privacy

privacy policy

last updated 1 june 2026

We collect as little personal data as possible: enough to run the site, receive emails, manage signups, answer requests, and deliver client work.

controller

The data controller is Schema Theory, operated from Paris, France by Mikhail Galustov and his team. Contact: [email protected].

This notice covers schematheory.org, related Schema Theory pages, newsletter/update forms, contact requests, and early client or research interactions.

data we collect

Site and security data: IP address, user agent, request path, referral, timestamp, error logs, and abuse-prevention signals.
Signup data: email address, timestamp, IP address used for rate limiting, and consent state where relevant.
Contact data: name, email address, company, message content, and follow-up history when you write to us or book a call.
Research or audit inputs: URLs, domains, public website data, and optional contact details submitted through Schema Theory tools.
Client data: business contact details, contract records, project files, briefs, approvals, and billing records when we work together.

why we use it

run and secure the site

legitimate interests: availability, security, fraud prevention, and debugging.

reply to requests

pre-contractual steps or legitimate interests, depending on the request.

send requested updates

consent, with unsubscribe or deletion available at any time.

deliver client work

contractual necessity and legitimate interests in project delivery.

legal and accounting records

legal obligation under applicable business, tax, and accounting rules.

processors and recipients

We do not sell personal data. We share it only where needed with infrastructure, email, scheduling, analytics, professional-adviser, and production providers. Current core infrastructure includes Cloudflare for hosting, compute, security, and database storage. Email may be handled through Google Workspace and Resend. Client work may use specialist production, AI, research, or data vendors under appropriate safeguards.

Where data is transferred outside the European Economic Area, we rely on adequacy decisions, Standard Contractual Clauses, or equivalent safeguards where applicable.

retention

site logs

normally up to 90 days, longer only for security investigation.

signup emails

until unsubscribe, deletion request, or list retirement.

inquiries

up to 24 months after the last meaningful contact.

client and billing records

for the contract term and required legal retention periods.

research/audit submissions

only as long as needed to provide the result, improve the tool, or support a requested follow-up.

your rights

Under the GDPR you may request access, correction, deletion, restriction, portability, objection to legitimate-interest processing, and withdrawal of consent where consent is the legal basis. You may also complain to a supervisory authority. In France, that authority is the CNIL.

To exercise your rights, email [email protected]. We may need to verify your identity before acting on a request.

cookies

We do not use advertising cookies. Optional analytics, media, or marketing storage is disabled unless you consent. You can change your choice on the cookie page.

security

We use HTTPS, limited-access accounts, provider-side security controls, and operational review appropriate to the size and risk of the site. No internet service is perfectly secure; if you think something is wrong, contact us quickly.