Privacy
policy.

No analytics, no advertising trackers, no third-party tag managers, no fingerprinting.

The site is hosted on Vercel, which records standard server-access logs (timestamp, requested URL, response status, client IP address, and user-agent string) for the purpose of operating, securing, and debugging the platform. Those logs are governed by Vercel's privacy policy.

When you submit the contact form, you choose to send us: your name, your email address, an optional company name, an optional service interest, and your message. The form also includes a hidden honeypot field (website) used only to filter automated spam — if your browser fills it, the submission is dropped.

Alongside that submission we record your IP address and browser user-agent. These two fields are used for rate-limiting and abuse prevention, and they are stored on the submission row so we can investigate if abuse is reported later. We do not use them for marketing, profiling, or sharing with third parties.

Submissions are stored in a Supabase (PostgreSQL) database that we operate, and a notification copy is emailed to us through Resend so we can read and reply.

Supabase and Resend act as data processors on our behalf and have their own privacy commitments. We don't sell or share submissions with anyone else.

We rely on the following service providers ("sub-processors") to operate grdflow.ca. Each handles data only on our instructions and under their own published privacy commitments.

• Vercel — hosting and edge delivery. Processes request metadata (IP, URL, status). Primarily United States.
• Supabase — database for contact submissions. Project hosted in a US region.
• Resend — transactional email for submission notifications. United States.
• Google Fonts — typeface delivery on public pages (not used on the WVE page, which self-hosts its font). United States.

Because these processors are located outside Canada, your personal data may be transferred to, and processed in, the United States. Where the processor is GDPR-relevant, it relies on standard contractual clauses or equivalent safeguards published in its own data-processing agreement.

If you are in the EU/UK and the GDPR applies to you, our legal bases are:

• Consent — for the personal information you choose to send through the contact form.
• Legitimate interests — for the IP address and user-agent we record for rate-limiting and abuse prevention, and for the server logs maintained by our hosting provider.

We do not use your data for advertising, profiling, or any form of automated decision-making.

Two harmless preferences live in your browser's localStorage:

• Theme — light or dark, so the site doesn't flicker on next visit.
• Palette — your chosen colour scheme (e.g., brick or charcoal).

Neither contains personal data, neither is read by us on the server, and clearing your browser storage removes them.

grdflow.ca sets no first-party cookies on the public site. The admin area (used only by Grdflow staff) uses authentication cookies provided by Supabase; those are not present on any public page.

The site loads typefaces from Google Fonts. Google sees the IP address and user-agent of the request, governed by Google's privacy policy. Everything else (icons, images, scripts) is served from grdflow.ca itself.

The interactive WVE page runs entirely in your browser. It draws a Three.js wave field that responds to your cursor and keystrokes. Nothing you do on that page is recorded or transmitted — there is no analytics call, no event log, no server round-trip.

Contact submissions, together with the IP address and user-agent recorded with them, are retained for up to 24 months after our last meaningful exchange with you, and then deleted on our next quarterly clean-up. If a submission relates to an open project or a legal/regulatory matter, we may keep it longer for the duration of that matter.

You can ask us to delete your records sooner at any time by emailing grdflow.admin@gmail.com.

Depending on where you live, you have the right to:

• Access the personal data we hold about you;
• Rectify data that is inaccurate or incomplete;
• Erase ("right to be forgotten") data we no longer need;
• Restrict or object to certain kinds of processing;
• Receive your data in a portable machine-readable form;
• Withdraw consent at any time (this does not affect processing already carried out);
• Not be subject to solely automated decision-making (we do not do this).

To exercise any of these rights, email grdflow.admin@gmail.com. We will respond within a reasonable time (within 30 days where the GDPR or similar law applies).

You also have the right to complain to a supervisory authority — for example, the Office of the Privacy Commissioner of Canada under PIPEDA, your local EU/UK data-protection authority under GDPR, or the California Privacy Protection Agency under the CPRA.

grdflow.ca is not directed at children. We do not knowingly solicit or collect personal information from anyone under the age of 13. For users in the EU/UK, the GDPR sets the default age of digital consent at 16 (lower in member states that have legislated down to 13); we apply the higher local threshold where it applies.

The site enforces HTTPS, sets a strict Content Security Policy, and disables iframe embedding via X-Frame-Options. Contact submissions are protected by origin checks, length caps, rate limiting, and a honeypot field. No defence is perfect — if you spot a security issue, please email grdflow.admin@gmail.com.

If we ever experience a security breach that poses a real risk of significant harm to you (PIPEDA s.10.1) — or, where the GDPR applies, any breach likely to result in a risk to your rights and freedoms — we will notify affected individuals and the relevant supervisory authority within the timeframes required by the applicable law (within 72 hours where the GDPR applies).

If this policy changes in a way that affects what we do with your data, we will update the "Last updated" date at the top of this page.

Data controller: Grdflow — a sole-proprietor studio operated by Jayden Tse, based in Canada.

Privacy contact: Jayden Tse · grdflow.admin@gmail.com

General contact: grdflow.ca/contact