Nº 0X / PRIVACY

Privacy

Effective: April 30, 2026 · Last updated: April 30, 2026

PLAIN-LANGUAGE SUMMARY

The short version.

A plain-English read of how this site handles your data. The full legal policy is below.

What this site collects

  • If you submit the contact form: your name, email, the message you write, the category you picked, and — if you fill them in — your company and how you found us.
  • If you sign up for the newsletter (footer form, or the checkbox on the contact form): just your email.
  • Automatically when either form is submitted: your browser type, the page that sent you here, and a one-way hash of your IP address. We never store your raw IP — only a hash used to throttle spam.
  • If you accept analytics in the cookie banner: pageviews, clicks, and the basic browser info PostHog auto-collects. If you decline, none of this is captured.

What we do with it

  • Respond to your inquiries.
  • (Eventually) send you a newsletter. There isn't one yet. We'll write when there's something worth saying.
  • See which Lab Notes get read and where readers come from, so we can write better ones.
  • Keep spammers out.

What we never do

  • Sell your data.
  • Build advertising profiles.
  • Share the contents of your message with anyone outside Alcheva Holdings LLC and the service providers listed below.
  • Send marketing email to people who submitted the contact form without ticking the newsletter checkbox.

You're in control

  • Change your mind on cookies: use the "Cookie preferences" link in the footer.
  • See, correct, or delete your data: use the contact form (category General) and mention "privacy request" in the message.
  • Unsubscribe from the newsletter at any time — once a real newsletter exists, every email will include an unsubscribe link.

Read the full policy ↓

1. Introduction

This Privacy Policy describes how Alcheva Holdings LLC ("Alcheva," "we," "us," or "our") collects, uses, shares, and protects your personal information when you visit alchevalabs.com (the "Site"), the marketing site for the Alcheva Labs studio brand. By using the Site, you agree to the collection and use of information as described in this policy.

This Site is a marketing site. It does not host user accounts, store payment information, or run a mobile application. Separate Alcheva products (such as Subplot) have their own privacy policies covering their app-specific data flows.

2. Information We Collect

2.1 Information You Provide

  • Contact form submissions. When you submit the form at /contact, we collect: the inquiry category you select (one of: consulting, product feedback, press, partnership, speaking, or general), your name, your email address, the message you write, and — optionally — your company or context, where you found us, and whether you'd like to join the newsletter list.
  • Newsletter signups. If you submit the newsletter form in the site footer, we collect only your email address. If you tick the newsletter checkbox while submitting the contact form, your email is added to the same newsletter list.

2.2 Information Collected Automatically

  • Submission metadata. When you submit either form, we automatically capture: a SHA-256 hash of your IP address (used for rate limiting; we do not store the raw IP), the user-agent string of your browser, and the referring URL that sent you to the form.
  • Server logs. Our hosting provider (Vercel) maintains standard request logs that include IP address, timestamp, request path, status code, and user-agent for operational and security purposes. These logs are retained per Vercel's policies and are not used for marketing or analytics.
  • Analytics (opt-in only). When — and only when — you click Accept in our cookie banner, we load PostHog product analytics. PostHog auto-captures pageviews, page leaves with engagement time, button clicks, and form submission events, plus standard browser and device information (browser type, OS, viewport size, IP-derived approximate location at city/region level). See Section 8 for details on the cookies and storage PostHog uses.
  • Spam protection. The contact form embeds Cloudflare Turnstile, an invisible anti-bot widget. Cloudflare may collect signals from your browser (such as a challenge token, basic device characteristics, and your IP address) to distinguish humans from bots. This processing happens whether or not you have accepted analytics, because spam protection is necessary to operate the form.

