Privacy Policy

Last updated: 4 May 2026

1. What this Policy covers

This Policy describes the personal data we collect when you visit the website, the legal bases on which we process it, how long we keep it, who we share it with, and the rights you have over it. It applies to all visitors regardless of where you are located.

If you do not agree with this Policy, please stop using the website.

For information about who we are, our legal status, and how to reach us, see §11 About us and contact at the end of this Policy.

2. Data we collect

We have intentionally minimised what we collect. We do not use Google Analytics, Facebook Pixel, third-party advertising trackers, fingerprinting libraries, or any cross-site tracking technology.

2.1 Automatically collected (every visit)

When you load any public page, our self-hosted analytics records:

Data | What it actually is
Page path | e.g. /work/datagram
Hashed IP | A salted SHA-256 hash of your IP address. We do not store the raw IP. The hash is one-way and cannot be reversed without our server-side secret.
Approximate location | Country and city, resolved offline from your IP using MaxMind's GeoLite2 database. No data is sent to MaxMind during this lookup.
Device class | mobile / tablet / desktop
Browser & OS | e.g. "Chrome on macOS"
Referrer | The previous page URL, if your browser sent one
UTM parameters | If the URL contains ?utm_source=…
Time on page | How long you stayed on the page (seconds)
Scroll depth | How far you scrolled (0–100 %, in 25 % buckets)
CTA clicks | If you click an allow-listed call-to-action button (e.g. "Book a call"), we record which one and the destination URL. We do not track clicks on regular content links.

2.2 Information you submit voluntarily

If you fill in a form on the website (e.g. the booking form or contact form), we store:

  • Your name, email, optionally phone and company
  • Any message or notes you write
  • The time of submission and the UTM/referrer of your originating session (so we can understand which marketing channel brought you in)

If you book a call, we additionally store the scheduled time and timezone and create a corresponding event in our own Google Calendar; the Google Calendar event ID is stored against your booking record.

2.3 How form submissions are used (our CRM)

Every form submission becomes a "lead" record in our internal CRM (Customer Relationship Management) database. The CRM is self-hosted on our own server — we do not use HubSpot, Salesforce, Pipedrive, or any other third-party CRM SaaS. Your data stays under our direct control.

For each lead, we track:

  • Everything you submitted in the form (see 2.2 above);
  • A status reflecting where the conversation stands (e.g. "new," "contacted," "qualified," "won," "lost");
  • A source tag (e.g. "booking-form," "contact-form") so we know which entry point you came through;
  • A link to your booking record, if you scheduled a call.

We use this information to:

  • Prepare for and conduct the call you booked;
  • Send a meeting confirmation and reminders by email;
  • Follow up after the call about the service you enquired about (proposal, quote, scheduling next steps) — typically by email, occasionally by phone if you provided a number;
  • Keep an internal record of our conversation for accounting, dispute resolution, and to remember context if you re-engage with us later.

We do not use this data for cold outreach to people who haven't contacted us, nor do we share it with sales partners, lead-generation services, or any third party. If at any point you want us to delete your lead record, email us (see §11 below) and we will do so within 30 days.

2.4 Cookies

We set exactly one first-party cookie. It is encrypted with our server-side secret (so the contents are unreadable to you, your browser extensions, or any third party) and is session-scoped — your browser deletes it when you close the window.

Cookie | Type | Duration
_portfolio_website_session | First-party, encrypted, strictly necessary | Session

The encrypted payload contains, at most, the following:

  • A CSRF token — protects forms (booking, contact) from cross-site request forgery attacks
  • An internal session identifier — used to link your page views together in our self-hosted analytics so we can see, for example, that one visitor read three pages
  • A stability flag (_pv) — ensures the session identifier exists on first visit
  • First-touch UTM parameters (utm_source, utm_medium, utm_campaign) — only stored if you arrived via a tagged URL; helps us attribute leads to the marketing channel that brought you in
  • First referrer URL — only stored if your browser sent a Referer header
  • An admin flag — set only if you log into the admin panel; regular visitors never have this

Cookie consent: Under the EU ePrivacy Directive (Directive 2002/58/EC, Article 5(3)) and equivalent national laws, cookies that are strictly necessary for the security of the website and the delivery of a service the user has explicitly requested are exempt from the consent requirement. Our session cookie qualifies on both grounds (CSRF protection and basic site operation), which is why this website does not show a cookie banner.

We do not set advertising, marketing, or social-media cookies. We do not embed third-party widgets that would set their own cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.

