How Somyx collects, uses, and protects your data — written plain, GDPR-aligned, reviewed regularly.
Version 1.0 · Baseline: EU GDPR (2016/679) · UK GDPR · Swiss FADP (2023)
Somyx LLC is the controller of personal data collected through somyx.com. We're a small product-engineering studio based in Kyiv, Ukraine, working with clients across Europe.
For any question about your data — access, correction, deletion, restriction, portability, objection, or withdrawing consent — write to privacy@somyx.com. We read every one and reply within ten business days.
This notice covers data we collect when you visit somyx.com or write to us through any of its forms.
We apply the EU General Data Protection Regulation (GDPR, EU 2016/679) as our baseline regardless of where you are, because most of our visitors are EU-based and we'd rather hold one consistent posture than several. If you're a UK or Swiss resident, the equivalent rights under the UK GDPR and the Swiss Federal Act on Data Protection (FADP, revised 2023) apply too.
Three categories, broadly.
Information you give us through the contact form: your name, work email, company, the brief of what you want to build, your budget range, your timing, and a one-paragraph consent to be contacted. The form will not submit without the consent checkbox ticked.
Information you give us when you subscribe to our Notes: an email address, nothing else.
Technical information that any web request reveals: your IP address, your user agent, and the language your browser asks for. We read these briefly to rate-limit spam (no more than five inquiries per hour from the same address), to verify the anti-spam token, and to serve the page in the right language.
Inquiry data is used to reply to your inquiry. The legal bases under GDPR Article 6 are legitimate interest (responding to a business inquiry is what you came for) and explicit consent (the form's checkbox records that you've read this notice).
Newsletter emails are used to send the Notes you subscribed to, and nothing else. The legal basis is consent — single opt-in, with an unsubscribe link in every email.
Anonymous usage analytics are only loaded if you accept them through the cookie banner. The legal basis is consent.
IP-based rate limiting and bot verification are legitimate-interest processing aimed at keeping the contact form usable. We don't store IP addresses beyond the request that needed them.
We keep cookies to a minimum. Two categories: necessary cookies the site can't work without, and analytics cookies that only load if you opt in through the banner.
You can change your choice at any time by clicking Cookie settings in the footer.
We share the bare minimum with a small set of named processors. All of them operate under a written Data Processing Agreement.
Resend (US) delivers transactional email — your form submission to us, an auto-reply to you, and the newsletter you subscribed to.
Cloudflare (US, with EU regional infrastructure) verifies the Turnstile anti-spam token on the contact form.
Vercel (US) hosts the site and provides cookie-less analytics.
Google Analytics 4 (US), only if you accept the Analytics category, provides aggregated usage data with IP anonymisation enabled and ad-personalisation signals turned off.
Because the processors above are US-based, your data may be transferred outside the EEA, UK, or Switzerland. We rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 version) as the legal mechanism for those transfers, supplemented by the EU-US Data Privacy Framework where the processor is self-certified.
If you'd like to see the specific safeguards in place, write to privacy@somyx.com and we'll send the relevant DPA appendices.
Form submissions live in our email for 24 months in case a project conversation reopens, then they're archived or deleted on request.
Newsletter subscribers stay on the list until they unsubscribe.
Analytics data is retained for 14 months in Google Analytics 4 (the shortest retention GA4 allows); nothing personally identifiable is stored there. Vercel's cookie-less analytics retains aggregates indefinitely but cannot be tied back to an individual.
Server logs are kept for 30 days.
If you ask us to delete your data sooner than these defaults, we will — see the next section.
Under the GDPR, the UK GDPR, and the Swiss FADP you have the right to access your data, correct anything that's wrong, ask us to delete it, restrict how we use it, port it elsewhere, object to processing based on legitimate interest, and withdraw your consent at any time without affecting processing that's already taken place.
To exercise any of these, email privacy@somyx.com — no special form required. We respond within ten business days for straightforward requests and within thirty for anything that needs investigation.
If you believe we've mishandled your data, you have the right to lodge a complaint with your national data protection authority. In Ukraine that is the Ukrainian Parliament Commissioner for Human Rights. The European Data Protection Board maintains a list of EEA authorities at edpb.europa.eu.
somyx.com is not directed at children under 16, and we don't knowingly collect data from anyone in that age group.
If you believe a child has submitted data through one of our forms, write to privacy@somyx.com and we'll delete it on the same day.
We update this notice when we change what we collect, how we collect it, or who we share it with. The eyebrow at the top of this page shows the last review date.
Material changes — a new processor, a new data category, a new purpose — bump our consent version. The banner reappears so you can re-confirm your choice. Cosmetic clarifications don't reset consent.
For any question, comment, or rights request, the address is privacy@somyx.com — we read every one.
Questions about your data? Write to privacy@somyx.com.
COOKIES
We use a small set of cookies to make the site work, and — with your permission — Google Analytics to understand which pages matter. Read our privacy policy →