Privacy Policy
Last updated: January 2024
NanoStudio ("we", "our", or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website at nanostudio.dev, use our services, or engage with us in any capacity. Please read this policy carefully to understand our views and practices regarding your personal data.
1. Information We Collect
We may collect and process the following categories of personal data. This list is intended to be comprehensive but not exhaustive; we may collect additional types of information as necessary for the purposes described in this policy or as required by law.
1.1 Identity Data
This includes your first name, last name, job title, company or organization name, and similar identifiers. We collect this when you fill out our contact form, request a consultation, subscribe to our newsletter, attend a webinar or event, or engage our services. In certain contexts, we may also collect your professional background, LinkedIn profile URL, or other publicly available professional information to better understand your needs and tailor our communications.
1.2 Contact Data
This includes your email address, telephone number, physical or mailing address, and any other contact details you provide when communicating with us. We use this to respond to your inquiries, send project updates, deliver invoices, and maintain our business relationship. We may also collect alternative contact methods (e.g., Slack handle, preferred meeting platform) when coordinating project work.
1.3 Technical Data
This includes your IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device type (desktop, mobile, tablet), unique device identifiers, and other technology on the devices you use to access our website. We collect this to ensure our website functions correctly across different devices, to diagnose technical issues, to detect and prevent fraud or abuse, and to improve our website performance. We may also collect information about your internet connection speed and the referring URL or search terms that led you to our site.
1.4 Usage Data
This includes information about how you use our website, including the pages you visit, the time and date of your visits, the time spent on each page, click paths and navigation patterns, page interaction information (such as scrolling, clicks, and mouse-overs), and whether you completed specific actions (e.g., form submissions). We collect this through cookies, server logs, and similar tracking technologies. This data helps us understand user behavior, improve our content and user experience, and optimize our marketing efforts.
1.5 Marketing and Communications Data
This includes your preferences in receiving marketing from us, your communication preferences (e.g., email vs. phone), and your feedback or survey responses. We use this to send you relevant content, respect your communication preferences, and improve our services based on your feedback.
1.6 Project and Business Data
When you engage our software development services, we may collect information about your business (industry, size, goals), project requirements, technical specifications, budget and timeline constraints, existing systems and infrastructure, and other data necessary to deliver our services. This may include access credentials (securely stored and used only as authorized), API documentation, and proprietary business logic. We treat this information as highly confidential and use it solely for the purpose of delivering the agreed-upon services.
2. How We Collect Your Information
We collect personal data through a variety of means. The method of collection depends on the type of data and the context of your interaction with us. Below we describe the primary collection methods in detail.
2.1 Direct Interactions
You may give us your Identity Data, Contact Data, and other information by filling in forms on our website, corresponding with us by post, phone, email, or other means, or when you engage our services. This includes when you: complete our contact form or request a consultation; subscribe to our newsletter or marketing communications; request that we send you resources, whitepapers, or other materials; attend webinars, events, or meetings; provide feedback or complete surveys; or enter into a contract with us for our services. When you provide information on behalf of another person (e.g., a colleague or client), you represent that you have the authority to do so and that the information is accurate.
2.2 Automated Technologies
As you interact with our website, we may automatically collect Technical Data and Usage Data through cookies, server logs, web beacons, and similar technologies. Our servers automatically record information when you visit our site, including your IP address, browser type, referring/exit pages, and the date and time of your visit. We may also use third-party analytics tools that collect similar information. For more information, see Section 9 (Cookies and Tracking Technologies) below.
2.3 Third Parties
We may receive personal data about you from various third-party sources, including: (a) analytics providers such as Google Analytics; (b) advertising networks and search information providers; (c) providers of technical, payment, and delivery services; (d) data brokers or enrichment services (where permitted by law and our internal policies); and (e) publicly available sources such as LinkedIn, company websites, and public registries. We combine this data with information you provide to us to better understand your needs and improve our services.
3. How We Use Your Information
We use your personal data for the purposes described below. We will only use your data where we have a lawful basis to do so, as described in Section 4. We may process your data on more than one lawful basis depending on the specific purpose.
3.1 Service Delivery
We use your data to respond to your inquiries, provide requested information, process consultation requests, and deliver our custom software development services. This includes project scoping, development, testing, deployment, and ongoing support and maintenance. We use your Contact Data to communicate with you about project status, deliverables, and any issues that arise. We use Project and Business Data to understand your requirements and deliver solutions that meet your needs.
3.2 Marketing and Communications
Where you have opted in, we use your data to send you marketing communications about our services, industry insights, case studies, blog posts, and company updates. You may unsubscribe at any time by clicking the unsubscribe link in our emails or by contacting us. We may also use your data to personalize the content we show you and to measure the effectiveness of our marketing campaigns.
3.3 Website and Service Improvement
We use Technical Data and Usage Data to improve our website, services, and user experience. This includes analyzing how visitors navigate our site, which pages are most popular, and where users encounter difficulties. We use this information to fix bugs, optimize performance, and make content more accessible and useful.
