Privacy Policy
This policy covers the website hewnpath.com. Each product has its own policy covering what happens inside that product, linked at the bottom of this page.
1. Who is responsible
The data controller is:
Hewnpath
Email: [email protected]
Hewnpath is a one-person studio and is not required to appoint a Data Protection Officer. Write to the address above and you reach the person who decides what happens to your data.
2. Cookies: there are none
This site sets no cookies. It writes nothing to localStorage or sessionStorage. There is no advertising network, no social pixel, no session replay, and no cross-site tracking of any kind. That is why you are not being asked to accept anything: under the ePrivacy rules a consent banner is required when a site stores or reads information on your device, and this one does not.
You can verify this yourself: open your browser's developer tools, look at the Application tab, and the cookie and storage lists for this domain will be empty.
3. What the site collects
Waitlist and free downloads
When you enter your email in a waitlist or download form, we store your email address, which product or file the request came from, the date and time, and whether you ticked the optional box asking for occasional product updates. Nothing else. We do not store your IP address or your browser fingerprint with the signup.
Audience measurement
The site uses Cloudflare Web Analytics to count page views. It is cookieless: it does not store anything on your device and does not build a profile of you across sites or visits. It reports the page you viewed, the referrer, and coarse technical data such as country and browser family, in aggregate. Cloudflare processes your IP address transiently to derive the country and does not retain it for this purpose.
Server logs
Cloudflare, which serves this site, processes standard request data including IP addresses to deliver pages and to block attacks. This is ordinary infrastructure logging, kept short-term by Cloudflare and used by us only in aggregate.
4. Why, and on what legal basis (GDPR art. 6)
- Sending you the thing you asked for, the launch email or the download link: performance of your request, art. 6(1)(b).
- Occasional product updates: your consent, art. 6(1)(a), given by ticking a box that is never pre-ticked. The download and the waitlist do not depend on it, you get them either way. You can withdraw consent at any time, see section 7.
- Audience measurement and keeping the site up: legitimate interest in knowing which pages are read and in serving them securely, art. 6(1)(f), balanced against you by choosing a measurement tool that cannot identify or follow you.
5. How long we keep it
- Waitlist signups: until the product launches and the announcement is sent, then 12 months, then deleted. If you unsubscribe or ask for erasure, immediately.
- Download signups: 24 months from the last time you opened one of our emails or downloaded a file, then deleted.
- Analytics: aggregate only, retained by Cloudflare on their schedule. It contains nothing that points back to you.
6. Where it goes
Your email sits in a Cloudflare D1 database running in Cloudflare's European region. We do not sell, rent, or trade personal data, and we do not share it with anyone for their own purposes.
The only processors involved:
- Cloudflare, Inc.: hosting, database, and analytics. Privacy policy. Transfers outside the EEA are covered by Cloudflare's Standard Contractual Clauses and its EU-US Data Privacy Framework certification.
- Polar Software, Inc.: merchant of record for purchases. Polar is a separate controller for the checkout data you give it, under its own privacy policy. It only applies if you buy something.
Fonts are served from this domain. No third-party font, CDN, or icon service is contacted when you load a page here.
7. Your rights (GDPR art. 15 to 22)
You can ask us to:
- Access: send you a copy of everything we hold about you.
- Rectify: correct anything wrong.
- Erase: delete it.
- Port: hand it over in a machine-readable file.
- Restrict or object: stop a given use, including any processing based on legitimate interest.
Email [email protected] with "GDPR request" in the subject. We answer within 30 days, and it is one person reading, so usually much sooner. Exercising these rights is free.
Withdrawing consent to product updates is one click on the unsubscribe link in the footer of every email we send. No login, no reply needed, no reason asked. It takes effect immediately and does not affect the lawfulness of anything sent before.
If you think we have mishandled your data you can complain to your national data protection authority. Ours is the Garante per la protezione dei dati personali.
8. Children
These are tools for professional work and are not directed at children under 16. We do not knowingly collect their data. If you believe a child has signed up, write to [email protected] and it will be deleted.
9. Security
The site is served over HTTPS only, with a strict Content Security Policy and HSTS. The signup database is reachable only through a single endpoint that accepts an email address and nothing else. Access to it is limited to the operator named in section 1.
10. Changes
If this policy changes materially we will update the version and effective date at the top and, where the change affects data we already hold about you, email you before it takes effect.
11. Product policies
This page covers the website. What happens inside each product is covered separately: