Plain language. No dark patterns.
We collect only what we need to do the work, we never sell or trade what you share with us, and we will tell you the truth about what is on our servers and what is not. Everything below is written in the language we would want a contract written for us.
Only what the work requires.
Two categories, and that is it.
Information you send us directly
Your name, email address, the company you work for, and whatever you choose to write in a project brief, an inquiry, or an email reply. If we eventually take you on as a client, we will also collect the information necessary to invoice you and to do the engagement — scope notes, credentials you authorize us to hold, and the work product itself.
Information collected automatically
Standard server logs — IP address, browser, the page you arrived on, and the page you went to next. We use these for security and to understand which parts of the site are useful. We use Vercel Web Analytics and Vercel Speed Insights, both cookie-less and anonymized at the source — they tell us aggregate page-view counts and load times without identifying you. We do not run third-party advertising trackers, behavioral profiling, or session replay tooling.
Information you opt into
If you turn on push notifications inside the client portal, your browser gives us a push endpoint URL and two cryptographic keys for that one device. We store those so we can send you a notification when a milestone ships or a project update is posted, and we delete them immediately when you disable push or revoke permission. If you subscribe to the calendar feed, we generate a private, signed URL tied to your account — we do not log who is reading the feed, but anyone holding that URL can read your milestone schedule, so treat it as you would a password.
The work, and nothing else.
We use what you send us to reply to your inquiry, scope and run the engagement, send invoices, and — when you have asked for it — deliver the occasional note from the practice. That is the entire list.
We do not sell your information, we do not trade it, and we do not share it with third parties for their own marketing. The only exceptions are vendors who help us run the business itself: our hosting provider, our database provider, our email provider, and our payments processor — each of which is contractually bound to handle data only on our instructions.
The short list.
Each of these is a contractually-bound subprocessor.
- VercelHosting, edge infrastructure, and cookie-less Web Analytics
- SupabaseDatabase, authentication, file storage, and Web Push delivery
- ResendTransactional and newsletter email delivery
- StripePayments and invoicing (when applicable)
- Zoho MailMailbox provider for our team
Functional only.
We use cookies for things the site cannot function without — keeping you signed into the client portal, remembering your form draft on the contact page, and recognizing the device you came in on. We do not run advertising cookies, cross-site trackers, or behavioral analytics. If your browser refuses cookies, the marketing site will still work; authenticated areas will not.
Your information is yours.
Whether you live in California, the EU, the UK, or anywhere else.
You can ask us at any time what information we hold about you, and we will tell you in plain English. You can ask us to correct it, you can ask us to delete it, and you can ask us to send you a copy of it — and we will do any of those within a reasonable window, typically thirty days.
For requests, write us at info@we-are-resilience.com with the subject line “Privacy request”. We will reply from a real human inbox, not a ticketing system.
How long we keep things.
- Inquiries that did not become engagementsUp to 24 months, then deleted.
- Active client recordsFor the life of the engagement.
- Closed client recordsSeven years, for tax and legal reasons.
- Newsletter subscribersUntil you unsubscribe.
Primarily United States.
Our database, our file storage, and our application servers run on US-based infrastructure. Email passes through providers with US and EU data centers. If you are located in the European Union, the United Kingdom, or another jurisdiction with cross- border data-transfer rules, your information may be transferred to the United States in the course of normal operations. Each subprocessor we rely on is contractually bound by appropriate transfer mechanisms (Standard Contractual Clauses where applicable). If you have specific data-residency requirements, write to us before signing an engagement and we will discuss what is feasible.
How we protect this, and what we do if we fail.
We protect your information with reasonable technical and organizational measures appropriate for a senior engineering practice: encryption in transit, access controls scoped to the people who need access, regular dependency audits, audit logs on sensitive actions, and least-privilege keys for every external service we touch. No system is unbreakable; we say that out loud rather than implying otherwise.
If we ever discover an actual compromise of personal information you have entrusted to us, we will notify you in writing as soon as we have a clear enough picture to be useful — what happened, what was affected, what we have done about it, and what you should do. Where the law requires faster notification (typically 72 hours under the GDPR), we follow the legal timeline. We will never sit on a breach to manage optics.
This is not a service for children.
We do not knowingly collect information from children under 13 (or under 16 in the European Union). Our work is sold to businesses and to adult professionals. If you believe a child has submitted information to us, please write to us at info@we-are-resilience.com and we will delete the record promptly.
We will tell you.
When we update this policy in any way that materially affects what we do with your information, we will note the change at the top of this page and, where we have your email, send a short note. The version below is the one currently in force.