Skip to content

Privacy Policy

Version 2.0 · Effective 2026-04-20

1. About this Policy

This Privacy Policy describes how Blob Solutions LLC (Tax ID 02906081, registered in the Republic of Armenia — hereinafter "we", "us", "the Company") handles personal data in connection with the VCR.AM virtual cash register service (the "Service").

We act as the data controller for the personal data described below. Our contact for any privacy matter is support@vcr.am.

This Policy applies alongside the Public Offer and the Cookie Policy.

2. What we collect

2.1. Account data

  • Email address (required — used as your login identifier)
  • Display name (optional)
  • Profile image (optional, self-uploaded or from a linked identity provider)
  • Account role and status

2.2. Business entity data

For each legal entity or individual entrepreneur you register in the Service:

  • Taxpayer Identification Number (TIN)
  • Entity type and legal name
  • Registered address
  • Approval status received from the State Revenue Committee of the Republic of Armenia (SRC)
  • Encrypted credentials for interacting with the SRC reporting system on your behalf

2.3. Transaction data

For every sale, prepayment, or refund you register through the Service we store:

  • Transaction type, amounts (cash, non-cash), currency, and timestamps
  • Line items described on the receipt (goods or services, quantities, prices, taxes)
  • Optional buyer TIN
  • Optional receiver email address (for PDF receipt delivery)
  • Status of submission to the SRC

2.4. Session and authentication data

  • Session token (stored opaquely, marked HTTP-only and Secure)
  • Session expiration timestamp
  • User agent string of the device used to sign in
  • Sign-in and sign-out timestamps

2.5. Technical and infrastructure data

Our hosting and observability providers automatically record standard request logs: IP address, user agent, request path, response status code, and timestamp. These logs are used for operational purposes (security, debugging, abuse prevention) and are not used to build marketing profiles.

2.6. Analytics data

When you visit our public pages, we collect aggregated usage statistics through Vercel Analytics, Vercel Speed Insights, and Google Analytics 4 (GA4). See the Cookie Policy for the exact cookies used and how to opt out.

3. Why we process data and on what legal basis

The RA Law on Protection of Personal Data ("RA PDPA") and, where it applies to you, the EU General Data Protection Regulation ("GDPR") each set out when personal-data processing is lawful. Armenian law uses a narrower set of bases than the GDPR — primarily consent (including consent embodied in an agreement) or processing directly provided for by law (Articles 8 and 9 RA PDPA). Below we map the purposes of our processing to both frameworks.

PurposeRA PDPA basisGDPR basis
Creating and operating your account and providing the Service under the Public OfferConsent embodied in the agreement (Art. 9(4)(2) RA PDPA)Performance of a contract (Art. 6(1)(b))
Registering transactions with the State Revenue Committee and retaining fiscal recordsProcessing directly provided for by law (Art. 9(5) RA PDPA — RA Tax Code, Law on Accounting, Gov. Resolution No. 1976 of 03.12.2020)Compliance with a legal obligation (Art. 6(1)(c))
Issuing electronic receipts in PDF and emailing them to the buyerConsent embodied in the agreement (Art. 9(4)(2) RA PDPA)Performance of a contract
Securing the Service, detecting and preventing abuseProcessing provided for by law / consent in the agreementLegitimate interests (Art. 6(1)(f))
Product analytics and improvement (including cookies where required)Your consent (Art. 9 RA PDPA) — you can withdraw it at any timeConsent (Art. 6(1)(a))
Responding to your support requestsConsent embodied in the agreementPerformance of a contract / legitimate interests

Note on terminology: the RA PDPA calls the entity determining the purposes and means of processing the "processor of personal data" (Art. 3(5)) and uses "authorised person" for what the GDPR calls a "processor". In this Policy we follow the international convention and refer to ourselves as the data controller.

We do not carry out automated decision-making or profiling that produces legal effects on you (Art. 16 RA PDPA / Art. 22 GDPR).

4. Who we share data with

We do not sell or rent your personal data. We share data only in the cases below.