3.4 Legal and Compliance
We use your data to comply with legal obligations (e.g., tax, accounting, regulatory reporting), to enforce our terms of service, to protect our rights and the rights of others, and to defend against legal claims. We may also use your data in connection with mergers, acquisitions, or other corporate transactions, subject to applicable law.
3.5 Administration and Security
We use your data to administer and protect our business and website, including troubleshooting, data analysis, testing, system maintenance, support, and reporting. We also use data to detect and prevent fraud, abuse, and security incidents.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR) and the UK GDPR. We will only process your data where we have a valid legal basis.
- Consent (Article 6(1)(a)): Where you have given clear, specific, and informed consent for us to process your personal data for a specific purpose. For example, when you subscribe to our newsletter or opt in to receive marketing communications. You may withdraw consent at any time.
- Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. For example, when we process your contact and project data to deliver our software development services.
- Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests include: operating and growing our business; improving our website and services; communicating with potential and existing clients; ensuring security and preventing fraud; and defending our legal rights. We conduct a balancing test to ensure our interests do not override your rights.
- Legal Obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject, such as tax, accounting, or regulatory reporting requirements.
- Vital Interests (Article 6(1)(d)): Where processing is necessary to protect your vital interests or those of another person (e.g., in an emergency). This basis is rarely used in our context.
5. Data Sharing and Disclosure
We may share your personal data with the categories of recipients described below. We require all recipients to protect your data in accordance with applicable law and our contractual obligations. We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5.1 Service Providers
We engage third-party vendors who perform services on our behalf, including: hosting and infrastructure providers (e.g., cloud hosting); email and communication service providers; analytics providers (e.g., Google Analytics); payment processors; project management and collaboration tools; and other technology service providers. These providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with applicable data protection laws. We conduct due diligence on our service providers and require them to implement appropriate security measures.
5.2 Professional Advisers
We may share your data with lawyers, accountants, auditors, insurers, and other professional advisers who provide consultancy, banking, legal, insurance, and accounting services to us. These parties are bound by confidentiality obligations and use your data only as necessary to provide their services to us.
5.3 Regulatory and Law Enforcement
When required by law, court order, or government request, we may disclose your data to regulators, law enforcement agencies, courts, or other authorities. We may also disclose your data when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your data.
6. International Data Transfers
We operate in Indonesia, Singapore, and remotely. Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your jurisdiction. For example, if you are in the European Economic Area (EEA), your data may be transferred to Singapore, Indonesia, or the United States where our service providers or we have operations.
When we transfer data internationally, we implement appropriate safeguards to ensure your data remains protected. These safeguards may include: (a) Standard Contractual Clauses (SCCs) approved by the European Commission or other relevant authorities; (b) adequacy decisions recognizing that the destination country provides adequate data protection; (c) binding corporate rules; or (d) other mechanisms permitted under applicable law. You may request a copy of the safeguards we use by contacting us.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting requirements. Our retention periods vary depending on the type of data and the purpose for which it was collected.
7.1 Marketing and Contact Data
For contact form submissions, newsletter subscriptions, and other marketing-related data, we typically retain data for up to three (3) years from your last interaction with us, unless you request deletion sooner or withdraw consent. If you unsubscribe from our communications, we may retain a minimal record (e.g., email address) to ensure we do not inadvertently contact you again.
7.2 Client and Project Data
For client project data, we retain data for the duration of our engagement and for a reasonable period thereafter (typically seven (7) years) to comply with legal obligations (e.g., tax, contract), resolve disputes, and enforce our agreements. Some data may be retained longer if required by law or for legitimate business purposes.
7.3 Technical and Usage Data
Technical Data and Usage Data (e.g., analytics) are typically retained in aggregated or anonymized form. Raw data may be retained for a shorter period (e.g., 12-24 months) for analytics and security purposes, after which it is deleted or anonymized.
8. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data. We will respond to your requests in accordance with applicable law and within the timeframes specified by such law (e.g., 30 days under GDPR, 45 days under CCPA).
8.1 Right of Access
You have the right to request a copy of the personal data we hold about you. We may ask you to verify your identity before processing your request. In some jurisdictions, you may be entitled to receive information about the categories of data we process, the purposes of processing, and the recipients of your data.
8.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. We will take reasonable steps to correct the data promptly. If we have shared your data with third parties, we will inform them of the correction where practicable.
8.3 Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary, you withdraw consent, or you object to processing and we have no overriding legitimate grounds. This right is not absolute; we may retain data where we have a legal obligation or legitimate interest to do so.
8.4 Right to Restriction
You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data, the processing is unlawful but you prefer restriction to deletion, or we no longer need the data but you need it for legal claims.
8.5 Right to Data Portability
Where we process your data by automated means based on your consent or a contract, you may have the right to receive your data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
8.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to marketing, we will stop processing your data for that purpose. For other objections, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
8.7 Right to Withdraw Consent
Where we rely on your consent to process your data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your data violates applicable law. We encourage you to contact us first so we can address your concerns.
