Pleroma

Privacy

Minimal by design, explained in full

Last updated: April 11, 2026

Pleroma collects only what it needs to deliver the teachings, the products, and the Inner Circle — and nothing else. This page tells you exactly what we collect, why, where it goes, how long we keep it, and how to make us delete it.

Who runs Pleroma

Pleroma is operated by Stefans Alkimia, a natural person based in Bulgaria, as data controller under GDPR. There is no registered company behind the site — it is a solo operator's personal project that sells digital teachings. For anything data-related, write to pleroma@stefansalkimia.com and you reach the only person with the keys.

What we collect and why

Each row below lists one category of data, where it comes from, why we process it, and the legal basis under Art. 6(1) GDPR.

Email address and language preference

You type it into the newsletter form or the checkout form.

To send the teachings, deliver the Grimoire and Protocol PDFs, and run the Inner Circle.

Consent (Art. 6(1)(a)) for the newsletter. Contract performance (Art. 6(1)(b)) for purchases.

Purchase records

Stripe webhooks — product, amount, timestamp, Stripe customer ID.

Fulfil the order, honour refunds, and comply with tax/accounting obligations.

Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).

IP address at the moment you subscribe

Your browser's HTTP headers.

Prevent signup flooding. We hash the IP with a daily-rotating salt, store only the hash, and never link it back to a person.

Legitimate interest (Art. 6(1)(f)) — keeping the list honest.

Anonymous usage stats

Google Analytics 4 and Vercel Web Analytics — only after you accept analytics in the cookie banner.

Understand what's read and what isn't, and improve the site.

Consent (Art. 6(1)(a)) plus ePrivacy Art. 5(3).

Email delivery telemetry

Resend — sent / opened / bounced / clicked events.

Keep the list clean and honour your unsubscribes.

Legitimate interest (Art. 6(1)(f)).

We do NOT collect your real name, postal address, phone number, payment card data, location, social-media data, or any special-category data (Art. 9 GDPR — health, religion in the strict sense, etc.).

Where your data goes

We use a small, deliberate stack. Each of these is a data processor under Art. 28 GDPR and each has a Data Processing Agreement in place. Transfers outside the EU rely on the EU-US Data Privacy Framework; if any processor loses DPF adequacy we fall back to Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914.

  • Stripe, Inc. — payment processing (US, EU-US DPF).
  • Resend — email delivery (US, EU-US DPF).
  • Supabase Inc. — database for subscribers and purchase records.
  • Vercel Inc. — hosting and CDN (US, EU-US DPF for logs).
  • Google LLC — Google Analytics 4, only loaded after you consent (US, EU-US DPF).

How long we keep it

  • Active subscriber: until you unsubscribe, then 30 days for audit, then hard-deleted.
  • Unsubscribed subscriber: 30 days, then deleted.
  • Purchase records: 10 years from purchase (Bulgarian accounting law, Zakon za Schetovodstvoto Art. 12).
  • Rate-limiting IP hash: 24 hours.
  • Analytics data: Google 14 months, Vercel rolling 30 days.
  • Email delivery logs: 12 months.

Your rights

Under GDPR you have, at any time, the right to:

  • Access the data we hold about you (Art. 15).
  • Correct anything inaccurate (Art. 16).
  • Erase it entirely (Art. 17).
  • Restrict how we process it (Art. 18).
  • Port it somewhere else in a common format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing already done (Art. 7(3)).
  • Complain to the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни) at www.cpdp.bg.

To exercise any of these rights, email pleroma@stefansalkimia.com. We answer within 30 days, as Art. 12(3) GDPR requires.

Automated decision-making

None. Nothing on Pleroma makes a decision about you automatically.

Children

Pleroma is not intended for anyone under 16. We do not knowingly collect data from anyone under that age. If you believe we have, write to the address above and we will delete it.

Changes

If we change this policy we'll date it at the top. For any material change affecting the newsletter, we'll email subscribers before the change takes effect.

Contact

For any privacy-related question or data request, write to pleroma@stefansalkimia.com.