What I keep, why I keep it, and when I throw it away.

1. Who I am

I'm one person running BoostProfits, and I'm the one who handles your data. No data team behind a curtain.

BoostProfits is a one-person copywriting and conversion service operating the website at boostprofits.org. When this policy says "I," it means me, the operator. The contact address for anything privacy-related is contact@boostprofits.org, and it reaches me directly.

2. What I actually collect

Less than you'd expect. The form asks for an email and a link. Everything else, you hand me on purpose.

I've deliberately kept this small. Here is the complete list of what I collect and where it comes from:

• Your email — when you submit the free-audit form, or when you email me directly.
• The page link you submit — the URL you want me to look at. It's about your business, not about you personally, but I'm listing it so the picture is complete.
• Your name — only if and when you give it to me, typically once we're actually working together and emailing back and forth.
• Your phone number — only if you choose to share it, because you'd rather we talk than email. It's never required.
• Your timezone — when you submit the form, your browser reports its timezone (for example, "Europe/London"). I store it so I know roughly when to expect you'll read my reply. It does not identify you.

I also run anonymous, aggregate analytics on the site itself — how long visitors spend on each section of the page — so I can see which parts of my own copy are working. This is tied to a random session ID stored in your browser, never to your name or email, and I can't reverse it to identify you. I'm telling you about it because I'd rather over-disclose than hide a single thing.

One unavoidable exception worth naming honestly: the company that hosts this site records standard server logs, which include the IP address of every visitor — that's how the web works, and it happens before my code runs. See Section 5 for who that host is and Section 6 for how long those logs live.

3. Why I need it

Every piece of data I hold maps to a thing I have to do for you. Nothing is collected "just in case."

I process your data only for these purposes:

• To send you the free audit you asked for (needs your email and the page link).
• To do the paid work you hired me for and deliver it (needs your email, your name, and whatever you share about your business).
• To reach you about your project, by phone instead of email if you asked for that (needs your number, which is why it's optional).
• To improve my own website using anonymous section-timing data.
• To meet my legal and tax record-keeping obligations.

The lawful bases I rely on, in GDPR terms, are: performance of our contract (doing the work), my legitimate interest (replying to your inquiry, improving my site with anonymous data), and legal obligation (tax records). Where I rely on consent — like an optional phone number — you give it freely and can withdraw it anytime.

4. How I use it

To talk to you and do your work. Full stop. Not to train models, not to sell, not to advertise.

Your data is used to deliver and discuss the service you came for, and nothing else. I want to be explicit about the things I deliberately don't do with it:

• I don't sell, rent, license, or trade your data to anyone, for any price.
• I don't use it to train AI models.
• I don't use it for targeted advertising or build advertising audiences from it.
• I don't send you marketing newsletters you didn't ask for. If I ever start a list, it'll be opt-in, separate, and easy to leave.

5. Who else touches your data

Three services help me run this. Supabase stores it, Resend sends your emails, and GitHub with Fastly hosts the site. That's the whole list.

I keep the vendor list short on purpose. Each one processes only the data it needs to do its job, and each is contractually bound to handle it only on my instructions:

• Supabase Inc. — database and storage (USA / EU regions). Processes: your email, the page link, your timezone, and the anonymous section-timing data. Data Processing Agreement: supabase.com/privacy.
• Resend (Plus Five Five, Inc.) — transactional email delivery (USA). Processes: your email address and the contents of the messages I send you. Privacy terms: resend.com/legal/privacy-policy.
• GitHub, Inc. and Fastly, Inc. — static site hosting and content delivery (USA). Process: standard server-log data, including IP address, automatically. Policy: GitHub Privacy Statement.

None of these vendors is authorized to use your data for their own purposes. If I ever add a sub-processor, this list gets updated before they touch anything.

6. How long I keep it

Four years of silence and it's gone. That's a hard cap, not a rolling clock I quietly reset.

I keep your personal data for a maximum of four (4) years from our last meaningful contact. That window exists for real reasons: continuity if you come back, accurate billing and project history, and tax record-keeping obligations.

After four years of silence, your personal data is deleted or irreversibly anonymized within ninety (90) days. There's no automatic renewal — the clock only resets if we're actually in contact again.

Two specifics:

• Server logs (the IP addresses the host records) are short-lived and purged on the host's standard rotation, well inside 30 days. I don't keep my own copy of them.
• Anonymous analytics have no identity attached, so they fall outside the personal-data clock — but they're aggregate section timings, not anything traceable to you.

7. Your rights

It's your data. You can see it, fix it, take it, or tell me to delete it — and I'll actually do it.

Depending on where you live, you have some or all of these rights, and I honor them regardless of jurisdiction because it's the right way to operate:

• Access — ask for a copy of what I hold about you.
• Correction — tell me to fix anything inaccurate.
• Deletion — tell me to erase your data; I'll do it within 30 days.
• Portability — get your data in a clean, machine-readable file (JSON or CSV).
• Restriction and objection — tell me to limit or stop certain processing.
• Withdraw consent — anytime, where I relied on your consent.

To use any of these, email contact@boostprofits.org with "Data request" in the subject. I'll respond within 30 days. I may need to confirm it's really you before I act, to protect your data from someone impersonating you.

8. Security

Encrypted in transit, encrypted at rest, locked down by database-level access rules. No method is perfect, and I won't pretend otherwise.

Your data travels over HTTPS (TLS) and is encrypted at rest by Supabase. Access is restricted by row-level security policies, so the public site can write a lead but can't read anyone else's. Only I, signing in with a privileged account, can read the stored data.

No system is 100% secure, and anyone who tells you theirs is should worry you. What I can promise is that I take it seriously and I keep the attack surface small by collecting little in the first place.

9. Cookies and local storage

No tracking cookies. None. The only thing I store in your browser is a random ID for anonymous analytics.

I don't use advertising or cross-site tracking cookies, which is also why you don't see a cookie-consent banner — there's nothing non-essential to consent to. The site uses your browser's local storage for exactly two things: a random anonymous session ID for the section-timing analytics, and a short timestamp to stop the audit form from being submitted twice by accident. Neither identifies you, and you can clear both anytime by clearing your browser storage.

10. International data transfers

My vendors are mostly US-based, so your data may be processed in the United States. That's covered by standard legal safeguards.

Because Supabase, Resend, GitHub, and Fastly operate from the United States, your data may be stored or processed there. Where data moves out of the European Economic Area or the UK, the transfer relies on Standard Contractual Clauses or equivalent safeguards approved by the relevant authorities. A summary of those safeguards is available on request.

11. Children's privacy

This is a service for businesses. It's not built for, or aimed at, anyone under 16.

I don't knowingly collect data from anyone under the age of 16. If you're a parent or guardian and you believe a child has sent me their information, email contact@boostprofits.org and I'll delete it promptly.

12. If something goes wrong

If your data is ever exposed in a way that puts you at risk, I tell you fast. Within 72 hours.

In the event of a data breach that poses a risk to your rights, I'll notify affected people without undue delay and within 72 hours of becoming aware of it, along with what happened and what I'm doing about it. Where the law requires it, I'll notify the relevant supervisory authority too. I'd rather tell you an uncomfortable truth quickly than manage a quiet one.

13. Changes to this policy

If I change something that matters, I'll tell the people it affects before it takes effect.

I may update this policy as the service evolves. If a change materially affects how I handle your data, I'll email registered clients at least 14 days before it takes effect. The version number and "last updated" date at the top always reflect the current version, and prior versions are available on request.

14. Contact

One address, and it reaches me, not a ticket queue.

Anything about your privacy — a question, a request, a complaint — goes to contact@boostprofits.org. I aim to reply within two business days. If you're in the EU or UK and you're not satisfied with how I've handled something, you also have the right to complain to your national data protection authority.