Privacy Policy

Last updated: 25 April 2026

Who we are

Craftwebstudio is a web studio in Georgia (craftwebstudio.ge). We are the controller of your personal data under the GDPR and the Law of Georgia on Personal Data Protection.

What we collect

• Contact form: Name, email, phone, message — retained up to 24 months, then deleted or anonymized.
• Analytics: Page path, referrer, hashed user-agent, country (no raw IP). Retained up to 12 months.
• Cookies: Functional only (theme preference). No analytics cookies are set.

Who we share with

Sub-processors that act on our behalf:

• Vercel (hosting, EU region)
• Neon Postgres (database, EU)
• Upstash Redis (rate limiting, EU)
• Resend (transactional email, EU)
• Google (Gemini API for AI blog generation only — no user PII sent)
• Telegram (operator notifications only — no visitor PII shared)
• Meta/Facebook (only blog posts auto-published to our Page; no visitor data)

Your rights

Under GDPR Articles 15-22, you may access, correct, delete, port, or object to the processing of your data. Contact: info@craftbox.ge

Security

We use TLS for all data in transit, bcrypt for password hashing, JWT + TOTP for admin access, and a Content Security Policy at the browser level to mitigate XSS.

Complaints

Personal Data Protection Service of Georgia: pdp.gov.ge. EU residents may also lodge a complaint with their local DPA.