Legal · Plain English

Privacy.

Last updated · 23 May 2026 · Version 1.1

This page explains what data we collect when you use blinklabs.eu, why we collect it, where it goes, and what your rights are. We've tried to write it the same way we talk. No legalese.

Who we are

Blinklabs is a small digital studio run by Muke Spiteri in Malta. We design brands, build websites, and write custom software.

For GDPR, Blinklabs is the data controller for the information you submit through this site. The single point of contact for anything privacy-related is info@blinklabs.eu or WhatsApp +356 9997 5932.

What we collect, and when

We only collect data when you actively give it to us through the contact form or the "Let's talk" form in the pricing wizard. The data is exactly what you type in:

Name: So we know who to reply to.
Email: So we can write back.
Phone: Optional. Only if you fill it in so we can WhatsApp you.
Company: Optional. Helps us understand who you're representing.
Your message: The text you wrote about your project.
Marketing consent: A simple yes/no recorded from the tickbox on each form. Default is yes; untick and we won't add you to our occasional studio updates list.
Wizard answers: If you used the pricing wizard: which services you picked, your budget, the generated project summary. Submitted alongside your message.
IP address: Recorded with the submission for spam protection. Used to rate-limit (max 5 per hour) and dropped from working memory soon after.

The web server also keeps standard nginx access logs (your IP, the page requested, your browser version, timestamp). These keep the site running, and help if we ever need to debug an issue or stop abuse. They're rotated and deleted after 14 days.

What we don't collect. No Google Analytics, no Facebook Pixel, no behaviour profiling, no cross-site retargeting list. We do load the Google Ads tag (gtag.js) to measure whether our paid ads work, but it's gated behind the cookie banner — nothing is read or stored until you click Accept. If you click Reject, or don't choose at all, no advertising cookies are set. See the cookies section below for the full picture.

Why we collect it

One reason only: to reply to your enquiry. We use the data you give us to scope your project, write back, and follow up if there's a real conversation to be had. We never sell, rent, share, or repurpose it for marketing.

Under GDPR this is pre-contractual processing at your request (Art. 6(1)(b)) — you're asking us about a service, and we need the information to answer.

Where it goes (third parties)

When you submit a form, your data takes a short trip:

  1. The form sends it to our own Python service on our VPS.
  2. The service hands the email off to Resend (resend.com), a transactional email provider, who deliver it to our inbox.
  3. Our inbox is Google Workspace, so your message ends up in Gmail.

That's the full list. No CRM, no marketing platform, no third party gets a copy.

Sub-processors at a glance

Resend: Email delivery. Based in the US, processes data under standard contractual clauses. Logs of the send (sender, recipient, status, timestamp) sit in their dashboard for up to 30 days.
Google Workspace: Inbox hosting for info@blinklabs.eu. Standard Google business terms apply.
Our hosting provider: Runs the VPS that holds the site and the form service. EU-based.
Google (Ads + Tag): Only after you click Accept on the cookie banner. Receives standard ad-measurement signals (URL, timestamp, ad-click identifier) for our Google Ads conversion tracking. Not given your name, email, phone or message. See the cookies section.

How long we keep it

Your rights

Because we're an EU business and you most likely are too, the GDPR gives you the following rights over your data:

To exercise any of these, email info@blinklabs.eu. We'll reply within 30 days, usually much faster.

If we're not getting it right and you've spoken to us first, you can complain to Malta's Information and Data Protection Commissioner at idpc.org.mt.

Cookies

The site uses two kinds of in-browser storage. Both are described here so you know exactly what's happening.

Technical (always allowed)

Small, non-tracking items kept on your device only:

None of these are sent to anyone. They don't follow you across sites and aren't linked to a profile.

Advertising measurement (opt-in only)

We run a small Google Ads campaign to put the studio in front of Maltese businesses. To know whether the ads actually lead to enquiries, we use the Google Ads tag (gtag.js) with Google Consent Mode v2.

What Google receives when you grant consent: standard ad-measurement signals (page URL, timestamp, conversion event, an ad-click identifier Google itself set when you clicked the ad). We do not send Google your name, email, phone, or message — those stay between you and us.

Google is the controller for the data their tag collects under their privacy policy and ads controller terms. Our role is limited to embedding the tag with consent gating.

Security

Form submissions travel over HTTPS. The mail service runs as an unprivileged user on a hardened systemd unit. Honeypot + per-IP rate limiting block the obvious abuse. The API key for our email provider sits in a 0600-permission environment file readable only by the service.

No system is perfectly safe. If something does ever go wrong with your data, we'll tell you within 72 hours, as the regulation requires.

Changes to this policy

If we change anything material, we'll update the "Last updated" date at the top of this page. If the change affects what we do with data we've already collected from you, we'll write to you directly.

Contact

For anything to do with your data: