Privacy Policy

Effective date: 5 June 2026
Last updated: 5 June 2026

1. Summary

Web-Gate Studio is a small independent web studio operated by an individual private person in Ukraine. We do not use analytics or advertising trackers, we do not sell or share personal data with marketers, and we do not ask you to register an account. The only personal information we handle is what you choose to send us through the contact form, plus the technical information your browser unavoidably sends to our server with each request, plus a small number of strictly necessary cookies that keep the site working.

2. Who we are (data controller)

This site is operated by Web-Gate Studio / Студия Web-Gate (an individual private person, Ukraine), acting as the controller of personal data within the meaning of the Ukrainian Law on the Protection of Personal Data and, where applicable to visitors from the European Economic Area, the General Data Protection Regulation (EU) 2016/679 ("GDPR").

For any question about this policy, or to exercise any of the rights described below, write to: [email protected].

3. Information we collect

3.1. Information you give us through the contact form

The Site offers a contact form on the contacts page. When you choose to use it, you provide:

  • your name (free text, minimum two characters);
  • your email address;
  • your message (free text).

The form does not collect your phone number, address, age, or any other identifier beyond what you choose to write into the message field.

The submission is sent to us by email and is not stored in any database. We use it to read your enquiry and reply. If you do not want to use the contact form, you can write to [email protected] directly — it is exactly the same address that receives the form submissions.

3.2. Information collected automatically

Like every website, our server receives technical information with each request, including:

  • your IP address;
  • the User-Agent string your browser sends (browser name, version, operating system);
  • the URL you requested and the URL you came from (Referer header), if your browser sends one;
  • the date and time of the request.

This information is recorded in standard server access logs and is used to operate the site, diagnose errors and detect abusive activity. We do not link this technical information to an identified individual unless we have to (for example, in order to investigate a security incident together with the hosting provider or with law enforcement on the basis of a lawful request).

3.3. Honeypot for automated abuse

The site contains a single hidden, robots-disallowed link to /recent-updates. Real visitors never see or follow it. Automated scrapers and bots that ignore the disallow directive and follow the link are flagged and their IP address is added to a temporary block list (1 hour to 7 days, escalating with repeat offences). This is the only "behavioural" data we record, and it is recorded only when triggered.

3.4. Cookies

We use a very small number of strictly necessary cookies:

  • Session cookie (laravel_session or similar) — keeps your session state during a single visit; expires when you close the browser or after a short inactivity period;
  • CSRF token cookie (XSRF-TOKEN) — a security cookie that protects the contact form against cross-site request forgery;
  • Cookie-consent acknowledgement — set when you click OK on the cookie banner, so we don't show it on every page. Stored for one year.

We do not use any analytics cookies (no Google Analytics, no Yandex Metrica, no Matomo, no Plausible, etc.), no advertising cookies, no social network plugins, no third-party tag managers, and no website fingerprinting. Our cookie banner explains the same in plain language.

4. How we use this information

  • To deliver the requested pages (essential cookies and the application session);
  • To receive and reply to enquiries submitted through the contact form or sent directly by email;
  • To keep the site secure and resilient against abusive automated traffic (server logs and the honeypot);
  • To investigate and fix bugs and outages (server logs).

5. Legal basis for processing (GDPR Art. 6)

  • Contact form / direct email: steps taken at your request prior to entering into a possible engagement (Art. 6(1)(b) GDPR) and our legitimate interest in answering the people who write to us (Art. 6(1)(f));
  • Strictly necessary cookies and server logs: our legitimate interest in operating and securing the website (Art. 6(1)(f));
  • Cookie-consent acknowledgement: your consent, expressed by clicking OK on the banner (Art. 6(1)(a)).

6. Who else processes this information (service providers)

Because the website runs on infrastructure operated by other companies, your IP address and request metadata necessarily pass through them, and your contact-form submission necessarily passes through an email transport. We use:

  • OVH SAS (Roubaix, France, EU) — server hosting. Server logs are processed on OVH infrastructure inside the EU.
  • Cloudflare, Inc. (San Francisco, USA, with EU points of presence) — content delivery network and security layer. Cloudflare terminates the TLS connection between your browser and our origin and may process your IP address and request metadata to deliver and protect the service. The transfer to Cloudflare's US infrastructure is covered by Standard Contractual Clauses included in Cloudflare's Data Processing Addendum.
  • Email transport. Contact-form submissions are delivered to the operator's mailbox using a standard SMTP provider. The operator's mailbox is the only place your submission is stored after delivery; you may ask the operator to delete it at any time.

We do not share personal data with any other third party. We do not sell personal data. We do not use any advertising network.

7. International data transfers

Because Cloudflare's network is global, your IP address and request metadata may transit servers located outside the European Economic Area, including in the United States. This transfer is covered by the Standard Contractual Clauses incorporated by Cloudflare's Data Processing Addendum. Where the email transport provider is located outside the EEA, the corresponding transfer is likewise covered by Standard Contractual Clauses or an equivalent transfer mechanism. No other personal data leaves the EU.

8. How long we keep this information

  • Contact-form emails: kept in the operator's mailbox for as long as needed to address your enquiry and any reasonable follow-up. You can ask us to delete a specific message at any time.
  • Server access logs: rotated and deleted after approximately 30 days, unless a longer retention is needed to investigate a specific incident;
  • Honeypot block list: 1 hour to 7 days, depending on the number of repeat offences, after which the IP is automatically released;
  • Cookies: as described in section 3.4.

9. Your rights

To the extent the GDPR or the Ukrainian Law on the Protection of Personal Data applies to you, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data rectified;
  • have your data erased ("right to be forgotten") where the legal grounds for processing no longer apply;
  • restrict or object to processing carried out under our legitimate interests;
  • data portability, where the processing is based on consent or on a contract and is carried out by automated means;
  • withdraw any consent you have given, at any time, without affecting the lawfulness of processing already carried out.

To exercise any of these rights, write to [email protected]. We will respond within one month.

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority — for residents of Ukraine, this is the Ukrainian Parliament Commissioner for Human Rights (Ombudsman); for residents of the European Economic Area, this is the data protection authority of your country.

10. Children

This site is not directed at children and we do not knowingly collect personal data from children under the age of 14. If you believe a child has provided personal data to us through the contact form or otherwise, please contact us and we will take steps to delete it.

11. Security

We take reasonable technical and organisational measures to protect the limited personal data we handle: TLS encryption on every page (HTTPS), modern security response headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy), the honeypot and abuse-throttling described above, and a server stack kept up to date. No transmission over the internet can be guaranteed 100% secure, but we apply the standard of care a small site of this nature reasonably can.

12. Changes to this policy

If we change this policy in a material way, we will update the "Last updated" date at the top of this page and, where appropriate, post a brief notice on the home page. For non-material changes (typos, clarifications), we will only update the date.

13. Contact

Web-Gate Studio / Студия Web-Gate — individual private person, Ukraine.
Email: [email protected]