Legal

Privacy Policy

Last updated: July 2026

This policy explains how your personal data is collected, processed, and protected when you interact with this website. It is written to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

1. Data Controller

Francis Paul C. Flores (sole proprietor) is the data controller for personal data collected through this website. Contact: francispaulfloresai@gmail.com.

2. What Data We Collect — Notice at Collection (CCPA)

We collect only the minimum data necessary to respond to client inquiries and provide services: name, work email, company name, business bottleneck description, estimated manual hours per week, budget range, project timeline, and referral source. No special category data (health, race, political opinions, precise geolocation) is collected, and no data is sold.

Categories of personal information collected (CCPA 1798.110): Identifiers (name, email), professional/employment information (company, role), commercial information (service inquiries).

3. Lawful Basis for Processing (GDPR Art. 6)

  • Consent (Art. 6(1)(a)): You consent by submitting the intake form. You may withdraw consent at any time by emailing the data controller — withdrawal does not affect the lawfulness of processing before withdrawal.
  • Contract (Art. 6(1)(b)): Data processing is necessary to respond to your service inquiry and negotiate a potential engagement.
  • Legitimate Interest (Art. 6(1)(f)): We retain minimal contact data to follow up on your inquiry within a reasonable period. You may object to this processing at any time (see Section 9).

4. How Data Is Processed & Stored

Your data flows through the following processors:

  • Next.js Serverless Functions (Vercel): Temporarily processes form data in memory during submission. No data is persisted at the serverless layer.
  • Resend: Transmits email notifications (admin alert + client confirmation). Email logs are retained per Resend's standard retention policy (30 days).
  • Airtable: Stores submitted lead data in a private base. Data can be exported or deleted upon request (see Section 9).
  • n8n (Self-Hosted / Cloud): Optional automation webhook for lead enrichment and routing.
  • Google AI (Gemini API): Anonymized text classification only — no personally identifiable information (PII) is sent to Gemini. Classification occurs server-side in memory.

5. Cookies & Tracking

This website uses only strictly essential cookies required for site functionality (Next.js framework operation). No analytics cookies, advertising cookies, or third-party tracking scripts are loaded unless you explicitly accept via the cookie consent banner.

The Cal.com scheduling widget loads only after you submit the intake form and is restricted to https://cal.com. No user data is shared with Cal.com beyond the name, email, and company information you voluntarily provide in the form.

Essential cookies set by this site: Next.js session/navigation cookies only. No cookie identifiers are used for tracking, profiling, or advertising.

6. Data Retention

Lead data is retained in Airtable for the duration of client engagement plus 12 months for legitimate business follow-up. You may request earlier deletion at any time (see Section 9).

  • Airtable: Lead records — duration of engagement + 12 months
  • Resend: Email logs — 30 days (automatic expiry per Resend policy)
  • Vercel: Serverless function logs — ephemeral (no persistent storage)
  • Cal.com: Booking data — per Cal.com's own retention policy (independent controller for booking data)

7. Data Sharing & International Transfers

We do not sell personal data. Data is processed by the following sub-processors, all of which participate in the EU-US Data Privacy Framework (DPF) or provide equivalent safeguards:

  • Vercel Inc. (US) — DPF certified. Hosting provider.
  • Airtable Inc. (US) — DPF certified. Lead database.
  • Resend Inc. (US) — DPF certified. Email delivery.
  • Cal.com Inc. (US) — DPF certified. Scheduling widget.
  • Google LLC (US) — DPF certified. Gemini API for classification.

8. Automated Decision-Making (GDPR Art. 22)

This website does not subject you to decisions based solely on automated processing that produce legal effects. The process classification demo on /demos/classification uses a simple keyword-matching algorithm on text you voluntarily provide — it does not use your personal data and does not produce legal or similarly significant effects.

9. Your Rights (GDPR Art. 7, 15–22 / CCPA 1798.100–125)

You have the following rights regarding your personal data:

  • Access (SAR): Request a copy of all personal data stored about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure (Right to be Forgotten): Request permanent deletion of your data.
  • Restriction: Limit how we process your data.
  • Portability (CCPA): Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent (GDPR Art. 7(3)): Withdraw your consent at any time — this does not affect processing carried out before withdrawal.
  • Non-Discrimination (CCPA 1798.125): We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, email francispaulfloresai@gmail.com. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). No fee is charged for reasonable requests.

Right to Lodge a Complaint (GDPR Art. 77): If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In the UK: Information Commissioner's Office (ICO). In the EU: your member state's data protection authority.

10. Data Security

All API keys are server-side only and never exposed to the client bundle. Form submissions use HTTPS/TLS encryption. Airtable base access is restricted to the owner. No credit card or financial payment data is collected or stored on this website — all billing is handled through separate invoicing.

11. Changes to This Policy

This policy may be updated periodically. The 'Last updated' date at the top of this page reflects the most recent revision. Material changes will be communicated via email to active contacts.

Questions or SAR requests: francispaulfloresai@gmail.com

This website does not handle financial transactions. All project billing and payments are processed through separate invoicing outside of this site.