3. Why we collect this data and the legal basis

Purpose | Legal basis (GDPR Art. 6)
Operating the website (delivering pages, preventing CSRF, protecting against abuse) | Legitimate interest — Art. 6(1)(f)
Aggregated analytics (which pages are popular, where visitors come from, which CTAs work) on the basis of pseudonymised data | Legitimate interest — Art. 6(1)(f)
Responding to your form submissions, scheduling calls, sending booking confirmations | Performance of a contract — Art. 6(1)(b)
Sending follow-up emails about a service you enquired about | Legitimate interest / consent
Complying with tax, accounting, and similar legal obligations | Legal obligation — Art. 6(1)(c)

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Who we share data with

We share personal data only with carefully chosen processors, and only as far as needed to operate the service:

Processor | What they do | Their access to your data | Where
Hetzner Online | Web and database hosting | Operator of the underlying server. Has theoretical access to the live database disk; bound by data-processing agreement and EU data-protection law. | Germany (EU)
Cloudflare | Off-site database backups (R2 object storage) | None. Backups are GPG-encrypted client-side on our server before upload. The private key required to decrypt them is never stored on Cloudflare's infrastructure — Cloudflare holds the encrypted blob and cannot read its contents. | EU region
Resend | Sending transactional emails (booking confirmations, replies) | Sees the contents of emails routed through them — recipient address, subject line, and body. No access to the rest of our database. | USA
Google | Google Calendar event creation when you book a call | Sees the data we put into the calendar event — your name, email, scheduled time, and any notes you wrote on the booking form. No access to the rest of our database. | USA

We do not sell, rent, or trade your personal data. We do not share it with advertisers or data brokers.

We may also disclose personal data when required by law (court order, lawful request from a competent authority) or to defend our legal rights.

5. International data transfers

Some of our processors are based outside the European Economic Area (notably the United States). When we transfer your data to those countries, we rely on:

  • The European Commission's adequacy decisions (where applicable, e.g. the EU-US Data Privacy Framework for participating US processors)
  • Standard Contractual Clauses approved by the European Commission
  • The processors' own GDPR-equivalent compliance programmes

You can request a copy of the safeguards in place by emailing us.

6. How long we keep data

Category | Retention
Page views, click events, time-on-page, scroll depth | 24 months
Form submissions (contact form, lead records in CRM) | 5 years from last contact, or until you ask us to delete
Booking records | 3 years after the scheduled date
Encrypted off-site backups | 40 days maximum
Server access logs | 30 days

We may keep data longer where required by Georgian or applicable EU tax/accounting law.

7. Your rights

If GDPR, UK GDPR, or Georgian data-protection law applies to your data, you have the following rights:

  • Right of access (GDPR Art. 15) — receive a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure / "right to be forgotten" (Art. 17) — ask us to delete your data
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — including objecting to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3))
  • Right to lodge a complaint with your supervisory authority — for Georgian residents, the Personal Data Protection Service of Georgia (personaldata.ge)

To exercise any of these rights, email chernov.dv@gmail.com with "Data Subject Request" in the subject line. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

If you are a California resident and the CCPA/CPRA applies to your data, you also have the right to opt out of any "sale" or "sharing" of personal information — note that we do not sell or share personal information as those terms are defined under California law.

8. Security

We protect your data with industry-standard measures, including:

  • TLS 1.3 for all traffic to the website (HTTPS only)
  • Salted SHA-256 hashing of IP addresses (we never store raw IPs)
  • Encrypted off-site backups using GPG with an Ed25519/Cv25519 keypair; the private key is never stored on the server
  • Immutable backup storage that cannot be deleted or overwritten by a compromised server (object lock)
  • Scoped access tokens for backup storage
  • Regular security updates of operating system, framework, and dependencies via automated CI

No system is perfectly secure. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, in accordance with GDPR Articles 33–34.

9. Children

This website is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected such data, please contact us and we will delete it.

10. Changes to this Policy

We may update this Policy from time to time to reflect changes in the website, our services, or applicable law. The "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will display a prominent notice on the website for at least 30 days.

We recommend reviewing this Policy periodically.

11. About us and contact

This website (dmitrychernov.com) is operated by Dmitry Chernov, Individual Entrepreneur (Georgian Individual Entrepreneur, ID No. 302261362), with a registered office in Tbilisi, Georgia. Throughout this Policy "we," "us," and "our" refer to this entity.

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the Georgian Law on Personal Data Protection (2011, as amended), we are the data controller of personal data collected through this website.

Dmitry Chernov, Individual Entrepreneur

Tbilisi, Georgia

ID: 302261362

Email: chernov.dv@gmail.com

For data-protection enquiries, please put "Data Subject Request" or "Privacy" in the subject line.


This Privacy Policy is governed by Georgian law and, where applicable, by the EU General Data Protection Regulation. Nothing in this Policy limits any non-waivable rights you have under the law of your country of residence.
