fyzno.
00:00 · AMS
[ § · Legal · Privacy Policy ]

Privacy, in plain language.Nothing to hide, little to take.

Last updated 3 July 2026. Ten sections covering everything this site and our engagements actually collect, under the GDPR and the Dutch implementation act (UAVG). It is short because the data we take is short. This policy is incorporated into our terms by reference (full document § 13).

01 · Controller

Who is responsible

fyzno, a digital infrastructure studio established in the Netherlands, is the controller for all personal data described on this page. For anything privacy-related, write to info@fyzno.com with the word Privacy in the subject line; the same partner who runs the infrastructure answers the mail.

02 · The brief

What the contact form collects

When you submit the written brief on /contact we store exactly what the form shows: your name, email address, organisation (optional), the project and scale you picked, and the brief itself. The server adds three technical fields: the time of receipt, your IP address, and your browser's user-agent string. The record is appended to a ledger file on our own server and a copy is delivered to our operator mailbox so we can reply. Nothing else is captured; there is no profiling, scoring, or enrichment.

03 · Server logs

What the web server logs

The nginx reverse proxy in front of the site keeps standard access logs: IP address, requested path, timestamp, response code, and user-agent. The application writes structured event logs (via systemd's journal) that include an IP address on contact-form events such as a rate-limit trip or a rejected submission. Both exist to keep the service secure and debuggable, and both are rotated and deleted after at most thirty days. The in-memory rate limiter keys on IP and email address, holds each key for a sliding sixty-minute window, and is never written to disk.

04 · Legal bases

Why we may hold it

The brief and our reply to it: steps taken at your request prior to entering into a contract, GDPR art. 6(1)(b). Server logs and rate limiting: our legitimate interest in keeping a public endpoint abuse-free and diagnosable, art. 6(1)(f), weighed and documented. Invoices and engagement records once you become a client: our legal obligation under Dutch tax law, art. 6(1)(c). We do not rely on consent for any of this, because none of it is optional decoration; where consent would ever be needed, we would ask first.

05 · Retention

How long, then gone

Contact briefs (ledger and mailbox copy): deleted no later than twenty-four months after our last exchange, sooner on request. nginx and application logs: at most thirty days. Rate-limit entries: sixty minutes, in memory only. Encrypted backups cycle on a thirty-day schedule, so data erased from the primary system leaves the backup set within one further cycle. Invoices and contract records: seven years, as required by the Dutch fiscal administration duty (Algemene wet inzake rijksbelastingen, art. 52). Nothing is kept because it might be useful someday.

Where it lives

Everything runs on our own server at OVHcloud in Gravelines, France, with encrypted daily backups retained in Strasbourg. OVHcloud acts as our hosting processor under a GDPR art. 28 agreement. All processing stays inside the EU; we transfer no personal data outside the European Economic Area, and we sell or trade data to no one, ever.

07 · Cookies

None. Actually none.

This site sets no cookies: no analytics, no advertising, no fingerprinting, no third-party embeds. Our Content-Security-Policy blocks requests to other origins outright, and fonts are served from our own domain. The single piece of browser storage we use is a session flag (fyzno:preloaded) that remembers the intro animation already played; it contains no personal data, never leaves your browser, and dies with the tab session. Under the Telecommunicatiewet art. 11.7a such strictly functional storage requires no consent banner, which is why you don't see one.

08 · Your rights

Access, correction, erasure, the lot

You can ask us at any time for access to the data we hold on you, a correction, erasure, restriction of processing, a portable copy, or you can object to processing based on our legitimate interest. Write to info@fyzno.com; we answer within one month, GDPR art. 12(3), and we may ask you to confirm you are who you say you are before releasing anything. If you believe we handled your data badly, you have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). We'd appreciate the chance to fix it first, but that is your call, not ours.

09 · Security

How it is protected

Transport is TLS-only with HSTS pinned for two years. Operator replies are S/MIME-signed so you can verify it is really us. The contact endpoint validates and length-caps every field, rejects cross-origin posts, and rate-limits per IP and per email. The server is patched weekly, backups are encrypted at rest, signing keys live with restricted file permissions, and access to the ledger is limited to the partners who answer your brief. No security is absolute; ours is documented, small-surface, and honestly described.

10 · Changes & contact

When this page changes

If we start collecting something new, or keep something longer, this page changes before the practice does, and the date below the headline moves. Material changes to how briefs are handled will be mentioned in the reply you get when you write to us. Questions, requests, complaints: info@fyzno.com, subject Privacy. Signed reply within forty-eight hours, resolution within the legal month.

Related · Terms of Service

Payment, renewal, liability and the operational-honesty commitments live in the terms. The two documents are written to be read together; where they touch data, this page governs the data.

Read the terms →

Exercise a right, or just ask what we hold on you: info@fyzno.com. Signed reply within forty-eight hours.