Legal information

Privacy Policy

Last updated: May 15, 2026

This Privacy Policy explains how HRDNOX Labs handles information tied to visits and forms on hrdnoxlabs.com (“Site”). For app-specific data practices embedded inside mobile purchases, rely on disclosures in each app and the storefront you used (Apple/Google), supplemented by notices we embed in-product.

Controller / who we are

The data controller for Site-level processing described below is Terry Brazil, trading as HRDNOX Labs, reachable at hrdnoxlabs@gmail.com. Rocky Road Designs is a branding lane for website services—not a separate legal controller unless we expressly say so in contracting with you later.

Scope

This policy covers the informational website and inquiry forms—not completed written client agreements or offline records.

When you navigate to unrelated third-party sites linked from portfolios, storefronts, or partners, review their notices independently.

What we collect when you browse

Typical web hosting emits server logs capturing IP address, rough geolocation inferred by providers, timestamps, URLs, user-agent fragments, referrer headers, HTTP status codes, and byte counts. These are used for security forensic review, diagnosing misconfigurations, rate-abuse spotting, uptime monitoring, lawful requests, and aggregated capacity planning, not for selling raw access logs commercially.

This Site codebase does not currently embed first-party marketing analytics pixels documented here. If added later—Plausible, Umami, Google Analytics—we will revise this policy and expose configuration choices where legally required before collecting new categories.

Cookies / local storage presently serve essential technical functions (preventing duplicate spam submissions when the server adds them, honoring theme/session preferences if implemented). Marketing cookies are absent until declared.

Contact form data you choose to submit

HRDNOX Labs general inquiry: name, email, optional company, topic selection, free-text message, honeypot field (should remain blank), hidden routing metadata (form kind, return URL). Submissions post to the Next.js route /api/contact, which sends mail over SMTP configured on the server (no PHP).

Rocky Road Designs project form: name, email, optional phone, business/project identity, optional current site URL, site-type selection, approximate budget tier, textual timeline aspiration, descriptive project paragraphs, honeypot, hidden routing metadata.

You should avoid sending payment card numbers, government ID numbers, health data, minors' identifiers, privileged legal materials, unreleased trade secrets unrelated to quoting, malware-laden attachments (attachments are deliberately not supported), or excessively sensitive dossiers. We did not engineer intake for HIPAA-level or financial KYC ingestion.

How we use submissions

We triage inbound messages to:

  • Reply with clarifying questions, availability, or politely decline,
  • Draft scopes, estimates, or calendar holds where appropriate,
  • Coordinate referral or collaborator introduction if mismatched,
  • Detect duplication, spoofing attempts, phishing, or scripted abuse,
  • Maintain internal shorthand notes about aggregated demand patterns, without selling personal dossiers.

No automated decision denies human rights exclusively by unsupervised silicon scoring—we read context.

Disclosure categories

We disclose information only narrowly:

  • Hosting / email transport providers processing mail relays, SMTP, spam filtering intermediaries inherent to deliverability pipelines,
  • Authorities, when legally compelled, after good-faith review with counsel for proportionality,
  • Successor operators, if the studio assigns assets underpinning continuity of unfinished conversations, with notice to you where feasible,
  • Professional advisors (CPA, attorneys) bound by confidentiality for structuring deals or audits.

We do not sell personal information for monetary consideration, as “sale” is commonly defined under US state privacy statutes.

Retention

Server logs inherit hosting default rotation windows (often tens of days, rolling; confirm with the live provider SLA). Genuine business correspondence stemming from submissions may linger in mailboxes for as long as is reasonable for accounting, contractual limitation defenses, reputational archival, taxation, and dormant lead follow-ups, typically up to roughly several years absent an earlier mutually agreed purge, unless law demands longer preservation for specific threads.

Security measures

We implement TLS in transit wherever hosting supports it opportunistically, password-protected workstation disk encryption for operator machines where practical, phishing awareness, segmented accounts, MFA on primary mail, restricted repo access—not ISO 27001 certified formalism but proportionate safeguards for boutique studio scale.

Your privacy rights & exercising them

Across US states that have enacted broad privacy rights (examples: Virginia, Colorado, Connecticut, Montana, and a forthcoming wave), residents may have rights of access, portability, deletion, correction, objection to certain processing, and appeal; these vary by enactment. We honor substantiated, authenticated requests, balanced against fraud prevention.

California (CPRA/CalOPPA-aligned summary): You may ask which categories of information traveled; request deletion or correction, subject to exceptions (unfinished transactions, detecting security incidents); and request that we not discriminatorily withhold service after you exercise a right (no financial incentives are offered here). “Do Not Sell”: we do not sell personal information in the common dictionary sense. Shine the Light disclosures are not triggered, because the commercial sharing lanes they contemplate are absent.

European Economic Area / UK GDPR-style: You may request access, rectification, erasure, restriction, or portability, or object to processing, and we respond within the timeframe the law prescribes. You may also complain to your supervisory authority, or escalate politely if unsatisfied; we prefer goodwill resolution first.

Canadian PIPEDA / provincial analogues: Similar transparency, accountability, accuracy, challenge rights—email us articulating specifics.

To exercise:
Email hrdnoxlabs@gmail.com with the title “Privacy request”, referencing the approximate submission date, name, and domain used. We authenticate reasonably; responses usually arrive within thirty calendar days, absent complexity or backlog spikes.

Children

The Site is not directed toward children under 13 (United States COPPA framing) nor under 16 for EU minors without lawful guardian involvement. We do not knowingly solicit personal data directly from minors. If you believe a minor wrongly submitted data, instruct us to purge promptly—we verify context first to avoid sabotage removals.

International transfers

Servers and mailbox providers used to operate this Site may be located in the United States or other jurisdictions. Where EU/UK law applies, appropriate safeguards—such as standard contractual clauses negotiated by regulators or supplementary measures as case law evolves—support transfers proportional to lightweight marketing-site traffic and contact mail threads.

Accuracy & third-party integrations

You should ensure emailed details remain accurate—we cannot telepathically update stale phone numbers drifting post-form.

Embedded storefront badges link out to third-party sites; their privacy practices are not duplicated exhaustively here, and you click through intentionally.

Changes to this policy

We edit this Privacy Policy intermittently; the “Last updated” date appears above. Meaningful substantive changes in processing trigger re-review; minor clarifications are patched silently. Continuing after posting implies awareness; if dissatisfied, rethink any continued outreach, especially where it is high-sensitivity.

Questions

Privacy questions or regulatory correspondence:
hrdnoxlabs@gmail.com

Separate legal relationship terms reside in our Terms of Service.