Legal

Privacy policy

Last updated · June 1, 2026 · Effective immediately · Version 3.0

1. Short version

We collect almost nothing. We don't use third-party analytics, advertising trackers, or session-replay tools. We don't sell, rent, or share personal data with anyone — for any reason. The only data we hold is what you give us directly (e.g. a contact form submission or an email thread), and we keep it only as long as we need to do the work you hired us for.

Concretely, this means:

  • We never share your data with advertisers, data brokers, or marketing platforms.
  • We never use your data to train AI models — including our own.
  • We never collect more data than we need for the specific purpose you contacted us about.
  • We delete data on a strict schedule, even if you forget to ask.
  • We don't fingerprint your browser or device, ever.

The rest of this document spells out the details in plain language. If anything below is unclear, please email us at support@gzyuans.com with the subject "Privacy question".

2. Who we are

The data controller for this website and our services is:

gzyuans, Lda.
Rua das Flores 42, 1200-194 Lisbon, Portugal
VAT PT515678901
Email: support@gzyuans.com

For data-protection questions specifically, you can also reach our Data Protection Officer (DPO) at the same address, with the subject line prefixed "DPO — ".

If you are in the European Economic Area, the United Kingdom, or Switzerland, gzyuans, Lda. is the controller responsible for your personal data. If you are in California, we are the "business" under the CCPA/CPRA. If you are in Brazil, we are the "controlador" under the LGPD.

3. Scope of this policy

This policy applies to:

  • Your use of gzyuans.com and any subdomains (the "Site")
  • Your communications with us by email, phone, video call, or any other channel
  • Your participation in our events, surveys, or research
  • Any professional services we provide to you under a Statement of Work

It does not apply to third-party sites we link to. Those sites have their own policies, which we encourage you to read.

4. What we collect

The data we collect falls into four categories. We've tried to be exhaustive — if something is missing, that's because we don't collect it.

4.1 Data you give us

  • Information you submit through the contact form (name, email, company, message, optional budget and topic)
  • Information you send us by email or messaging apps
  • Information you share during a project kickoff, design review, research interview, or sales call (notes, recordings only with consent)
  • Billing information (handled by our payment processor — we never see your card number)
  • Files, code, designs, and other content you provide as part of an engagement

4.2 Data we collect automatically (minimal)

  • Server logs — IP address, user agent, requested URL, response code, referrer, and timestamp. Kept for 30 days, then deleted automatically. Used only for security, abuse prevention, and debugging.
  • Aggregated, cookie-less analytics — We use Plausible Analytics in cookieless mode, which counts page views without storing any personal identifiers. No cross-site tracking, no fingerprinting.
  • First-party preference storage — A small localStorage entry remembers UI state (e.g. "newsletter prompt dismissed") to avoid showing it again. You can clear this at any time.

4.3 Data we collect from third parties

Almost none. Specifically:

  • If you book a call, the scheduling tool you use (typically Cal.com) shares your name, email, and the time slot with us
  • If you sign in to a gated resource (e.g. a private beta), the authentication provider shares your verified email
  • We do not enrich your profile with data from social networks, public databases, or any other source

4.4 Data we do not collect

This is the list we are most often asked about. We do not use, and we do not allow on our Site, any of the following:

  • No third-party analytics (Google Analytics, Mixpanel, Amplitude, Heap, Segment, PostHog cloud, etc.)
  • No advertising or marketing trackers (Meta Pixel, LinkedIn Insight, TikTok Pixel, X Pixel, etc.)
  • No session replay or heatmap tools (Hotjar, FullStory, LogRocket, Microsoft Clarity, etc.)
  • No A/B-testing tools that track users (Optimizely, VWO, etc.)
  • No social-media embed scripts that fingerprint visitors
  • No browser or device fingerprinting, ever
  • No cross-site tracking, ever
  • No retargeting, ever
  • No "growth hacking" tools of any kind
  • No third-party fonts loaded from external servers that could log your IP
  • No third-party CAPTCHA services that sell data

5. How we collect it

  • Directly from you, when you fill in a form, send us an email, or talk to us on a call
  • Automatically, through the server logs and aggregated analytics described above
  • Through the authentication provider when you sign in to a gated resource

We do not use cookies for tracking. We do not use pixel tags. We do not use web beacons from third parties.

6. Why we collect it

Every piece of data we collect has a specific purpose. If we cannot articulate the purpose, we don't collect it.

