§ Site policy · Legal

Privacy Policy.

How information is collected, used, and protected when you visit vrajesh.design or get in touch. Written in plain English, structured the proper way.

Last updated04 May 2026
Version2.0
ControllerVrajesh Pithadiya
JurisdictionWorldwide
Summary

vrajesh.design is a portfolio site. If you email or use the contact form, that message is used to reply to you, nothing else. No analytics, no advertising cookies, no data resold.

A handful of named providers (Cloudflare, Resend, Apple, Vimeo, YouTube) help run the site and deliver email. Each is listed below with what they do. Web fonts are served directly from this site.

01Who is responsible

This site is run by Vrajesh Pithadiya, an independent motion designer and CG compositor, trading as vrajesh.design. The business is registered in the United Kingdom as a sole trader, based in London, with ongoing work across India and worldwide.

Registered with the UK Information Commissioner's Office, registration number Z##########.

For the purpose of UK GDPR and EU GDPR, vrajesh.design is the data controller for personal data you share with us through this site or in direct correspondence.

02What is collected

Only the information needed to respond to you is collected. There is no sign-up, no account system, and no tracking pixel on this site.

Through the contact form

When you submit the form on the Contact page, the following is sent:

  • Your name, if you provide it
  • Your email address
  • The message you write
  • The project intent you select (project brief / collaboration / informal)
  • A budget bracket and timeline indicator (defaults applied if you don't change them)
  • An optional file attachment, up to 25 MB (brief, reference, PDF, video, etc.)
  • A hidden anti-spam field — legitimate visitors leave this blank automatically

Through direct correspondence

If you email contact@vrajesh.design directly, the message and any attachments are stored in the relevant email inbox in the normal course of business.

Through other channels

If you reach out via LinkedIn, Instagram (@vrajeshpithadia), Vimeo, or in person at an event, the message is treated the same way as a contact-form submission — used to reply, scope possible work, and keep a working record. Each platform stores your message under its own privacy policy.

Technical data

When you visit the site, your browser sends standard information such as IP address, user-agent string, and the page requested. This passes through Cloudflare (the hosting and security provider) and is briefly logged at the edge for operational and security purposes — typically for under 30 days. These logs are not linked to you by name and are not used for analytics.

Rate-limit data

When you submit the contact form, your IP address is held for up to 60 seconds in a Cloudflare key-value store to prevent the same IP submitting repeatedly. It is not linked to your message and expires automatically.

03How it is used

Information you submit is used to:

  • Reply to your enquiry or collaboration request
  • Scope, quote, and discuss a potential project
  • Keep a short record of the conversation for follow-up or reference

Your information is not sold, rented, traded, or shared with third parties for marketing or commercial purposes. It is not added to a mailing list. There is no mailing list.

04Legal basis

For visitors in regions covered by the UK GDPR, EU GDPR, or equivalent frameworks, the lawful bases relied on are:

  • Legitimate interest (Article 6(1)(f)) · receiving and replying to enquiries, logging traffic for security, rate-limiting the contact form, verifying you are human via Cloudflare Turnstile, and handling messages received on social channels. Our interest is running a portfolio site, replying to people who reach out, and preventing abuse — within what you would reasonably expect.
  • Steps before entering a contract (Article 6(1)(b)) · where your message leads to scoping, quoting, or engagement, your data is used to discuss and agree the work.
  • Legal obligation (Article 6(1)(c)) · for paid engagements, related correspondence, invoices, and contracts are kept for the period required by UK tax law (currently 7 years).

Consent (Article 6(1)(a)) is not relied on for any of the above, because consent is not the appropriate basis for these activities. You don't have to opt in to anything beyond what is strictly needed to deliver the page you requested.

05Third parties & processors

To run the site we use a small number of providers. Each processes only what they need, and none uses your data for advertising or profiling.

  • Cloudflare, Inc. · hosts the site (Cloudflare Pages), serves images and video (Cloudflare R2 at cdn.vrajesh.design), runs the contact-form processing function, holds rate-limit IPs for 60 seconds (Workers KV), and protects the contact form from bots (Cloudflare Turnstile). Cloudflare is the underlying network and security layer for almost every page on the site.
  • Resend (Resend, Inc.) · delivers your contact-form message from the site to our inbox. Your name, email, message, and any attachment pass through Resend's API in transit.
  • MailChannels · fallback email delivery if Resend is unavailable. Used rarely; same data in transit, attachments are dropped on this path.
  • Apple Inc. · the address contact@vrajesh.design is configured as a Custom Email Domain on iCloud Mail. Once your message is delivered, it is stored in Apple's iCloud Mail infrastructure where we read it.
  • Vimeo, Inc. and Google LLC (YouTube) · power the embedded video players on project pages. If you click play, those services may set cookies and follow their own privacy policies.
  • GoDaddy · manages the domain name and DNS records for vrajesh.design. GoDaddy does not handle the content of emails or contact-form messages.
  • LinkedIn (Microsoft), Instagram (Meta), Vimeo · if you message us through these platforms, the platform stores your message under its own privacy policy.