4.1. State Revenue Committee of the Republic of Armenia

All transactions you register through the Service are transmitted to the SRC as required by Government Resolution No. 1976 of 03.12.2020. This transfer is mandatory and is the primary purpose of the Service.

4.2. Sub-processors (service providers acting on our instructions)

  • Vercel Inc. (United States) — application hosting, edge network, Vercel Analytics, Vercel Speed Insights.
  • Neon Database Inc. (European Union — Frankfurt region) — managed PostgreSQL database.
  • Amazon Web Services, Inc. (United States) — outbound email delivery (SES) and document storage (S3).
  • Fly.io, Inc. (United States / regional edges) — SRC gateway and certificate issuance services.
  • Google LLC (United States) — Google Analytics 4 (pseudonymous usage analytics), Google Cloud Translation (on-demand, for optional translation features).
  • Sentry (United States) — application error and performance monitoring.

An up-to-date list with categories of processed data and regions is published at /legal/sub-processors.

4.3. Law enforcement and regulators

We may disclose data to law-enforcement and governmental authorities of the Republic of Armenia where we are required to do so under applicable law, or to defend our legal rights. We assess every such request for validity and minimise the scope of what we hand over.

4.4. In the context of a corporate event

If the Company undergoes a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity under equivalent privacy commitments. You will be notified before any such transfer takes effect.

5. International transfers

Some of our sub-processors are located outside the Republic of Armenia and outside the European Economic Area. Where personal data is transferred outside the RA or EEA, we rely on one or more of the following safeguards, depending on the destination:

  • The destination country has been recognised as providing adequate protection.
  • The provider offers Standard Contractual Clauses (SCCs) or equivalent data-protection agreements.
  • Technical measures (encryption in transit and at rest, pseudonymisation) that reduce the impact of the transfer.

If you would like a copy of the specific safeguards in place for a given transfer, write to support@vcr.am.

6. How long we keep your data

CategoryRetention
Account dataWhile your account is active. Deleted or anonymised within 30 days of account closure, except where continued retention is required by law.
Transaction data (fiscal records)At least 5 years from the end of the relevant tax period, as required by the RA Tax Code and the Law on Accounting.
SRC credentials (encrypted)While the related business entity is active in the Service. Erased on entity removal.
Session and authentication dataUntil the session expires or you sign out. Logs of authentication events: up to 12 months for security-audit purposes.
Infrastructure logsRolling window of 30–90 days at the provider level.
Support correspondenceUp to 3 years from the last message, for dispute resolution.
BackupsEncrypted backups are retained for up to 35 days and then overwritten. Data deleted from the live system is purged from backups on the next rotation.

7. Security measures

We apply a layered set of technical and organisational measures, including:

  • TLS 1.2+ for all data in transit.
  • Encryption at rest for the primary database and for stored SRC credentials (AES-based encryption using per-entity keys).
  • HTTP-only and Secure cookies for session tokens; strict same-site configuration.
  • Role-based access control inside the Service; isolation of data per business entity.
  • Principle of least privilege for internal administrative access; multi-factor authentication on all administrative accounts.
  • Continuous error and anomaly monitoring; regular dependency security audits.
  • Security-incident procedures. In the event of a personal-data breach, we will notify the affected users, the Personal Data Protection Agency and the Police of the Republic of Armenia as required by Article 21(4) RA PDPA (immediately upon discovery) and — where GDPR applies — the competent EU supervisory authority within 72 hours (Art. 33 GDPR).

No system is perfectly secure. We commit to acting transparently and quickly if a security incident materially affects your data.

