Privacy Policy

Effective Date: January 19, 2026

Last Updated: January 19, 2026

This Privacy Policy explains how I collect, process, store, and protect your personal data in compliance with the Data Privacy Act of 2012 (RA 10173) and the General Data Protection Regulation (GDPR).

Key Summary

Privacy shouldn't be complicated. Here's the simple version: I collect only what's necessary to respond to you and keep the site running: your name, email, and some technical info about how you use the site. I don't sell your data, I don't track you across the web, and I don't collect anything sensitive. I keep everything encrypted and stored securely. You can delete your data anytime, and if something goes wrong, I'll tell you within 72 hours. This page has all the legal details, but the bottom line is: I respect your privacy and treat your data with care.

For the full legal requirements under the Philippine Data Privacy Act (RA 10173) and GDPR, read the sections below.

1. Introduction & Scope

Summary: I'm committed to protecting your data. This policy explains what information I collect, why, and how I keep it safe.

This Privacy Policy explains how I ("Personal Information Controller" under RA 10173 and "Data Controller" under GDPR) collect, process, store, and protect your personal data when you interact with my portfolio website at engelgatus.com.

This policy applies to all visitors and users who submit information via contact forms, browse the site, or interact with analytics-enabled features.

Compliance Framework: This policy is designed to comply with:

·The Data Privacy Act of 2012 (RA 10173) – Philippine privacy law
·GDPR Articles 13/14 – EU transparency requirements
·Industry best practices for personal data protection

By using this website and submitting data via the contact form, you acknowledge that you have read and understood this policy.

1.5. Consent Recording & Audit Trail

Summary: When you submit the contact form, I record your consent along with technical details for legal protection and to prevent disputes.

To comply with RA 10173 Section 8 (informed, voluntary, specific consent) and GDPR Article 7 (demonstrable consent), I implement detailed consent recording:

What I Record When You Submit the Contact Form:

Timestamp: Exact date and time of form submission (UTC, stored as created_at in database).
IP Address: Your IP address at submission for verification and security purposes.
Country & City: Approximate geolocation derived from your IP via Cloudflare (included in CDN headers).
User Agent: Your browser type, version, and operating system (e.g., "Mozilla/5.0... Chrome/120.0").
Consent Flag: A boolean flag (consent_agreed = true) confirming you checked the privacy checkbox.
Consent Version: The version number of this Privacy Policy you agreed to (currently v1.0).

Why This Matters:

Under RA 10173 Section 8, consent must be documented and verifiable. Under GDPR Article 7(4), I must be able to demonstrate that:

·You were informed (Privacy Policy was disclosed before form submission).
·You explicitly consented (checkbox was checked before submission).
·Consent was given freely (no coercion; you could refuse and navigate away).
·Consent was specific (limited to contact form submission and business follow-up).

Consent Records Retention:

Consent audit trail data (timestamp, IP, user agent, consent version, geolocation) is retained for 24 months from submission date, or until you request deletion—whichever is sooner. This retention period allows for:

·Compliance audits and regulatory inspections
·Dispute resolution (proof that you consented)
·Security investigations if needed

Access & Security:

Only I (Engel Gatus) have direct access to consent records. This data is encrypted at rest and in transit. Consent records are never shared with third parties except if required by court order, law enforcement, or regulatory authority.

Your Right to Withdraw Consent:

You can withdraw consent at any time by emailing engelgatus@gmail.com. Upon withdrawal:

·I will cease processing your data for communications or optional purposes
·Your data will be securely deleted within 30 days (or per your deletion request)
·Historical consent records may be retained for legal/tax compliance (typically 3 years post-withdrawal under Philippine business record requirements)

2. What Personal Data I Collect

Summary: I collect your name, email, and some technical details about how you use the site. I never ask for sensitive information.

I collect the following categories of personal data:

Contact Form Data:

Name (First and Last Name)
Email address
Message content (what you write to me)

Client-Side Storage (Browser-Only):

Name and email are temporarily stored in your browser's localStorage during the contact form flow (see Section 2.1) for session management and user experience
No data is sent to my servers until you explicitly submit with consent
This temporary storage has a 1-hour inactivity timeout to prevent orphaned data

Technical & Behavioral Data:

IP address
Browser type, version, and operating system
Country, city, and timezone (derived from IP via Cloudflare CDN headers)
Pages visited, time spent on page, click behavior
Referring URL (where you came from)

Consent & Audit Data:

Timestamp and version of Privacy Policy agreed to
Consent flag and user agent at submission
Geolocation data at submission time

Analytics Data:

Non-personally identifiable analytics via Vercel Analytics (page views, bounce rates, etc.)

