This website is operated by Daniel Mashkov, Licensed Business (Israel). This policy explains how I collect, use, retain, and protect personal data in accordance with the Israeli Privacy Protection Law 5741-1981 including Amendment 13 (in force from 2025), the Privacy Protection Regulations (Data Security) 2017, and the California Consumer Privacy Act (CCPA) as amended by CPRA 2026. Privacy at a glance — Lead data retention: 24 months. IP address TTL: 60 seconds. Breach notification: 72 hours. DSR response window: 30 days. Compliance: PPL Amendment 13, CCPA / CPRA 2026, GDPR-aware.
1. Information I Collect
1.1 Information You Provide Directly
- Contact form: Name, email address, phone number (optional), message content, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table).
- Lead magnet form: Name, email address, consent acknowledgment, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table) with a 24-hour duplicate-suppression check.
- Project intake form: Name, email address, company, current website, project goals, target audience, requested features, budget, timeline, additional details, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table, lead_type: intake).
- Cost estimator: Name, email address, company (optional), project type, selected features, page count, tier preference, and attribution data (referrer URL, page path, UTM source / medium / campaign). Persisted to Supabase (leads table, lead_type: estimator).
- ROI Calculator (Services page): Monthly visitor count, conversion rate, page load speed, and average order value — entered entirely at your discretion. All calculations are performed client-side in your browser. No input values are transmitted to our servers, stored in any database, or shared with third parties. No personal identifiers are collected or processed by this tool.
1.2 Information Collected Automatically
- IP address: Collected and temporarily stored in Upstash Redis for rate limiting on API endpoints — automatically deleted after 60 seconds. Per PPA Q4 2025 guidance, IP addresses constitute personally identifiable information.
- Google Analytics 4 (GA4): Usage events, referrer, browser and device metadata. Israeli visitors: active by default under Notice & Opt-out (PPL Am. 13). EU and other visitors: loaded only after explicit consent. Configured with anonymize_ip: true.
- UTM / attribution data: Used for internal attribution analysis only. Not shared with advertising platforms.
- Cookies & local storage: cookie-consent (localStorage, functional) stores your consent state ('all', 'il-notice', or 'essential'), securely logged for legal auditing under PPL Am. 13; cookie-consent-gpc records when a Global Privacy Control signal was honored; __vcountry (HTTP cookie, 1-hour TTL) identifies your country to select the appropriate consent model — never stored or shared.
- Locale cookie: next-intl sets a session-scoped HTTP cookie to remember your language preference (en/he). No personal data is stored in this cookie.
- Session storage: exit_intent_shown and converted_this_session prevent repetitive popups within a tab. calculator_intent pre-selects your last estimator project type. All keys expire when the browser tab is closed.
- Vercel Speed Insights: Core Web Vitals performance metrics are sent to Vercel without requiring consent — they contain no personal user identifiers.
1.3 Especially Sensitive Data — PPL Am. 13 §3
Statutory classification — enhanced protection mandatory.
- IP address: Under Israeli PPA Q4 2025 guidance and the CJEU Breyer doctrine, IP addresses constitute "especially sensitive personal data" when linkable to an individual. On this site: stored in Upstash Redis with a strict 60-second TTL, excluded from all application logs, and never transmitted to marketing vendors.
- Geolocation data: Coarse geolocation (country/city) derived from IP or GA4 is classified as location data under PPL Am. 13 §3. GA4 is configured with anonymize_ip: true and IP masking — reducing precision to the final two octets only, satisfying the PPA's data-minimisation principle.
Legal basis: Privacy Protection Law 5741-1981 §3 (sensitive data schedule) as expanded by PPL Amendment 13 (2025). Processing this category requires Records of Processing Activities (ROPA) documentation, a Data Protection Impact Assessment (DPIA), and enhanced technical safeguards.
2. How I Use Your Information
- Responding to your inquiries and delivering requested services
- Preventing API abuse via rate limiting (3–5 requests / 60-second window per IP, varies by form endpoint)
- Improving the site based on anonymized usage analytics
- Internal attribution of traffic sources (UTM data, never shared externally)
I do not sell, rent, or share your personal information with third parties for marketing purposes.
3. Subprocessors
I use the following third-party services to process data on my behalf:
- Vercel Inc.: Website hosting, CDN, edge functions — USA / EU (edge).
- Supabase Inc.: Site-form submissions (contact / lead magnet / intake / estimator, leads table, RLS enforced) — USA / EU-West.
- Airtable Inc.: CRM lead sync — Account + Engagement records for contact / intake / estimator submissions — USA.
- Resend Inc.: Transactional email delivery — USA.
- Upstash Inc.: Rate limiting (Redis, 60-second TTL) — USA.
- Google LLC (GA4): Usage analytics (consent-gated) — USA.
- Sentry Inc.: Error monitoring and performance — USA.
- Vercel Speed Insights: Performance monitoring — Core Web Vitals (always active) — USA.
- Cal.com, Inc.: Appointment scheduling (on-demand, user-initiated) — USA.
Cross-border transfers are documented vendor by vendor. Where a processor offers a DPA and SCCs, those safeguards are used; where they are unavailable on a free tier (such as Airtable / Resend), that limitation is disclosed explicitly in the privacy inventory and compliance documentation.
4. Data Retention
- 24 months — Site-form submissions (Supabase): Automatically purged after this period.
- 24 months — Airtable CRM lead records (Accounts + Engagements): Monthly purge removes stale site-form leads; worked engagements are preserved.
- 60 seconds — IP addresses (Upstash Redis): Automatically deleted by Redis TTL.
- 14 months — GA4 data: Google's default retention setting.
- Until cleared — Cookie consent state: Stored in localStorage.
- 5 years — Consent audit log (consent_logs, Supabase): Anonymous audit records required by GDPR Art. 7 & PPL Am. 13 — no IP, no email stored.
- 5 years — DSR requests (dsr_requests, Supabase): Retained for legal audit trail — no IP stored.
5. Your Rights — PPL Amendment 13 (Israeli Law)
- Right of access: Request information about what personal data I hold about you — response within 30 days.
- Right to correction: Request correction of inaccurate personal data.
- Right to deletion: Request deletion of your personal data before the end of the retention period.
- Right to object: Object to processing of your data for marketing purposes.
To exercise any of these rights, use our secure form — see the Submit a DSR Request button below.
6. Data Security
- HTTPS encryption on all connections
- Strict nonce-based Content Security Policy (CSP)
- Rate limiting on all form API endpoints (3–5 requests / 60-second window per IP, varies by endpoint)
- Supabase Row-Level Security (RLS) — anon key scoped to INSERT only on the leads table
- Server-side input validation and HTML escaping on all user-provided content
- Access to personal data restricted to Daniel Mashkov only
7. Cookies and Consent
Essential functionality uses a locale cookie (next-intl, HTTP session cookie) and localStorage keys for consent state (cookie-consent) and GPC detection (cookie-consent-gpc). Session storage keys expire on tab close. Analytics cookies (GA4) are loaded based on your location: visitors from Israel receive a Notice & Opt-out model (analytics active by default under PPL Am. 13); visitors from the EU and rest of world receive a hard opt-in dialog. You may change or withdraw your consent at any time via "Cookie Settings" in the site footer.
8. Do Not Sell or Share My Personal Information (CCPA 2026 — California Residents)
I do not sell, rent, or share the personal information of California residents with third parties for cross-context behavioral advertising or targeted advertising purposes. California residents have the right to: know what data is collected, request deletion, request correction, opt out of sale/sharing, and non-discrimination for exercising these rights. Use the Submit a DSR Request button below to opt out.
9. 72-Hour Data Breach Notification Protocol
PPL Amendment 13 §17c mandates notification to the PPA within 72 hours of discovery. The following protocol governs my response:
Phase 1 — Detect & Contain (0–4 h)
- Immediate isolation of affected systems
- Initial documentation of breach scope and vector
- Activation of security incident response procedures
Phase 2 — Assess Severity (4–24 h)
- Identify categories of data affected and number of individuals
- Assess risk level to data subjects' rights and freedoms
- Document in ROPA and internal security incident register
Phase 3 — Notify PPA (24–72 h)
- Submit formal notification to the Israeli Privacy Protection Authority (PPA)
- Include: nature of breach, data categories, number of individuals, measures taken
- Copy retained by Daniel Mashkov as personally accountable operator (CPRA § 1798.199.90)
Phase 4 — Notify Individuals (without undue delay)
- Individual notice to affected parties facing high risk
- Content: what occurred, data exposed, recommended actions, contact point
- Notify CERT-IL if breach involves critical infrastructure components
This protocol complies with PPL Amendment 13 §17c, the Privacy Protection Regulations (Data Security) 2017, and CERT-IL cyber incident reporting guidelines.
10. Changes to This Policy & Contact
I may update this policy from time to time. Material changes will be posted on this page with a new "Last updated" date. Continued use of the site after an update constitutes acceptance of the revised policy.
Contact
For privacy-related questions or data subject requests, use the Submit a DSR Request button below, or email privacy@danielmashkov.com.
This alias is configured and may be pending DNS activation. For urgent requests: info@danielmashkov.com.