Privacy Policy

Last updated: 25 April 2026

Who we are

Craftwebstudio is a web studio in Georgia (craftwebstudio.ge). We are the controller of your personal data under the GDPR and the Law of Georgia on Personal Data Protection.

What we collect

• Contact form: Name, email, phone, message — retained up to 24 months, then deleted or anonymized.
• Analytics: Page path, referrer, hashed user-agent, country (no raw IP). Retained up to 12 months.
• Cookies: Strictly necessary cookies always on (theme, consent storage). Analytics cookies (Google Analytics, Vercel Analytics) only after you opt in. Change anytime via "Cookie settings" in the footer.

Who we share with

Sub-processors that act on our behalf:

• Vercel (hosting, EU region)
• Neon Postgres (database, EU)
• Upstash Redis (rate limiting, EU)
• Resend (transactional email, EU)
• Google (Gemini API for AI blog generation only — no user PII sent)
• Telegram (operator notifications only — no visitor PII shared)
• Meta/Facebook (only blog posts auto-published to our Page; no visitor data)

Your rights

Under GDPR Articles 15-22, you may access, correct, delete, port, or object to the processing of your data. Contact: info@craftbox.ge

Security

We use TLS for all data in transit, bcrypt for password hashing, JWT + TOTP for admin access, and a Content Security Policy at the browser level to mitigate XSS.

Complaints

Personal Data Protection Service of Georgia: pdp.gov.ge. EU residents may also lodge a complaint with their local DPA.