Privacy Policy

1. Data Controller

Name: Roee Bar Barkai
Email: linkedin.com/in/roee-bar
Website: https://roeebar.com

2. Data We Collect

• Analytics (Google Analytics 4): Page views, user flow, device information, browser type, IP address (anonymized via GA4 IP anonymization), geographic location (country/city level only)
• Contact Form Submissions: Name, email address, and message content (only if you voluntarily submit the form)
• Cookies: Google Analytics cookies (_ga, _gid, _gat) for analytics tracking
• Server Logs: HTTP request logs on Vercel (IP address, user agent, referer) for security and performance monitoring

3. Legal Basis for Processing

• Analytics (GDPR Article 6(1)(a)): User consent via cookie consent banner. Analytics cookies are only set after you accept the cookie banner.
• Contact Form Submissions (GDPR Article 6(1)(f)): Legitimate interest to respond to your inquiries and maintain communication.
• Server Logs (GDPR Article 6(1)(f)): Legitimate interest for security, fraud prevention, and performance optimization.

4. Data Retention Periods

• Google Analytics Data: 14 months (Google's default retention policy)
• Contact Form Submissions: 90 days after receipt, then permanently deleted
• Analytics Cookies: 2 years from first visit (GA4 default)
• Server Logs: 30 days (Vercel default), then automatically deleted
• Sentry Error Logs: 90 days for error events (PII pre-scrubbed)

5. Third-Party Data Processors & Subprocessors

6. Your GDPR Rights (Articles 15-22)

Under GDPR, you have the following rights:

• Right of Access (Article 15): Request a copy of all personal data we hold about you in a structured, commonly used, machine-readable format
• Right to Rectification (Article 16): Correct or update inaccurate or incomplete personal data
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal obligations
• Right to Restrict Processing (Article 18): Request that we limit how we use your data while a dispute is resolved
• Right to Data Portability (Article 20): Receive your data in a portable, machine-readable format (JSON, CSV)
• Right to Object (Article 21): Opt-out of analytics, marketing, or processing based on legitimate interest
• Right to Withdraw Consent (Article 7(3)): Withdraw consent for analytics at any time via cookie settings
• Right to Lodge a Complaint: File a complaint with your national data protection authority

7. Contact Form & Email Handling

When you submit the contact form on this website:

• Your name and email address are collected and stored in our email system
• A confirmation email is sent to you via Resend (email delivery service)
• Your message is stored for 90 days, then permanently deleted
• We use your email to respond to your inquiry only
• We will never sell, rent, or share your email with third parties
• You can request deletion of your contact form data at any time

8. Cookie Policy & Consent Management

9. External Links & Third-Party Websites

This website contains links to external websites (LinkedIn, GitHub, Twitter, etc.). We are not responsible for the privacy practices of external sites. Please review the privacy policies of any third-party websites before submitting personal data.

10. Security & Data Protection Measures

• HTTPS/TLS: All traffic encrypted in transit with TLS 1.3
• Content Security Policy (CSP): Strict CSP headers prevent XSS attacks
• HTTP Security Headers: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security configured
• Data Minimization: We collect only data necessary for stated purposes
• Subprocessor Audits: Our third-party processors are vetted for security and compliance

11. International Data Transfers (EU/UK Residents)

If you are located in the EU, UK, or other jurisdiction with data protection laws, be aware that your data may be transferred to and processed in the United States, where some of our service providers are located.

Legal Mechanisms for Safe Transfers:

• Standard Contractual Clauses (SCCs): Our data processors have SCCs in place to ensure adequate data protection for EU/UK to US transfers
• EU-US Data Transfer Framework (DTA): Google Analytics and Vercel are certified under the EU-US Data Transfer Framework
• Adequacy Decisions: We ensure transfers comply with GDPR Article 46

12. Children's Privacy

This website is not directed at individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction, e.g., 16 in the UK). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

13. Data Protection Impact & Legitimate Interest Assessment

We rely on legitimate interest (GDPR Article 6(1)(f)) for analytics and contact form processing. We have conducted a Legitimate Interest Assessment (LIA) to balance our interests against your privacy rights. The outcome: analytics provides valuable insights for website improvement, and contact form data is necessary for business communication.

14. Updates to This Privacy Policy

We may update this privacy policy from time to time as our practices evolve or to comply with legal requirements. We will notify you of any material changes by:

• Posting the new policy on this page
• Updating the "Last updated" date above
• For significant changes, emailing you at the address you provided

Your continued use of this website after changes have been posted constitutes your acceptance of the updated policy.

15. Data Protection Authority Contact Information

If you have concerns about our privacy practices or believe we have violated GDPR, you have the right to lodge a complaint with your national data protection authority:

• EU: Find your authority at EDPB members list
• UK: Information Commissioner's Office (ICO) — ico.org.uk
• USA: Federal Trade Commission (FTC) — ftc.gov