Privacy Policy.

Information I collect

The categories below describe everything I collect, and nothing else.

From you, when you contact me

• Identifiers. Your email address (required), and optionally your name, business name, and current website URL if you choose to provide them.
• Message content. Whatever you type into the message field of the form, or whatever you write to me by email.

Automatically, when any visitor loads a page

• Server log data. The hosting platform (Cloudflare) records short-lived server logs for security, abuse prevention, and performance: IP address, user agent string, timestamp, requested URL, referrer, and HTTP status code. These logs are not joined to anything else; I don't run a separate analytics tool that watches what you click.

From you, if you become a paying client

• Billing identifiers. Your billing name, billing email, billing address, and the invoice line items, kept inside Stripe and inside my email records of the invoice.
• Payment status. Stripe tells me whether an invoice was paid, refunded, or disputed. I never see or store full payment-card numbers. Stripe handles card data on its own PCI-compliant infrastructure.

I don't collect Social Security numbers, government identifiers, biometric data, precise geolocation, health information, or any of the other categories defined as "sensitive personal information" under California law. The form does not ask for them and I don't have a separate tool that captures them.

How I collect it

Three ways, all named above:

1. Directly from you through the contact form on this site or by email to [email protected].
2. Automatically through standard server logs at Cloudflare, which exist whether or not you interact with the form.
3. From Stripe, which sends me invoice and payment status when you pay an invoice.

Why I collect it

I collect and use the information above for these specific purposes:

• To respond to your message and continue the conversation by email.
• If you become a client, to deliver the agreed-on work, ask follow-up questions, and provide the deliverables.
• To send invoices, accept payments, and keep the financial records the IRS and Florida Department of Revenue require.
• To diagnose and fix problems with the site itself, by way of server logs.
• To detect and prevent abuse, including form spam and security attacks.
• To comply with legal obligations, respond to valid legal process, or enforce my Terms.

I don't use any of this information for behavioral advertising, profiling, or automated decisions that produce legal or similarly significant effects. I don't have a marketing list, a CRM that scores leads, or a tool that decides what to show you based on past behavior.

Who else handles it

Three companies process information on my behalf in the normal course of running this site. None of them gets a copy of anything more than what's needed to do its specific job.

• Cloudflare, Inc. hosts the site, the contact form's server pipeline, and DNS. Cloudflare receives server log data described in section 1 and the form payload it relays to my mail server. Cloudflare's privacy notice is at cloudflare.com/privacypolicy.
• PurelyMail hosts the [email protected] mailbox and delivers outgoing email when the contact form is submitted. PurelyMail's privacy policy is at purelymail.com/about/privacy.
• Stripe, Inc. processes invoicing and payments for clients. Stripe collects and stores billing details, including the payment card or bank account, on its own PCI-compliant infrastructure. Stripe's privacy policy is at stripe.com/privacy.

I do not sell, rent, lease, or trade your personal information. I do not share it with advertising networks, data brokers, or analytics providers. I do not transfer it to anyone except (a) the three processors named above for the purposes named above, (b) my own accountant and tax authorities for required tax reporting, and (c) where required by law, valid legal process, or to protect against fraud or imminent harm.

If I ever bring on a contractor (for example, to assist with a Custom Build), they sign a confidentiality agreement before they touch project files, and they get only the information needed to do the assigned work. As of the effective date above, no contractor relationships are active.

How long I keep it

• Inquiry emails and form submissions: kept in the hello@ inbox indefinitely so I can find earlier conversations, unless you ask me to delete them. On request I'll delete the message and confirm by reply.
• Server logs (Cloudflare): retained on Cloudflare's standard schedule, typically a small number of days for analytics-grade aggregate data and shorter for raw request logs. I don't extend or download these logs.
• Active client records: kept for the duration of the engagement and for at least four years after the last invoice, which is the federal IRS requirement for income-tax records and is also broadly aligned with Florida statute of limitations periods on contracts. After that, I dispose of them or anonymize them.
• Stripe billing records: retained inside Stripe according to Stripe's own policies and US tax law.

Cookies and tracking

As of the effective date, the site sets no cookies of its own. There is no Google Analytics, Meta Pixel, LinkedIn Insight Tag, advertising remarketing tag, or third-party tracker on these pages. You can verify this by opening your browser's developer tools and looking at the Network and Application panels.

Cloudflare may set short-lived security or load-balancing cookies (for example, to detect bot traffic). These are operationally necessary, contain no personal identifier I can read, and are not used for advertising.

