Analytics & Data Collection
We use Firebase Analytics (provided by Google) to understand how visitors interact with our website. This helps us improve the user experience, measure engagement, and understand which content is most valuable.
Analytics data is collected only with your explicit consent and includes:
- Page views and navigation patterns (which pages you visit and how you move through the site)
- Device and browser information (device type, browser version, screen resolution)
- General location data at country/city level (never precise location)
- Time spent on pages and session duration
- Referrer information (which site you came from)
- Engagement metrics (scrolling, interactions, form submissions - without form content)
We do NOT collect: your name, email address, IP address in raw form, form content, messages, or any other personally identifiable information (PII) through our analytics system.
Your Consent & How It Works
When you first visit our site, you'll see a consent banner asking for permission to collect analytics data. Analytics tracking is disabled by default until you grant consent.
You have two options:
- Accept - Allow analytics tracking to help us improve the site. Your consent is stored locally in your browser and is valid for 365 days.
- Decline - Browse the site without any analytics tracking. We respect your choice and will not collect any data.
Consent Storage: Your consent choice is stored in your browser's localStorage (not a cookie) and expires after 365 days. After expiration, you'll be asked again. You can change your preference at any time by clearing your browser data or waiting for the consent to expire.
No Consent = No Tracking: If you decline or don't respond to the consent banner, no analytics data will be collected during your visit.
Data Retention Period
Analytics data collected through Firebase Analytics is retained for 14 months by default, in accordance with Google's Firebase Analytics data retention policy.
After this period, the data is automatically deleted from Firebase's servers. Aggregated reports may retain summary statistics (e.g., "500 visitors last month") but without any individual user data.
Security Event Tracking
To protect our site and users from malicious activity, we track certain security events using Firebase Analytics (only with your consent). These events help us identify and respond to potential security threats.
Security events tracked:
- Rate Limiting: When too many requests are made from the same source in a short time. IP addresses are hashed using SHA-256 before logging (never stored in raw form).
- Prompt Injection Detection: When potentially malicious input is detected in form submissions. Only risk scores and pattern counts are logged - never the actual input content.
- SQL Injection Attempts: When SQL injection patterns are detected in form fields. Only the field name and pattern type are logged - never the malicious input.
- XSS (Cross-Site Scripting) Sanitization: When HTML/script tags are removed from user input. Only the field name and number of tags removed are logged - never the actual tags.
Privacy Protection: All security event logging is designed to exclude personally identifiable information. We track patterns and threat indicators, not individual users or their input content.
Data Storage & Security
Analytics data is processed and stored by Google Firebase in secure data centers in accordance with Google's Firebase Privacy Policy and security standards.
Our security measures:
- All PII fields are automatically removed before logging events
- IP addresses are hashed using SHA-256 (a one-way hash function) before storage
- Regular validation to detect and block PII patterns (email, phone, credit card numbers, etc.)
- TypeScript type safety to prevent PII at compile time
- Consent verification before any analytics operations
We do not sell, rent, or share your analytics data with third parties beyond Google Firebase's infrastructure, which is required to provide the analytics service.
Your Rights Under GDPR & CCPA
Under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), you have the following rights:
- Right to Access: You can request information about what data we have collected about you (though we collect minimal anonymized analytics data with consent).
- Right to Deletion: You can request deletion of your data. Since we don't collect personally identifiable information, clearing your browser's localStorage will remove your consent preference, and declining consent prevents future data collection.
- Right to Opt-Out: You can opt out of data collection at any time by declining consent or clearing your browser data. Analytics tracking stops immediately when consent is revoked.
- Right to Data Portability: You can request a copy of your data in a machine-readable format, though due to the anonymized nature of our analytics, individual user data is not identifiable.
- Right to Object: You can object to the processing of your data at any time by revoking consent through your browser settings.
- Right to Rectification: You can request correction of inaccurate data, though we only collect anonymized technical data, not personal information.
To exercise any of these rights, please contact us using the information below.
Third-Party Services
We use the following third-party services:
- Google Firebase Analytics: For anonymized usage analytics (with consent). See Firebase Privacy Policy.
- Sanity.io: For content management (no user tracking). See Sanity Privacy Policy.
Each service has its own privacy policy governing how they handle data. We encourage you to review their policies if you have concerns about third-party data handling.
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
Contact Us
For privacy-related questions, data access requests, or to exercise your data rights under GDPR or CCPA, please contact us:
- Email: Use the contact form on our homepage
- Response Time: We aim to respond to all privacy inquiries within 30 days.
We take your privacy seriously and are committed to protecting your data and respecting your rights.