Privacy policy
1. Who’s responsible
This site (murtazarangwala.com) is operated by Murtaza Rangwala, an independent consultant based in Nagpur, India. I’m the data controller for anything you send in through the site’s forms, and for the analytics tags described below. Reach me on hello@murtazarangwala.com for any privacy question, request, or complaint.
2. What I collect and why
A. Data you actively send me
When you submit the audit form, contact form, or book a Calendly slot, I receive:
- Your name, email, and company.
- Your website URL (optional).
- Details you provide about your Google Ads account — monthly spend band, vertical, current setup, primary goal, pain point.
- The source you told me you came from (LinkedIn / referral / etc.), if provided.
Purpose: replying to your enquiry and (if we work together) delivering the engagement. Legal basis under GDPR Art 6: legitimate interest in responding to direct commercial enquiries, or contract performance if we’re already engaged. I don’t use this data for advertising or share it with third parties other than the sub-processors listed below.
B. Data collected automatically
If (and only if) you accept the cookie banner, this site sets analytics and advertising cookies:
- Google Analytics 4 — anonymous session behaviour (pages viewed, time on site, referrer, device type). No personal identifiers.
- Google Ads conversion tracking — measures whether ads I run to attract new work convert into audit or contact submissions.
- Meta Pixel, LinkedIn Insight Tag — only fire if configured in tracking settings. Same purpose: attribution for ads I run.
Reject the banner and none of these load. Even if you accept, tracking uses Google Consent Mode v2 with ads_data_redaction and url_passthrough enabled — meaning personal identifiers are stripped from ping data even for consented users. Legal basis: consent.
3. Cookies used on this site
| Cookie | Purpose | Duration | Legal basis |
|---|---|---|---|
pl_consent_v1 | Remembers your cookie-banner choice so it doesn’t re-appear. | 6 months (localStorage) | Legitimate interest — technical necessity |
_ga, _ga_* | Google Analytics — distinguishes sessions and users. | Up to 2 years | Consent |
_gcl_* | Google Ads conversion linker. | Up to 90 days | Consent |
_fbp | Meta Pixel — first-party identifier for conversion tracking. | Up to 90 days | Consent |
li_*, UserMatchHistory | LinkedIn Insight Tag — conversion tracking. | Up to 30 days | Consent |
You can revisit your choices at any time by clearing this site’s localStorage; the banner will re-appear on your next visit.
4. Where your data goes
Form submissions are stored in Supabase (a managed Postgres service — data physically resides in the EU). No form data is shared with third parties. The following sub-processors handle specific technical roles:
- Supabase Inc (EU region) — database + auth. Their privacy policy.
- Vercel Inc (US, SCCs in place) — hosting and edge network. Their privacy policy.
- Google LLC (US, SCCs) — Analytics 4 and Ads. Their privacy policy.
- Calendly LLC (US, SCCs) — bookings when you use the “Book a call” link. Their privacy policy.
- Meta Platforms and LinkedIn — only if you consent to advertising cookies.
International transfers use Standard Contractual Clauses (SCCs) where the processor is outside the UK / EU.
5. How long I keep things
- Audit requests and contact submissions: 24 months from the date received, unless a business relationship starts (in which case they’re retained as part of the engagement records for 7 years for tax purposes) or you ask me to delete them sooner.
- Blog and site analytics: aggregated only, retained per Google Analytics’ standard 14-month retention.
- Cookie choices: 6 months, then re-prompted.
6. Your rights
Under GDPR (and equivalent UK / global law), you can:
- Access — ask what personal data I hold about you.
- Rectify — correct anything inaccurate.
- Erase — ask me to delete it (subject to legal retention).
- Restrict — pause processing while a dispute is resolved.
- Port — receive a copy in a machine-readable format.
- Object — to processing based on legitimate interest.
- Withdraw consent — for anything cookie / marketing related, at any time, via the banner or by clearing this site’s localStorage.
- Complain — to your local data-protection authority. UK: ICO. EU: your national DPA.
Every one of these routes to the same place — email hello@murtazarangwala.com. I respond within 30 days as required.
7. Security
The site runs on HTTPS end to end. Supabase is encrypted at rest and in transit; admin access uses two-factor auth. Form submissions are protected by row-level security policies (only authenticated admin sessions can read them) and a honeypot to block automated abuse.
8. Children
This site is a B2B consultancy site. It’s not directed at anyone under 18, and I don’t knowingly collect data from children. If you believe a child has submitted data, email me and I’ll delete it.
9. Changes to this policy
When the substance of this policy changes I bump the “Last updated” date at the top and, for material changes, re-prompt cookie consent on your next visit. Cosmetic edits (typos, formatting) don’t trigger a re-prompt.
10. Contact
Anything privacy-related — access requests, deletion requests, complaints, questions — routes to hello@murtazarangwala.com. Please put “Privacy” in the subject line so it doesn’t get lost in the audit-request inbox.