8. Your rights

Under the RA Law on Protection of Personal Data and, where it applies to you, the EU GDPR, you have the following rights:

  • Information and access — confirmation of whether we process your personal data, a description of what we hold, the purposes, recipients, and time limits (Art. 15 RA PDPA / Art. 15 GDPR).
  • Rectification — correction of inaccurate or incomplete data (Art. 15(2) RA PDPA / Art. 16 GDPR).
  • Blocking and destruction (erasure) — blocking or destruction of personal data that is inaccurate, outdated, unlawfully obtained, or no longer necessary (Art. 15(2) RA PDPA / Art. 17 GDPR), subject to lawful retention requirements (in particular fiscal records).
  • Withdrawal of consent — where processing is based on consent, including consent embodied in an agreement, you may withdraw it (Art. 9(3) RA PDPA / Art. 7(3) GDPR). Processing prior to withdrawal remains lawful; some services may become unavailable after withdrawal.
  • Objection to automated decisions — object to decisions producing legal effects on you that are based solely on automated processing (Art. 16 RA PDPA / Art. 22 GDPR).
  • Portability — receive your data in a commonly used, machine-readable format (Art. 20 GDPR, where applicable).
  • Right to appeal — appeal our actions or inaction before the Personal Data Protection Agency or through judicial procedure (Art. 17 RA PDPA).
  • Lodge a complaint — file a complaint with a supervisory authority:
    • Personal Data Protection Agency of the Ministry of Justice of the Republic of Armeniapdpa.am · Building 54b, Komitas Ave., Yerevan 0051 · +374 10 594 194.
    • Your local EU data-protection authority (if you are in the EEA).

How to exercise your rights

Email support@vcr.am from the address associated with your account, with the subject line "Privacy request". For written requests validated by a handwritten or electronic digital signature:

  • Response to access, rectification, and blocking requests: within 5 working days of receipt, as required by Article 20(1) RA PDPA.
  • Confirmation of destruction: within 3 working days of destruction, as required by Article 20(2) RA PDPA.
  • For requests governed solely by the GDPR: within 30 calendar days, extendable once by a further 60 days for complex requests.

We respond free of charge. We may refuse or charge a reasonable administrative fee for requests that are manifestly unfounded or excessive (for example, repetitive requests for the same data).

9. Children

The Service is intended for businesses and individual entrepreneurs. It is not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, contact support@vcr.am and we will delete it.

10. Transparency report

We publish a short transparency report covering government data-disclosure requests received and how we handled them.

  • Since the Service launched and through 2026-04-20: 0 government requests received, 0 accounts affected, 0 records disclosed.

We will update this section if that ever changes, and archive historical periods at /legal/transparency.

11. Changes to this Policy

We may update this Policy to reflect changes in the Service, our practices, or the law. The current version and effective date are shown at the top of this page.

  • Material changes (for example, new categories of data, new sub-processors, reduced user rights) will be announced by email to account holders at least 14 days before they take effect.
  • Non-material changes (clarifications, typos, structural reformatting) will be reflected by updating the "Last reviewed" date.

Changes in this version

  • v2.0 — 2026-04-20
    • Rewrote the categories of collected data to match the actual Service (account, business entity, transactions, sessions, infrastructure, analytics).
    • Added legal bases mapped to the specific articles of the RA Law on Protection of Personal Data (Art. 9(4)(2), 9(5)) and the GDPR (Art. 6).
    • Named the sub-processors (Vercel, Neon, AWS, Fly.io, Google, Sentry) and their regions; introduced a dedicated sub-processors page.
    • Added retention periods, including the 5-year fiscal-record retention required by the RA Tax Code.
    • Added international-transfer safeguards and a transparency-report section.
    • Documented the breach-notification procedure: immediately to the PDPA and Police of Armenia (Art. 21(4) RA PDPA), and within 72 hours to the competent EU supervisory authority where GDPR applies (Art. 33 GDPR).
    • Replaced the next-auth cookie descriptions with the current first-party session cookie (moved to the Cookie Policy).
    • Corrected user-rights response times: 5 working days under Art. 20(1) RA PDPA; 30 calendar days under GDPR.
    • Removed claims about data we do not actually collect (phone number; separate "first and last name" fields).

12. Contact

Blob Solutions LLC Tax ID: 02906081 Jurisdiction: Republic of Armenia Email: support@vcr.am

For privacy-specific requests, write to support@vcr.am with the subject line "Privacy request".