Privacy Policy

What we collect, and why

Information you give us

When you fill out a contact form, book a call, request a proposal, or email us directly, we collect what you provide: name, email, phone (if given), company, a description of the project, and any attachments. We also keep the correspondence itself.

Information from engagements

If we sign a contract, we collect billing details (handled via Stripe, see below), deliverables you share with us (credentials, content, access to systems), and records of work performed. We keep this to deliver the service and for normal business recordkeeping.

Information collected automatically

When you visit the site we collect standard log data: IP address, user agent, referrer, pages visited, and timestamps. Analytics cookies (Google Analytics 4 and Vercel Analytics) fire only after you accept them in the consent banner. See the Cookie Policy for the full list.

Email newsletter (optional, when offered)

If we offer a newsletter and you subscribe, we collect your email address for the purpose of sending it. You can unsubscribe at any time using the link in any message.

How we use it

We use what we collect to:

• Reply to you and scope proposals.
• Deliver services we've agreed to, and invoice you for them.
• Operate and secure the site (rate limiting, spam prevention, audit logs).
• Understand how the site is used (only with your consent for non-essential analytics).
• Meet tax, accounting, and other legal obligations.

Our lawful bases under GDPR are: performance of a contract (delivering services), legitimate interests (running and securing the site, replying to inquiries), consent (optional cookies, newsletter), and legal obligation (tax records).

Who we share it with

We don't sell personal information. We don't share it for cross-context behavioral advertising. We do use a small set of processors to run the business:

• Vercel (hosting and Vercel Analytics).
• Google (Workspace for email, Google Analytics 4 for site analytics).
• Stripe (payment processing for PageVital subscriptions and Website Rescue one-off charges). Card details go directly to Stripe. We don't see or store them.
• Email delivery providers (transactional email for receipts, password resets, and contact-form acknowledgments).
• Accounting and tax tools (QuickBooks, our accountant), for invoicing and tax filings.

We share information with these providers only as needed for them to do their job. Each has its own privacy practices and contractual obligations to us.

We may also disclose information if required by law (subpoena, court order) or to protect our rights, property, or safety, or those of our users or the public.

Cookies

We use a small set of cookies. Necessary cookies run by default. Analytics cookies fire only after you accept in the banner. For the full list and how to change your choice, see our Cookie Policy.

Your rights

California (CCPA/CPRA)

If you're a California resident, you can:

• Know what personal information we've collected about you.
• Request a copy of that information.
• Ask us to delete it.
• Ask us to correct inaccurate information.
• Opt out of "sale" or "sharing" of personal information. We don't sell or share, so there's nothing to opt out of, but you can confirm that in writing if you'd like.
• Limit use of sensitive personal information. We don't collect any.
• Not be discriminated against for exercising these rights. Using them won't change the service or the price.

More on CCPA rights: oag.ca.gov/privacy/ccpa.

EU / UK (GDPR)

If you're in the EU or UK, you can:

• Access a copy of your data.
• Correct data that's wrong.
• Ask us to delete it ("right to be forgotten").
• Restrict or object to certain processing.
• Receive your data in a portable, machine-readable format.
• Withdraw consent at any time (for anything based on consent).
• Lodge a complaint with your national data protection authority if you think we've mishandled your information.

To exercise any of these, email privacy@modernlabyrinth.com. We'll respond within 30 days (45 for complex requests, with notice). We may need to verify your identity before handing over information.

Data retention

We keep information only as long as we need it:

• Contact form submissions: up to 3 years, then deleted.
• Client records (contracts, deliverables, invoices): duration of the engagement plus 7 years for tax and accounting.
• Newsletter subscriptions: until you unsubscribe.
• Analytics data: up to 26 months (GA4 default).
• Server and security logs: 90 days.

When we no longer need information, we delete or anonymize it.

Data security

We use encryption in transit (HTTPS / TLS), access controls, and audit logs. Card data is handled directly by Stripe and never touches our servers. No system is perfectly secure, and we can't guarantee absolute security, but we take reasonable steps to protect what we hold.

HIPAA and Business Associate status

Modern Labyrinth acts as a Business Associate under HIPAA for certain healthcare clients. When we handle Protected Health Information (PHI) on behalf of a covered entity, that PHI is governed by the Business Associate Agreement between us and the covered entity, not by this Privacy Policy.

If you're a patient or end user and have questions about how your PHI is handled, contact the healthcare provider you interacted with. They are the covered entity. We can't respond to PHI-related access, amendment, or accounting-of-disclosures requests directly. Those go to the covered entity.

Children

Our services aren't directed to anyone under 16, and we don't knowingly collect information from children. If you think a child has given us information, email us and we'll delete it.

International transfers

We're based in the US, and our processors are mostly US-based. If you're visiting from outside the US, your information will be transferred to and stored in the US. For EU/UK transfers, we rely on Standard Contractual Clauses or equivalent safeguards offered by each processor.

Changes to this policy

We'll update this policy as needed. The "Last updated" date at the top tells you when. For material changes we'll post a notice on the site or email you if we have your address.

Contact

Questions about this policy or your data: