Privacy Policy

Last updated: 7 May 2026.

This site (denis.app) is run by Denis Kalinichenko, a freelance Product Engineer based in Poland. I'm the data controller under GDPR. Contact: [email protected].

This page is plain language. If anything here is unclear, email me.

What I collect

When you load any page. Vercel Analytics records the page you viewed, your country (region-level, not city), the device class, and the referring site. It is cookieless and pseudonymous — no cross-site tracking, no profile built about you. You can opt out at the operating-system level via "Do Not Track" or browser tracking-protection settings.

When you use the /cli shell. Each prompt you send and the model's reply are stored as a transcript so I can review the conversation, refine the persona, and detect abuse. I save:

  • A salted hash of your IP address.
  • Your approximate country of origin (a 2-letter code derived from Cloudflare's edge data — not stored for requests that don't pass through Cloudflare).
  • Your User-Agent string (browser/device identifier).
  • The prompt and reply text, plus any tool-call arguments (e.g. a message draft or a booking you confirmed).
  • A session ID generated in your browser at session start.

When you confirm a message or a booking in /cli. The shell can draft a direct message or a meeting booking on your behalf. Nothing leaves your browser until you click [Send] or [Book]. When you do:

  • For a confirmed message: the name, contact, and body you typed are forwarded to a private chat I read on my phone, and a 90-day audit record (your IP hash, the message, name, and contact) is written to my Redis store so I can investigate abuse.
  • For a confirmed booking: your name, email, chosen slot, and meeting duration are forwarded to my scheduling backend (Cal.com) so the meeting lands on my calendar, and the same 90-day audit record is written.

On your device. The site stores a denis-theme key in your browser's localStorage to remember your light/dark theme choice. It never leaves your browser.

Nothing else. No tracking cookies. No advertising networks. No fingerprinting. No data sold to anyone.

Why I collect it

  • Analytics: to see which pages people read.
  • Transcripts: to keep the AI shell honest and improve the persona over time.
  • IP hash: to enforce per-visitor rate limits and block abusive traffic.
  • Theme key: so the site looks the same when you come back.

Who else processes it

  • Anthropic (US) — your /cli prompts are sent to the Claude API to generate replies. Anthropic processes them under their own privacy and usage terms.
  • Upstash (US/EU, via the Vercel Marketplace) — hosts the Redis store for rate-limit counters, transcripts, and outbound message/booking audit records.
  • Vercel (US) — hosts the site, the API function, and the analytics pixel.
  • Cloudflare — sits in front of DNS and the CDN edge.
  • Cal.com (US, with an EU instance) — receives the visitor name, email, and chosen slot whenever you confirm a booking through /cli, and stores it on my scheduling account. Cal.com may email you a confirmation and reminder per its own terms.
  • Telegram (UAE-based) — receives any message you confirm through /cli, delivered as a chat message to a private bot I own. Telegram retains the chat history under its own privacy terms.

Most of these processors operate outside the EU/EEA — mostly in the US, plus UAE for Telegram — so your data may be transferred there. The commercial ones (Anthropic, Upstash, Vercel, Cal.com) publish Standard Contractual Clauses, the GDPR-recognised safeguard for cross-border transfers, and I rely on those. Telegram's posture is governed by its own privacy policy; if you don't want a message to reach Telegram, email me at [email protected] instead of using /cli's send tool.

I don't share your data with anyone else, and I don't sell it.

How long I keep it

  • Transcripts: indefinitely, but small in volume — manually pruned when stale or sensitive.
  • Outbound message and booking audit records (Redis): 90 days, then auto-expired.
  • Rate-limit counters: 1 to 24 hours, then auto-expired.
  • Analytics: per Vercel's retention (typically up to 30 days for raw events, longer for aggregates).
  • Confirmed messages on Telegram and bookings on Cal.com: kept by those services per their own retention. I delete individual ones from my chat history or calendar on request.

Your rights under GDPR

You can ask me to access, correct, or delete data tied to you. Email [email protected] with whatever context you have (approximate session ID, date and time, IP if you remember it). I'll respond within 30 days.

Children

The site isn't aimed at children under 16, and I don't knowingly collect data from them.

Changes

If I change this policy in any meaningful way, I'll update the "Last updated" date at the top. Material changes get a footer note for at least 30 days.