Privacy Policy
Last updated: 30 May 2026
This policy describes how personal data is collected and handled when you visit eshu.earth. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), India's Digital Personal Data Protection Act 2023 (DPDP), and Canada's PIPEDA.
Plain-English Summary
This is a personal portfolio site. When you use the AI chat, your IP address, question, and the AI's response are logged to Supabase and deleted after 30 days. Your IP is also used for rate-limiting via Upstash Redis, where it expires after 60 seconds. Nothing is sold. No cookies. No ads. No trackers.
The full legal detail is below. If something isn't clear, email contact@eshu.earth.
2. Who Is Responsible for Your Data
The data controller for eshu.earth is Eshupriye Belgotra. This site is operated as a personal project and is not affiliated with any company or institution. For all privacy-related enquiries, contact contact@eshu.earth.
3. What Personal Data Is Collected
| Data | Collected when | Purpose | Legal basis | Stored in |
|---|---|---|---|---|
| IP address | Every AI chat message sent | Rate limiting (max 10 req / 60 s) and abuse prevention | Legitimate interests (Art. 6(1)(f) GDPR) | Supabase logs table + Upstash Redis (60 s TTL) |
| Chat question | Every AI chat message sent | Generate an AI response via OpenAI; logged for debugging and quality monitoring | Legitimate interests (Art. 6(1)(f) GDPR) | Supabase logs table (30-day retention) |
| AI response | Every AI chat message sent | Logged alongside the question for debugging and monitoring response quality | Legitimate interests (Art. 6(1)(f) GDPR) | Supabase logs table (30-day retention) |
| Name, email address, free-text message | Contact form submission only | To respond to your enquiry | Consent / Legitimate interests | Email only (Resend → Gmail). Not written to any database. |
| Server request metadata (IP, user-agent, URL path, timestamp) | Every page load and API request | Infrastructure logging, error monitoring, and DDoS protection | Legitimate interests | Vercel edge logs (Vercel's own infrastructure — see Vercel Privacy Policy) |
4. What Is Not Collected
Cookies
This site sets no cookies of any kind — not session cookies, not preference cookies, not analytics cookies.
Tracking pixels or fingerprinting
No tracking pixels, web beacons, canvas fingerprinting, or device fingerprinting are used.
Analytics
No Google Analytics, Mixpanel, Amplitude, PostHog, or equivalent analytics service is installed.
Advertising data
No advertising networks or retargeting pixels are present. Your data is never used for advertising.
Sensitive personal data
This site never asks for or processes special-category data (health, biometric, racial origin, political opinion, religion, sexual orientation, etc.).
5. How Long Data Is Retained
Supabase chat logs (IP + question + response)
Automatically deleted 30 days after the log entry is created. A scheduled pg_cron job runs daily at 02:00 UTC and hard-deletes any row where created_at < now() - interval '30 days'. There is no soft-delete or archive.
Upstash Redis rate-limit keys
Each key is a hashed representation of your IP address. Keys have a TTL equal to the sliding window (60 seconds) and are automatically evicted by Redis after that window closes. No IP data persists in Redis beyond 60 seconds.
OpenAI API inputs and outputs
Your messages are transmitted to OpenAI's API (GPT-4o mini for chat, text-embedding-3-small for semantic search). Per OpenAI's API data usage policy, API inputs and outputs may be retained by OpenAI for up to 30 days for abuse monitoring, after which they are deleted. OpenAI does not use API data to train its models by default. See openai.com/policies/api-data-usage-policies.
Vercel infrastructure logs
Vercel retains server-side access logs according to their own data retention policy. This site has no control over that retention. See vercel.com/legal/privacy-policy.
Contact form submissions
Retained only as long as the email correspondence is active. Not stored in any database operated by this site. Resend processes the email transiently and does not store message content beyond delivery.
