionally relevant, and useful for the design community to see. I only use publicly available professional information: name, current job title, current employer, and screenshots or embeds of work that's already public on the web. I do not include personal details (home address, personal contact info, family information) and I do not include special-category data (health, political views, etc.).

The legal basis under GDPR is legitimate interest (Art. 6(1)(f)). I have weighed my interest in curating a public design gallery against your right to privacy. Because the information is professional and public, the processing is proportionate, and because you have an immediate, no-friction right to be removed, I believe the balance is reasonable. Under Russian 152-FZ the corresponding basis is Art. 6, Part 1, Clause 7.

If you are featured and want to be removed: Email me at hello@foliobin.com. I will remove your listing and any associated data. No reason needed. Target turnaround: 72 hours.

You can ask me to confirm in writing that the data has been deleted, and I will. This is your GDPR Article 21 right to object combined with Article 17 right to erasure. Under 152-FZ it is your right under Art. 14 and Art. 21.

4. Cookies and analytics

When Google Analytics is enabled, Foliobin uses it to measure traffic. Google Analytics may set cookies and process data that can be considered personal data under GDPR. If you are in the EU/EEA, I am working toward a cookieless analytics setup; until then, analytics cookies may be used.

I use strictly necessary cookies — for example, the session cookie that keeps you logged in if you have an account. These are exempt from consent requirements under ePrivacy Article 5(3) in most jurisdictions.

If I switch to a cookieless analytics tool (for example Plausible Analytics), I will update this policy and remove unnecessary cookie banners where applicable.

5. Third-party processors I use

  • Vercel (hosting / frontend) — United States — https://vercel.com/legal/privacy-policy
  • Sanity (content management, portfolio data, session logs) — United States / EU — https://www.sanity.io/legal/privacy
  • Resend (transactional and newsletter emails) — United States / EU — https://resend.com/legal/privacy-policy
  • Google Analytics (Google LLC) — when enabled — https://policies.google.com/privacy
  • OAuth providers — Google, LinkedIn, X — only when you choose to sign in with them

The list above is updated when processors change. For questions about sub-processors, email me.

6. International data transfers

Because I rely on services hosted outside Russia and outside the EU/EEA, your data may be transferred internationally. For EU/EEA users:

  • Transfers to the US (Vercel, Resend, Sanity, Google) rely on the EU–US Data Privacy Framework where the processor is certified, and on Standard Contractual Clauses (SCCs) where it is not.
  • I do not transfer data to countries outside the EU/EEA for purposes other than the technical operation of the Service.

For Russian users, I disclose honestly: Foliobin's primary infrastructure is hosted outside the Russian Federation. Foliobin is an international project not directed primarily at the Russian Federation. The Service is in English and Russian, is free of charge, does not accept payments in roubles, and does not target Russian users specifically. If you are a Russian citizen and choose to use the Service, your data is processed in the same way as for all other international users, on the infrastructure described above. Cross-border data transfer takes place to the United States and the European Union for the operation of the Service.

7. How long I keep things (retention)

  • Account data — for as long as your account exists. Deleted within 30 days of account closure.
  • Newsletter subscription — until you unsubscribe. After unsubscribe, your email is removed within 14 days, except for a hashed record kept so I don't accidentally re-add you.
  • Submitted portfolios — for as long as they are published, plus 12 months in archived form, then deleted.
  • Featured designers' listings — for as long as published, until you ask for removal.
  • Server logs — typically 30 days, longer if needed for security investigations.
  • Analytics — aggregated only; no individual data retained beyond Google Analytics defaults.

8. Your rights

Under GDPR (EU/EEA) and UK GDPR: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection (especially to processing based on legitimate interest, including the featured-designers practice), withdrawal of consent, and the right to lodge a complaint with your local supervisory authority.

Under Russian Federal Law 152-FZ: access (Art. 14), correction (Art. 21), blocking and erasure (Art. 21), withdrawal of consent, objection to direct-marketing processing (Art. 15), complaint to Roskomnadzor or to a court.

Under California CCPA/CPRA: Foliobin does not meet the applicability thresholds for the current compliance year; to the extent applicable, California residents have the right to know, to delete, to correct, to opt out of "selling" or "sharing" of personal information (I do not sell or share your personal information in the CCPA sense), and to non-discrimination.

To exercise any of these rights, email hello@foliobin.com. I will respond within 30 days. For straightforward removal requests, I aim for 72 hours.

9. Children

Foliobin is not intended for children under 16. I do not knowingly collect data from anyone under 16. If you believe a child has provided me with personal data, please contact me and I will delete it.

10. Security

I use reasonable technical and organizational measures: TLS in transit, encrypted storage at rest (provided by Vercel / Sanity / Resend), access controls, and minimal data collection. No system is perfectly secure; if there is a personal data breach affecting you, I will notify you and the relevant supervisory authority as required by Art. 33–34 GDPR.

11. Changes to this policy

I'll update this policy when things change. The "Last updated" date at the top will reflect the most recent change. For material changes, I'll notify newsletter subscribers and account holders by email.

12. Contact

For anything privacy-related — questions, rights requests, removal requests, complaints — email hello@foliobin.com.

You can complain to your local supervisory authority. In Russia, that is Roskomnadzor (https://rkn.gov.ru). In the EU/EEA, find your authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
