Last Updated: 17.04.2026
Who we are
Our website address is https://annakreimes.com. The data controller is V-LON OÜ, contactable at tom@v-lon.com. Postal address: Harju maakond, Tallinn, Kesklinna linnaosa, Mere pst 4, 10111.
This Privacy Policy explains how V-LON OÜ collects, uses, and protects your personal data when you use https://annakreimes.com. It covers our compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Canada's PIPEDA, Australia's Privacy Act 1988, and other applicable privacy laws.
Important: Some sections of this website – specifically the Pattern Assessment quiz – process data related to your health. This is treated as special category data under GDPR Article 9 and requires your explicit consent before processing. See Section 6 for details.
1. Your Rights Under EEA GDPR and UK GDPR
As a resident of the European Economic Area (EEA) or the United Kingdom, you have specific rights regarding your personal data under GDPR and UK GDPR. These include:
- Right to Restrict Processing
- Right to Object to Processing
- Right to Data Portability
- Right to Withdraw Consent
- Right to Lodge a Complaint
- Right of Access: You have the right to obtain confirmation of whether we hold personal data about you, and to receive a copy of that data.
- Right to Erasure (“Right to be Forgotten”): You have the right to request deletion of your personal data under certain conditions.
- Right to Rectification: You have the right to have inaccurate personal data corrected.
2. Your Rights Under CCPA/CPRA (California)
If you are a resident of California, you are entitled to the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, as well as the sources of that data and how it is used.
- Right to Delete: You have the right to request that we delete any personal data we have collected from you, subject to certain exceptions (such as legal obligations).
- Right to Opt-Out of Data Sale: While we do not sell personal information, California residents have the right to opt out of any future sale of their personal information.
- Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.
- Right to Limit Use of Sensitive Personal Information: Your pattern result from our Pattern Assessment quiz may qualify as “sensitive personal information” under CPRA. You may request that we limit our use of this data to providing the services you requested.
3. If you are a resident of Canada, you are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). Your rights include:
- Right to Access: You can request access to the personal information we hold about you and understand how we use and share your data.
- Right to Challenge Accuracy: If your personal data is incorrect, you have the right to challenge its accuracy and have it corrected.
4. If you are a resident of Australia, you are protected by Australia's Privacy Act 1988, which grants you the following rights:
- Right to Access: You have the right to access the personal information we hold about you and request that any inaccuracies be corrected.
- Right to Complain: If you believe we have breached the Privacy Act, you have the right to lodge a complaint with the Australian Information Commissioner.
5. Data Collection and Processing
We collect personal data only when there is a clear legal basis to do so. Different sections of our website rely on different legal bases:
- Newsletter signup (general): Data: Email, name (if provided); Legal basis: Consent – GDPR Article 6(1)(a);
- Pattern Assessment quiz: Data: Email, dominant pattern label, IP address, timestamp; Legal basis: Explicit consent for health-related data – GDPR Article 9(2)(a);
- Optional Pattern Letter newsletter: Data: Email, separate consent flag; Legal basis: Consent – GDPR Article 6(1)(a);
- Website analytics: Data: None (cookie-less, no personal data); Legal basis: Legitimate interest – GDPR Article 6(1)(f);
- Comments on blog posts: Data: Name, email, IP address; Legal basis: Legitimate interest – GDPR Article 6(1)(f) and explicit consent for cookie storage;
- Contact form: Data: Name, email, message content; Legal basis: Legitimate interest in responding to enquiries – GDPR Article 6(1)(f);
- Affiliate links and tracking: Data: Click-throughs (anonymised where possible); Legal basis: Legitimate interest – GDPR Article 6(1)(f).
We will not require you to provide consent for any unnecessary data processing as a condition of receiving our services.
a. Types of Data Collected
- Pattern Assessment data (the most sensitive category – see Section 6 below): your email address and your dominant pattern result.
- General personal information: your name, email address, and any details you provide when subscribing to our newsletter, leaving comments, or using our contact form.
- Analytics data: anonymised page-view information collected by Plausible Analytics. No cookies are set, and no personal data is collected. See Section 8 below.
6. Pattern Assessment Quiz – Special Category Data
If you complete the Pattern Assessment quiz on this website and submit your email address at the end, this section describes exactly what we collect, why, and how to control it. We have designed the assessment to minimise the personal data we hold.
