Controller and contact for privacy matters
The data controller is Gharvynnthit, Nieuwe Looiersstraat 3H, 1017 VA Amsterdam, Netherlands. The address is also our correspondence address for data protection letters. You can write to contact@gharvynnthit.world and call +31 20 623 5949 for practical questions, including the exercise of a right under the GDPR, though we may ask you to confirm your identity in a second step if a request is sensitive or if someone could impersonate you. We will not use your rights request to send marketing unless you have separately and clearly opted in to such messages.
We have not appointed a Data Protection Officer as a mandatory step under the law that applies to us at this time; if that changes because of the scale of processing or a statutory trigger, the contact for the DPO will be published in this block and, where required, in the public register. For processor relationships, the Article 30 record lists each processor and the main categories of data they see.
Categories of data and what they are for
Server and delivery logs include IP address, request time, URL path, protocol version, and user agent string, sometimes a referrer, generated by the web server or a reverse proxy. We use them to keep the service secure, to see unusual bulk traffic, to debug misconfiguration, and to support accountability when something goes wrong. We do not use raw logs to write public articles about a single person.
Contact form submissions contain the name and email you type, the message body, a time-based submission metadata line we may add, and, depending on the build, a token that reduces automated spam. We do not use the form for clinical or diagnostic work; the privacy policy and the form label ask you to avoid including medical records, because a general business inbox is not a clinical system.
Cookie and local storage consent fields store your choices, category flags, a version, and a time stamp, as set out in the cookies policy. That record can be part of a proof file if a regulator ever asks that our optional tags matched your opt-in, but the record itself is small and is not a personality profile in the large-scale sense of that word in plain English.
Future commercial records for paid or booked services, if we add them, will be described in an annex or a separate product sheet and may include payment references processed by a payment provider, where we do not want to see full card data on our own disks. The underlying principle is always minimisation: we ask for the smallest amount that can fairly complete the process.
Legal bases in plain language
Contract or pre-contract applies when you order something we sell and the message is an ordinary business arrangement message. Legitimate interests applies to some security, product improvement, and light analytics, after a balancing test. Consent is what we use for non-essential cookies and similar technologies under the ePrivacy frame and for marketing you actively choose.
Legal obligation may apply in rare cases when we are told to keep something by a competent court or public authority, always within what the law in the EU/EEA allows, and you will be informed where the law does not prevent us from doing so.
We do not seek to make solely automated decisions that produce legal or similarly significant effects for you, in the way Article 22 GDPR is usually described. If a future feature ever looks like a score or gate you could object to, we will describe a meaningful human contact path before launch.
How long we keep data
Short-lived technical logs: around ninety days by default, in a rolling window, with a longer, exceptional window when we preserve an item because of an open incident, a request from a regulator, or a genuine litigation hold. We log the reason for a longer hold in a simple internal file so it can be revisited when the case closes, within what the law allows and without keeping everything forever “just in case”.
Contact and communication threads: for twenty-four months after the last message in a chain in ordinary business matters, or longer if the law, a clear mutual agreement, or a real dispute file requires. Backups: rotation policies mean that a deleted line may take a while to fall out of all encrypted backup tiers; we will not actively restore from backup to reuse deleted personal data for a new purpose once you have a valid erasure right that applies.
Consent and analytics identifiers: until you clear the site data, we deploy a new schema that invalidates the key, you withdraw, or a vendor’s maximum lifetime ends, whichever comes first, for each part of the stack.
Security measures, integrity, and confidentiality
We protect accounts and infrastructure with transport encryption where the stack supports it, with role-based access on the business side, with vendor reviews before we give access to a name list, and with instruction documents for any colleague who can see a message from the public. We expect processors to have incident playbooks, and we will report to you and to a supervisory authority in the time-frames the GDPR and national security rules set when a reportable event occurs. No online system is zero risk; the aim is a reasonable, layered defence proportionate to the data.
Integrity: we will correct factual mistakes in a record that concern you, when you can show a fair reason and when the law does not require the opposite, such as a duty to keep a fraud-related record. Confidentiality: people who are not in the need-to-know group for a particular set of data should not be able to browse it in our stack because of account roles; we re-check that when a role changes or someone leaves a project.
Your rights, where to go, and timing
You may be entitled to: access, rectification, erasure, restriction, objection (including in some cases to legitimate-interest processing, where the balance of interests allows), and data portability for information you gave us in a structured format when the processing is automated and based on contract or consent. You can lodge a complaint with the Autoriteit Persoonsgegevens in the Netherlands or, when applicable, with another EEA lead authority, without giving up a judicial remedy. We will answer most requests without undue delay and within a month, or with an extension the GDPR allows, and we will tell you if we need more proof of who you are or if a request is manifestly unfounded, in a fair way, before any fee discussion under the law.
If you are not in the EEA, some of these rights still apply in specific cross-border cases; when we must refuse a request, we will say which provision we rely on, except where a secrecy rule genuinely prevents a full line-by-line answer.
International transfers, processors, and children
When we work with a processor in a non-adequate country, we will use a valid transfer tool such as the European Commission’s standard contractual clauses, the UK or Swiss equivalent where relevant, and supplementary measures when the level of risk after a transfer impact assessment so requires. A summary of the key safeguards can be requested in writing; we can redact a narrow business secret but not hide the name of a serious mechanism.
We do not offer the public site to children as a product directed at them. If you believe a child’s personal data has reached us without appropriate authority, email us; we will delete it when there is no legal reason to keep it and when we are satisfied the request is genuine, without using it to sell anything back to a parent.
Changes to this policy: we will post an updated file with a new “last review” line at the bottom when the substance of processing changes, not for cosmetic edits only. A date shown only in the hero uses your current device clock for a visual snapshot; the binding review date for compliance work is the line below.
Last material review of this text: 25 April 2026.