Privacy Policy
Last updated: April 25, 2026
$ cat controller.txt
Data controller: Aldo · aldowebsitellc.xyz
Contact: hello@aldowebsitellc.xyz
This site is a personal portfolio, blog, and service offering. It is not operated by a company with a formal EU representative, but all requests from EU/EEA residents are honoured under GDPR.
$ cat data-processing.txt
Contact form submissions
Data: name, email address, message text.
Purpose: to respond to your inquiry.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) — responding to an unsolicited message you initiated.
Retention: up to 12 months, then deleted.
Account registration & authentication
Data: email address, hashed password or OAuth provider ID, optional display name.
Purpose: to provide account-based features (comments, ratings).
Legal basis: performance of a contract (Article 6(1)(b) GDPR) — you requested an account.
Retention: until you delete your account, or after 24 months of inactivity.
Comments & ratings
Data: your comment text, star rating, and user ID. This content is publicly visible.
Purpose: to display user-generated discussion on blog posts.
Legal basis: consent (Article 6(1)(a) GDPR) — you actively submitted the content.
Retention: until deleted by you or by an administrator.
Payments
Data: purchase amount and Stripe session ID. No card numbers are stored on this site.
Purpose: to fulfil a purchased service.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Retention: 7 years (legal obligation for financial records).
Server & access logs
Data: IP address, browser type, pages visited, timestamp.
Purpose: security monitoring and operational diagnostics.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) — keeping the site secure and operational.
Retention: 30 days (Vercel default), then automatically deleted.
$ cat cookies.txt
This site sets one cookie: an authentication session cookie used exclusively to keep you signed in. This is a strictly necessary cookie — it is required for the account feature to function and does not require your consent under GDPR or the ePrivacy Directive.
No analytics, advertising, or tracking cookies are used.
$ cat third-parties.txt
Data is shared with the following processors under Data Processing Agreements (DPAs). All are GDPR-compliant and cover international transfers via Standard Contractual Clauses (SCCs) where applicable.
→ Supabase Inc. (US) — database & auth.
→ Stripe Inc. (US) — payment processing.
→ Vercel Inc. (US) — hosting & CDN.
→ Google LLC — optional OAuth sign-in.
→ GitHub Inc. — optional OAuth sign-in.
No data is sold or shared with advertisers.
$ cat your-rights.txt
Under GDPR (and applicable national laws), you have the right to:
→ Access — request a copy of data held about you (Article 15)
→ Rectification — correct inaccurate data (Article 16)
→ Erasure — request deletion of your data (Article 17)
→ Restriction — limit processing in certain circumstances (Article 18)
→ Portability — receive your data in a machine-readable format (Article 20)
→ Object — object to processing based on legitimate interest (Article 21)
→ Withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any right, email hello@aldowebsitellc.xyz. Requests are handled within 30 days (extendable to 90 days for complex requests, with notice).
$ cat supervisory-authority.txt
If you are located in the EU/EEA and believe your data has been processed unlawfully, you have the right to lodge a complaint with your local data protection authority (DPA). A directory of EU DPAs is available at edpb.europa.eu.
$ cat changes.txt
This policy may be updated to reflect changes in our practices or applicable law. The “Last updated” date at the top reflects the most recent revision. For material changes, registered users will be notified by email where feasible.
See also: Terms of Service