Your privacy, your call.
A practical guide to exercising your data-protection rights on this Site — under GDPR (EU/UK), CCPA/CPRA (California), and the state privacy laws of Virginia, Colorado, Connecticut, Utah, and Texas.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We have not done so in the preceding twelve months. There is no opt-out to give you because there is nothing to opt out of.
This statement satisfies the CCPA/CPRA requirement that the "Do Not Sell or Share My Personal Information" link lead to either an opt-out tool or a clear notice that no sale or share is taking place.
We honor the Global Privacy Control header (sec-gpc) and the JavaScript property navigator.globalPrivacyControl as a valid opt-out request from sale or sharing — under the CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and other statutes that recognise universal opt-out signals.
GPC is enabled by default in Brave and DuckDuckGo browsers, and is available as a setting in Firefox and as an extension in Chrome / Safari. Learn more at globalprivacycontrol.org.
Each right takes one email. Here is the template.
1. Compose the request
Send a single email to info@imadethisup.org with the subject line “Privacy request.” From the email address you wish to associate with the request, tell us:
- Which right(s) you want to exercise — for example: access, correction, deletion, portability, restriction, objection, withdrawal of consent.
- The email address(es), name(s), or other identifiers we may have used (so we can find your records).
- Your jurisdiction (e.g., California, EU/Spain, UK, Virginia) so we can apply the right statutory framework.
- If you are an authorised agent acting on behalf of a consumer, attach reasonable proof of authorisation.
2. We confirm receipt
We acknowledge your request within a few business days. If we need more information to verify your identity (the standard, modest verification described in our privacy policy), we ask for it then.
3. We respond
We respond within the time limit set by the law that applies to you:
- CCPA / CPRA (California) — within 45 days of a verified request, extendable by another 45 days for cause.
- VCDPA / CPA / CTDPA / UCPA / TDPSA (Virginia, Colorado, Connecticut, Utah, Texas) — within 45 days, extendable by another 45 days for cause.
- GDPR / UK GDPR — within one month, extendable by two further months for complex requests.
- All other jurisdictions — we apply whichever of the above time limits is most favourable to you.
There is no charge. We do not retaliate against you in any way for exercising any privacy right.
4. Appeal (where available)
If we deny your request and your jurisdiction provides an internal appeal mechanism (Virginia, Colorado, Connecticut, Texas), reply to our denial with the word "Appeal" in the subject line. We will reconsider within the statutory window. EU/UK residents may also lodge a complaint with their supervisory authority — the EDPB members directory for EU member-state DPAs and the UK Information Commissioner's Office.
Privacy-choices FAQ.
Do you sell my personal information?
No. We have not sold personal information at any point and have no plans to. The "Do Not Sell or Share My Personal Information" link is provided in our footer to satisfy California's disclosure requirement and to give you confidence that the negative statement is accessible.
Do you share my personal information for cross-context behavioural advertising?
No. We run no behavioural-advertising technology of any kind — no Google Ads, no Meta Pixel, no TikTok Pixel, no LinkedIn Insight Tag, no third-party retargeting, no audience-syncing pixels.
You don't use Google Fonts — why?
Loading Google Fonts directly from fonts.googleapis.com transmits the requesting visitor's IP address and user-agent to Google. In 2022 a German court (LG München I, Az. 3 O 17493/20) held that this transfer requires explicit consent under GDPR. Rather than ask for consent we do not need, we use Bunny Fonts — a GDPR-compliant, EU-hosted, no-IP-logging, drop-in mirror of Google Fonts.
What is Global Privacy Control and do you honor it?
Global Privacy Control (globalprivacycontrol.org) is a browser-level signal that tells every site you visit "do not sell or share my personal information." California, Colorado, and Connecticut law require regulated businesses to treat it as a valid opt-out request. We honor it. The card above shows whether your current browser is sending the signal.
What about the small "Got it" notice that appears when I first visit?
That is an informational notice, not a consent banner. We do not need consent because we do not set tracking cookies. After you click it, a single first-party localStorage flag (imt-privacy-notice-dismissed-v1) is stored on your device so we don't bother you with the same notice again. Clear your browser's local storage to re-show it.
Can I opt out of having my IP logged?
Not at the application layer — server logs are how the Internet works, and we use them solely for security and abuse prevention. They expire after 30 days. If you want to mask your IP for principled reasons, the standard tool is a VPN or Tor. Our access controls do not block either.
I'm filing a request on someone else's behalf. Is that allowed?
Yes — most U.S. state privacy laws and the GDPR allow authorised agents (or, under GDPR, a duly mandated representative) to exercise rights on behalf of a data subject. Attach reasonable proof of authorisation. We may verify directly with the data subject before acting.