The data controller for this website is neuralboot, the open-source project and organization behind Trapetum. The site is accessible at https://neuralboot.com/trapetum and is served via Amazon CloudFront backed by Amazon S3.
For any privacy-related enquiry, please contact us at privacy@neuralboot.com. This same address is used to reach the person responsible for the protection of personal information under all applicable frameworks referenced in this policy.
The Trapetum software itself is open-source and licensed under the terms available at https://github.com/neuralboot/trapetum/blob/main/LICENSE. This privacy policy relates solely to the landing-page website, not to the software.
When you visit this site, Amazon CloudFront automatically records standard access-log data, including your IP address, the URL requested, HTTP status code, browser user-agent string, and timestamps. This data is processed by Amazon Web Services on our behalf and is used solely for security and operational purposes.
The site is currently protected by a password gate. When you authenticate, a strictly necessary session cookie (tpw) is set to maintain your session. No personal information beyond a session token is stored in this cookie.
We use Google Analytics 4 (Measurement ID: G-KW7XS6QPKY), loaded via Google Tag Manager (GTM-M8VLW9HR). We operate Google Consent Mode v2 with all storage defaulted to "denied". No analytics cookie is placed and no analytics hit is sent to Google unless you explicitly grant consent through our consent banner. If you consent, Google Analytics may collect your IP address (anonymised by Google), browser and device attributes, and browsing behaviour on this site (pages visited, session duration, referral source).
If you choose to subscribe to our newsletter, we collect your email address only. We use a double opt-in process: you will receive a confirmation email before your address is added to our list. Your email address is stored on our own AWS infrastructure (AWS Lambda plus DynamoDB, region eu-west-1, Ireland) and we use Amazon SES to send emails. We do not share your email address with any third-party marketing platform.
We do not collect names, postal addresses, payment information, or any special categories of sensitive data. We do not run advertising, sell data, profile visitors for commercial purposes, or use cross-site tracking.
| Processing activity | Purpose | Legal basis (GDPR) |
|---|---|---|
| CloudFront access logs (IP, user-agent) | Security, abuse prevention, operational diagnostics | Legitimate interests (Art. 6(1)(f)) |
Access-gate session cookie (tpw) |
Maintaining authenticated session | Strictly necessary for service delivery; legitimate interests (Art. 6(1)(f)) |
Consent record cookie (nb_consent) |
Recording your consent choice for auditing | Legal obligation / legitimate interests (Art. 6(1)(c) and (f)) |
Google Analytics 4 (_ga, _ga_*) |
Understanding site traffic and usage patterns | Consent (Art. 6(1)(a)) — only after explicit opt-in |
| Newsletter email address | Sending product and project updates you requested | Consent (Art. 6(1)(a)) via double opt-in |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. In each case, the processing is limited to what is necessary and you retain the right to object (see Section 7).
| Data category | Retention period |
|---|---|
| CloudFront server logs | 90 days, then automatically deleted |
Session cookie (tpw) |
Session duration (expires when browser closes or gate is removed) |
Consent record (nb_consent) |
12 months |
Google Analytics data (_ga, _ga_*) |
Up to 14 months in Google's systems; see Google's own retention controls in GA4 |
| Newsletter email address | Until you unsubscribe; we delete within 30 days of a valid unsubscribe or erasure request |
| Sub-processor | Service | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Site hosting (S3 + CloudFront), newsletter infrastructure (Lambda, DynamoDB, SES) | IP addresses (logs), email addresses (newsletter) | eu-west-1 (Ireland) for newsletter; CloudFront edge globally |
| Google LLC | Google Analytics 4 via Google Tag Manager (consent-gated) | Pseudonymous identifiers, browsing data (only after consent) | United States and other Google locations |
We do not use any advertising networks, data brokers, or social media tracking pixels.
Our primary newsletter infrastructure is located in AWS eu-west-1 (Ireland) and does not involve a transfer outside the EEA for that data.
When you grant consent to Google Analytics, data is transferred to Google LLC in the United States. Google relies on Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, participation in the EU-US Data Privacy Framework (DPF) as the legal mechanism for this transfer. You can review Google's transfer safeguards at privacy.google.com/businesses/gdprcontrollerterms.
CloudFront access logs may be temporarily cached at edge locations globally; these are treated as operational metadata and retained for 90 days.
For residents of jurisdictions with transfer restrictions (including Japan and Quebec), the above transfer mechanisms are relied upon to ensure an adequate level of protection. If you have questions about specific safeguards, contact privacy@neuralboot.com.
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) or the UK GDPR applies to our processing of your personal data. You have the following rights:
Email privacy@neuralboot.com with the subject line "Data Subject Request" and describe your request. We will respond within one month (extendable by two further months for complex requests). We may ask you to verify your identity before acting on your request.
To withdraw consent for analytics cookies, use the Your Privacy Choices control at the bottom of any page or see the Cookie Policy. To unsubscribe from the newsletter, use the unsubscribe link in any email we send you.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights with respect to your personal information.
Submit a verifiable consumer request to privacy@neuralboot.com with the subject line "California Privacy Request". We will respond within 45 days (extendable once by a further 45 days with notice). You may designate an authorised agent to make a request on your behalf; the agent must provide written authorisation signed by you.
For residents of Quebec, Canada, Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25) applies to our collection and use of personal information.
We collect personal information only for the explicit purposes described in Section 2 above. We obtain your consent before collecting information for non-essential purposes (such as analytics). Where personal information is transmitted to a third party located outside Quebec (such as Google in connection with Google Analytics), we carry out a privacy impact assessment and rely on adequate contractual safeguards before any such disclosure.
The person in charge of the protection of personal information for this site can be reached at privacy@neuralboot.com. Requests will be handled within 30 days.
For residents of Canada outside Quebec, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies, together with any substantially similar provincial legislation.
For visitors in Japan, the Act on the Protection of Personal Information (APPI) and its 2022 amendments apply to our handling of your personal information (kojin joho).
Wherever you are located, including under Brazil's Lei Geral de Proteção de Dados (LGPD), Australia's Privacy Act, South Korea's PIPA, or any other applicable data protection law, we commit to offering you the same core rights: the right to know what we collect, to access your data, to correct inaccuracies, to request deletion, to withdraw consent, and to lodge a complaint with the relevant authority. Please contact privacy@neuralboot.com to exercise any of these rights.
This site is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe we have collected information from a child under 16, please contact us at privacy@neuralboot.com and we will delete that information promptly.
We implement reasonable technical and organisational measures to protect your personal information. These include serving the site exclusively over HTTPS via CloudFront, storing newsletter data in isolated AWS infrastructure with access controls and encryption at rest, and applying the principle of data minimisation throughout. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals and, where required by law, the relevant supervisory authority.
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, provide a more prominent notice (such as an email to newsletter subscribers). We encourage you to review this policy periodically. Continued use of the site after any changes constitutes acceptance of the updated policy to the extent permitted by law.
Data controller: neuralboot
Privacy contact: privacy@neuralboot.com
Person responsible for personal information protection (Quebec / PIPEDA): reachable at the same address.
Please include a clear description of your request in your email. We will acknowledge receipt and respond substantively within the timeframes specified for your jurisdiction above.