How we handle your data.
Plain English. EU-only data hosting. No third-party tracking beyond what's listed below. If you'd rather not be tracked, the cookie banner has a Decline button on every marketing page — your visit is still welcome.
Effective 18 May 2026 · v1.0
What we collect
- Analytics events via PostHog (EU): page views, button clicks, and a handful of custom events for the proposal experience (chapter viewed, scope picked, signature submitted). No content of any proposal, comment, or annotation is sent to PostHog.
- Session replay on the atelier proposal pages only. Replays mask the proposal body text, your signature, and any comments — we see how you moved through the document, not what it said.
- Activity log on our own database: who opened the proposal, which chapters they dwelt on, when they signed. Used to drive the studio team's view of an engagement.
- Email + magic-link tokens when you sign in. Tokens expire in 15 minutes.
- Signed PDF + signature image when you sign a proposal. Stored on our database for audit + integrity verification.
Why
Analytics tells us which chapters land and which don't, so the next proposal reads better. Activity log proves to ourselves and to you that the engagement is real and the signature is intact. Email is how we send the link to your inbox.
Where it lives
All data is stored in the EU: Supabase (Frankfurt), PostHog Cloud EU, Fly.io (Amsterdam). Nothing crosses into the US or any other jurisdiction. Email infrastructure is Google Workspace (also EU-resident for our account).
How long
Active engagement data stays until the engagement is archived. Archived engagements are retained for 7 years for tax + legal compliance, then purged. Session replays auto-expire after 30 days. You can ask us to delete sooner at any time (see Your rights, below).
Your rights (GDPR)
If you're in the EU/UK, you have the right to:
- Access — ask for a copy of everything we hold about you.
- Rectification — ask us to correct anything wrong.
- Erasure — ask us to delete it all.
- Portability — ask for a machine-readable export.
- Restriction / objection — ask us to stop processing.
Email privacy@studio-8.dev from the address you want to exercise these rights for. We respond within the 30-day window required by GDPR Article 12.
Cookies
On the marketing site (this page, the landing page, services pages) we set one PostHog cookie if you accept the banner. Declining leaves no cookies set beyond a small flag remembering your choice. The atelier proposal pages are gated by a magic-link sign-in, so signing in counts as consent to the session replay described above — this is documented in the engagement letter alongside your proposal.
Sub-processors
- Supabase — database hosting (EU)
- PostHog — analytics (EU Cloud)
- Fly.io — application hosting (EU)
- Google Workspace — email infrastructure
Contact
privacy@studio-8.dev — questions, requests, complaints. We read every email and reply within a working week.