What we know about you. What we don't.
A plain-English account of the data we collect, why we collect it, and what we'll never do with it. Last updated June 2026.
Only what's needed to deliver the project or respond to your inbound.
Encrypted, in EU/US-based infrastructure, for the minimum useful window.
Never sold. Shared only with named processors we're bound to by DPA.
On request, end of engagement, or by automated retention policy.
What happens when data hits us.
A live trace of how a single form submission is processed — captured, masked, encrypted, and logged. Every interaction with data leaves a trail you can audit.
Data we hold.
Every item below is tied to a specific reason. If we can't justify keeping a field, we don't keep it.
- 01mailContact details
To reply to your inbound, send proposals, and run the engagement.
Name · Email · WhatsApp · Company
3 years from last contact - 02descriptionProject artefacts
Documents, briefs, content, and credentials you share so we can build.
Briefs · API keys · Access tokens · CMS exports
Through engagement + 90 days, then deleted - 03analyticsSite analytics
Anonymised page views and Core Web Vitals to improve this site.
Country · Browser · Page · Referrer (no IP retention)
13 months rolling - 04receipt_longBilling records
Issued invoices and payment confirmations.
Invoice line items · Payoneer references
10 years (Egyptian commercial law)
Lines we don't cross.
- blockWe will never sell your data to third parties.
- blockWe will never use your private project content to train third-party AI models without explicit written consent.
- blockWe will never email-spam you. No newsletters unless you actively opt in.
- blockWe will never track you across other sites with cross-domain identifiers.
- blockWe will never retain login credentials for your systems beyond the project lifecycle.
From collection to deletion.
Every data point moves through these four stages. You can ask for deletion at any of them.
Captured at point of consent — form submit, contract signing, or platform connect.
Encrypted at rest in EU/US infrastructure. Access limited to named team members on the engagement.
Used only for the stated purpose. Logged so we can audit who accessed what.
Removed on the retention schedule above, or on your explicit request — typically within 30 days.
What you can ask us to do.
Get a full export of the data we hold on you.
Have inaccurate data corrected.
Have your data deleted (subject to legal retention).
Receive your data in a portable format.
Object to processing on legitimate-interest grounds.
Restrict processing while a dispute is resolved.
Named third parties we share with.
Each is bound by a Data Processing Agreement. Adding a new sub-processor updates this list within 14 days.
- 01VercelHosting & edge runtimeGlobal · US-DE
- 02CloudflareCDN & DNSGlobal · US
- 03ResendTransactional emailEU
- 04PayoneerBilling & invoicingUS · EU
- 05OpenAI / AnthropicLLM inference (with no-training flags)US · EU
Where we stand.
Snapshots of our compliance posture across the frameworks our clients ask about.
Right to be forgotten.
Privacy regulation gives you the right to ask us to delete everything we hold on you. Here's the button. Press it.
You're not logged in. We don't know who you are. If you've worked with us before, email our DPO from the address on file and we'll process a formal deletion request within 30 days.
Questions, complaints, requests.
Reach our data protection contact. We respond within 5 business days for most requests, 30 days for formal access/deletion.