Privacy Policy
Effective date: September 1, 2025
Website: dionkucera.com (the “Site”)
Controller: Dion Kucera (“we,” “us,” “our”)
Contact: e-mail
We respect your privacy. This Policy explains what we collect, how we use it, and your choices. It applies to the Site, contact/booking forms, and related communications. If we change this Policy, we’ll post a new date above.
1) What we collect
A) Information you provide
Contact & inquiry data: name, email, organization, message content, and any files you attach.
Consultation/booking data (via Calendly): name, email, meeting time and metadata, notes you share.
Contract/project data (if you become a client): scope details, AOIs, datasets you supply, billing info (handled via our invoicing tools; we don’t store full card data on the Site).
Please don’t send confidential or regulated data (e.g., health, financial account numbers) through general forms; use a secure channel under a signed agreement.
B) Information collected automatically
Basic logs from our host (e.g., IP address, user agent, date/time, pages requested) for security and troubleshooting.
Plausible Analytics (privacy-friendly): page URL/title, referrer, device type, country/region, and approximate metrics like session duration. Plausible does not use cookies and does not collect personal profiles. Learn more at plausible.io.
Embedded third-party content (e.g., ArcGIS dashboards, calendars) may load their scripts; see their policies.
We do not run ads or use cross-site tracking pixels.
2) How we use information (purposes & legal bases)
Purposes
Provide and improve the Site (operate pages, fix bugs, keep services secure).
Respond to inquiries and schedule meetings (process your requests).
Perform and administer client work (under a separate contract).
Analytics (understand which pages are useful and improve content).
Legal & compliance (enforce terms, prevent abuse, comply with law).
Legal bases (GDPR/UK GDPR)
Contract / pre-contract: answering inquiries, scoping projects, fulfilling a signed Statement of Work.
Legitimate interests: operating a secure website; lightweight analytics; portfolio communications that don’t override your rights.
Consent: where we rely on optional features (e.g., non-essential cookies if ever added) or where local law requires consent.
Legal obligation: tax, accounting, regulatory requests.
You can withdraw consent at any time where consent is the basis.
3) Cookies & tracking
Plausible: by default, no cookies are set; analytics are aggregated and privacy-preserving.
Embeds (e.g., Calendly, ArcGIS Online/Esri): these may set their own cookies to function.
If we later adopt cookie-based analytics or ad tech, we’ll update this policy and show a consent banner where required.
“Do Not Track” signals: we don’t alter behavior in response to DNT, but we avoid cross-site tracking by design.
4) Sharing & disclosures
We don’t sell your personal information.
We share information only with:
Service providers (processors) who help us run the Site and business—for example:
Hosting/website platform (e.g., Squarespace or equivalent)
Analytics: Plausible Analytics
Scheduling: Calendly LLC
Email & productivity: Google Workspace
File storage & versioning: e.g., Google Drive, Dropbox, GitHub (as applicable)
These providers are bound by contracts to process data only on our instructions.
Professional advisors & legal when necessary (accounting, compliance, dispute handling).
Authorities where required by law or to protect rights, safety, and security.
Successors in a business transfer (rare for a solo practice; you’ll be notified if this happens).
5) International transfers
We’re based in the United States. When transferring personal data from the EEA/UK/Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other recognized safeguards. Some vendors may participate in recognized frameworks (e.g., EU-US Data Privacy Framework). Details are available on request.
6) Retention
We keep data only as long as necessary for the purposes above:
General inquiries: typically 24 months after last interaction.
Client/project files: for the duration of the engagement and a reasonable period afterward (commonly 3–7 years) to meet contractual, tax, or legal needs.
Analytics aggregates: typically longer in de-identified form.
When retention is no longer needed, we delete or de-identify the data.
7) Your rights & choices
Depending on where you live (e.g., EEA/UK/California), you may have rights to:
Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your data (erasure).
Restrict or object to certain processing (especially where based on legitimate interests).
Port your data to another service (where technically feasible).
Opt out of “sale” / “sharing” (CPRA definitions). We do not sell or share personal information for cross-context behavioral advertising.
Limit use of sensitive personal information (CPRA). We don’t seek such data.
Withdraw consent (where processing is based on consent).
Complain to a supervisory authority (EEA/UK). You can also contact us first and we’ll try to help.
How to exercise rights
Email this website with your request. We may ask for information to verify your identity and will respond within the time limits set by applicable law.
Authorized agent requests (CA): If you use an agent, we may require proof of authority and verification of your identity.
8) California disclosures (CCPA/CPRA)
Categories collected (in the past 12 months): identifiers (name, email), internet activity (page interactions, device type via analytics), professional information (organization), and any information you choose to submit in forms.
Sources: you (forms, bookings, emails) and your device/browser.
Business purposes: to provide services, communicate, secure the Site, and perform analytics.
“Sale”/“Sharing”: we do not sell personal information and do not share it for cross-context behavioral advertising.
Sensitive personal information: not sought; if provided inadvertently, we use it only as necessary to fulfill your request.
We do not provide financial incentives related to your data.
9) Security
We use appropriate technical and organizational measures (TLS encryption, access controls, least-privilege accounts, and reputable vendors). No method is 100% secure; we can’t guarantee absolute security. If we discover a data incident affecting you, we’ll notify you and/or authorities as required by law.
10) Children
The Site is not directed to children under 16 (or the age defined by your local law). We do not knowingly collect their data. If you believe a child has provided personal information, contact us and we’ll delete it.
11) Third-party links & embeds
Our Site may include links to external sites and embedded content (e.g., ArcGIS dashboards, Calendly). Those services operate under their own privacy policies and terms. We’re not responsible for their practices.
12) Automated decision-making
We do not use your information for automated decision-making or profiling that produces legal or similarly significant effects.
13) Changes to this Policy
If we materially change how we process your data, we’ll update this page and adjust the effective date. If changes are significant, we may provide additional notice (e.g., banner or email).
14) Contact
Questions or requests? Contact me.