Data I Do NOT Collect:

✗ Sensitive personal data (health, financial, biometric, race, religion, sexual orientation, genetic data)
✗ Payment information (you handle payments directly with third parties)
✗ Data you don't voluntarily provide
✗ Tracking pixels or third-party ad networks

2.1. Client-Side Storage & Contact Form Flow

Summary: Your information is stored temporarily in your browser during the contact process. It's never on my servers until you explicitly submit with consent.

To provide a seamless contact experience while protecting your privacy, I use a multi-step contact flow with client-side temporary storage and automatic expiration:

Contact Form Flow Explained:

Step 1 - Initial Capture (/start page):

·You enter your name and email address into the form
·This data is stored ONLY in your browser's localStorage (a temporary, client-side storage mechanism)
·A timestamp is recorded alongside this data for expiration tracking
·NO data is sent to my servers at this stage
·You have NOT yet agreed to the Privacy Policy
·localStorage storage is purely for user experience convenience

Step 2 - Message Composition (/contact page):

·Your name and email are retrieved from localStorage and pre-filled on the form
·The system checks if the data is still valid (within 1 hour of initial capture)
·If data has expired (older than 1 hour), localStorage is cleared and you're redirected to /start
·You add your project message and review your data
·You read the Privacy Policy link (which opens in a new tab)
·You must explicitly check the "I agree to share my information and understand it will be processed according to the Privacy Policy" checkbox before submission

Step 3 - Submission & Consent (/api/contact/submit):

·Only when you click "SEND MESSAGE" AND the consent box is checked does your data leave your browser
·Your name, email, message, and consent flag are transmitted to my servers via HTTPS/TLS encryption
·At this moment, I record the full audit trail: timestamp, IP address, user agent, geolocation, consent version
·Your data is now stored securely in Supabase (my encrypted database)

Step 4 - Cleanup:

·localStorage is immediately cleared after successful submission
·If you close your browser or navigate away without completing the form, localStorage automatically expires after 1 hour of inactivity
·No orphaned data persists on your device
·If the 1-hour window expires while you're viewing the /contact page, the form clears and you're redirected to /start with a session expiration notification

Why This Approach:

Privacy-First Design: Your data does NOT touch my servers until you explicitly consent and submit
User-Friendly: You don't re-enter your name and email across pages
Client-Controlled: localStorage is entirely within your browser; you can clear it anytime
Time-Limited: Data automatically expires after 1 hour, preventing accidental exposure if the device is left unattended
Transparent: This policy fully discloses the process before submission

Your Control Over localStorage:

You can clear your browser's localStorage data anytime through:

·Browser Settings → Privacy → Cookies and Site Data → Clear Data
·Using "Clear Cache" in your browser history menu
·Using "Private/Incognito" browsing mode (no localStorage persists)

Clearing localStorage will remove your temporarily stored name and email; you'll need to re-enter them if you return to the contact form.

What localStorage Is NOT:

✗ localStorage is NOT a cookie
✗ localStorage is NOT shared with third parties
✗ localStorage CANNOT track you across websites
✗ localStorage is NOT linked to advertising networks
✗ localStorage is deleted when you clear browser cache or use Private mode
✗ localStorage expires after 1 hour, even if you don't manually clear it

3. Legal Basis for Processing

Summary: I process your data because you give me permission, because it's necessary for business, or to comply with the law.