3. How We Use Your Information

We use the information we collect to:

  • Respond to your inquiries. The founder reads contact-form submissions and writes back.
  • Manage newsletter interest. If you opted in, your email sits at status pending until the newsletter actually launches. At that point we will either send a one-time confirmation email through our email service provider, or migrate your address as a cold subscriber where the law permits — your choice will be honored either way, and every newsletter email will include an unsubscribe link.
  • Operate and improve the Site. If you accepted analytics, we use aggregate PostHog data to understand which Lab Notes get read, where readers come from, and where people drop off on the contact page.
  • Prevent spam and abuse. Turnstile, a hidden honeypot field, and a per-IP-hash rate limit (max 3 contact submissions or 5 newsletter submissions per hour) protect the form from automated abuse. Submissions that fail any of these checks are silently flagged in our database and never trigger newsletter signup, even if the checkbox was ticked.
  • Send a periodic digest to the founder. Every eight hours, a scheduled job summarizes new inquiries and newsletter signups and sends that summary by email — via Resend — to the founder. This digest goes only to the founder and is not shared externally.
  • Comply with legal obligations. We may use your information to respond to lawful requests from authorities and to enforce our Terms of Service.

4. How We Protect Your Information

4.1 Encryption at rest

All data stored in our database (PostgreSQL via Supabase) is encrypted at rest. This includes contact-form inquiries and newsletter subscriber records.

4.2 Encryption in transit

All data transmitted between your browser and our servers is encrypted via TLS (HTTPS). Form submissions, page requests, and analytics events are all sent over encrypted channels.

4.3 Access control

The database tables that hold inquiries and newsletter subscribers have Row-Level Security enabled, and the public ("anon") API key has no read or write access to either table. All form submissions are written by server-side code using a service-role credential that exists only on the server and is never exposed to the browser. Reading the data requires logging into the Supabase dashboard with the founder's credentials.

4.4 IP addresses are hashed, not stored

To enable rate limiting without retaining personally identifying network data, we hash incoming IP addresses with SHA-256 and store only the hash. The raw IP is never written to our database.

5. Data Retention

5.1 Contact-form inquiries

Inquiries are business records. We retain them indefinitely. If you ask us to delete an inquiry (see Section 7), we will mark it as archived in our database — removing it from any active use, the founder's reading queue, and any future analysis or reporting. The row itself is preserved for legal and audit reasons, but contains nothing more than what you submitted plus the automatic metadata in Section 2.2.

5.2 Newsletter subscribers

Email addresses on the newsletter list are retained until you unsubscribe or request deletion, or until we retire the list (for example, if we discontinue the newsletter). Once a real newsletter launches, every email will include a one-click unsubscribe link.

5.3 Server logs

Vercel server logs are retained per Vercel's policies (typically a rolling window of a few days to a few weeks). We do not control Vercel's log retention beyond their published settings.

5.4 Analytics

PostHog event data is retained for as long as we maintain a PostHog account, subject to PostHog's own retention policies. If you previously accepted analytics and want your captured events deleted, see Section 7.

6. Data Sharing

6.1 Service providers

We share data with the following service providers, solely to operate the Site:

  • Supabase — database and storage. Hosts the inquiries and newsletter tables. (US-hosted on AWS.)
  • Vercel — site hosting and serverless functions. Sees standard request logs and processes form submissions on their compute. (US-hosted.)
  • Cloudflare (Turnstile) — anti-bot protection for the contact form. Receives a token and basic device signals to distinguish humans from automated traffic.
  • Resend — transactional email. Sends the eight-hourly digest summary to the founder. Resend processes the email content during delivery.
  • PostHog — product analytics, only after you accept the cookie banner. Receives pageview events, click events, and standard browser/device metadata. (You can choose between US and EU hosting; this Site uses the US region by default.)

We do not authorize these providers to use your data for any purpose other than providing services to us.

6.2 What we do not do

  • We do not sell your personal data. Not to advertisers, not to data brokers, not to anyone.
  • We do not build advertising profiles. Your inquiry contents and analytics events are not used for ad targeting or behavioral profiling. The Site does not load any advertising or social pixel (Google Ads, Meta Pixel, TikTok, LinkedIn Insight, etc.).
  • We do not share inquiry contents externally. The body of your message stays inside our systems and the service providers listed above.
  • We do not send marketing email to inquirers who did not opt in. If you submitted the contact form without ticking the newsletter checkbox, you will only ever hear from us as a direct reply to your inquiry.