To exercise any of these rights, please contact us via our contact page.
9. Cookies and Tracking Technologies
Our website uses cookies, web beacons, pixels, and similar technologies (collectively, "Tracking Technologies") to enhance your experience, analyze site traffic, and personalize content. A cookie is a small text file that is placed on your device when you visit a website. Cookies can be "session" cookies (deleted when you close your browser) or "persistent" cookies (remain until they expire or you delete them).
9.1 Types of Cookies We Use
- Strictly Necessary Cookies: These are essential for the website to function. They enable core functionality such as security, network management, load balancing, and access to secure areas. You cannot opt out of these cookies without affecting website functionality.
- Performance and Analytics Cookies: These collect information about how visitors use our site (e.g., pages visited, time on site, bounce rate). We use this to improve our website. Examples include Google Analytics. The data these cookies collect is typically aggregated and anonymized.
- Functional Cookies: These remember your preferences and choices (e.g., language, region, font size) to provide a more personalized experience. They may also enable features such as live chat or embedded content.
- Targeting or Advertising Cookies: If we use advertising in the future, these cookies may be used to deliver relevant ads and track ad campaign effectiveness. They may be set by us or by third-party advertising partners.
9.2 Third-Party Cookies
Some cookies are placed by third-party services that appear on our pages. For example, if we embed a YouTube video, YouTube may set its own cookies. We do not control these third-party cookies. Please refer to the respective third party's privacy policy for more information.
9.3 Managing Cookies
You can control and manage cookies in several ways. Most browsers allow you to refuse or accept cookies through their settings. You can also delete cookies that have already been set. Please note that blocking or deleting certain cookies may impact your experience on our website and limit the functionality we can offer. For more information, visit your browser's help section or visit www.allaboutcookies.org.
10. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include, but are not limited to:
- Encryption: We use encryption in transit (TLS/SSL) and at rest where appropriate to protect sensitive data.
- Access controls: We limit access to personal data to authorized personnel on a need-to-know basis and use strong authentication where applicable.
- Secure hosting: We use reputable hosting providers that implement industry-standard security practices.
- Regular assessments: We periodically review our security practices and update them as needed to address emerging threats.
- Employee training: We train our personnel on data protection and security best practices.
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of any passwords or credentials you use to access our services. If you suspect unauthorized access to your data, please contact us immediately.
11. Children's Privacy
Our website and services are not directed to individuals under the age of 18 (or the age of majority in your jurisdiction, if higher). We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately. We will take steps to delete such information from our systems as soon as reasonably practicable. If we learn that we have collected personal data from a child, we will delete that information unless we are required by law to retain it.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay. Our notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, the measures we have taken or propose to take to address the breach, and contact details for further information. We maintain an incident response plan and conduct regular reviews to minimize the risk of breaches.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share the information.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., to complete a transaction, detect security incidents, comply with legal obligations).
- Right to Correct: You may request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising in a way that constitutes a "sale" under the CCPA.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us via our contact page. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf; we may require proof of such authorization. We will respond within 45 days of receiving a verifiable request.
14. Other Regional and International Considerations
Brazil (LGPD): If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, or delete your data, and to receive information about data sharing. You may also have the right to revoke consent and to data portability.
Indonesia (UU PDP): If you are in Indonesia, the Undang-Undang Perlindungan Data Pribadi (UU PDP) may apply. We process your data in accordance with applicable Indonesian data protection requirements and will respond to requests from Indonesian data subjects in accordance with the law.
Singapore (PDPA): If you are in Singapore, the Personal Data Protection Act (PDPA) applies. You have rights to access and correct your personal data, and we will process your data in accordance with the PDPA's consent and purpose limitation requirements.
Other Jurisdictions: We strive to comply with applicable data protection laws in all jurisdictions where we operate or where our users are located. If you have questions about your rights in your jurisdiction, please contact us.
15. Do Not Track and Global Privacy Control
Some browsers offer a "Do Not Track" (DNT) signal. There is no universally accepted standard for how websites should respond to DNT signals. Currently, our website does not alter its behavior based on DNT signals. We may revisit this as standards evolve. If you use Global Privacy Control (GPC) or similar signals, we will honor your opt-out preferences where technically feasible and where required by applicable law.
16. Third-Party Links and Services
Our website may contain links to third-party websites, plugins, or applications (e.g., social media, partner sites, case study references). Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party sites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit. Our inclusion of links does not imply endorsement of the linked site or its content.
17. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, regulatory guidance, or other factors. When we make material changes, we will notify you by posting the updated policy on this page, updating the "Last updated" date, and, where appropriate, by sending you an email or other notification. We encourage you to review this policy periodically. Your continued use of our website or services after the effective date of any changes constitutes your acceptance of the revised policy. If you do not agree to the updated policy, you may need to discontinue use of our services and contact us to request deletion of your data where applicable.
18. Contact Us
If you have questions about this privacy policy or wish to exercise your rights regarding your personal data, please contact us through our contact page.