Under RA 10173 (Philippine Data Privacy Act), I process your data based on:

Explicit Consent: For contact form submissions, you provide informed, voluntary consent by checking the privacy agreement checkbox
Legitimate Interest: To respond to your inquiries, maintain website security, prevent fraud, improve user experience, and comply with legal obligations
Contractual Necessity: If you contract with me for services, processing is necessary to perform that contract
Legal Compliance: To comply with Philippine tax law, business record-keeping requirements, and regulatory obligations

Under GDPR (European General Data Protection Regulation), the lawful bases are:

Consent (Article 6(1)(a)): Explicit, informed opt-in for data collection
Legitimate Interests (Article 6(1)(f)): To operate the website, prevent fraud, improve services, and ensure security
Performance of Contract (Article 6(1)(b)): If a services agreement exists
Legal Obligation (Article 6(1)(c)): To comply with law

Your data will NOT be processed for any purpose other than those stated in this policy without your prior, explicit consent.

4. How I Use Your Data

Summary: I use your information to respond to you, improve the site, keep it secure, and comply with the law. I never sell your data.

I use your personal data for the following purposes only:

Respond to Inquiries: Answer questions, provide information, clarify project requirements, and communicate about potential collaborations
Provide Services: If you engage me for freelance/contract work, deliver the contracted services and manage the client relationship
Website Improvement: Analyze usage patterns to improve site functionality, fix bugs, and optimize user experience
Security & Fraud Prevention: Detect and prevent unauthorized access, spam, abuse, malicious activity, or security threats
Legal Compliance: Fulfill obligations under RA 10173 (Data Privacy Act), Philippine tax law, and GDPR
Analytics: Understand user behavior using aggregated, non-personally identifiable data to enhance the site

I will NOT:

✗ Sell, rent, lease, or share your personal data with third parties for commercial purposes
✗ Use your data for automated decision-making or profiling without consent
✗ Use your data for targeted advertising or marketing without explicit consent
✗ Share your data with data brokers or ad networks
✗ Process your data for any purpose beyond those listed above

5. Data Retention Period

Summary: I keep your contact information for up to 12 months. After that, it's automatically deleted or anonymized.

I retain your personal data for as long as necessary to fulfill the stated purposes:

Contact Form Data (Name, Email, Message):

Retained for 12 months from submission date or until you request deletion (whichever is sooner)
If we enter a contractual relationship, retained for the contract duration PLUS 3 years post-termination (for legal, tax, and dispute resolution purposes under Philippine law)
Automatic deletion via scheduled job: Executed on the 1st of every month at 2 AM UTC
Deleted securely within 30 days of expiration notice

Consent Audit Trail (Timestamp, IP, User Agent, Consent Version, Geolocation):

Retained for 24 months from submission date
Provides legal evidence of consent and enables compliance audits
Automatic deletion via scheduled job: Same as contact form data (monthly cleanup)
Deleted securely after 24 months unless legal obligations require further retention

Technical & Analytics Data (Page Views, Browser Info, Aggregate Behavior):

Live analytics retained for 6 months
Anonymized aggregate data retained for 12 months
Deleted or permanently anonymized after retention period

localStorage (Client-Side Browser Storage):

Automatically cleared upon successful form submission
Automatically expires after 1 hour of user inactivity or session close
User can manually clear anytime via browser settings
Never persists across browser sessions or device transfers

Cookies & Tracking:

Session cookies: Retained for current session only
Analytics cookies: Retained per your browser settings (typically 6-12 months)

Automatic Retention Policy (Technical Details):

To ensure compliance, I maintain a scheduled monthly data deletion job:

Trigger: First day of every month at 2 AM UTC
Action: Automatically delete all contact_submissions and related consent records older than the specified retention period
Logging: Deletion events are logged for audit trail verification
Notification: Confirmation of cleanup sent to data controller for compliance documentation

If No Scheduled Job Exists: If I discover the automatic deletion job has failed or been disabled, I will manually execute the deletion query within 7 days of discovery and document this in the compliance log.

Third-Party Retention (Cloudflare Geolocation):

Cloudflare processes your IP address lookup according to their own privacy policy: https://www.cloudflare.com/privacypolicy/. I do not control Cloudflare's retention period. The geolocation result (country, city) is then stored in my Supabase database as part of the consent audit trail (24-month retention as stated above).

Post-Retention Handling:

After retention periods expire, data will be:

·Securely deleted using cryptographic deletion or data wiping
·Permanently anonymized if used for aggregate analytics
·Destroyed unless deletion is prohibited by law (e.g., tax records retained 3 years by law)

Legal Hold Exception:

If you submit a legal dispute, complaint, or court case related to your inquiry, data will be retained as necessary to defend the claim, even if the retention period would normally expire.