If I add lightweight, cookieless analytics in the future (Cloudflare Web Analytics is the most likely option, since it does not use cookies and does not track visitors across sites), I will update this section before turning it on.

Do Not Track signals

Some browsers send a "Do Not Track" or "Global Privacy Control" signal indicating that the visitor does not want their browsing tracked. Because the site does not track visitors across sites and does not sell or share personal information for cross-context behavioral advertising, these signals do not change anything about how the site behaves. I respect them by default by not doing the thing they ask the site not to do.

How I protect it

The technical and organizational measures in place at the effective date:

• Encryption in transit. The site is served over HTTPS. The contact form posts to a same-origin endpoint over TLS. The mail relay between the contact form and PurelyMail uses implicit TLS.
• Access control. Only I have access to the hello@ inbox, the Cloudflare account, and the Stripe account. Each is protected with a strong unique password and two-factor authentication.
• Least privilege. Cloudflare API tokens are scoped to specific resources rather than account-wide.
• No third-party tracking. The fewer parties touch your data, the smaller the attack surface.

No system on the public internet is invulnerable. If something does happen, see the data breach notification section below.

Children's privacy

This site and the services Pinellas Web Studio offers are aimed at small-business owners, not children. The site is not directed to children under 13, and I do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and you believe a child under 13 has provided information through the contact form, please email [email protected] and I will delete it on receipt. This is consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501 to 6506) and its implementing regulations.

Your rights

Regardless of where you live, you can ask me to do any of the following with the personal information I hold about you:

• Access. Tell you what I have on file.
• Correction. Fix anything that's inaccurate.
• Deletion. Delete it, subject to records I'm legally required to keep (mainly tax records on paid invoices).
• Portability. Send you a copy in a common, machine-readable format.
• Opt out of "sale" or "sharing". Already handled by default. I don't sell or share personal information for cross-context behavioral advertising.
• Withdraw consent. Stop further processing where the legal basis was consent.

The fastest way to exercise any of these is an email to [email protected]. I will reply within one business day to confirm receipt and act on the request within 30 days, or sooner where law requires. There is no formal request form. A sentence is enough. I will not retaliate or change pricing because you exercised these rights.

If you'd like to verify your identity before I act on a deletion request (for example, because you're worried someone else might impersonate you), reply from the same email address that originally contacted me, or include enough detail about a prior message that I can match it.

State and international laws

California (CCPA / CPRA)

Pinellas Web Studio does not currently meet the size or volume thresholds that make a business subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 and following). Even so, I extend the rights described in section 10 above to California residents on request.

Florida (FDBR)

The Florida Digital Bill of Rights (Fla. Stat. §501.71 and following) applies to controllers with more than $1 billion in global gross annual revenue meeting additional criteria. Pinellas Web Studio is a one-person studio that does not approach those thresholds and is therefore not a "controller" under the FDBR. I voluntarily honor access, correction, and deletion requests on the same plain-email basis described above.

Other US states

Several other states (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others) have enacted comprehensive consumer privacy laws with similar size thresholds. The studio is below those thresholds. Residents of those states can exercise the rights in section 10 by email and I'll honor them.

European Union, United Kingdom, and other regions

The site is operated from the United States and is aimed at customers in Pinellas County, Florida and the surrounding area. It is not intentionally directed to residents of the European Union, the United Kingdom, or other regions with comprehensive data-protection laws like the GDPR. If you contact me from one of those regions, I rely on your consent (for the form submission itself) and on legitimate interest (in answering you and, if you become a client, in performing the contract) as the legal bases for processing.

Data breach notification

If a security breach affecting your personal information occurs and a notification is required by the Florida Information Protection Act of 2014 (Fla. Stat. §501.171), I will notify affected individuals within 30 days of determining the breach occurred, and notify the Florida Department of Legal Affairs if the breach affects 500 or more Florida residents, as required by that statute. Where another applicable law (for example, a different state's notification law) requires faster notice, I'll meet the shorter deadline.

Changes to this policy

If I change this policy, the new "Last updated" date at the top of the page will reflect the change, and the prior version will remain available on request. Material changes (anything that meaningfully expands what I collect, who else handles it, or how it's used) will also be flagged in the site footer for at least 30 days so existing visitors and clients don't miss them. Continued use of the site after a change indicates acceptance of the revised policy.

How to contact me

Questions about this policy, requests to exercise the rights in section 10, or anything privacy-related go to:

Pinellas Web Studio
Attn: Privacy
Belleair Bluffs, FL, USA
[email protected]

I'll reply within one business day.