This policy explains how UNTRAPD handles your personal data when you use hub.untrapd.com, subscribe to our emails, or download our APK directly. It applies to the website, the newsletter, and the contact channel hub.contact@untrapd.com. The FINDERR Android app has its own dedicated policy at /apps/finderr/privacy/.
1. Data Controller
UNTRAPD is a solo independent project. Davis is the sole data controller and processes personal data as defined under the EU General Data Protection Regulation (GDPR, Regulation 2016/679).
2. What we collect, why, and on what legal basis
Email subscribers
- What: email address, sign-up date, sign-up source (e.g., security-hub-newsletter, security-hub-lockscreen-card, finderr-direct-download), the page you signed up from
- Why: to send the content you opted in to receive (security/recovery guides, FINDERR updates, newsletter)
- Legal basis: your consent — Article 6(1)(a) GDPR. You actively submitted the form. You can withdraw consent at any time by unsubscribing.
Direct APK downloaders
- What: the same fields above, plus a one-time email containing the download link and SHA-256 checksum
- Why: to deliver the APK and verify integrity
- Legal basis: your consent AND contract performance — Article 6(1)(a) and 6(1)(b) GDPR (you requested the download)
Hub website analytics
- What: pseudonymous traffic data via Google Analytics 4 (
G-S9K12W3PHT) — page views, country, device class, referrer. IP addresses are anonymized by Google before processing.
- Why: to understand which content helps people (and which doesn't), so we know what to write next
- Legal basis: legitimate interest — Article 6(1)(f) GDPR. We do not run advertising, we do not sell or share analytics data, and aggregated insights are necessary to operate a small content site.
People who email us
- What: email address and message content when you reply or write to
hub.contact@untrapd.com
- Why: to respond to you
- Legal basis: your consent by initiating the conversation, plus legitimate interest in maintaining customer support records
3. Who we share data with (sub-processors)
We use a small number of third-party services to operate. Each is bound by its own GDPR commitments:
- Netlify, Inc. — Hub website hosting (USA, with EU data processing addendum). Stores server logs and processes HTTP requests.
- Supabase, Inc. — database for email-subscriber records (
email_subscribers table) and FINDERR user accounts. EU region available; GDPR-compliant DPA in place.
- MailerSend — sends form-confirmation emails on subscription (e.g., the welcome email). EU-based provider.
- Google (Gmail Send-As) — outbound transit for newsletter broadcasts from
hub.contact@untrapd.com. Routes through Google's mail infrastructure.
- Google Analytics 4 — anonymized website analytics. IP anonymization is enabled.
- R2 (Cloudflare) — APK file storage for direct downloads.
We do not share, rent, or sell your personal data to advertisers, data brokers, or third parties for marketing purposes.
4. How long we keep your data
- Email subscribers: until you unsubscribe, plus 30 days for unsubscribe-confirmation records, after which the email address is deleted from active databases.
- Email replies / support correspondence: up to 24 months, then deleted.
- Analytics data: retained per Google's default GA4 settings (currently 14 months for event-level data, then aggregated).
- Server logs (Netlify): typically 30 days, per Netlify's retention policy.
5. Your rights under GDPR
If you are in the EU, EEA, or UK, you have the following rights regarding your personal data. Most can be exercised in seconds; all are free.
- Right of access (Article 15) — ask us what data we hold about you
- Right to rectification (Article 16) — correct inaccurate data
- Right to erasure (Article 17) — "right to be forgotten" — ask us to delete your data
- Right to restriction (Article 18) — limit how we process your data
- Right to data portability (Article 20) — receive your data in a machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interest (e.g., analytics)
- Right to withdraw consent (Article 7(3)) — unsubscribe instantly via the link in every email, or via /unsubscribe
- Right to lodge a complaint (Article 77) — with the CNIL (France's data protection authority) or your local supervisory authority
To exercise any of these rights, email hub.contact@untrapd.com. We respond within 30 days as required by Article 12(3).
6. Cookies and tracking
The Hub website uses Google Analytics 4 cookies (_ga, _ga_*) for the legitimate-interest analytics purpose described above. We do not use advertising cookies, third-party tracking pixels, or social-network cookies. Email broadcasts contain no tracking pixels — we genuinely cannot tell whether you opened a specific email.
You can disable cookies in your browser settings. The site works without them; only analytics is affected.
7. Security
Email-subscriber records are stored in Supabase with row-level security policies. Outbound emails authenticate via SPF, DKIM, and DMARC. Unsubscribe links are signed with HMAC-SHA256 to prevent tampering. The website is served over HTTPS only.
8. International transfers
Some sub-processors (Netlify, Google) are based in the United States. These transfers are covered by the EU-US Data Privacy Framework or by Standard Contractual Clauses (SCCs) as appropriate. We minimize data sent to non-EU services and use EU regions where available.
9. Children
UNTRAPD's services are not directed at children under 16. We do not knowingly collect data from children. If you believe a child has submitted personal data, contact us and we will delete it.
10. Changes to this policy
If we materially change how we process data, we will update this page (with the new "Last updated" date at the top) and notify active email subscribers in their next regular email. Cosmetic edits won't trigger a notification.