6. Data Security Measures

Summary: Your data is encrypted, stored on secure servers, and protected by industry-standard security practices. Breaches are reported within 72 hours.

I implement comprehensive organizational, physical, and technical safeguards to protect your data:

Encryption:

In Transit: All data transmissions use HTTPS/TLS 1.2+ encryption
At Rest: Personal data in Supabase is encrypted using AES-256 encryption
Sensitive Fields: Email addresses and messages are encrypted before storage when possible

Access Control:

Limited Access: Only I (Engel Gatus) have access to personal data; no unnecessary third-party access
Need-to-Know Basis: Data access is restricted to individuals and purposes necessary for business operations
Authentication: Strong authentication requirements for accessing databases and admin panels

Infrastructure Security:

SOC 2 Type II Certification: Supabase (database) and Vercel (hosting) maintain SOC 2 Type II compliance
DDoS Protection: Cloudflare provides DDoS mitigation and security filtering
Regular Updates: Security patches and updates applied within 30 days of release
Monitoring: 24/7 uptime monitoring and security alert systems

Auditing & Testing:

Vulnerability Assessments: Periodic security reviews and vulnerability assessments
Access Logs: Database access is logged for audit and investigation purposes
Incident Response: Documented procedures for breach detection and containment (see /docs/INCIDENT_RESPONSE.md)

Breach Notification Commitment:

In the event of a confirmed data breach, I will:

1. Investigate and verify the breach (within 24 hours)
2. Assess scope: number of affected individuals, data categories, exposure duration
3. Notify affected individuals within 72 hours of confirmation
4. Notify the National Privacy Commission (NPC) within 72 hours if required by RA 10173
5. Document the incident with timeline, scope, containment measures, and remediation steps
6. Implement preventive measures to avoid recurrence

Confirmed Data Breach Definition:

A data breach is considered "confirmed" when:

·Unauthorized access to personal data is verified and confirmed through audit logs, alerts, or third-party notification
·Data integrity or confidentiality is compromised affecting 3 or more individuals
·A third-party audit, security researcher, or law enforcement confirms the breach
·Internal investigation reveals unauthorized access with evidence

Minor incidents (failed login attempt, temporary service outage without data exposure, single-user access error) are NOT treated as confirmed breaches, but are documented in security records for pattern analysis.

Breach Notification Details:

When notifying affected users, the notification will include:

·Clear explanation of what happened and when
·What personal data was affected
·What measures I've taken to contain the breach
·Recommended actions users should take to protect themselves
·Contact information for questions (engelgatus@gmail.com)
·Reference to data subject rights (access, deletion, portability)

When notifying NPC:

·Detailed incident description and timeline
·Number and categories of affected individuals
·Description of the unauthorized access
·Measures taken to contain and remediate
·Preventive measures implemented

Limitations:

No security system is 100% impenetrable. While I implement industry-standard protections, I cannot guarantee absolute security. By using this website, you assume some inherent risk of online data transmission.

7. Sharing & Disclosure

Summary: I don't share your data with others unless I have to, like with the company hosting my website, or if the law requires it.

I will NOT share your personal data with third parties except in these limited circumstances:

Authorized Service Processors (Data Processors):

I may share data with trusted service providers who act as Data Processors under binding Data Processing Agreements (DPAs):

·Supabase: Database hosting and storage (DPA: https://supabase.com/dpa)
·Cloudflare: DNS, CDN, and security services (DPA: https://www.cloudflare.com/trust-hub/compliance-resources/)
·Vercel: Website hosting and deployment (DPA: https://vercel.com/legal/privacy-policy)

These providers are contractually prohibited from using your data for any purpose other than serving my website. All processors maintain security certifications (SOC 2 Type II, ISO 27001, or equivalent).

Legal Obligation & Law Enforcement:

If required by law, court order, government request, or legal process (e.g., tax authorities, law enforcement, regulatory investigation), I will disclose data as legally required. I will:

·Notify you of the request whenever legally permissible
·Request the minimum data necessary
·Disclose only data specifically requested
·Document all legal requests for compliance records

Business Transfer:

If my business is sold, merged, acquired, or undergoes bankruptcy proceedings, your data may be transferred as part of that transaction. Such transfers would:

·Be subject to this Privacy Policy or similar privacy terms
·Include notification to you if practical
·Not be used for purposes incompatible with this policy

With Your Explicit Consent:

I will share your data with third parties only if you explicitly consent in writing or by electronic acknowledgment.

Data I Will NEVER Share:

✗ Your data will NOT be sold to data brokers or advertisers
✗ Your data will NOT be shared with marketing agencies or telemarketing companies
✗ Your data will NOT be shared with social media platforms for ad targeting
✗ Your data will NOT be disclosed to competitors or unrelated businesses

8. Your Data Subject Rights

Summary: You have the right to see your data, correct it, delete it, and transfer it. You can file complaints with privacy authorities.

Under RA 10173 (Data Privacy Act of 2012) and GDPR, you have the following legal rights:

Right to Access (RA 10173 Sec 3; GDPR Art 15):

Request confirmation of whether I process your data
Request a copy of your personal data in clear, understandable format
Request a machine-readable copy for portability (if applicable)
Response time: Within 30 days of receipt

Right to Correction (RA 10173 Sec 3; GDPR Art 16):

Request correction of inaccurate or incomplete data
Request updating or supplementing of your information
Response time: Within 30 days of receipt

Right to Erasure / "Right to be Forgotten" (RA 10173 Sec 3; GDPR Art 17):

Request deletion of your data under certain circumstances:
·Data is no longer necessary for the purpose it was collected
·You withdraw consent and there is no other legal basis for processing
·You object to processing and there is no overriding legitimate interest
·Data is retained unlawfully
Exceptions: Data may be retained if required by law (e.g., tax records, contract history)
Response time: Within 30 days of receipt; deletion within 30 days of approval

Right to Data Portability (GDPR Art 20):

Request your data in a structured, commonly-used, machine-readable format (e.g., CSV, JSON)
Request transfer of your data to another provider
Response time: Within 30 days of receipt

Right to Object (RA 10173 Sec 3; GDPR Art 21):

Object to processing for direct marketing, profiling, or automated decision-making
Request restriction of processing pending verification
Response time: Within 30 days of receipt

Right to Lodge a Complaint:

If you believe your data has been misused or your privacy rights violated:

National Privacy Commission (Philippines):

Email: complaints@privacy.gov.ph
Website: https://privacy.gov.ph/
Hotline: +63 (2) 8 920-1090
Address: 3rd Floor, Yuchengco Tower, RCBC Plaza, 6819 Ayala Avenue, Makati City 1200, Philippines

GDPR Supervisory Authority (if you are in the EU/EEA):

File a complaint with your local data protection authority
Find your authority: https://edpb.ec.europa.eu/about-edpb/board/members_en

How to Exercise Your Rights:

To request access, correction, deletion, portability, or to lodge a complaint, contact me:

Email: engelgatus@gmail.com
Include: Your full name, email address, clear description of your request, and any supporting information
I will acknowledge receipt within 3 business days
I will respond within 30 days (or notify you of extension if complex)
Responses will be provided at no cost, unless your request is manifestly unfounded or excessive

Identity Verification:

To protect your privacy, I will verify your identity before processing data subject rights requests. This may include asking for:

·Email confirmation
·Name and contact details
·Last inquiry date or message reference
·Photo ID (for high-sensitivity requests only)

9. Third-Party Services & Analytics

Summary: I use Vercel, Supabase, and Cloudflare to run this website. All are trustworthy and certified.

My website uses the following third-party services that may collect or process technical data:

Database & Backend Services:

Supabase (https://supabase.com/privacy): Hosts all contact form submissions, audit trail data, and user information. SOC 2 Type II certified. Data encrypted at rest (AES-256) and in transit (TLS 1.2+).

Web Hosting & CDN:

Vercel (https://vercel.com/legal/privacy-policy): Hosts website code, assets, and provides analytics. SOC 2 Type II certified.
Cloudflare (https://www.cloudflare.com/privacypolicy/): Provides DNS resolution, content delivery, security services, and geolocation data via CDN headers. SOC 2 Type II certified.

