Legal
Privacy Policy
Last updated . Applies to redxtrm.com and any sub-domains.
1. Data controller
The data controller for redxtrm.com is Rasel Miah (sole operator, trading as redxtrm), based in Bangladesh. You can reach the controller at [email protected].
2. What we collect
- You give us: name, email, message and any project details you submit through the contact form, order wizard, or newsletter signup.
- Account data (optional): if you sign in, an email address, hashed password (handled by Supabase Auth), and optional profile fields.
- Order & chat data: the structured order you build through /order plus any messages you send to the order copilot.
- Technical data: IP address, user-agent, referrer, screen size, approximate region from IP, and pages viewed. Collected via server logs and (only with your consent) Google Analytics 4 through Google Tag Manager.
- Cookies: see the Cookie Policy for the full list.
3. Why we process it (lawful basis under GDPR Art. 6)
- Contract (Art. 6(1)(b)): to respond to a contact request, send a quote, and deliver agreed work.
- Legitimate interest (Art. 6(1)(f)): to keep the site secure (rate limiting, bot detection via Vercel BotID), debug errors, and prevent abuse.
- Consent (Art. 6(1)(a)): for analytics cookies, newsletter subscription, and any future marketing. You can withdraw consent any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): tax/invoice record-keeping if we transact.
4. Third-party processors
We use the following sub-processors. Each is bound by their own terms and operates as a data processor under our instructions:
| Processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, edge functions, BotID | Global edge |
| Supabase | Auth, database, storage | Tokyo (ap-northeast-1) |
| Sanity | Content management | EU / US |
| Resend | Transactional + newsletter email | US |
| Google Tag Manager + GA4 | Analytics (only with your consent) | Global |
| Cloudflare | DNS, security baseline | Global edge |
| Convex | Real-time data layer (selected features) | US |
| Model providers (OpenRouter, OpenAI, Anthropic, x-ai) | Powering the order copilot when you chat with it | US |
We do not sell personal data. We do not share data with advertisers.
5. International transfers
Several processors operate outside the EEA/UK. Where transfers occur, we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, plus each processor's own technical safeguards (encryption in transit and at rest).
6. Retention
- Contact form messages: 24 months after last correspondence, then deleted.
- Order wizard drafts: 12 months if you don't convert; indefinitely if tied to an active engagement.
- Newsletter subscriptions: until you unsubscribe.
- Account data: until you delete the account; backups expire within 30 days.
- Server & analytics logs: 14 months max.
- Invoices / tax records: 7 years (legal obligation).
7. Your rights
If GDPR or UK GDPR applies to you, you have the right to:
- access the personal data we hold about you,
- have inaccurate data rectified,
- have your data erased ("right to be forgotten"),
- restrict or object to processing,
- data portability (machine-readable export),
- withdraw consent at any time,
- lodge a complaint with your local supervisory authority (in the UK: the ICO; in the EU: your country's DPA).
Email [email protected] to exercise any of these. We respond within 30 days.
8. Security
All traffic is HTTPS-only with HSTS preload. Content Security Policy, X-Frame-Options, COOP and CORP headers are enforced. Database access uses Supabase row-level security. Secrets live in Vercel environment variables, never in the codebase. Bot and abuse detection runs on protected endpoints.
9. Children
This site is not directed at children under 16. We don't knowingly collect data from them. If you believe a child has given us data, email us and we'll delete it.
10. Changes to this policy
We may update this policy as the service evolves. The "Last updated" date at the top reflects the most recent change. Material changes (new processors, new processing purposes) will trigger a re-consent prompt.
11. Contact
For privacy questions, complaints, or data-rights requests, email [email protected].