Scope of this notice
This document describes how pulpax-portfolio aligns with the EU General Data Protection Regulation (GDPR), the UK GDPR, and adjacent data protection regimes including the Texas Data Privacy and Security Act and the California Consumer Privacy Act (CCPA / CPRA), to the extent each applies.
The site is a personal professional portfolio operated solo. Its data footprint is deliberately narrow: no analytics scripts, no advertising trackers, no third-party processors, and no behavioral profiling.
Data controller
Pulpax Tangong Kwah acts as the sole data controller for personal data processed through this site. Inquiries may be directed via the contact page. An EU representative is not appointed because the processing falls below the threshold that would require one under Article 27 (no large-scale processing of personal data and no special categories of data processed).
Lawful basis for processing
Processing relies on two GDPR Article 6 bases:
- Consent — Art. 6(1)(a). When you submit the inbound-request form, you consent to your contact information being processed to respond to your inquiry.
- Legitimate interest — Art. 6(1)(f). Source IP addresses, request timestamps, and standard HTTP metadata are processed to protect the site against abuse, scraping, and automated submissions.
No special categories of personal data (Art. 9) are knowingly processed. Do not submit sensitive personal data through the contact form.
Data minimization
Only the fields that are operationally necessary are collected. The inbound-request payload accepted by POST /api/public/inbound-request contains: name, email, organization (optional), and message body. Source IP and timestamp are captured server-side for abuse detection and stored in inbound_source_ip.
No analytics cookies, no advertising cookies, no fingerprinting libraries, no third-party scripts. The HTML and assets served to your browser do not initiate any cross-origin tracking request.
Your rights as a data subject
Under GDPR / UK GDPR, you are entitled to the following rights with respect to the personal data the operator holds about you:
- Access (Art. 15) — Receive a copy of the personal data held about you.
- Rectification (Art. 16) — Correct inaccurate or incomplete personal data.
- Erasure (Art. 17) — Request deletion of your personal data ('right to be forgotten').
- Restriction (Art. 18) — Limit how your personal data is processed.
- Portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Objection (Art. 21) — Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint (Art. 77) — File a complaint with your local supervisory authority.
The complete catalogue of rights also extends to residents of Texas, California, and other jurisdictions with comparable regimes.
Submitting a data subject request
Submit any data subject request through the contact page. Include:
- The right(s) you wish to exercise.
- Sufficient information to identify the data in question (typically your email).
- Where the request is on behalf of another person, evidence of authorization.
Identity verification may be requested before sensitive operations such as erasure are performed, to prevent fraudulent or unauthorized requests. Responses are issued within 30 days of a verified request, extendable by an additional two months for complex requests in accordance with Art. 12(3). Requests are free of charge unless they are manifestly unfounded or excessive (Art. 12(5)).
Retention schedule
Retention windows are operational defaults, kept short by design:
- Inbound-request records — retained for the duration of the active inquiry and a reasonable follow-up window, then archived or deleted.
- Source IP and security logs — retained for a rolling operational window sufficient for abuse detection and audit.
- Administrative session activity — retained for security audit and access integrity verification.
Records that fall outside their retention window are deleted or anonymized. Retention windows are operational guidance, not contractual commitments, and may be tuned as the platform evolves.
International transfers
The backend and supporting infrastructure operate from facilities located in the United States. If you contact the operator from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data will be transferred to and stored in the United States.
Because no commercial processor relationship exists between you and the operator (interaction is initiated voluntarily by you to obtain a professional response), standard contractual clauses (SCCs) are not strictly required. Personal data is transferred under your consent and the operator's legitimate interest in responding to your inquiry.
Sub-processors
The operator engages no third-party data processors for the public site. Hosting, backend, and database are operated directly. Should this change (for example, the introduction of a managed email transactional provider for inbound-request notifications), an updated list will be published in this document and the Last updated date will be revised.
Security controls
Reasonable and appropriate technical and organizational measures are applied (Art. 32):
- JWT-authenticated administrative console with bcrypt-protected credentials.
- Refresh-token JTI tracking with revocation and reuse detection.
- Audit logging of login activity and inbound requests.
- Security middleware enforcing strict security headers and CORS preflight discipline.
- Schema-validated request payloads via Pydantic.
- HTTPS in production deployments; non-public administrative routes mounted same-origin.
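The refresh-token control listed above (JTI tracking with revocation and reuse detection) is easier to reason about with a concrete model. The following is an added illustration written for this page, not the site's own code: the names RefreshTokenStore, issue, rotate and revoke_family are assumptions, the store is in-memory rather than a database, and the JTI stands in for the identifier that would be embedded in a signed JWT. It shows why presenting an already-rotated token is treated as evidence of theft or replay and why the response is to revoke the whole token family, including the copy held by the legitimate client.

```python
"""Refresh-token JTI tracking with rotation, revocation and reuse detection.

Added example, not the site's implementation. Names and the in-memory store are
assumptions; a deployment would persist records and sign the jti into a JWT.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RefreshRecord:
    family: str            # every token descending from one login shares a family id
    used: bool = False     # set once the token has been exchanged for a successor
    revoked: bool = False  # set by logout or by reuse detection


class RefreshTokenStore:
    def __init__(self) -> None:
        self._records: Dict[str, RefreshRecord] = {}
        self._families: Dict[str, Set[str]] = {}
        self.audit_log: List[str] = []  # constructed stand-in for the audit log

    def issue(self, family: Optional[str] = None) -> Tuple[str, str]:
        """Mint a new refresh-token id; a fresh login starts a new family."""
        jti = secrets.token_urlsafe(16)
        family = family or secrets.token_urlsafe(8)
        self._records[jti] = RefreshRecord(family)
        self._families.setdefault(family, set()).add(jti)
        return jti, family

    def revoke_family(self, family: str) -> int:
        """Revoke every token in the family; returns how many were revoked."""
        members = self._families.get(family, set())
        for jti in members:
            self._records[jti].revoked = True
        self.audit_log.append(f"family {family} revoked ({len(members)} tokens)")
        return len(members)

    def rotate(self, jti: str) -> Tuple[str, Optional[str]]:
        """Exchange a refresh token for its successor.

        Returns (status, new_jti). A token that was already exchanged once
        cannot be presented honestly again, so its reappearance means the
        token was stolen or replayed and the whole family is revoked.
        """
        rec = self._records.get(jti)
        if rec is None:
            self.audit_log.append(f"unknown jti presented: {jti}")
            return "unknown", None
        if rec.revoked:
            self.audit_log.append(f"revoked jti presented: {jti}")
            return "revoked", None
        if rec.used:
            self.audit_log.append(f"reuse detected: jti {jti}, family {rec.family}")
            self.revoke_family(rec.family)
            return "reuse_detected", None
        rec.used = True
        new_jti, _ = self.issue(rec.family)
        self.audit_log.append(f"rotated {jti} -> {new_jti}")
        return "ok", new_jti


def demo() -> List[str]:
    """Login, one normal refresh, a replay of the old token, then the lock-out."""
    store = RefreshTokenStore()
    first, _family = store.issue()               # login issues the first token
    status, second = store.rotate(first)         # normal refresh: "ok"
    statuses = [status]
    statuses.append(store.rotate(first)[0])      # old token replayed: "reuse_detected"
    statuses.append(store.rotate(second)[0])     # legitimate successor is now "revoked"
    return statuses


if __name__ == "__main__":
    print(demo())  # ['ok', 'reuse_detected', 'revoked']
    print()
```

The trade-off is deliberate: revoking the family after a replay forces the legitimate user to log in again, but it guarantees that whichever party holds the stolen copy loses access at the same moment, and the audit entries give the operator a record of when the reuse occurred.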
Security posture is reviewed continuously. No system is absolutely secure — disclose only the information necessary to initiate a conversation.
Breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the relevant supervisory authority will be notified without undue delay and, where feasible, within 72 hours (Art. 33). Where the breach is likely to result in a high risk to data subjects, those data subjects will be informed without undue delay (Art. 34) by the most direct channel of contact available.
Automated decisions and profiling
The site does not perform solely automated decision-making producing legal or similarly significant effects (Art. 22). No personality profiling, no scoring, no behavioral segmentation is conducted.
Children's data
The site is directed to adult professional audiences. Personal data of children under 16 is not knowingly collected. If you believe a child's personal data has been submitted, contact the operator and it will be deleted promptly.
Lodging a complaint
You have the right to lodge a complaint with your national or regional supervisory authority (Art. 77). EU residents may contact the supervisory authority of their place of habitual residence, place of work, or the place of the alleged infringement. UK residents may contact the Information Commissioner's Office (ICO). The operator encourages you to raise concerns through the contact page first so they can be addressed directly.
Changes to this notice
Material updates to this notice are reflected by revising the Last updated date at the top of the page. Continued use of the site after a revision indicates acceptance of the updated terms. Significant changes will be additionally summarized on the homepage.
Contact
Questions about this document, data requests, or notices can be sent via the contact page. Substantive inquiries receive a response within 24 hours.