What I keep, where, and for how long.

Data inventory

1. Audit form submissions (URL + email)

• Source: the audit form on the home page or in the Booking section.
• Stored where: my email inbox + a Cloudflare KV record (encrypted at rest).
• Retention: kept while I'm working on or following up on your audit. If you become a client, kept for the duration of the engagement plus 1 year (for tax / contract reference). If you don't, deleted within 90 days.
• Right to delete: email me, deletion is same-day.

2. Direct correspondence (email, WhatsApp, Cal.com)

• Source: when you email hello@michaelmorakis.com, message me on WhatsApp, or book a call via Cal.com.
• Stored where: my email inbox (Fastmail, Greek-EU hosted), WhatsApp on my phone, Cal.com calendar.
• Retention: kept for the duration of any active relationship + 5 years for Greek tax/contract law (mandatory). After that, anonymized or deleted.
• Right to delete: can be exercised at the end of the legal retention period.

3. Project files (code, content exports, credentials)

• Source: active client engagements.
• Stored where: private GitHub repository (yours on transfer, mine until then), encrypted local backups, 1Password vault.
• Retention: repository transferred to you on launch. My local copies wiped within 30 days of project completion. 1Password vault wiped within 7 days of project completion unless you have engaged ongoing support.
• Right to delete: immediate on request, with written confirmation.

4. Anonymous analytics (Cloudflare Web Analytics)

• Source: anonymous page views collected by Cloudflare if you accept analytics.
• Stored where: Cloudflare. I have access only to aggregated dashboards.
• Retention: raw data retained by Cloudflare for 6 months per their policy. Aggregated counts can be retained indefinitely.
• Right to delete: data is anonymous — no individual record exists to delete. To stop new collection, change preferences in Cookie settings.

5. Consent record (your browser)

• Source: the consent banner.
• Stored where: in your browser's localStorage under the key mm_consent. Never sent to me.
• Retention: until you clear your browser's site data or use the "reset" option in Cookie settings.
• Right to delete: you control it — clear it any time from your browser.

6. Server logs (Cloudflare)

• Source: automatic logging of HTTP requests by Cloudflare for security and debugging.
• Stored where: Cloudflare's logging system. I do not have access to per-request logs.
• Retention: 7 days per Cloudflare's free-tier policy.
• Right to delete: automatic after 7 days; faster requires Cloudflare's process.

Backup retention

Local encrypted backups (Time Machine on macOS) retain rolling snapshots for 30 days. After 30 days, deleted records are unrecoverable from my end.

Cross-border data transfers

Email + Calendar + WhatsApp + Cloudflare may transit servers outside the EU/EEA. Each provider has its own SCC (Standard Contractual Clauses) or adequacy decision in place per Article 46 GDPR. I do not transfer personal data outside the EU/EEA on my own initiative.

Exercising your rights

Email hello@michaelmorakis.com. I respond within 7 days and process within 30 days as required by GDPR. See also GDPR rights for the complete list.