Privacy policy.

This policy applies to mattdecrevel.com. For the portfolio site at decrevel.dev (and the labs subdomain), see its dedicated policy.

• Page visits: the URL you visited, the page you came from (referrer), your browser and device type, and coarse location (country, region, city) derived from your IP address. Your IP address itself is not stored.
• Interaction events: contact form submissions, booking requests, outbound link clicks, and similar product-analytics signals.
• A random session ID stored in your browser's session storage so multiple page views in the same visit can be grouped. It's cleared when you close the tab.

• Google Analytics 4 — page views and events, gated behind the consent banner. When accepted, GA4 sets _ga and _ga_* first-party cookies. Default retention is 14 months.
• Vercel Analytics & Speed Insights — cookieless, privacy-friendly aggregate measurement used to monitor performance. Runs regardless of consent.
• My own database (Neon Postgres) — stores the same page-view records described above for my internal analytics dashboard. No cookies involved.

If you engage me for consulting, I collect the details needed to run and bill the engagement: your name, email, phone, company, the agreement or statement of work, and invoice records (amounts, dates, and line items). This information is used only to deliver the work, invoice you, and meet my tax and accounting obligations — never for marketing.

Payments are processed by Stripe. When you pay an invoice, your card or bank-account details are entered on Stripe's secure checkout and go directly to Stripe — I never see or store full card or bank numbers. I keep only the non-sensitive payment metadata Stripe returns (amount, status, payment method type such as “card” or “ACH”, and Stripe customer/payment references) so I can reconcile your invoice. Stripe is certified PCI-DSS Level 1. See Stripe's privacy policy.

I retain client and billing records for as long as the engagement is active and afterward as required for legal, tax, and accounting purposes, then delete or anonymize them. You can request a copy or deletion of your personal data at any time (subject to records I'm legally required to keep).

I use a small set of trusted processors to run the consulting and billing side. They handle your data only to provide their service to me, under their own privacy terms:

• Stripe — payment processing (card & ACH bank transfer). Privacy
• PandaDoc — agreements and e-signatures. Privacy
• Resend — transactional email (invoices, receipts, reminders). Privacy
• Cloudinary — secure storage of invoice and document PDFs. Privacy
• Neon — the Postgres database that holds client, engagement, and invoice records.

Google Analytics runs in Consent Mode v2 with analytics storage denied by default. Nothing is written to cookies until you accept the banner. You can change your mind at any time:

Vercel Analytics and the internal database receive page-view data regardless of your consent choice — neither uses cookies, and neither stores your IP address. Google Analytics is the only tool gated by the consent banner.

Cookie settings — re-opens the consent banner so you can grant or revoke analytics storage.

Your choice is saved as a browser cookie named mdc_consent_v1. Clearing cookies for this site in your browser resets it.

• I don't run ads. Ad-related Google Consent signals are kept denied regardless of your choice.
• I don't sell, share, or otherwise hand your data to third parties for marketing.
• I don't fingerprint you or try to link your visit to another identity.

Questions, corrections, or data requests: matt@mattdecrevel.com.