Privacy Notice
Last updated · May 23, 2026
01Who I am
The data controller is Noxum Media & Consulting PVV, a sole proprietorship registered in the Netherlands (KvK: 42066188). You can contact us at [email protected] for any privacy-related matters.
02What I collect
I collect the following personal data when you use the commission form: preferred name, pronouns, legal name, email address, country, billing address, VAT number, concept and off-limits text, custom name text, custom touches text, reference URL, your IP address hash, and your user agent.
Alongside this, I retain the commission selections you make (length, format, voice, spice level, exclusivity, delivery, revisions, and personal-touches flags), your agreement to the legal terms, and the pricing breakdown you were shown.
03Why I collect it
I collect this data based on the following legal grounds:
- Contract performance: To process and fulfill your commission requests.
- Legitimate interest: To prevent fraud and abuse (via IP hashing for rate limiting) and to maintain a tamper-evident audit log of operator access to your submission, supporting accountability under Article 5(2) GDPR.
- Legal obligation: To retain invoices as required by Dutch tax law.
Submissions are reviewed by me (the data controller) through an authenticated administrative interface. Each access and status change is recorded in an append-only audit log so that any unauthorised access could be reconstructed if a security incident occurred.
04Who I share with
I use the following third-party processors to operate this service. Each is bound by a Data Processing Agreement:
- Supabase (database hosting). See their privacy policy.
- Render (hosting). See their privacy policy.
- Cloudflare (DNS, CDN, WAF). See their privacy policy.
- Resend (email delivery). See their privacy policy.
- Sentry (error tracking). See their privacy policy.
05International transfers
My primary hosted compute runs in Frankfurt (EU). Some of my processors may still transfer or process your data outside the European Economic Area (EEA), including control-plane data and operational logs that may transit the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, as documented in each processor's Data Processing Agreement linked above.
06How long I keep it
I retain your data for the following periods:
- Invoiced commissions: 7 years, as required by Dutch tax law.
- Declined or unaccepted commissions: 90 days, after which personally identifiable information is anonymized.
- Rate-limit buckets: 24 hours.
- IP hashes: Retained for the lifetime of the associated commission record.
- Sentry error events: 30 days.
- Outbound email records: Anonymized or deleted alongside the underlying commission record, on the same schedule.
07Your rights
Under the GDPR, you have the right to access, rectify, erase, restrict processing of, object to the processing of, and request the portability of your personal data. To exercise any of these rights, please email [email protected].
You also have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), reachable at autoriteitpersoonsgegevens.nl.
08Provision of data
Providing your personal data via the commission form is a contractual requirement. If you do not provide the required fields (name, email, billing address, concept), I cannot process your commission request.
09Automated decisions
I do not use automated decision-making or profiling as defined under Article 22 of the GDPR. All commission requests are reviewed and processed manually.
10Cookies
There is one cookie on this site, set automatically by my CDN (Cloudflare) for security:
| Cookie | Set by | Purpose | Duration | Type |
|---|---|---|---|---|
| __cf_bm | Cloudflare | Bot and abuse detection at the network edge. | ~30 minutes | Strictly necessary |
I do not set any analytics, advertising, or tracking cookies. If I add analytics in the future, I will update this notice and ask for your consent first where required.
If you use the commission form, your in-progress form choices are also saved in your browser's session storage, which is tied to the current tab and is not a cookie (see §11 below).
11Browser storage
To help you resume an incomplete commission form within the same visit, I save your in-progress form choices in your browser's session storage. Drafts live only on your device, clear automatically when you close the tab or browser, and clear when you complete the form.
The following fields are saved:
- Length, format, voice selection, spice level, exclusivity, rush, and revisions.
- Hypnotic trigger and induction selections.
- Working title, voice description, and reference URL (if you provide them).
- Personal-touches toggles (the on/off flags only; the actual personal text is never saved).
- The state of your agreement checkboxes.
The following are never saved in browser storage:
- Preferred name, pronouns, legal name, email, country, billing address, VAT number.
- Concept text and off-limits text.
- Custom name text and any personal-touches detail text.
The free-text fields above (working title, voice description, reference URL) can in principle contain identifying material if you choose to type it. If you'd rather not have anything saved on your device, close the tab. The draft clears automatically.
12Changes
If this notice changes, I will update the date above.
