Privacy Policy.

1. What We Collect

• Form submissions: name, email, phone, message, and any fields you fill in voluntarily on the Work With Me intake or other forms.
• Technical metadata: IP address, approximate country/city (derived from IP), browser type, operating system, referrer URL, UTM parameters, and timestamps.
• Analytics: privacy-friendly pageview counts, Core Web Vitals (LCP, INP, CLS), and aggregate traffic source data. No cross-site tracking.

2. How We Use It

• Respond to your project inquiry or message.
• Prevent spam, abuse, and API abuse.
• Improve site performance and content.
• Comply with legal obligations.

We never use your information for advertising, profiling, or sale to third parties.

3. Legal Basis (GDPR)

For visitors in the EU/UK, processing is based on (a) your consent when you submit a form, (b) our legitimate interest in operating and securing the site, or (c) contractual necessity when you engage services.

4. Retention

Form submissions are retained indefinitely unless deletion is requested. Server access logs and analytics rotate after 90 days. Project files governed by service agreements are retained per the project contract.

5. Sharing & Subprocessors

We do not sell or rent personal data. Service providers process data only to operate the site:

• Vercel — hosting & CDN
• Neon — database (form submissions)
• Resend — transactional email delivery
• Google Fonts — typeface delivery (no cookies)

Each provider operates under its own privacy/security commitments and processes data on our behalf.

6. Your Rights

Under GDPR (EU/UK), CCPA/CPRA (California), Quebec Law 25, the UK Data Protection Act, and similar laws, you have the following rights regarding your personal data:

• Right of access — request a copy of all personal data we hold about you.
• Right of rectification — correct inaccurate or incomplete data.
• Right of erasure ("right to be forgotten") — request deletion of your personal data.
• Right to restrict processing — limit how we use your data while a dispute is being resolved.
• Right to object — object to processing based on legitimate interest, including direct marketing.
• Right to data portability — receive your data in a structured, machine-readable format and transfer it elsewhere.
• Right to withdraw consent — at any time, with no effect on the lawfulness of prior processing.
• Right not to be subject to automated decision-making — including profiling. We don't do this.
• Right to opt out of sale or sharing of personal information — we do not sell or share personal information.
• Right to lodge a complaint with a supervisory authority (e.g. the ICO in the UK, your country's Data Protection Authority in the EU, or the California Privacy Protection Agency).

To exercise any of these rights: email [email protected] with the right you'd like to exercise and the email address associated with your data. We will verify your identity and respond within 30 days, free of charge. If we need to extend the response window for complex requests, we'll tell you within 30 days and explain why.

You can also use the contact form at /contact with "GDPR Request" in the subject. No formal language required — just tell us what you'd like.

If you're not satisfied with our response, you have the right to file a complaint with your local supervisory authority. For UK residents, that's the Information Commissioner's Office (ICO). For EU residents, find your DPA at edpb.europa.eu. For California residents, contact the California Privacy Protection Agency.

7. Cookies

We use a minimal preference cookie to remember your consent choice. We do not use third-party tracking cookies, advertising cookies, or fingerprinting. The site functions fully without cookies.

8. Children's Privacy

The site is not directed to children under 13 (or 16 in the EU/UK). We do not knowingly collect data from minors. If you believe a minor has submitted information, contact us and we will delete it.

9. International Transfers

Our subprocessors may store or process data in the United States. Where required by GDPR, transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards.

10. Security

We use TLS encryption in transit, encrypted database storage at rest, and access controls limiting personal data to authorized representatives. No system is perfectly secure; we cannot guarantee absolute security.

11. DMCA / Copyright Takedown

If you believe content on this site infringes your copyright, send a DMCA notice to our designated agent meeting the requirements of 17 U.S.C. § 512(c)(3): (1) your signature, (2) identification of the copyrighted work, (3) the URL of the allegedly infringing material, (4) your contact information, (5) a statement of good-faith belief, and (6) a statement under penalty of perjury that the information is accurate.

Designated Agent: [email protected]
We respond to valid notices within 10 business days. Repeat infringers will be terminated under our policy.

12. Changes to This Policy

We may update this Privacy Policy at any time. The "Last updated" date above reflects the current version. Material changes will be posted on this page; continued use of the site constitutes acceptance.

13. Contact

For privacy requests, GDPR/CCPA rights exercises, or any data-protection question, email [email protected] or use the contact form. We respond within 30 days. For copyright/DMCA matters, see Section 11 or our Copyright & Credits page. For cookie-specific questions, see Cookie Notice. For accessibility questions, see Accessibility Statement.