Privacy Policy

Last updated: April 23, 2026

Worknight Studio ("we", "us") operates this website and the Project Remnant pre-release project. This policy explains what personal data we collect, why, and the rights you have over it. It is written for a small hobbyist project with no revenue, and reflects that posture. It will be revised (and reviewed by legal counsel) before any paid release.

1. Who we are

The data controller for this website is Worknight Studio, [ADDRESS — TBD]. Contact: [EMAIL — TBD].

2. What we collect

We collect the minimum data needed to run the site and the newsletter.

2.1 Newsletter subscribers

• Email address you enter into the newsletter form.
• Subscription status (confirmed or not, opted-out or not) and the timestamps of those changes.
• The IP address of the signup request — used to rate-limit abuse (we reject more than a few signups from the same IP in a 24-hour window). IP is not stored long-term.

We use double opt-in: after submitting your email, you receive a confirmation email and your address is not added to our list until you click the confirmation link. Unconfirmed subscriptions are deleted after 30 days.

2.2 Website visitors

We do not use tracking cookies, advertising pixels, or third-party analytics that identify individual users. If we add analytics later, it will be a privacy-respecting, cookieless option (such as Cloudflare Web Analytics) and this policy will be updated.

Our hosting provider (Vercel) automatically records standard server logs including IP address, user agent, and request URL. These logs are kept for a short rolling window for operational and security purposes.

3. Why we collect it

Newsletter: to send you updates about Project Remnant that you opted in to receive. The lawful basis under GDPR is your consent (Article 6(1)(a)), given via double opt-in. You can withdraw this consent at any time.

Rate limiting: to prevent abuse of the signup form. The lawful basis is our legitimate interest in protecting the service (Article 6(1)(f)).

4. Sub-processors

We rely on the following third-party services to operate the site and newsletter. Each has its own privacy policy:

• Vercel Inc. — website hosting + serverless functions. Privacy policy.
• Supabase Inc. — database storing subscriber records. Privacy policy.
• Resend (Resend Inc.) — email delivery for newsletter confirmations and broadcasts. Privacy policy.
• Cloudflare, Inc. — DNS and bot protection (Turnstile). Privacy policy.

5. How long we keep your data

• Newsletter subscription: kept while you are subscribed. If you unsubscribe, we keep a minimal record (your email, the fact that you unsubscribed, and the date) so we don't accidentally re-add you. That minimal record is deleted 24 months after the unsubscribe.
• Unconfirmed signups: deleted 30 days after the initial submission.
• Server logs: typical rolling window of 30 days (set by Vercel), after which they are rotated out.

6. Your rights

Under the GDPR (EU/UK), CCPA/CPRA (California), and similar privacy laws elsewhere, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Port your data to another service in a machine-readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time — by clicking unsubscribe in any email, or by emailing us directly.

To exercise any of these rights, email us at [EMAIL — TBD]. We aim to respond within 30 days.

If you are in the EU or UK, you also have the right to lodge a complaint with your local supervisory authority if you believe we have violated your rights.

7. We do not sell your data

We do not sell your personal data to anyone. We do not share it with advertisers or data brokers. The only parties with access to your data are the sub-processors listed in §4, each of which handles it under a data-processing agreement.

8. Cookies

At present, this website does not use tracking cookies. The only cookies set are strictly-necessary session cookies required for the site to function (for example, to keep you logged in if you become an authenticated user later).

9. Children

This site is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data to us, please contact us and we will delete it.

10. International transfers

Our sub-processors are US-based. If you are located in the EU, UK, or elsewhere, your data may be transferred to and processed in the United States. We rely on the Standard Contractual Clauses (where applicable) of each sub-processor to provide an adequate level of protection for these transfers.

11. Changes to this policy

We may update this policy as the project grows or as laws change. The "Last updated" date at the top of this page reflects the latest revision. For material changes, we will notify current newsletter subscribers by email.

12. Contact

Questions about this policy or about how we handle your data: [EMAIL — TBD].