1. Who is the controller
Abderrazzaq Kharroubi, Quartier Polytech 1, Allée de la Découverte 9, 4000 Liège, Belgium. Email hello@pointcloudprocessing.org. We are a small operation. There is no DPO; the controller is the author. This site is GDPR-aligned because most of our readers are EU-based.
2. What we collect, why, and on what basis
| Data | Why | Legal basis |
|---|---|---|
| Email address | To create your account and send magic-link sign-in emails | Contract performance (Art. 6(1)(b)) |
| Purchase records | To grant access to the tier you bought and for tax records | Contract + legal obligation |
| Reading and viewing progress | To resume where you left off and show your dashboard | Contract performance |
| Bookmarks, notes, highlights | Your personal annotations on chapters | Contract performance |
| Newsletter email (if you sign up separately) | To send the occasional book-related update | Consent (Art. 6(1)(a)), opt-in |
| Aggregate page-view analytics | To understand which chapters are read and improve the site | Consent, opt-in via cookie banner |
| Server logs (IP, user-agent, error traces) | To debug errors and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
3. Who we share it with
We use the following processors. Each has its own privacy policy:
- Supabase (EU-Frankfurt region): database, auth, file storage
- Vercel: hosting, with the EU region for server-side functions
- Lemon Squeezy: payments and tax handling (merchant of record)
- Cloudflare Stream: video hosting and delivery
- Resend: transactional and newsletter email
- Sentry: error tracking (only error events, no user content)
- Vercel Analytics: privacy-friendly aggregate traffic analytics with no cookies and no cross-site tracking
4. International transfers
Our primary processors store EU data in the EU. Some (Lemon Squeezy, Resend, Cloudflare, Sentry) operate globally and may process data in the US under Standard Contractual Clauses. We selected EU regions where the provider offered them.
5. Retention
Account data: as long as your account is open, plus 6 years for tax records after deletion (Belgian and EU tax law).
Reading progress and annotations: until you delete them or close your account.
Newsletter list: until you unsubscribe.
Server logs: 30 days.
Error traces (Sentry): 90 days.
6. Your rights under GDPR
You have the right to:
- Access all personal data we hold about you
- Rectify incorrect data
- Erase your data (subject to tax retention)
- Restrict processing
- Object to processing based on legitimate interest
- Receive your data in a structured format (data portability)
- Withdraw consent at any time (for items where consent is the basis)
- Lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données)
To exercise any of these, email hello@pointcloudprocessing.org. We aim to respond within 30 days.
7. Cookies
We use only the cookies and storage strictly necessary to operate the site (your sign-in session, your reader preferences in localStorage). Analytics and any non-essential tracking are off by default and only activate if you accept them in the cookie banner.
8. Children
This is a technical reference for adults. We do not knowingly collect data from anyone under 16.
9. Security
We use industry-standard practices: HTTPS everywhere, encrypted-at-rest databases, signed URLs for video access, role-separated Supabase keys (the service-role key never reaches the browser), and webhook signature verification on every payment event.
10. Changes to this policy
If we materially change this policy we will email you and post the change. Prior versions are archived.
11. Contact
Questions or requests: hello@pointcloudprocessing.org.