Privacy
Last updated: April 2026
This page explains, in plain English, what we collect, why, where it lives, who it touches, and how to make it disappear. The site is a single-author advisory practice. The data footprint is small by design.
Who is responsible
Stefan Chiriacescu, operating as the data controller for stefan.chiriacescu.com. For any privacy-related question, write to stefan@ecommerce-today.com. You will get a real reply, not a ticketing system.
What we collect
Two categories. Nothing else.
- Lead-capture data. When you submit the form to receive the AI Manifesto and AI Org-Chart templates, we record your email address, the GDPR consent flag (true), the timestamp of submission, your IP address, and your browser user-agent string. The IP and user-agent are stored solely as legal evidence of the consent event, in case a regulator ever asks.
- A single analytics cookie, and only if you accept it via the cookie banner. The cookie tracks aggregated, anonymized page-performance signals through Google Analytics 4. It does not contain your email or any identifier we have linked back to you. Until you click Accept, no analytics cookie is set and no analytics request is made.
We do not collect: name, phone number, address, payment details, company size, role, or any other field. The form has one input. That is the entire personal-data surface.
Why we collect it (legal basis under GDPR)
- Email + consent flag are processed under Article 6(1)(a) GDPR — explicit consent. You ticked the box. You can withdraw at any time (see "Your rights" below).
- IP address + user-agent are processed under Article 6(1)(c) GDPR — legal obligation and Article 7(1) GDPR — proof of consent. We need this proof in case a supervisory authority audits the consent record.
- Analytics cookie is processed under Article 6(1)(a) GDPR — consent, given when you click Accept on the cookie banner.
How long we keep it
- Email + consent record: kept for as long as you remain on the contact list, plus the minimum legally-required retention window after deletion (typically up to 36 months for proof-of-consent purposes). You can force deletion at any time and we will honour it within 30 days, with the limited exception of records we are legally required to keep.
- Analytics data: retained by Google Analytics for 14 months from collection, then auto-deleted at the GA4 level.
- Cookie consent flag: stored in a first-party cookie on your device for 12 months, after which the banner reappears.
Who we share it with (sub-processors)
We use a small set of vetted service providers to run the site. None of them are sold your data; they process it on our behalf under written agreements.
- Supabase (EU region): hosts the leads database. Your email and consent record live here.
- Vercel: hosts the website and runs the form-submission function. Receives your IP and user-agent at request time.
- MailerSend: delivers the lead-magnet email and any follow-up. Receives your email address only.
- Google Analytics 4: processes anonymized analytics events, only if you opted in.
- Google Calendar: when you click any "Book a Working Session" link, you are sent to Google's appointment scheduling page. From that point Google's own privacy policy applies to whatever you submit there.
International transfers
Some of these providers (Vercel, MailerSend, Google Analytics, Google Calendar) may process data outside the European Economic Area, including in the United States. Where that happens, transfers are governed by the European Commission's Standard Contractual Clauses, the EU-U.S. Data Privacy Framework where applicable, and the providers' own additional safeguards.
Your rights
Under the GDPR you have the right to:
- Access the data we hold about you.
- Correct any inaccurate or incomplete data.
- Erase your record entirely (the right to be forgotten).
- Restrict further processing while a question is being resolved.
- Object to processing based on legitimate interest.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, with no effect on the lawfulness of processing prior to withdrawal.
How to exercise these rights
Reply to any email from Stefan with the word delete, or write to stefan@ecommerce-today.com with the request you want actioned. We respond within 30 days. If you ask for deletion, your record is hard-deleted from our database. There is no soft-delete shadow.
Complaint to a supervisory authority
If you believe we have mishandled your data, you have the right to lodge a complaint with the data protection authority of your EU country of residence. We would, of course, prefer you contact us first so we can put it right.
Children
This site is aimed at executives and operators in a B2B context. It is not directed at anyone under 16. We do not knowingly collect data from minors. If you believe a minor has submitted the form, email us and we will delete the record.
Changes to this policy
If we materially change how we handle data, this page will be updated and the "Last updated" date at the top will move. Minor wording fixes do not move the date.