Privacy

Privacy Notice

Last updated: 2026-05-21

Who we are

This site is operated by XYZ Lab Consulting, a solo color-technology and software-strategy consultancy run by William Li. For privacy questions, contact william@xyzlab.ca.

What we collect

We collect personal data in two places on this site — the chardata release-notification subscribe form and the contact form. Both are explicit opt-in: nothing is collected until you submit one of these forms.

Subscribe form (chardata footer / colourbill.com front page)

  • Email address — the inbox where release notifications will be sent.
  • Optional one-line note — "how will you use chardata?" Helps us moderate subscriptions; not used for any other purpose.
  • Source — which surface the subscription came from (chardata or colourbill.com front page).
  • Audit trail — the IP address you submitted from, your browser's User-Agent string, and a timestamp. Kept so we can defend a consent claim and detect abuse.

Contact form

  • Name and message you typed.
  • The page or product you were contacting us about (e.g. chardata).
  • An IP-based rate-limit counter to deter spam (three submissions per hour per IP). The counter does not store your IP — it stores a one-way hash of it that expires after an hour.

Why we collect it

  • Subscribe form: to send you an email when a new major or minor chardata release ships. Patch releases are skipped. We do not send anything else.
  • Contact form: to respond to your message.

Our lawful basis under the GDPR is your explicit consent, given by checking the box and submitting the form. You can withdraw consent at any time by clicking the unsubscribe link in any release email, or by emailing us.

Who we share it with

We use one third-party service to actually deliver the emails:

  • Amazon Simple Email Service (SES), operated by Amazon Web Services, Inc. in the US-West-2 (Oregon) region. SES handles the SMTP transport. AWS's privacy practices are at aws.amazon.com/privacy.

We do not share, sell, or rent your data to any other party. There are no advertising networks, marketing partners, retargeting pixels, or data brokers involved.

How long we keep it

  • Active subscribers: we keep your email and the audit fields as long as you remain subscribed.
  • Unsubscribed users: we keep your row in an unsubscribed state for 30 days after you opt out, then delete it automatically via a daily cleanup job. The 30 days lets us handle an accidental unsubscribe (you ask us to re-add you) and verify our records of the opt-out.
  • Rejected applicants: occasionally we reject a subscription (clear spam pattern, profanity, etc.). Those rows are kept indefinitely so the same email can't repeatedly resubmit.
  • Contact form submissions: kept in our admin inbox (william@xyzlab.ca) per its provider's retention; not stored separately on this site.

Cookies and tracking

This site uses Google Analytics for aggregated, anonymous traffic statistics (page views, referrer sources, geographic country). We do not run advertising cookies, retargeting pixels, social-network trackers, or any cross-site identifier. WordPress itself sets a small number of session cookies that are only relevant to logged-in administrators — not to public visitors.

Your rights

If you're in the EU, UK, California, or another jurisdiction with formal data-protection laws, you have the following rights. (We honor them for everyone, regardless of where you live, as a matter of policy.)

  • Right to access: ask us what data we hold about you. Email william@xyzlab.ca; we'll respond within 30 days.
  • Right to correction: ask us to correct any inaccurate data (e.g. typo in your subscribed email).
  • Right to deletion ("right to be forgotten"): click the unsubscribe link in any of our emails (immediate), or email us asking for deletion (we delete the row when we receive the request and confirm to you).
  • Right to data portability: ask us for an export of what we have on you. We'll send a small CSV by reply email.
  • Right to withdraw consent: same as the right to deletion.
  • Right to complain: if you believe we mishandled your data, contact your local data-protection authority.

Security

Connections to colourbill.com and chardata.colourbill.com use TLS 1.2+ exclusively. Subscriber records are stored in a WordPress database on an AWS Lightsail instance with restricted SSH access. Sensitive third-party credentials (e.g. AWS SES keys) are encrypted with per-installation salts and never appear in our public site or repository.

Changes to this notice

We may update this notice from time to time. The "last updated" date at the top reflects the most recent revision. Material changes (new data categories, new processors, retention extensions) will be summarized here when made. There is no archive of older versions; this is the canonical one.

Contact

Privacy questions, deletion requests, or data-export requests: william@xyzlab.ca.