Privacy & Cookies · TH-LG-001

What we collect. Why. What you can do about it.

Last updated 04 June 2026 GDPR / RGPD EU Regulation 2016/679 Controller ThroughPortal.com

In one paragraph

ThroughPortal.com is a fictional concept site. The only data we receive about you is what your browser sends when it makes a request, plus anything you choose to submit through the access form. We do not run advertising, analytics, tracking pixels, or any third-party tag. We use no HTTP cookies. Some preferences (language, dismissed notices) live in your browser's localStorage, never sent to our server. Full detail below.

§1Data controller

For the purposes of EU Regulation 2016/679 ("GDPR") and the equivalent UK regulation, the data controller for this site is the operator of ThroughPortal.com. ThroughPortal.com is a fictional concept created as a design study. Where this policy refers to "we", "us", or "the controller", it refers to the natural person publishing this site.

You may exercise any right described in §6 by contacting the controller through the access form, with the subject line Data request.

§2What we collect, and only what we collect

a. Through the access form

The access form (the only form on the site) collects what you choose to type into it. Submissions are processed by Formspree, Inc., our form backend. Possible fields:

Name — optional
Organisation — optional
Email address — required, used only to reply to you
Message — optional

Formspree forwards the message to the controller's mailbox. No marketing list, no enrichment, no resale.

b. Automatic technical data

Whenever your browser fetches a page, it sends standard HTTP request metadata to our host (Vercel) — IP address, User-Agent, the URL requested, a timestamp, and the referrer if any. Vercel processes this for the strictly necessary purpose of serving the site and protecting it from abuse, and retains it as access logs for a limited period under its own policy (see vercel.com/legal/privacy-policy).

c. What we do NOT collect

No analytics or telemetry (no Google Analytics, no Plausible, no Fathom, no Matomo, no Hotjar, no Sentry, nothing).
No advertising tags or remarketing pixels (no Meta Pixel, no Google Ads tag, no LinkedIn Insight).
No fingerprinting, no cross-site tracking, no profiling.
No social media share buttons that load third-party scripts.

§3Purposes & legal basis

Purpose	Legal basis
Replying to your access-form submission	Consent (Art. 6(1)(a) GDPR), implied by the act of submitting the form.
Serving the website (host logs)	Legitimate interest (Art. 6(1)(f)) — the security and proper operation of the service.
Persisting your language preference	Stored locally on your device only; no transmission to the controller. No GDPR basis required.

§4Local storage & cookies

ThroughPortal.com sets no HTTP cookies of any kind. No consent banner is required, because there is nothing to consent to.

We do use the browser's localStorage API to remember a few preferences, exclusively on your device. None of this data ever leaves your browser:

throughportal.lang — the language you last picked (en or fr).
throughportal.btc.eur.rate — a 5-minute cache of the BTC/EUR exchange rate fetched from CoinGecko, so we don't refetch it on every page.
throughportal.wp-notice.dismissed — a flag set if you dismissed the white-paper translation notice.

You can clear these at any time through your browser's site-data settings.

Live BTC rate: when you visit the pricing section, your browser calls the public CoinGecko API to fetch the BTC/EUR rate. CoinGecko sees your IP and User-Agent. No personal data is passed. See coingecko.com/en/privacy.

§5Sub-processors

Three third-party services are involved in serving the site. Each is bound by its own privacy terms and acts as a processor where required.

Service	Role	Location
Vercel Inc.	Hosting & CDN	USA (with EU edges)
Formspree, Inc.	Access-form backend	USA
CoinGecko	Public BTC/EUR rate API	Singapore

For transfers outside the EEA, the controller relies on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) where applicable, alongside the service's own safeguards.

§6Your rights

Under the GDPR you have the following rights, free of charge, exercisable through the access form (subject line Data request):

Right of access — Art. 15. Receive a copy of the data we hold about you.
Rectification — Art. 16. Correct inaccurate data.
Erasure ("right to be forgotten") — Art. 17. Have your data deleted.
Restriction of processing — Art. 18.
Data portability — Art. 20. Receive your data in a structured, machine-readable format.
Objection — Art. 21. Object to processing based on legitimate interest.
Withdraw consent — at any time, for any processing based on consent. Past processing remains lawful.

We answer within thirty days. Identity verification may be requested if the request is unclear.

You also have the right to lodge a complaint with a supervisory authority — in France, the CNIL; in the UK, the ICO; in any other EU/EEA country, your national DPA.

§7Retention

Form submissions — retained for 12 months after the last exchange, then deleted.
Email correspondence — same: 12 months after the last reply.
Host access logs — retained by Vercel under their own policy (typically 30 days for IP-level data).

§8Security

The site is served over HTTPS with HSTS (Strict-Transport-Security max-age 2 years). Submissions to the access form are TLS-encrypted in transit. Stored correspondence is held in standard end-user mail infrastructure under the controller's reasonable security practices.

§9Children

This site is not directed at children under sixteen. We do not knowingly collect data from minors. If you believe a minor has submitted data through the form, contact us to have it erased.

§10Changes to this policy

Material changes will be reflected in the "Last updated" date at the top of this page. The page is versioned in the public repository of the site — every revision is visible there.