Graffitecs/Legal/Privacy
Privacy Policy · v3.1 · Effective 1 April 2026

Privacy
written like a human
wrote it.

Below is the long version. The short version: we collect the bare minimum, never sell anything, host in the EU and UAE, and you can ask us to delete your data at any time and we will, within 30 days.

01 · Plain summary

If you'd rather not read 1,800 words of legal prose, here it is in five lines:

  • We collect your name, email, and what you tell us — that's almost all of it.
  • We store it on Hetzner servers in Germany and on AWS me-central-1 in the UAE.
  • We never sell your data, full stop.
  • We share with a small list of processors (listed in §5) under written contracts.
  • You can ask us to delete everything at any time; we'll confirm within 30 days.

02 · Who we are

"Graffitecs", "we", "us" refers to Graffitecs Studio FZ-LLC, a free-zone limited liability company registered with the Dubai Multi Commodities Centre.

Where this policy refers to processing personal data of EEA, UK, or Swiss residents, our representative under Article 27 GDPR is EU Privacy Reps GmbH, Friedrichstraße 95, 10117 Berlin, Germany.

03 · What we collect

3.1 · When you visit our website

We use first-party analytics (Plausible, self-hosted) and collect only: page URL, referrer, country (from IP, then the IP is discarded), browser, and device type. We do not use cross-site tracking and do not set advertising cookies.

3.2 · When you contact us

We collect anything you put into our contact form or send by email — typically name, email, company, and the project description. We keep these conversations in a workspace on Linear and our email provider (Fastmail, Iceland).

3.3 · When you become a client

We collect billing information (company name, VAT number, billing address) as required for invoicing under UAE VAT Law and the laws of the country where you are tax-resident.

3.4 · When you apply for a job

CV, links you provide, take-home submission, and notes from interviews. Only the people directly involved in your hiring read this. If you don't get hired, we delete it after 12 months unless you ask us to keep it.

04 · Why we collect it (lawful basis)

  • To do what you've asked us to do (Art. 6(1)(b) GDPR — performance of contract): replying to your enquiry, doing the work, sending you invoices.
  • Because we have to (Art. 6(1)(c) — legal obligation): tax records, KYC where applicable.
  • Because it's reasonable for both of us (Art. 6(1)(f) — legitimate interest): server logs to keep things running, analytics in aggregate. You can object — see §8.
  • Because you said yes (Art. 6(1)(a) — consent): the newsletter. You can unsubscribe in one click.

05 · Who we share with

We use a deliberately small list of sub-processors. They are listed below; we'll update this page within 30 days of any change.

  • Hetzner Online GmbH (Germany) — primary hosting, EU data.
  • Amazon Web Services, Inc. (me-central-1, UAE) — backups, regional clients.
  • Fastmail Pty Ltd (Australia / Iceland) — email.
  • Linear Orbit Inc. (United States) — issue tracking, project management.
  • Plausible Insights OÜ (Estonia, self-hosted) — website analytics.
  • Stripe Payments Europe Ltd (Ireland) — invoicing, only when you pay by card.

We do not sell, rent, or barter personal data. We have not done so. We will not.

06 · Cookies

This website sets one cookie: gf_consent, used only to remember your cookie preference. We do not load Google Analytics, Facebook Pixel, or any cross-site tracker.

07 · How long we keep things

  • Analytics: 12 months in aggregate, no personal IDs.
  • Contact-form submissions: 24 months unless you ask us to delete sooner.
  • Active client records: duration of engagement + 7 years (UAE VAT requirement).
  • Job applications: 12 months after last contact.
  • Newsletter: until you unsubscribe.

08 · Your rights

Wherever you are, you can ask us — in writing, no special form needed — to:

  • Tell you what we have on you (access).
  • Correct anything that's wrong.
  • Delete it ("right to be forgotten"). Where law obliges us to keep it, we'll explain why.
  • Send it to another provider in a portable format (machine-readable JSON or CSV).
  • Stop processing while we work out a disagreement (restriction).
  • Object to processing based on our legitimate interests.
  • Withdraw your consent at any time, where consent was the basis.

We confirm receipt within 5 working days and complete the request within 30 days, free of charge. If we ever need longer (rare), we'll explain why.

09 · Contact & complaints

For anything in this policy, email [email protected] or write to the registered address in §2. Our internal data protection lead is Asma Pillai.

If you're unhappy with our response, you can complain to the supervisory authority where you live. EU residents: your national data protection authority. UK: the ICO (ico.org.uk). UAE: the UAE Data Office.

Last updated: 1 April 2026 · v3.1 · Previous versions available on request.