6. Third-Party Sub-Processors
Vercel (hosting and edge network)
All web traffic passes through Vercel's infrastructure. Vercel may log IP addresses, user-agent strings, and request paths for infrastructure and security purposes. Privacy policy: vercel.com/legal/privacy-policy
Supabase (database)
Chat logs (IP address, question text, AI response text, timestamp) are stored in a PostgreSQL database hosted on Supabase. Data is stored in the AWS region selected during project setup. Supabase is SOC 2 Type 2 certified. Privacy policy: supabase.com/privacy
Upstash (Redis — rate limiting)
IP addresses are written as rate-limit keys to an Upstash Redis instance with a 60-second TTL. Upstash is GDPR-compliant and does not use your data for any purpose other than serving the Redis API. Privacy policy: upstash.com/privacy
OpenAI (AI responses and embeddings)
Your chat questions are sent to OpenAI's API to (a) generate a vector embedding for semantic search, and (b) generate a natural language response via GPT-4o mini. OpenAI is a US-based processor. Data transfers from the EEA to the US are covered by OpenAI's Standard Contractual Clauses. Privacy policy: openai.com/policies/privacy-policy
Resend (transactional email)
Contact form submissions are delivered via Resend. Resend processes your name, email address, and message content transiently to route the email. Privacy policy: resend.com/legal/privacy-policy
7. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) or United Kingdom, all processing is conducted under Article 6(1)(f) GDPR — Legitimate Interests. The specific legitimate interests are:
- Abuse prevention and rate limiting: Logging IP addresses is necessary to enforce per-IP request limits and prevent automated abuse of the AI assistant, which incurs direct API cost.
- Debugging and quality assurance: Storing chat questions and responses allows diagnosis of broken responses, retrieval failures, and unexpected model behaviour.
- Security monitoring: Retaining logs for 30 days allows investigation of any security incidents or misuse patterns after the fact.
A balancing test has been considered: the data collected is minimal (no names, no account data, no persistent identifiers beyond IP), the retention period is short (30 days), and the purposes are limited to the operational integrity of the site. The processing is proportionate and unlikely to override the interests or fundamental rights of users. You have the right to object to this processing at any time (see section 9).
For contact form submissions, processing is based on Article 6(1)(a) — Consent (you voluntarily submit the form) and Article 6(1)(f) — Legitimate Interests (responding to a direct enquiry).
8. International Data Transfers
This site is operated from Canada, which the European Commission has recognised as providing adequate protection under GDPR (adequacy decision for PIPEDA). Data stored in Supabase and processed by OpenAI may reside on servers in the United States. Transfers to the US rely on Standard Contractual Clauses (SCCs) or the relevant processor's data processing agreements where applicable. Upstash offers EU-region Redis instances; the region in use for this project is determined by the Upstash configuration. If you have concerns about the specific region your data is processed in, contact contact@eshu.earth.
9. Your Rights
Right of access (Art. 15 GDPR / CCPA / DPDP)
You may request a copy of all personal data held about you. Because chat logs are indexed by IP address and timestamp, please include your IP address and the approximate date(s) of your chat session(s) in your request to allow records to be located.
Right to rectification (Art. 16 GDPR / DPDP)
If personal data held about you is inaccurate, you may request correction. Note that chat logs are factual records of what was sent and received and are not subject to correction on grounds of disagreement with the content.
Right to erasure / right to be forgotten (Art. 17 GDPR / CCPA / DPDP)
You may request deletion of your personal data at any time, ahead of the automatic 30-day deletion schedule. Requests will be executed within 7 days. Note that data already automatically expired from Redis cannot be 'deleted' as it no longer exists.
Right to restriction of processing (Art. 18 GDPR)
You may request that processing of your data be restricted (i.e., data is retained but not actively used) while a dispute or request is being handled.
Right to data portability (Art. 20 GDPR)
You may request your data in a structured, machine-readable format (JSON). Given the limited nature of the data (IP, question text, response text, timestamp), this can be provided by email.
Right to object (Art. 21 GDPR)
You may object to the processing of your personal data where processing is based on legitimate interests. Upon receiving a valid objection, processing will cease unless there are compelling legitimate grounds that override your interests, or processing is necessary for the establishment or defence of legal claims.
Right to withdraw consent
Where processing is based on consent (contact form), you may withdraw consent at any time by contacting contact@eshu.earth. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
CCPA — California residents
California residents have the right to: (1) know what personal information is collected and how it is used; (2) delete personal information; (3) opt out of the sale of personal information. This site does not sell personal information. To submit a CCPA request, email contact@eshu.earth with the subject 'CCPA Request'.
India DPDP Act 2023
Under India's Digital Personal Data Protection Act 2023, you have the right to access information about your personal data, correct inaccurate data, erase data no longer needed for the purpose it was collected, and nominate another person to exercise rights on your behalf. To submit a DPDP request, email contact@eshu.earth with the subject 'DPDP Request'.
Canada PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act, you have the right to access personal information held about you and to challenge its accuracy. Contact contact@eshu.earth to make a PIPEDA access request.
Right to lodge a complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is your national Data Protection Authority. In the UK, it is the ICO (ico.org.uk). In Canada, it is the Office of the Privacy Commissioner (priv.gc.ca). In India, it is the Data Protection Board of India.
10. How to Exercise Your Rights
Email contact@eshu.earth with the subject line "Privacy Request — [type of request]" (e.g. "Privacy Request — Erasure", "Privacy Request — Access").
Please include:
- The type of request (access, erasure, objection, etc.)
- Your IP address — this is the only identifier available to locate your chat log records. You can find your IP at whatismyip.com.
- Approximate date(s) of the chat session(s) in question (if known)
All requests will be acknowledged within 72 hours and fulfilled within 30 days (or sooner where possible). There is no charge for reasonable requests.
11. Data Security
All data in transit is encrypted via HTTPS/TLS. Supabase data at rest is encrypted by AWS (AES-256). Access to the Supabase database is restricted to server-side API routes using a service role key that is never exposed to the client. The Upstash Redis instance is accessed via HTTPS with token authentication. Environment variables (API keys, database credentials) are stored in Vercel's encrypted environment variable store and are never committed to source control. Despite these measures, no system is 100% secure. In the event of a data breach that affects your personal data, affected users will be notified by email (where contact details are available) within 72 hours of discovery, in accordance with GDPR Art. 33–34 obligations.
12. Children's Privacy
This site is not directed at children under the age of 13 (or under 16 in jurisdictions where that threshold applies, including the EU under GDPR). If you are under the applicable age, please do not use the AI chat or submit personal data through the contact form. If you are a parent or guardian and believe a child has submitted personal data through this site, contact contact@eshu.earth and the data will be deleted within 48 hours.
13. Cookies and Tracking Technologies
This site does not use cookies of any kind. No first-party cookies, no third-party cookies, no local storage tokens, no session storage, no tracking pixels, no web beacons, no canvas or browser fingerprinting, and no cross-site tracking of any kind. The only browser-side state used is in-memory React state (chat message history), which is cleared when you close or refresh the page and is never persisted.
14. Automated Decision-Making and Profiling
This site does not engage in automated decision-making or profiling as defined under Art. 22 GDPR. The AI chat assistant generates responses based solely on the content of your question and a set of pre-loaded documents about Eshu. No user profiles are built, no behavioural patterns are analysed, and no decisions with legal or similarly significant effects are made based on your data.
15. Changes to This Policy
This policy may be updated to reflect changes in the site's functionality, data practices, or applicable law. The "Last updated" date at the top of this page will always reflect the most recent revision. For material changes that expand the scope of data collection or alter your rights, a notice will be added to the site for a reasonable period. Continued use of the site after a policy update constitutes acknowledgement of the updated terms. Previous versions of this policy are available on request.
© 2026 eshu.earth · This policy applies to this site only.