Analytics:

Vercel Analytics (https://vercel.com/legal/privacy-policy): Provides anonymized website performance metrics (page views, bounce rates, device types). No personally identifiable analytics data is collected or stored by Vercel Analytics.

Data Processing Agreements (DPA):

All third-party services are bound by Data Processing Agreements ensuring:

·Data is processed only on my instructions
·Industry-standard security controls are implemented
·Data is not repurposed or shared without consent
·The processor assists with data subject rights requests
·Data is deleted or returned upon contract termination

DPA copies are available upon request.

What I Do NOT Use:

✗ Google Analytics or similar invasive tracking
✗ Meta Pixel or Facebook ad networks
✗ Third-party ad exchanges
✗ Data brokers or data resellers
✗ Behavioral tracking for profiling

10. International Data Transfers

Summary: Your data may be stored in the US because my hosting is US-based. This is protected by international agreements.

Since my infrastructure is hosted on US-based platforms (Vercel, Supabase, Cloudflare), your data may be transferred to, processed in, and stored in the United States.

GDPR Compliance:

If you are an EU/EEA resident, such transfers are conducted under legal mechanisms required by GDPR Article 46:

Standard Contractual Clauses (SCCs): Supabase and Vercel use SCCs for data transfer to the US
Processor Certification: All processors maintain SOC 2 Type II compliance
Supplementary Measures: Encryption and access controls provide additional safeguards

Copies of relevant SCCs and adequacy documentation are available upon request.

RA 10173 Compliance:

Under RA 10173 Section 16, international data transfers require "appropriate safeguards." Transfers to SCC-protected processors and SOC 2 Type II-certified providers are considered compliant.

Your Consent:

By using this website and submitting the contact form, you consent to such international data transfers under the protections described above.

11. Children's Data

Summary: This website isn't for people under 18. If I find out I've collected data from a minor, I'll delete it immediately.

My portfolio website is not intended for individuals under 18 years old.

I do not knowingly collect personal data from minors without proper parental or guardian consent.

If I become aware that I have collected personal data from an individual under 18 without proper parental consent, I will:

·Promptly delete such data
·Notify the parent or guardian
·Take steps to prevent future collection from that individual

Compliance:

Under RA 10173, processing of minors' personal data requires parental/guardian consent.

Under GDPR (Article 8), parental consent is required for children under 16 in most EU member states (or the age set by that member state, typically 13-16).

If you are a parent or guardian and believe your child has submitted data to this website, contact me immediately at engelgatus@gmail.com.

12. Data Controller & Contact Information

Summary: I'm fully responsible for protecting your data under Philippine law. Contact me with any privacy questions or concerns.

As a Personal Information Controller under RA 10173 (Data Privacy Act of 2012), I am fully subject to all DPA requirements regardless of registration status with the National Privacy Commission (NPC).

While formal NPC registration may not be required at my current scale of data processing, I maintain full compliance with all RA 10173 requirements including:

·Informed, voluntary, specific consent management
·Industry-standard security standards (RA 10173 Section 12)
·Documented data subject rights processes
·72-hour breach notification procedures
·Annual compliance reviews
·Automatic data retention and deletion policies

Contact Information for Privacy Inquiries:

Email: engelgatus@gmail.com
Response Time: Within 3 business days of receipt; full response within 30 days
Location: Makati City, Metro Manila, Philippines
Subject Matter: Privacy questions, data subject rights requests, breach reports, complaints

Formal Complaints to Authorities:

If you wish to file a formal complaint, contact:

National Privacy Commission (NPC):

Email: complaints@privacy.gov.ph
Website: https://privacy.gov.ph/
Hotline: +63 (2) 8 920-1090
Address: 3rd Floor, Yuchengco Tower, RCBC Plaza, 6819 Ayala Avenue, Makati City 1200, Philippines
Filing Fee: PHP 500 (as of 2026)

GDPR Supervisory Authority (EU/EEA):

Contact your local data protection authority
Find your authority: https://edpb.ec.europa.eu/about-edpb/board/members_en

13. Cookie Policy & Tracking

Summary: I use minimal cookies for functionality. You can turn off analytics cookies. No ads or sneaky tracking here.

