Legal · Plain English

Privacy.

Last updated · 20 May 2026 · Version 1.0

This page explains what data we collect when you use blinklabs.eu, why we collect it, where it goes, and what your rights are. We've tried to write it the same way we talk. No legalese.

Who we are

Blinklabs is a small digital studio run by Muke Spiteri in Malta. We design brands, build websites, and write custom software.

For GDPR, Blinklabs is the data controller for the information you submit through this site. The single point of contact for anything privacy-related is info@blinklabs.eu or WhatsApp +356 9997 5932.

What we collect, and when

We only collect data when you actively give it to us through the contact form or the "Let's talk" form in the pricing wizard. The data is exactly what you type in:

NameSo we know who to reply to.

EmailSo we can write back.

PhoneOptional. Only if you fill it in so we can WhatsApp you.

CompanyOptional. Helps us understand who you're representing.

Your messageThe text you wrote about your project.

Marketing consentA simple yes/no recorded from the tickbox on each form. Default is yes; untick and we won't add you to our occasional studio updates list.

Wizard answersIf you used the pricing wizard: which services you picked, your budget, the generated project summary. Submitted alongside your message.

IP addressRecorded with the submission for spam protection. Used to rate-limit (max 5 per hour) and dropped from working memory soon after.

The web server also keeps standard nginx access logs (your IP, the page requested, your browser version, timestamp). These keep the site running, and help if we ever need to debug an issue or stop abuse. They're rotated and deleted after 14 days.

What we don't collect. No tracking cookies. No Google Analytics, no Facebook Pixel, no third-party analytics. No marketing list, no retargeting, no behaviour profiling. If you don't fill in a form, we have no record that you visited beyond the 14-day server logs.

Why we collect it

One reason only: to reply to your enquiry. We use the data you give us to scope your project, write back, and follow up if there's a real conversation to be had. We never sell, rent, share, or repurpose it for marketing.

Under GDPR this is pre-contractual processing at your request (Art. 6(1)(b)) — you're asking us about a service, and we need the information to answer.

Where it goes (third parties)

When you submit a form, your data takes a short trip:

The form sends it to our own Python service on our VPS.
The service hands the email off to Resend (resend.com), a transactional email provider, who deliver it to our inbox.
Our inbox is Google Workspace, so your message ends up in Gmail.

That's the full list. No CRM, no marketing platform, no third party gets a copy.

Sub-processors at a glance

ResendEmail delivery. Based in the US, processes data under standard contractual clauses. Logs of the send (sender, recipient, status, timestamp) sit in their dashboard for up to 30 days.

Google WorkspaceInbox hosting for info@blinklabs.eu. Standard Google business terms apply.

Our hosting providerRuns the VPS that holds the site and the form service. EU-based.

How long we keep it

Emails from the contact form or wizard: kept in our inbox while the conversation is alive, then archived. If we work together, your details stay in our project records for the duration of the project and up to 7 years after for Maltese tax-record requirements.
If we never end up working together and a conversation goes cold, we delete the message thread within 6 months.
Server access logs: 14 days, then deleted by log rotation.
Rate-limit memory: not persisted at all — held only briefly in the Flask service's RAM, gone on restart.
Wizard answers stored on your device: never. The wizard runs in your browser; nothing is saved until you hit Send.

Your rights

Because we're an EU business and you most likely are too, the GDPR gives you the following rights over your data:

Access — ask us what we have about you.
Rectification — if it's wrong, we'll fix it.
Erasure — ask us to delete everything. We'll do it within 30 days.
Portability — ask for a copy in a readable format.
Restriction — tell us to pause processing while we sort something out.
Objection — tell us to stop entirely.

To exercise any of these, email info@blinklabs.eu. We'll reply within 30 days, usually much faster.

If we're not getting it right and you've spoken to us first, you can complain to Malta's Information and Data Protection Commissioner at idpc.org.mt.

Cookies

This site doesn't set tracking cookies. It might use small, technical cookies briefly to remember things like your place in the pricing wizard during a visit — these don't follow you across sites and aren't linked to a profile. No cookie banner is needed because we're not tracking you.

Security

Form submissions travel over HTTPS. The mail service runs as an unprivileged user on a hardened systemd unit. Honeypot + per-IP rate limiting block the obvious abuse. The API key for our email provider sits in a 0600-permission environment file readable only by the service.

No system is perfectly safe. If something does ever go wrong with your data, we'll tell you within 72 hours, as the regulation requires.

Changes to this policy

If we change anything material, we'll update the "Last updated" date at the top of this page. If the change affects what we do with data we've already collected from you, we'll write to you directly.

Contact

For anything to do with your data:

Email: info@blinklabs.eu
WhatsApp: +356 9997 5932