Legal
This Privacy Policy describes how Shubham Goyal ("I", "me", "my") collects, uses, stores, and protects personal information you provide when using shubhamgoyal.dev (the "Website"). This policy complies with:
• The Digital Personal Data Protection Act, 2023 (DPDP Act) — India
• The Information Technology Act, 2000 and IT (SPDI) Rules, 2011 — India
• The General Data Protection Regulation, 2016/679 (GDPR) — European Union
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
By using this Website, you acknowledge that you have read and understood this Privacy Policy.
We collect only the minimum data necessary to operate the Website:
a) Contact Form Data
When you submit the contact form, we collect your full name, email address, subject, and message. This data is stored in our database and used solely to respond to your inquiry.
b) Account Registration (optional)
If you register an account to post comments or engage with blog content, we collect your name, email address, and a hashed (bcrypt) password. We never store plain-text passwords.
c) Blog Interaction Data
We track anonymous view counts and like counts per blog post. This data is not linked to any individual user unless you are logged in.
d) Comments
If you post comments on blog posts, we store your name, email, and comment text.
e) Automatically Collected Data
We use Vercel Analytics (a privacy-friendly analytics tool) to collect aggregated, anonymised usage data including page views, browser type, country, and device type. No personally identifiable information is linked to analytics data.
f) reCAPTCHA
Our contact form is protected by Google reCAPTCHA v3. Google may collect IP address, browser information, and other signals to verify you are human. This data is processed by Google under their own Privacy Policy.
For users in the European Economic Area (EEA), we process your personal data on the following legal bases under Article 6 of GDPR:
• Consent (Article 6(1)(a)): When you voluntarily submit the contact form or create an account.
• Legitimate Interests (Article 6(1)(f)): For security, fraud prevention (reCAPTCHA), and analytics to improve the Website.
• Contract (Article 6(1)(b)): When processing is necessary to respond to your inquiry or provide services you have requested.
Under the DPDP Act 2023 (India), processing is based on your free, specific, informed, and unambiguous consent for contact form submissions and account registration.
Your personal data is used exclusively for:
• Responding to your contact form submissions and inquiries
• Sending an automated acknowledgement email upon form submission
• Managing your account and authentication
• Displaying your approved comments on blog posts
• Improving Website performance using anonymised analytics
• Preventing spam and abuse via reCAPTCHA
• Complying with applicable legal obligations
We do not use your data for advertising or profiling, and we do not sell it to any third party.
We use the following trusted third-party services, each bound by their own privacy policies:
• MongoDB Atlas (database hosting) — data may be stored on servers in the US/EU under appropriate safeguards
• Cloudinary (image storage and delivery) — stores portfolio and blog images
• Vercel (hosting and analytics) — GDPR-compliant edge hosting platform
• Google reCAPTCHA v3 — spam protection; governed by Google's Privacy Policy
• Nodemailer / SMTP — for transactional email delivery
We do not share your personal data with any other third party without your explicit consent.
We retain your personal data only as long as necessary:
• Contact form submissions: retained for 12 months, then permanently deleted
• Account data: retained as long as your account is active; deleted within 30 days of account deletion request
• Comments: retained until you request removal
• Analytics data: aggregated and anonymised; retained for up to 24 months
• Server/application logs: automatically purged after 30 days
You may request deletion of your data at any time by emailing [email protected].
Depending on your jurisdiction, you have the following rights:
Under GDPR (EEA residents):
• Right to Access (Art. 15): Request a copy of your personal data we hold
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("Right to be Forgotten")
• Right to Restriction (Art. 18): Restrict how we process your data
• Right to Data Portability (Art. 20): Receive your data in a machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA)
Under DPDP Act 2023 (India):
• Right to information about personal data processing
• Right to correction and erasure of personal data
• Right to grievance redressal
• Right to nominate a representative for data management
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or as required by applicable Indian law.
We implement industry-standard security measures to protect your personal data:
• Passwords are hashed using bcrypt with appropriate salt rounds
• All data is transmitted over HTTPS/TLS encryption
• Authentication uses signed JSON Web Tokens (JWT) with expiry
• Database access is restricted by IP allowlisting and role-based access control
• We conduct periodic security reviews of dependencies and configurations
No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
Your data may be processed and stored on servers located outside India, including in the United States and European Union (via MongoDB Atlas and Vercel). For transfers from the EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. For transfers under the DPDP Act 2023, we ensure that receiving parties provide a level of protection comparable to Indian law.
This Website is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us at [email protected] and we will delete it promptly. Under the DPDP Act 2023, processing of children's data requires verifiable parental consent. We do not seek such consent and therefore do not process children's data.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The updated policy will be posted on this page with a revised effective date. For material changes, we will make reasonable efforts to notify registered users via email. Continued use of the Website after changes constitutes acceptance of the revised policy.
As required under the Information Technology Act, 2000 and DPDP Act 2023, the designated Grievance Officer for Indian users is:
Name: Shubham Goyal
Email: [email protected]
Website: shubhamgoyal.dev
You may lodge a grievance regarding the processing of your personal data. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
For any privacy-related queries, requests, or complaints, please contact:
Shubham Goyal
Email: [email protected]
Website: shubhamgoyal.dev
For GDPR complaints unresolved by us, you may contact your local supervisory authority. A list of EU DPAs is available at: edpb.europa.eu
Questions about this policy? Email us at [email protected]