Privacy Policy

Version 2 · Effective 2026-04-20

1. Who We Are

TheSiteNerds LLC ("we," "us," "our") is a New York limited liability company providing custom website and web-application development, managed hosting, and related services.

Contact for privacy matters:

This policy covers:

  • The public website at thesitenerds.com (including the contact form and Calendly booking)
  • The client portal at thesitenerds.com/portal/
  • Websites we host on behalf of clients, only to the extent we process personal data as a service provider — in that case, the client is the controller (see Section 9)

2. What We Collect

2.1 Information you give us

  • Contact form submissions: name, email address, message.
  • Calendly bookings: name, email, meeting time, optional notes. Handled by Calendly on our behalf.
  • Client portal account: name and email. Authentication is by magic link; we do not store passwords.
  • Payment information: processed by Stripe. We do not store card details. We retain your Stripe customer ID, subscription status, and current period end to manage your account. Card and payment-history details are accessible through Stripe's hosted customer portal.
  • Project content: brand assets, copy, images, access credentials, and similar material you share during a project, subject to the confidentiality obligations in the MSA.

2.2 Information collected automatically

  • Analytics (PostHog): page views, events, device type, browser, approximate location (country/region from IP), referrer. We use privacy-friendly settings: IP addresses truncated, no cross-site tracking, no advertising cookies.
  • Server logs: IP address, user agent, timestamps, requested resources. Used for security, debugging, and uptime monitoring.
  • Cookies and similar technologies: see Section 7.

2.3 Information we do NOT collect

  • Social Security numbers
  • Sensitive personal data (health, race, religion, sexual orientation) unless a specific project explicitly requires it, in which case we address it in the project-specific agreement
  • Biometrics

3. How We Use Information

We use information to:

  • Respond to inquiries and schedule intro calls
  • Provide and operate the client portal and delivered services
  • Send invoices and process payments
  • Provide hosting, maintenance, and support
  • Monitor security, prevent abuse, and debug issues
  • Communicate about projects, service updates, and relevant changes to our services
  • Comply with legal obligations (tax, accounting, contract records)

We do not:

  • Sell your personal information
  • Use your information for cross-context behavioral advertising
  • Share your information with third parties for their own marketing

4. Legal Bases (EU/UK visitors)

Where the GDPR or UK GDPR applies, our legal bases are:

  • Contract: to provide services you request
  • Legitimate interests: to run and secure the website, respond to inquiries, and operate the business
  • Consent: where we rely on it (e.g., non-essential cookies, if applicable)
  • Legal obligation: accounting, tax, and record-keeping

5. Who We Share With

We share personal information only with the following service providers, and only to the extent each needs it to do its job:

  • Fly.io — application hosting
  • Neon — managed Postgres database
  • Stripe — billing and payments
  • Resend — transactional email (contact form, auth, invoices)
  • PostHog — analytics
  • Calendly — intro-call scheduling
  • GitHub — source control for projects stored in our repositories
  • PandaDoc or DocuSign — contract signing

We also share with:

  • Professional advisors (our attorney and accountant), under professional-confidentiality obligations
  • Legal authorities when required by valid legal process, or to protect our rights, users, or the public
  • A successor entity if we sell or restructure the business; you will be notified and your data will remain subject to this policy

We do not share information with advertisers, data brokers, or unrelated third parties.

6. How Long We Keep It

  • Contact form submissions: up to 2 years from receipt, unless the inquiry becomes a client relationship
  • Client portal data: for the duration of the engagement plus 6 years after termination (aligned with NY tax and contract-record retention); a full export is available on request per the Hosting Agreement
  • Invoices and payment records: 7 years (tax/accounting)
  • Analytics events: up to 24 months
  • Server logs: up to 90 days
  • Backups: per the Hosting Agreement — 30 days rolling (90 days on Active Care)

After retention periods end, we delete or anonymize the data.

7. Cookies

We use a small number of cookies:

  • Essential: authentication, session state, CSRF protection. Required for the portal to work.
  • Analytics (PostHog): set only when analytics is active. We honor browser "Do Not Track" and "Global Privacy Control" signals by disabling analytics for visitors who send them.

We do not use advertising, retargeting, or cross-site tracking cookies.

You may disable cookies in your browser. Disabling essential cookies will break the portal; disabling analytics cookies does not affect site functionality.

8. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete personal information, subject to legal retention obligations
  • Port your information to another provider
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority (EU/UK) or your state attorney general (applicable US states)

How to exercise: email privacy@thesitenerds.com. We respond within 30 days. We may verify your identity before acting on a request.

California (CCPA/CPRA): we do not sell or share personal information as those terms are defined under California law. You have the additional right to know categories of information collected, categories of third parties we share with, and to non-discrimination for exercising your rights.

EU/UK (GDPR/UK GDPR): our contact for data-protection questions is the email above. We have not appointed a separate DPO. Legal bases are in Section 4.

9. Client-Hosted Sites (Processor Role)

For websites we build and host on behalf of clients, the client is the controller of end-user personal data collected via that site. We act as a processor/service provider under the client's MSA and Hosting Agreement. End users of a client site should consult that client's own privacy policy. We will assist the client in responding to end-user data requests per the applicable contract.

10. Security

We implement reasonable technical and organizational measures: encrypted transport (HTTPS), encrypted backups at rest, least-privilege access, MFA on administrative accounts, and dependency patching. No system is perfectly secure. We will notify affected individuals and authorities of any security incident involving personal data within the timeframes required by applicable law.

11. Children

Our services are directed to businesses. We do not knowingly collect personal information from children under 13. If we learn we have, we will delete it. Contact us at the privacy email above if you believe this has happened.

12. International Transfers

We are based in the United States. If you visit from outside the US, your information will be transferred to the US and processed by US-based service providers. We rely on Standard Contractual Clauses or equivalent safeguards where required.

13. Changes to This Policy

We may update this policy. The "Effective" date at the top reflects the latest version. Material changes will be communicated via email to active clients and via a notice on thesitenerds.com at least 14 days before they take effect.

14. Contact