Scope
This notice describes how pulpax-portfolio (this site) collects, uses, and safeguards information provided by visitors. It applies to the public website and to the inbound-request form used for professional inquiries.
The site is operated personally by Pulpax Tangong Kwah. It is not a product, SaaS platform, or commercial data processor. The data footprint is intentionally minimal.
Information collected
Two categories of information are processed: information you provide, and technical signals captured automatically.
Information you provide — when you submit the contact / inbound-request form, the following fields are transmitted to the backend API endpoint POST /api/public/inbound-request:
- Name
- Email address
- Organization or company (optional)
- Message body and engagement context
Technical signals — to protect the form against abuse and maintain runtime stability, the backend records the request source IP address (column inbound_source_ip), the request timestamp, and standard HTTP request metadata (path, method, status). No cookies, no third-party analytics scripts, and no advertising trackers are set on the public site.
Purpose of processing
Information is processed strictly for:
- Responding to professional inquiries you initiate.
- Protecting the site and the inbound-request API against abuse, scraping, and automated submissions.
- Maintaining auditability of API access for security purposes.
Your information is never sold, rented, traded, or used to build advertising profiles.
Legal basis
Where the EU/UK General Data Protection Regulation (GDPR) applies, processing is conducted on the basis of consent (you voluntarily submit the form to initiate contact) and on the basis of legitimate interest (operating and protecting the site).
Where U.S. state privacy laws apply (including the Texas Data Privacy and Security Act), processing is conducted as necessary to respond to inquiries you have initiated.
Retention
Inbound-request records are retained while the inquiry is active and for a reasonable period afterward to allow follow-up correspondence and audit traceability. Technical security logs are retained for a limited rolling window consistent with operational and security needs.
Records that are no longer relevant are deleted or anonymized. Retention windows are operational defaults — they are not contractual commitments and may be adjusted as the platform evolves.
Security
The backend enforces JWT-authenticated admin access, security middleware, structured request logging, and HTTPS in production deployments. Source code, infrastructure standards, and operational routes are documented internally and reviewed continuously.
No system is absolutely secure. You are encouraged to share only the information necessary to initiate a conversation.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port the personal data you have provided, and to withdraw consent at any time. To exercise these rights, contact the operator through the contact page.
Requests are honored within the timelines required by the applicable law. Identity verification may be requested to prevent fraudulent requests.
For full detail on GDPR alignment, lawful basis, retention windows, sub-processors, and breach notification, see the Compliance & Data Protection page.
International transfers
The site and backend are operated from facilities located in the United States. If you contact the operator from outside the United States, information you provide will be transferred to and stored in the United States.
Changes to this notice
This notice may be updated as the site evolves. The Last updateddate at the top reflects the latest revision. Material changes will be communicated by updating that date and, where appropriate, by adding a notice on the homepage.
Contact
Questions about this document, data requests, or notices can be sent via the contact page. Substantive inquiries receive a response within 24 hours.