We do not sell, rent, trade, or share your data with anyone outside this list.

06International data transfers

Most of the providers above are headquartered in the United States. When your data passes through them, it is transferred outside the UK and the European Economic Area.

We rely on the safeguards required by UK GDPR Chapter V to keep these transfers lawful:

  • EU-US Data Privacy Framework (and its UK Extension, the UK-US Data Bridge) — for providers that have self-certified to it. As of the date of this policy, this includes Cloudflare, Resend, Apple, Vimeo, Google, Microsoft, and Meta.
  • Standard Contractual Clauses with the UK International Data Transfer Addendum (IDTA) — as a backup mechanism where Data Privacy Framework certification is not in place.

You can request a copy of the relevant safeguards by emailing contact@vrajesh.design.

07Cookies & tracking

This site does not use analytics tools. There are no advertising trackers, no retargeting pixels, and no data brokers. Nothing on this site follows you around the internet.

A small number of strictly-necessary cookies are set by Cloudflare (the hosting and security provider):

  • __cf_bm · Cloudflare Bot Management. Set on most pages, expires after about 30 minutes of inactivity. Used to distinguish humans from bots.
  • Cloudflare Turnstile cookies · set on the contact page only, used to complete the bot challenge before your message can be submitted. Short-lived.

These are classified as strictly necessary under PECR (the UK Privacy and Electronic Communications Regulations) and do not require consent. They are not used to track you between sessions or for any commercial purpose.

If you click play on an embedded Vimeo or YouTube video, that player may set its own cookies. Those are governed by Vimeo's and YouTube's own privacy policies. You can block third-party cookies through your browser settings without affecting the rest of the site.

If analytics are ever introduced, this policy will be updated in advance and a clear notice added to the site.

08Retention

How long different categories of data are kept:

  • Contact-form submissions and enquiry emails · up to 24 months after the last exchange, to support ongoing conversations and let you pick up where you left off.
  • Engagement correspondence, invoices, contracts · up to 7 years, to meet UK tax and accounting obligations.
  • Rate-limit IP (Cloudflare Workers KV) · 60 seconds, then automatically expired.
  • Server / edge logs (Cloudflare) · typically up to 30 days, for operational and security purposes.
  • Cloudflare Turnstile challenge cookies · session-bound, short-lived.
  • Messages received on LinkedIn, Instagram, Vimeo, or in person · subject to each platform's retention. Local notes from in-person conversations follow the 24-month rule above unless they convert to an active engagement.

09Your rights

Depending on where you live, you may have some or all of the following rights over your personal information:

  • Access · request a copy of what is held about you
  • Correction · ask that inaccurate information be fixed
  • Deletion · ask that your information be removed
  • Objection / restriction · ask that processing be paused or limited
  • Portability · receive your information in a portable format
  • Withdraw consent · at any time, where consent is the basis

To exercise any of these, email contact@vrajesh.design. We aim to respond within 30 days. For complex requests we may extend this by up to two further months and will let you know. To verify your identity, we may ask you to confirm the email address from which you originally contacted us.

If you are based in the United Kingdom and feel a request has not been handled correctly, you have the right to complain to the Information Commissioner's Office (ico.org.uk). If you are based in the European Economic Area, you have the same rights under EU GDPR and can complain to your local data protection authority — a list is maintained at edpb.europa.eu.

If you have rights under your local data-protection law elsewhere in the world, we honour them in good faith.

10Security

The following measures are used to protect the information you share:

  • All traffic to and from the site is encrypted in transit using HTTPS (TLS 1.2 or higher).
  • The contact form is protected by Cloudflare Turnstile to prevent automated abuse, and is rate-limited to one submission per IP per minute.
  • Only the site owner has access to the inbox at contact@vrajesh.design, which is protected by an Apple ID with two-factor authentication.
  • Only data needed for the purposes above is retained, and only for as long as needed.

No method of transmission or storage is perfectly secure. If a breach occurs that affects your personal data, the Information Commissioner's Office will be notified within 72 hours where required, and you will be informed directly without undue delay if the breach poses a high risk to your rights and freedoms.

11Children

This site is aimed at a professional audience and is not directed at children. Information is not knowingly collected from anyone under the age of 16. If you believe a minor has sent information through the site, email contact@vrajesh.design and it will be removed.

12Changes

This policy may be updated to reflect changes in how the site works, which services it relies on, or in applicable law. The "Last updated" date at the top of this page always reflects the current version.

Material changes (anything that meaningfully affects your rights or how your data is handled) will be flagged on the site for a reasonable period.

13Contact

For anything privacy-related, or to make a request about your information:

Rather talk about a project? The contact page is the fastest way in.

Send a message