Privacy Policy
Last updated: July 2026
This policy explains how your personal data is collected, processed, and protected when you interact with this website. It is written to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
1. Data Controller
2. What Data We Collect — Notice at Collection (CCPA)
We collect only the minimum data necessary to respond to client inquiries and provide services: name, work email, company name, business bottleneck description, estimated manual hours per week, budget range, project timeline, and referral source. No special category data (health, race, political opinions, precise geolocation) is collected, and no data is sold.
Categories of personal information collected (CCPA 1798.110): Identifiers (name, email), professional/employment information (company, role), commercial information (service inquiries).
3. Lawful Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)): You consent by submitting the intake form. You may withdraw consent at any time by emailing the data controller — withdrawal does not affect the lawfulness of processing before withdrawal.
- Contract (Art. 6(1)(b)): Data processing is necessary to respond to your service inquiry and negotiate a potential engagement.
- Legitimate Interest (Art. 6(1)(f)): We retain minimal contact data to follow up on your inquiry within a reasonable period. You may object to this processing at any time (see Section 8).
4. How Data Is Processed & Stored
Your data flows through the following processors:
- Next.js Serverless Functions (Vercel): Temporarily processes form data in memory during submission. No data is persisted at the serverless layer.
- Resend: Transmits email notifications (admin alert + client confirmation). Email logs are retained per Resend's standard retention policy (30 days).
- Airtable: Stores submitted lead data in a private base. Data can be exported or deleted upon request (see Section 8).
- n8n (Self-Hosted / Cloud): Optional automation webhook for lead enrichment and routing.
- Google AI (Gemini API): Anonymized text classification only — no personally identifiable information (PII) is sent to Gemini. Classification occurs server-side in memory.
5. Cookies & Tracking
This website uses only strictly essential cookies required for site functionality (Next.js framework operation). No analytics cookies, advertising cookies, or third-party tracking scripts are loaded unless you explicitly accept via the cookie consent banner.
The Cal.com scheduling widget loads only after you submit the intake form and is restricted to https://cal.com. No user data is shared with Cal.com beyond the name, email, and company information you voluntarily provide in the form.
Essential cookies set by this site: Next.js session/navigation cookies only. No cookie identifiers are used for tracking, profiling, or advertising.
6. Data Retention
Lead data is retained in Airtable for the duration of client engagement plus 12 months for legitimate business follow-up. You may request earlier deletion at any time (see Section 8).
- Airtable: Lead records — duration of engagement + 12 months
- Resend: Email logs — 30 days (automatic expiry per Resend policy)
- Vercel: Serverless function logs — ephemeral (no persistent storage)
- Cal.com: Booking data — per Cal.com's own retention policy (independent controller for booking data)
7. Data Sharing & International Transfers
We do not sell personal data. Data is processed by the following sub-processors, all of which participate in the EU-US Data Privacy Framework (DPF) or provide equivalent safeguards:
- Vercel Inc. (US) — DPF certified. Hosting provider.
- Airtable Inc. (US) — DPF certified. Lead database.
- Resend Inc. (US) — DPF certified. Email delivery.
- Cal.com Inc. (US) — DPF certified. Scheduling widget.
- Google LLC (US) — DPF certified. Gemini API for classification.
8. Automated Decision-Making (GDPR Art. 22)
9. Your Rights (GDPR Art. 7, 15–22 / CCPA 1798.100–125)
You have the following rights regarding your personal data:
- Access (SAR): Request a copy of all personal data stored about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure (Right to be Forgotten): Request permanent deletion of your data.
- Restriction: Limit how we process your data.
- Portability (CCPA): Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent (GDPR Art. 7(3)): Withdraw your consent at any time — this does not affect processing carried out before withdrawal.
- Non-Discrimination (CCPA 1798.125): We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, email francispaulfloresai@gmail.com. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). No fee is charged for reasonable requests.
Right to Lodge a Complaint (GDPR Art. 77): If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In the UK: Information Commissioner's Office (ICO). In the EU: your member state's data protection authority.
10. Data Security
11. Changes to This Policy
Questions or SAR requests: francispaulfloresai@gmail.com
This website does not handle financial transactions. All project billing and payments are processed through separate invoicing outside of this site.