My website uses minimal cookies for essential functionality and analytics:

Essential Cookies (Required for Site Function):

Session cookies: Maintain your browsing session and form state
Security cookies: Prevent CSRF attacks and unauthorized access
Cannot be disabled without breaking core functionality

Analytics Cookies (Non-Essential; Opt-Out Available):

Vercel Analytics: Measure traffic, user flow, and performance
Non-personally identifiable (aggregate data only)
You can opt out by:
·Disabling analytics in browser privacy settings
·Requesting opt-out via email: engelgatus@gmail.com
·Using browser "Do Not Track" settings (if enabled)

Third-Party Cookies:

Minimal use; none for advertising or cross-site tracking
Cloudflare may set security-related cookies

Cookie Management:

You can manage cookies via your browser settings:

·Chrome: Settings → Privacy and Security → Cookies and other site data
·Firefox: Settings → Privacy & Security → Cookies and Site Data
·Safari: Preferences → Privacy → Manage Website Data
·Edge: Settings → Privacy → Clear browsing data

Disabling cookies may affect site functionality but will not prevent access to content.

Cookie Consent:

By continuing to use this site after reading this notice, you consent to analytics tracking. You may withdraw this consent at any time by adjusting your browser settings or contacting me at engelgatus@gmail.com.

14. Updates to This Policy

Summary: I'll update this policy if needed and let you know about big changes. Check the 'Last Updated' date.

I may update this Privacy Policy to reflect:

·Changes in data practices or security measures
·New legal requirements or regulatory changes
·Technology improvements
·Clarifications or corrections

Material Changes:

If I make material changes (e.g., new data collection, new purposes, new third-party processors), I will:

Notify you via email (if you have provided an email)
Post a prominent notice on the website
Provide a summary of changes with effective date

Non-Material Updates:

Minor clarifications, grammar fixes, or formatting updates may be made without advance notice.

Continued Use:

Your continued use of the website after policy updates constitutes acceptance of the revised policy. The "Last Updated" date at the top of this page reflects the most recent revision.

Historical Versions:

You may request previous versions of this Privacy Policy by contacting engelgatus@gmail.com. I retain previous versions for compliance audit purposes.

15. Data Deletion & Account Cleanup

Summary: You can request complete deletion of your data anytime. I'll securely erase it within 30 days.

You have the right to request complete deletion of your personal data at any time, subject to legal exceptions.

How to Request Deletion:

Email engelgatus@gmail.com with:

Subject: "Data Deletion Request"
Your full name and email address
The inquiry or submission you want deleted
Clear confirmation that you understand the consequences

Deletion Process:

1. I will acknowledge receipt within 3 business days

2. I will verify your identity (to prevent unauthorized deletion requests)

3. Upon confirmation, I will securely delete:

·Your name, email, and message content
·Personal data from Supabase database
·Backups (within 30 days of backup retention cycle)

4. I will send confirmation of deletion within 30 days

Legal Exceptions to Deletion:

Your data may be retained if:

Required by law (e.g., Philippine tax records retained 3 years, RA 9646 Electronic Commerce Act)
Needed to defend a legal claim or dispute
Necessary for business record-keeping as required by regulatory authority
Data has been anonymized (no longer personally identifiable)

Retention After Deletion Request:

Even after deletion, I may retain:

Anonymized aggregate data (used for analytics and statistics)
Backup copies for data recovery (retained 30 days then destroyed)
Legal/audit records (if required by law)
Consent audit logs (reduced to anonymized format)

16. Legal Disclaimer

Summary: This policy follows the law, but it's not legal advice. Consult a lawyer if you have specific questions.

This Privacy Policy is designed to comply with RA 10173 (Data Privacy Act of 2012), GDPR (General Data Protection Regulation), and relevant international privacy standards. However, this policy is not a substitute for professional legal advice.

If you have specific concerns about data privacy compliance, legal obligations, or require guidance on your personal data rights, consult a qualified data privacy attorney licensed in the Philippines or your jurisdiction.

Disclaimer of Liability:

While I take reasonable steps to protect your data, I cannot guarantee absolute security or uninterrupted service. By using this website, you assume inherent risks associated with online data transmission and internet services.

Questions?

If you have questions about this Privacy Policy, how I handle your data, or to exercise your data rights, please reach out. I'm committed to protecting your privacy and ensuring compliance with all applicable laws.