What we collect:
- Your email address (provided by you)
- Your dominant pattern label – a single value such as “Pain-Dominant,” “Gut-Driven,” “Hormone-Sensitive (Neuroendocrine),” “Detox-Overload,” or one of two hormonal-route results, computed from your quiz answers
- Your IP address (captured automatically by our email service provider for technical operation)
- The timestamp of your submission
We do not collect:
- Your individual quiz answers (these are computed in your browser and destroyed when you close the tab)
- Your name, address, phone number, or other personal details
- Cookies or tracking identifiers specific to the quiz
- Behavioural data about how you interacted with the quiz
Why this matters
The dominant pattern label is information related to your health. Under EU GDPR Article 9, this is special-category data and requires explicit consent (a higher consent standard than ordinary marketing emails). We collect it only with your explicit, granular consent at the point of submission, via the dedicated checkbox on the quiz result page.
Legal basis
We process this data under:
- GDPR Article 9(2)(a) – explicit consent for the pattern label and the email-pattern association
- GDPR Article 6(1)(a) – consent for any optional marketing communications (the Pattern Letter newsletter, if you separately opt in)
- GDPR Article 6(1)(f) – legitimate interest, for technical metadata such as IP address and timestamp required to operate the email service
What we use it for
- To send you a one-off notification email when the full pattern protocol product becomes available
- Nothing else. We do not use the data for retargeting, behavioural advertising, sharing with third parties (other than our data processor; see below), profiling, or automated decision-making
If you separately opted in to receive The Pattern Letter (our weekly newsletter), the same email address is used to send that newsletter. Consent for the newsletter is separate, optional, and revocable independently of the Article 9 consent.
Who processes the data:
We use MailerLite as our email service provider. MailerLite acts as our data processor under GDPR Article 28.
- Operating entity: UAB MailerLite (Lithuania, EU) [CONFIRM WITH MAILERLITE – older accounts may be operated by US entity]
- Hosting region: EU
- Sub-processors: MailerLite uses sub-processors documented in their Data Processing Agreement (DPA), which we have signed.
- Their privacy policy: https://www.mailerlite.com/legal/privacy-policy
If MailerLite hosts our data in the US, the transfer is covered by Standard Contractual Clauses (SCCs) under the EU Commission's 2021 implementing decision.
How long do we keep your data:
We retain your email address and pattern label until one of the following happens first:
- You unsubscribe via the link in any email – immediate removal from active marketing list, plus 30 days in archive for deliverability records
- 3 years pass with no engagement (open, click) – at which point we delete the record automatically
- You ask us to delete it (see “Your rights” below)
Technical metadata (IP address, timestamps) follows MailerLite's standard retention policy.
Your rights specific to this data
You have all the rights described in Section 1 above. To exercise them with respect to your Pattern Assessment data specifically:
- Access: email [CONTACT EMAIL] – we will provide a copy of your stored data within 30 days
- Erasure (“right to be forgotten”): email info@annakreimes.com – we will delete your record from MailerLite within 30 days
- Withdraw consent: click the unsubscribe link in any email, or email info@annakreimes.com – your consent withdrawal is processed immediately
- Lodge a complaint with your local data protection authority. For users in Germany, this is the data protection authority of your federal state. For other EU countries, your national DPA.
Withdrawing consent does not affect the lawfulness of processing that happened before the withdrawal.
Important – the quiz is not diagnostic
The Pattern Assessment is not a medical diagnostic tool. It does not diagnose endometriosis or any other medical condition. The framework is a literature-derived heuristic intended to inform non-pharmacological supportive care alongside guideline-based clinical management. See our Wellness Disclaimer for full details.
7. Cookies Policy
Important: We use no analytics cookies and no third-party tracking cookies on this website. We use Plausible Analytics, a privacy-respecting service that does not set cookies. The cookies described below are limited to functional cookies for blog comments and login (if you have an account).
We use cookies on this website to enhance your user experience and improve our services. Cookies are small text files that are placed on your device to collect standard internet log information and visitor behaviour information.
Comments: If you leave a comment on our website, the comment and its metadata are stored indefinitely. This allows us to recognise and approve any follow-up comments automatically, without holding them in a moderation queue.
User Profiles: For users who register on our site (if applicable), we store the personal information they provide in their user profile. All users can view, edit, or delete their personal information at any time, except for their username. Website administrators can also view and edit user information.
Cookies for the login page and User Accounts, Cookies for Content Publishing and Cookie Management are strictly necessary for the basic functionality of the site (commenting, logging in). Under the ePrivacy Directive and GDPR, strictly necessary cookies do not require consent. You can manage or delete them through your browser settings at any time.
8. Analytics
We use Plausible Analytics to understand which pages of our site are most useful to readers. Plausible is a privacy-respecting analytics service operated by Plausible Insights OÜ (Estonia, EU).
