Privacy Document

Privacy Policy

Version 3.1 | Updated March 2026 — PPL Amendment 13 & CCPA 2026 Compliant

Privacy At a Glance

24months

Lead data retention

60seconds

IP address TTL

72hours

Breach notification

30days

DSR response window

PPL Amendment 13CCPA / CPRA 2026GDPR-Aware

This website is operated by Daniel Mashkov, Licensed Business (Israel). This policy explains how I collect, use, retain, and protect personal data in accordance with the Israeli Privacy Protection Law 5741-1981 including Amendment 13 (in force from 2025), the Privacy Protection Regulations (Data Security) 2017, and the California Consumer Privacy Act (CCPA) as amended by CPRA 2026.

1Information I Collect

1.1 Information You Provide Directly

Contact form: Name, email address, phone number (optional), message content, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table).
Lead magnet form: Name, email address, consent acknowledgment, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table) with a 24-hour duplicate-suppression check.
Project intake form: Name, email address, company, current website, project goals, target audience, requested features, budget, timeline, additional details, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table, lead_type: intake).
Cost estimator: Name, email address, company (optional), project type, selected features, page count, tier preference, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table, lead_type: estimator).
ROI Calculator (Services page): Monthly visitor count, conversion rate, page load speed, and average order value — entered entirely at your discretion. All calculations are performed client-side in your browser. No input values are transmitted to our servers, stored in any database, or shared with third parties. No personal identifiers are collected or processed by this tool.

1.2 Information Collected Automatically

IP address: Collected and temporarily stored in Upstash Redis for rate limiting on API endpoints — automatically deleted after 60 seconds. Per PPA Q4 2025 guidance, IP addresses constitute personally identifiable information.
Google Analytics 4 (GA4): Usage events, referrer, browser and device metadata. Israeli visitors: active by default under Notice & Opt-out (PPL Am. 13). EU and other visitors: loaded only after explicit consent. Configured with anonymize_ip: true.
UTM / attribution data: Used for internal attribution analysis only. Not shared with advertising platforms.
Cookies & local storage: cookie-consent (localStorage, functional) stores your consent state ('all', 'il-notice', or 'essential'), securely logged for legal auditing under PPL Am. 13; cookie-consent-gpc records when a Global Privacy Control signal was honored; __vcountry (HTTP cookie, 1-hour TTL) identifies your country to select the appropriate consent model — never stored or shared.
Locale cookie: next-intl sets a session-scoped HTTP cookie to remember your language preference (en/he). No personal data is stored in this cookie.
Session storage: exit_intent_shown and converted_this_session prevent repetitive popups within a tab. calculator_intent pre-selects your last estimator project type. All keys expire when the browser tab is closed.
Vercel Speed Insights: Core Web Vitals performance metrics are sent to Vercel without requiring consent — they contain no personal user identifiers.

1.3 Especially Sensitive Data — PPL Am. 13 §3

Statutory classification — enhanced protection mandatory

IP address: Under Israeli PPA Q4 2025 guidance and the CJEU Breyer doctrine, IP addresses constitute "especially sensitive personal data" when linkable to an individual. On this site: stored in Upstash Redis with a strict 60-second TTL, excluded from all application logs, and never transmitted to marketing vendors.
Geolocation data: Coarse geolocation (country/city) derived from IP or GA4 is classified as location data under PPL Am. 13 §3. GA4 is configured with anonymize_ip: true and IP masking — reducing precision to the final two octets only, satisfying the PPA's data-minimisation principle.

Legal basis: Privacy Protection Law 5741-1981 §3 (sensitive data schedule) as expanded by PPL Amendment 13 (2025). Processing this category requires Records of Processing Activities (ROPA) documentation, a Data Protection Impact Assessment (DPIA), and enhanced technical safeguards.

2How I Use Your Information

Responding to your inquiries and delivering requested services
Preventing API abuse via rate limiting (3–5 requests / 60-second window per IP, varies by form endpoint)
Improving the site based on anonymized usage analytics
Internal attribution of traffic sources (UTM data, never shared externally)

I do not sell, rent, or share your personal information with third parties for marketing purposes.