6.3 Legal requirements

We may disclose your information if required by law, legal process, or governmental request, or to protect the rights, safety, or property of Alcheva Holdings LLC, our users, or the public.

7. Your Rights and Choices

7.1 Access and portability

You may request a copy of the personal data we hold about you. Use the contact form (category General) and mention "privacy request" in the message. We will respond with your data in a portable, machine-readable format.

7.2 Correction

If we hold something about you that's wrong, request a correction the same way. We'll either fix the underlying record or annotate it, depending on what makes sense.

7.3 Deletion

Use the contact form to request deletion. We will mark any inquiry from you as archived (see Section 5.1) and remove your email from the newsletter list immediately. We will respond within 30 days.

7.4 Cookie and analytics preferences

You can change your cookie choice at any time via the Cookie preferences link in the site footer. If you switch from Accept to Decline, PostHog is told to stop capturing immediately, and its stored identifiers are cleared on your next page load.

7.5 Newsletter unsubscribe

Until a real newsletter launches, you have not received any email from us, and there is nothing to unsubscribe from in your inbox. Once we launch the newsletter, every email will include a one-click unsubscribe link, and unsubscribing will set your record's status to unsubscribed in our database.

8. Cookies and Similar Technologies

8.1 Strictly necessary storage

We use a single localStorage key, alcheva-consent, to remember whether you accepted or declined non-essential analytics. This entry is set only by you clicking Accept or Decline in the cookie banner. It is required for the consent mechanism itself and does not require consent to store.

8.2 Analytics (opt-in only)

When — and only when — you click Accept in our cookie banner, we load PostHog. PostHog sets cookies prefixed ph_ and additional localStorage keys to assign an anonymous visitor ID, group events into sessions, and record page views. We do not sell this data or share it with advertisers. You can revoke consent at any time via the Cookie preferences link in the site footer; when you revoke, PostHog is instructed to stop capturing and its stored identifiers are cleared on your next page load.

8.3 Anti-bot protection

Cloudflare Turnstile, embedded on the contact form, may set its own short-lived cookies or storage entries to remember that you've passed the challenge. This is necessary to operate the form and is not used for tracking across sites.

8.4 No advertising or social pixels

This Site does not load Google Analytics, Google Ads, Meta/Facebook Pixel, TikTok, LinkedIn Insight, Hotjar, session replay, or any third-party advertising or social tracker.

9. Children's Privacy

This Site is intended for adults and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information through the Site, contact us via the contact form and we will delete it promptly.

10. International Data Transfers

Our database (Supabase) and hosting (Vercel) are based in the United States. If you access the Site from outside the United States, your data will be transferred to and processed in the United States. By using the Site, you consent to this transfer.

11. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know: request the categories and specific pieces of personal information we have collected about you.
  • Right to delete: request deletion of your personal information, subject to certain exceptions (such as our need to retain inquiries as business records — see Section 5.1).
  • Right to opt out of sale: we do not sell personal information. No opt-out is necessary.
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise these rights, use the contact form (category General) and mention "CCPA request."

12. European Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a contract or pre-contractual steps — when we respond to your contact-form inquiry.
  • Consent — for non-essential analytics (PostHog) and for newsletter signups.
  • Legitimate interests — for spam protection, security logging, and operational record-keeping, where your rights do not override our interests.

You have the right to access, rectify, erase, restrict processing, and port your data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. Use the contact form to exercise these rights and we will respond within 30 days.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will note the date of the most recent revision in the "Last updated" line at the top. If we make material changes, we will indicate that prominently on this page for at least 14 days before the changes take effect. Continued use of the Site after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or our data practices, use the contact form at alchevalabs.com/contact and select the General category. Mention "privacy" in the subject of your message and we will route it accordingly. We aim to respond to privacy-related inquiries within 30 days.

Alcheva Holdings LLC operates this Site under the Alcheva Labs studio brand.

↑ Back to the summary