1. Who we are
Z3R Studio (“we”, “us”) operates https://studio.z3r.io and related service communications. Controller / operator: Z3R Studio (trading as Z3R).
Contact for privacy requests: privacy@z3r.io. General contact: hello@z3r.io.
Effective date: 2026-07-18. Last updated: 2026-07-18.
This notice is provided for transparency and does not constitute legal advice. Mandatory consumer and data-protection rights in your country of residence always prevail.
2. Scope and jurisdictions
This Policy applies to visitors and enquirers from the European Union / EEA, United Kingdom, United States, Russian Federation, New Zealand and other regions where we make the site available.
We design controls to meet core obligations under the EU/UK GDPR, Russia’s Federal Law No. 152-FZ “On Personal Data”, California CCPA/CPRA (and similar US state laws), New Zealand’s Privacy Act 2020, and the EU ePrivacy rules for cookies/storage.
- European Union / EEA (GDPR)
- United Kingdom (UK GDPR)
- United States (CCPA/CPRA and applicable state laws)
- Russian Federation (Federal Law No. 152-FZ)
- New Zealand (Privacy Act 2020)
- Other jurisdictions where we offer services
3. Data we collect
We minimise collection. Depending on how you use the site, we may process:
- Identity and contact data you submit (name/company, Telegram or email, message content).
- Technical data needed to deliver the site (IP address truncated or processed by hosting, user-agent, security logs).
- Preference data you choose to store locally (theme, language, announcement dismiss) — only after consent for the Preferences category.
- Consent records (cookie choices, timestamps, consent version).
- Analytics or marketing identifiers — only if you opt in; none are loaded by default in the current build.
4. Purposes and legal bases
We process personal data for the following purposes:
- Responding to enquiries and preparing proposals — contract steps / legitimate interests / your consent (as applicable).
- Operating, securing and improving the website — legitimate interests; for RU residents also applicable 152-FZ grounds including consent where required.
- Storing preference and analytics/marketing storage — consent (GDPR Art. 6(1)(a); ePrivacy; 152-FZ where consent is required).
- Complying with law, defending claims — legal obligation / legitimate interests.
- CCPA/CPRA: we do not “sell” personal information. We do not “share” it for cross-context behavioural advertising unless you opt in to Marketing. You may opt out via Your Privacy Choices or Global Privacy Control (GPC).
5. Cookies and similar technologies
We use cookies and localStorage as described in our Cookie Policy. Strictly necessary storage (including your consent record) does not require consent. Preferences, analytics and marketing require prior opt-in in the EEA/UK/RU and similar regimes. You can change choices anytime via “Your Privacy Choices” in the footer.
6. International transfers
Hosting, email and tooling may process data in regions outside your country (including EU, US, and other locations used by our providers). Where GDPR applies, we rely on adequacy decisions or Standard Contractual Clauses (or equivalent). For 152-FZ, cross-border transfers follow Russian law requirements, including notices and restrictions where applicable. NZ overseas disclosures follow Privacy Act 2020 safeguards.
7. Retention
Enquiry messages: kept as long as needed to handle the request and related legitimate interests (typically up to 24 months, unless a longer period is required for a contract or dispute).
Security logs: short-term, typically 30–90 days unless investigating an incident.
Consent records: retained to demonstrate compliance.
Local preference storage: until you clear it, withdraw consent, or change browser data.
8. Your rights
Depending on your location, you may have rights to access, rectify, erase, restrict, object, port data, withdraw consent, and lodge a complaint with a supervisory authority (e.g. an EU DPA, UK ICO, Roskomnadzor, NZ Privacy Commissioner, or a US state AG).
California residents may request know/access, delete, correct, and opt out of sale/share; we will not discriminate for exercising rights. You may use an authorised agent as permitted by law.
To exercise rights, email ${meta.privacyEmail}. We may need to verify your request.
9. Children
The site is not directed to children under 16 (or the higher age required in your jurisdiction). We do not knowingly collect children’s data. Contact us if you believe we have, and we will delete it.
10. Security
We apply organisational and technical measures appropriate to the risk (TLS in transit, access control, least privilege, dependency hygiene). No method of transmission or storage is perfectly secure.
11. Changes
We may update this Policy. Material changes will be reflected by updating the “Last updated” date and, where required, seeking fresh consent.