  • Contact form submissions — to respond to your inquiry and, if relevant, prepare a proposal
  • Project data — to deliver the services you hired us to provide
  • Server logs — to keep the Site secure, prevent abuse, and debug issues
  • Aggregated analytics — to understand which pages are useful and which aren't, so we can improve them
  • Email correspondence — to communicate with you about an existing or potential engagement
  • Billing data — to issue invoices and meet our tax obligations

If you are in the EEA, UK, or Switzerland, we process your personal data on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)) — when you hire us for a project, we process the data needed to deliver it
  • Pre-contractual steps (Art. 6(1)(b)) — when you ask us to prepare a proposal or quote
  • Legitimate interests (Art. 6(1)(f)) — for basic server logs, security, fraud prevention, and aggregated analytics. We have balanced these interests against your rights and freedoms and concluded they do not override them
  • Legal obligation (Art. 6(1)(c)) — for tax, accounting, and other statutory record-keeping
  • Consent (Art. 6(1)(a)) — for anything optional, such as newsletter subscriptions or call recording. You can withdraw consent at any time, without affecting the lawfulness of prior processing

If we ever process your data on a basis you don't recognise, we will explain it to you in writing before processing begins.

8. How long we keep it

We keep data only as long as we need it. After that, we delete or fully anonymise it.

  • Contact form submissions: 24 months from your last interaction with us, after which we delete or fully anonymise them. We do this even if you don't ask.
  • Newsletter subscriptions: until you unsubscribe. One-click unsubscribe is in every email.
  • Project data and correspondence: duration of the engagement + 7 years (for tax, accounting, and contractual record-keeping obligations under Portuguese law). After 7 years, we delete or fully anonymise.
  • Server logs: 30 days, then automatically deleted.
  • Aggregated analytics: indefinitely, but with no personal identifiers. These are statistics, not data about you.
  • Billing records: 10 years, as required by Portuguese tax law (Código do IRS / Código do IRC).
  • Backups: 30 days, then overwritten. Backups are encrypted and stored in a separate region.
  • Recruitment data (if you apply to work with us): 6 months from the end of the recruitment process, unless you ask us to keep it longer.

If you ask us to delete your data sooner, we will (subject to the legal retention obligations above).

9. Who we share it with

Almost no one. Specifically, we do not share your data with:

  • Advertisers or ad networks
  • Data brokers
  • Social media platforms
  • Marketing automation tools
  • AI training pipelines (yours or anyone else's)
  • Anyone else, unless you specifically ask us to

We do share your data with the limited set of sub-processors listed in section 10, and only to the extent necessary for them to provide their services to us. Each is bound by a written data-processing agreement that limits their use of your data to the specific purpose we instruct.

We may also disclose your data if required by law (e.g. a valid court order) or to protect our legal rights, but we will challenge overly broad requests and notify you where legally permitted.

10. Sub-processors

We use a small number of carefully vetted sub-processors. We notify you of changes at least 30 days in advance, and you may object to a new sub-processor on reasonable grounds.

  • Hosting (Site): Vercel, Inc. — Frankfurt, Germany region
  • Email: Fastmail Pty Ltd — Australia (we use their EU-data-residency option where available)
  • Payment processing: Stripe Payments Europe Ltd — Ireland
  • Scheduling (optional): Cal.com, Inc. — self-hosted or EU region
  • Analytics (cookieless, aggregated): Plausible Insights OÜ — Estonia, EU-hosted
  • Document signing (optional): DocuSign Ireland Operations Ltd — Ireland
  • Customer support tooling: A self-hosted instance of a help-desk tool, EU region
  • Accountants & legal counsel: As required, all under professional privilege and confidentiality

For a current, always-up-to-date list with links to each sub-processor's DPA, see gzyuans.com/sub-processors.

11. International data transfers

Some of our sub-processors are based outside the EEA. When we transfer your data internationally, we rely on one of the following safeguards:

  • Adequacy decisions — the European Commission has determined that the destination country provides an adequate level of data protection (e.g. the UK, Switzerland, Japan, New Zealand, Canada for commercial organisations)
  • Standard Contractual Clauses (SCCs) — the 2021 EU SCCs, with a transfer impact assessment where required, plus supplementary technical and organisational measures
  • Explicit consent — for occasional, specific transfers where none of the above apply

You can request a copy of the safeguards we rely on for a specific transfer by emailing support@gzyuans.com.

12. Cookies & tracking

This website does not set any marketing, advertising, or cross-site tracking cookies. The only browser storage we use is:

  • A first-party preference entry in localStorage (e.g. to remember that you've dismissed the newsletter prompt) — purely functional, no third parties, no expiry
  • Optional authentication cookies if you sign in to a gated resource — strictly necessary, set by the authentication provider, deleted when you sign out

You can clear all of this at any time from your browser settings. We do not honour "Do Not Track" signals separately because we don't track you in the first place.

For our EU visitors: under the ePrivacy Directive, the storage we use is either strictly necessary (exempt from consent) or set only with your explicit consent. We do not set non-essential storage without consent.

