Privacy Policy
Last Updated: November 6, 2025
Welcome to Company Name ("we," "us," "our"). Your privacy is important to us, and this Policy explains how we collect, use, disclose, and protect your personal information when you interact with our website. By using our website, you agree to this Policy.
1. Who We Are & Contact
Company Name is located in [Your City, State/Province, Country]. We are the data controller (under GDPR) and the business (under CCPA/CPRA). For any privacy-related questions or requests, contact us via email at support@company.org.
2. Information We Collect
We collect the following categories of personal information when you use our website or contact us:
| Category | Examples | Purpose |
|---|---|---|
| Contact Information | Name, email address, message contents | To respond to contact form inquiries |
| Network Data | IP address, timestamp | Security and rate limiting |
| Browser & Device Data | User-Agent, screen size, timezone, referrer URL | Error tracking and diagnostics |
| Captcha Data | Cloudflare Turnstile token and browser telemetry | Bot and spam prevention |
| Error Logs | Stack traces and event metadata | Service maintenance and debugging |
We do not collect payment data, behavioral tracking, or sensitive categories (health, biometric, political opinions, etc.).
3. How We Use Your Data
We process personal data only for the following purposes: responding to your contact form submissions, maintaining website security and reliability, preventing spam and abuse through rate limiting, monitoring and fixing technical errors, and fulfilling legal and regulatory obligations. We do not sell your personal information or share it for advertising purposes.
4. Third-Party Service Providers
We rely on trusted third parties to provide secure infrastructure. All third parties act as service providers/data processors under binding contracts and Data Processing Agreements (DPAs):
| Service | Purpose | Location / Transfer | Privacy Policy |
|---|---|---|---|
| Resend | Email delivery for contact submissions | United States | Privacy Policy |
| Sentry | Error tracking and performance monitoring | United States | Privacy Policy |
| Upstash Redis | Temporary rate-limiting data store | United States | Privacy Policy |
| Cloudflare Turnstile | Bot detection / captcha | Global network | Privacy Policy |
5. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy. Contact messages are retained until we reply and resolve your inquiry (typically within 90 days). IP addresses and rate-limit data are automatically deleted after 1 minute to 1 hour (based on rate limiting windows). Error logs in Sentry are automatically deleted after 90 days. Captcha data is used once for verification and immediately discarded. We retain data longer only when legally required (e.g., to investigate abuse or comply with law enforcement requests).
6. International Data Transfers
We may process data of visitors from the European Economic Area (EEA), United Kingdom, and other international locations. Your data may be transferred to and processed in the United States, where our service providers are located. Where applicable, we use Standard Contractual Clauses (SCCs), Data Privacy Framework certifications, or equivalent safeguards to ensure your data is protected in accordance with GDPR requirements.
7. Your Privacy Rights
Under CCPA/CPRA (California Residents)
California residents have the following rights: Right to Know what personal information we collect, use, disclose, and sell; Right to Delete your personal information (with certain exemptions); Right to Correct inaccurate personal information; Right to Opt-Out of the sale or sharing of personal information (we do not sell or share data); Right to Limit use of sensitive personal information (we do not collect sensitive data); and Right to Non-Discrimination (we will not discriminate against you for exercising your privacy rights).
How to exercise your rights: Email support@company.org with your request. We will verify your identity and respond within 45 days (extendable to 90 days for complex requests).
Under GDPR (EU/UK Visitors)
If you are in the European Economic Area or United Kingdom, you have the following rights: Right of Access to request a copy of your personal data; Right to Rectification to correct inaccurate or incomplete data; Right to Erasure to request deletion of your data ("right to be forgotten"); Right to Restriction to limit how we process your data; Right to Data Portability to receive your data in a machine-readable format; Right to Object to processing based on legitimate interests; and Right to Lodge a Complaint with your local supervisory authority.
How to exercise your rights: Email support@company.org with your request. We will verify your identity and respond within 1 month (extendable to 3 months for complex requests).
8. Legal Bases for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Responding to contact form messages | Legitimate interest / pre-contractual steps |
| Security, rate-limiting, error logging | Legitimate interest (technical necessity) |
| Legal compliance (security/abuse logs) | Legal obligation |
9. Data Security
We implement industry-standard security measures to protect your personal information. All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Environment variables and API keys are managed securely via Doppler with limited access. Redis-based rate limiting prevents abusive activity and protects against denial-of-service attacks. Cloudflare Turnstile captcha prevents automated abuse. We collect only the minimum data necessary for each purpose. Sentry receives error logs including user context data (IP addresses, user agents, and metadata) with 90-day retention. While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
10. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we are committed to transparency and will take immediate action to protect your data and notify affected individuals.
What Constitutes a Data Breach
A data breach occurs when personal information is accessed, disclosed, lost, or stolen without authorization. This includes unauthorized access to our systems or databases, accidental disclosure of personal information, loss or theft of devices containing personal data, and security incidents at third-party service providers.
Our Response Process
If a data breach occurs, we will take immediate steps to contain the breach and prevent further unauthorized access, conduct a thorough investigation to determine the scope and impact, report the breach to relevant supervisory authorities within 72 hours (GDPR requirement) or as required by applicable law, notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms, and implement measures to prevent similar breaches in the future.
How We Will Notify You
If a data breach affects your personal information and poses a high risk to you, we will notify you via email sent to the email address you provided when contacting us. The notification will include a description of the nature of the breach, categories and approximate number of individuals affected, types of personal data involved, likely consequences of the breach, measures we have taken or plan to take to address the breach, recommended steps you can take to protect yourself (e.g., password changes, monitoring for suspicious activity), and contact information for further inquiries (support@company.org).
Your Rights After a Breach
Following a data breach, you retain all rights outlined in Section 7 (Your Privacy Rights), including the right to request detailed information about the breach and its impact on your data, request deletion of your personal information, file a complaint with your local data protection authority, and seek compensation if you suffered damages as a result of the breach (where applicable under GDPR Article 82).
Prevention Measures
To minimize the risk of data breaches, we maintain the security measures described in Section 9 (Data Security), including encryption, rate limiting, bot protection, and regular security monitoring.
11. Cookies & Similar Technologies
We use minimal cookies and tracking technologies on our website. We do not use analytics cookies (no Google Analytics, etc.), marketing or advertising cookies, social media tracking pixels, or third-party behavioral tracking.
| Cookie / Token | Provider | Purpose | Expiration |
|---|---|---|---|
| Turnstile token | Cloudflare | Validate human user | Session only |
| Rate-limit key | Upstash Redis | Prevent abuse | 1 minute to 1 hour |
If we add analytics or marketing cookies in the future, we will display a consent banner and update this policy accordingly.
12. Children's Privacy
Our services are not directed to children under 13 years of age (United States) or 16 years of age (European Union). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@company.org, and we will promptly delete such information.
13. Updates to This Policy
We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of our website after changes are posted constitutes your acceptance of the revised policy.
14. Contact for Privacy Requests
For any privacy-related questions, concerns, or requests (access, deletion, correction, etc.), please contact us at support@company.org. Please include your full name, the email address you used to contact us (if applicable), the type of request (e.g., access my data, delete my data, correct my data), and any additional details that will help us locate your information. We may verify your identity before fulfilling requests to protect your privacy and security.