Plausible:
- Does not use cookies
- Does not collect personal data
- Does not set tracking identifiers
- Does not engage in behavioural profiling
- Does not require a cookie consent banner
The only information Plausible collects is anonymised, aggregated page-view data: which pages are visited, in what order, from which country (country-level only – never city or precise location), and via which referrer (e.g., search engine, social media). All data is processed within the EU.
Full details of Plausible's data policy are at https://plausible.io/data-policy.
Legal basis: GDPR Article 6(1)(f) legitimate interest in understanding website performance, with the data minimisation safeguards above ensuring this does not override user rights.
9. Data Retention
Comments: Stored for 3 years from the date of the comment, after which they are anonymised (the comment text remains, but the commenter's identifying details are removed).
Account-related data is retained for the duration of your account plus 1 year after closure for security and audit purposes.
Pattern Assessment data: see Section 6 above for specific retention rules.
Analytics data: Plausible retains aggregated, anonymised data indefinitely. No personal data is collected, so retention is not subject to GDPR data subject rights.
10. Your Rights Over Your Data
- Access and Portability: If you have an account on this website, or if you have left comments, you can request an exported file of the personal data we hold about you, including any information you have provided to us.
- Erasure: You may also request that we erase any personal data we hold about you. However, this does not apply to data we are legally required to retain for administrative, legal, or security purposes.
- To exercise any of these rights, email info@annakreimes.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with your local data protection authority.
11. Data Sharing and Transfers
We share your personal data with the following processors:
- MailerLite (UAB MailerLite), Role: Email service provider; located in EU; Data shared: Email, pattern label, IP, timestamp; Safeguards: DPA signed; Standard Contractual Clauses for any non-EEA transfers.
- Plausible (Plausible Insights OÜ), Role: Anonymised analytics; located in Estonia, EU; Data shared: Anonymised page-view data (no personal data); Safeguards: EU processor, no transfer mechanism needed.
- WPX Hosting, Role: Website hosting; EU-based; Data shared: Server logs, technical metadata; Safeguards: DPA/hosting agreement in place.
For transfers outside the European Economic Area (EEA) or United Kingdom, we use the European Commission's Standard Contractual Clauses (SCCs) or equivalent legally approved mechanisms.
Where We Send Your Data
Visitor comments may be checked using an automated spam-detection service (Akismet). In all cases where data is transferred to processors in countries that do not have an “adequate level” of data protection (as defined by GDPR), we ensure that transfers are covered by Standard Contractual Clauses or another legally approved mechanism.
12. Data Security
We take reasonable measures to protect your personal data from unauthorised access, use, or disclosure. However, no method of data transmission over the internet is completely secure, and we cannot guarantee the absolute security of your data.
Specific measures: Our website is served exclusively over HTTPS (TLS encryption). MailerLite's infrastructure is ISO 27001 certified. Access to personal data is restricted to V-LON OÜ and authorised processors only. We do not store credit card or payment information on this site.
13. Data Breach Procedures
In the event of a data breach, we will notify the appropriate authorities within 72 hours of becoming aware of the breach, as required by GDPR or UK GDPR. If a breach is likely to result in a high risk to your rights or freedoms (e.g., exposure of your email address tied to your pattern result), we will notify you directly via email within 72 hours, in plain language, describing: the nature of the breach, the data affected, the likely consequences, the measures we have taken to address it, and the steps you can take to protect yourself. This is required by GDPR Article 34.
14. Automated Decision-Making and Profiling
We do not engage in automated decision-making with legal or similarly significant effects as defined under GDPR Article 22.
The Pattern Assessment quiz uses an algorithm to compute your dominant pattern from your quiz answers. This algorithmic categorisation is educational in nature, not diagnostic, and does not produce legal or similarly significant effects. It does not qualify as Article 22 automated decision-making. The result is provided for your own information and does not affect your access to medical care, insurance, employment, or any other significant rights.
15. Contact Information
For all data protection matters, please contact:
V-LON OÜ; Email: tom@v-lon.com; Postal address: Harju maakond, Tallinn, Kesklinna linnaosa, Mere pst 4, 10111.
We respond to data subject requests within 30 days as required by GDPR Article 12(3).
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any updates will be posted on this page, and we encourage you to review this policy regularly.
Material changes will be communicated by email to affected users where feasible.
17. Children
This website is not directed at children. We do not knowingly collect personal data from children under 16 (European Economic Area) or under 13 (United States and other jurisdictions). If you believe a child has provided personal data to us through any feature of the website – including the Pattern Assessment quiz – please email tom@v-lon.com, and we will delete the data immediately.