13. AI & machine learning

This section is important and explicit:

  • We never use your data to train AI models. Not our models, not anyone else's models, not "anonymised" derivatives of your data.
  • We never feed your data to public AI services (ChatGPT, Claude, Gemini, etc.) unless you have explicitly asked us to and confirmed in writing that the data is suitable for that use.
  • When we use AI-assisted tooling in our own work, we use self-hosted or enterprise-tier configurations where training on inputs is contractually disabled.
  • If we develop AI features for you as part of an engagement, the data handling is governed by the Statement of Work for that project — not by this section.

14. Your rights

Under the GDPR, the UK GDPR, the LGPD, the CCPA/CPRA, and equivalent laws, you have the right to:

  • Access the personal data we hold about you (Art. 15 GDPR)
  • Rectification of inaccurate or incomplete data (Art. 16 GDPR)
  • Erasure ("right to be forgotten") (Art. 17 GDPR)
  • Restriction of processing in certain circumstances (Art. 18 GDPR)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20 GDPR)
  • Object to processing based on legitimate interests (Art. 21 GDPR)
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3) GDPR)
  • Lodge a complaint with your local data protection authority
  • Not be subject to a decision based solely on automated processing (Art. 22 GDPR) — we don't do this anyway

California residents additionally have the right to know what categories of personal information we collect, to delete it, to opt out of any "sale" (we don't sell), and to non-discrimination. Shine the Light requests can be sent to support@gzyuans.com.

Brazilian residents have the rights set out in Art. 18 of the LGPD, which broadly mirror the GDPR.

To exercise any of these rights, email support@gzyuans.com with the subject "Data request — [your name]". We respond within 30 days, usually much faster (typically within 5 business days). We may need to verify your identity before acting on a request, to prevent disclosure to the wrong person.

15. Children's privacy

Our Site and services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, please email support@gzyuans.com and we will delete it promptly.

16. How we protect it

We take security seriously. The data we hold is protected by a layered set of technical and organisational measures:

16.1 Technical measures

  • TLS 1.3 for all data in transit (with HSTS preloaded)
  • AES-256 encryption for all data at rest
  • Hardware security keys (FIDO2) for all production access — no passwords, no SMS 2FA, no push prompts
  • Single Sign-On with mandatory MFA for all internal tools
  • Principle of least privilege — team members only get access to the data they need for their role
  • Encrypted, air-gapped backups retained for 30 days, stored in a separate geographic region
  • Dependency scanning on every commit, with automated alerts for known vulnerabilities
  • Quarterly third-party penetration tests of all production systems
  • Continuous monitoring with alerting on anomalous access patterns

16.2 Organisational measures

  • Background checks for all team members before they access production data
  • Annual security training for the entire team, including phishing simulations
  • Documented incident response plan with quarterly tabletop exercises
  • Vendor risk assessments before onboarding any new sub-processor
  • Data Processing Agreements with every sub-processor
  • Privacy by Design review for every new feature or system before it ships

17. Personal data breach notification

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible (Art. 33 GDPR)
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights (Art. 34 GDPR)
  • Document all breaches, including the facts, effects, and remedial actions taken (Art. 5(2) GDPR)

Our definition of "becoming aware" is conservative — once any team member is aware, the clock starts. We do not wait until the full scope is known before starting the notification process.

18. Changes to this policy

We may update this policy from time to time. When we do:

  • We will post the updated policy on this page with a new "Last updated" date and a version number
  • For material changes, we will display a banner on the Site for at least 30 days
  • For significant changes that affect your rights, we will email active clients and newsletter subscribers, and where required by law, request renewed consent
  • A changelog of material revisions is available on request

Your continued use of the Site after a change constitutes acceptance of the updated policy. If you do not accept the updated policy, please stop using the Site and contact us to delete your data.

19. Complaints & supervisory authority

If you believe we have not handled your personal data properly, we encourage you to contact us first at support@gzyuans.com so we can try to resolve the issue directly.

You also have the right to lodge a complaint with a data protection authority. Our lead supervisory authority is:

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º, 1200-651 Lisbon, Portugal
Phone: +351 21 392 84 00
Website: www.cnpd.pt

If you are in another EU country, you can lodge a complaint with your local data protection authority. We will cooperate fully with any investigation.

20. Contact us

For anything privacy-related, reach out to:

gzyuans, Lda. · Data Protection
Rua das Flores 42, 1200-194 Lisbon, Portugal
Email: support@gzyuans.com
Subject prefix: Privacy — (or DPO — for the Data Protection Officer)

We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 calendar days, in line with Art. 12(3) GDPR. If we need more time, we will tell you why and when you can expect a response.

Document versions: v1.0 published April 2022. v2.0 published September 2024 (added sub-processor list and breach notification). v3.0 published June 2026 (added AI section, California/Brazilian rights, expanded retention and security sections).
Languages: This policy is published in English. In case of conflict with a translated version, the English version prevails.