3Subprocessors

I use the following third-party services to process data on my behalf:

Service	Purpose	Location
Vercel Inc.	Website hosting, CDN, edge functions	USA / EU (edge)
Supabase Inc.	Site-form submissions (contact / lead magnet / intake / estimator, leads table, RLS enforced)	USA / EU-West
Airtable Inc.	CRM lead sync — Account + Engagement records for contact / intake / estimator submissions	USA
Resend Inc.	Transactional email delivery	USA
Upstash Inc.	Rate limiting (Redis, 60-second TTL)	USA
Google LLC (GA4)	Usage analytics (consent-gated)	USA
Sentry Inc.	Error monitoring and performance	USA
Vercel Speed Insights	Performance monitoring — Core Web Vitals (always active)	USA
Calendly Inc.	Appointment scheduling (on-demand, user-initiated)	USA

Cross-border transfers are documented vendor by vendor. Where a processor offers a DPA and SCCs, those safeguards are used; where they are unavailable on a free tier (such as Airtable / Resend), that limitation is disclosed explicitly in the privacy inventory and compliance documentation.

4Data Retention

24 months

Site-form submissions (Supabase)

Automatically purged after this period

24 months

Airtable CRM lead records (Accounts + Engagements)

Monthly purge removes stale site-form leads; worked engagements are preserved

60 seconds

IP addresses (Upstash Redis)

Automatically deleted by Redis TTL

14 months

GA4 data

Google's default retention setting

Until cleared

Cookie consent state

Stored in localStorage

5 years

Consent audit log (consent_logs, Supabase)

Anonymous audit records required by GDPR Art. 7 & PPL Am. 13 — no IP, no email stored

5 years

DSR requests (dsr_requests, Supabase)

Retained for legal audit trail — no IP stored

5Your Rights — PPL Amendment 13 (Israeli Law)

Right of access: Request information about what personal data I hold about you — response within 30 days.
Right to correction: Request correction of inaccurate personal data.
Right to deletion: Request deletion of your personal data before the end of the retention period.
Right to object: Object to processing of your data for marketing purposes.

To exercise any of these rights, use our secure form: Submit a DSR Request

6Data Security

HTTPS encryption on all connections
Strict nonce-based Content Security Policy (CSP)
Rate limiting on all form API endpoints (3–5 requests / 60-second window per IP, varies by endpoint)
Supabase Row-Level Security (RLS) — anon key scoped to INSERT only on the leads table
Server-side input validation and HTML escaping on all user-provided content
Access to personal data restricted to Daniel Mashkov only

7Cookies and Consent

Essential functionality uses a locale cookie (next-intl, HTTP session cookie) and localStorage keys for consent state (cookie-consent) and GPC detection (cookie-consent-gpc). Session storage keys expire on tab close. Analytics cookies (GA4) are loaded based on your location: visitors from Israel receive a Notice & Opt-out model (analytics active by default under PPL Am. 13); visitors from the EU and rest of world receive a hard opt-in dialog. You may change or withdraw your consent at any time via "Cookie Settings" in the site footer.

8Do Not Sell or Share My Personal Information (CCPA 2026 — California Residents)

I do not sell, rent, or share the personal information of California residents with third parties for cross-context behavioral advertising or targeted advertising purposes. California residents have the right to: know what data is collected, request deletion, request correction, opt out of sale/sharing, and non-discrimination for exercising these rights.

Submit a DSR Request

972-Hour Data Breach Notification Protocol

PPL Amendment 13 §17c mandates notification to the PPA within 72 hours of discovery. The following protocol governs my response:

Phase 1 — Detect & Contain (0–4 h)

Immediate isolation of affected systems
Initial documentation of breach scope and vector
Activation of security incident response procedures

Phase 2 — Assess Severity (4–24 h)

Identify categories of data affected and number of individuals
Assess risk level to data subjects' rights and freedoms
Document in ROPA and internal security incident register

Phase 3 — Notify PPA (24–72 h)

Submit formal notification to the Israeli Privacy Protection Authority (PPA)
Include: nature of breach, data categories, number of individuals, measures taken
Copy retained by Daniel Mashkov as personally accountable operator (CPRA § 1798.199.90)

Phase 4 — Notify Individuals (without undue delay)

Individual notice to affected parties facing high risk
Content: what occurred, data exposed, recommended actions, contact point
Notify CERT-IL if breach involves critical infrastructure components

This protocol complies with PPL Amendment 13 §17c, the Privacy Protection Regulations (Data Security) 2017, and CERT-IL cyber incident reporting guidelines.

10. Changes to This Policy

I may update this policy from time to time. Material changes will be posted on this page with a new "Last updated" date. Continued use of the site after an update constitutes acceptance of the revised policy.

11. Contact

For privacy-related questions or data subject requests:

Submit a DSR Request

Or email: privacy@danielmashkov.com

This alias is configured and may be pending DNS activation. For urgent requests: info@danielmashkov.com