Privacy Policy
Last updated: 10 June 2026
This Privacy Policy explains how Tran Quang Duong ("I", "me", "we") collects, uses, shares, and protects personal data when you visit dtducas.com or use its features (newsletter subscription and account sign-in). It applies to all visitors and is written to meet the EU GDPR, the ePrivacy Directive, and Vietnamese data-protection rules.
1. Who is responsible for your data
The data controller is Tran Quang Duong, an individual operating dtducas.com from Ha Noi, Vietnam. For any privacy request, contact contact@dtducas.com.
2. What data I collect
- Subscription data: the email address you submit to receive updates.
- Account data: email and a securely hashed password (Argon2id) if you create an account; optional multi-factor (TOTP) secret, encrypted at rest.
- Usage data: pages viewed and interactions, collected via Google Analytics 4 — only after you consent.
- Technical data: IP address, browser and device type, and approximate location, processed transiently for security, rate limiting, and bot defence.
I never collect special-category data and never ask for more than a feature needs. Credentials are never stored or logged in plain text.
3. Why I use it, and the legal basis
- To send updates you subscribed to — basis: your consent (withdrawable at any time).
- To create and secure your account and sessions — basis: performance of a service you requested.
- To keep the site secure, prevent abuse, and rate-limit requests — basis: legitimate interest.
- To measure traffic and improve the site via analytics — basis: your consent.
4. Cookies and analytics
Only strictly necessary cookies are set without consent. Analytics cookies (Google Analytics 4) load only after you accept them in the cookie banner, via Google Consent Mode. See the Cookie Policy for details and how to change your choice.
5. Who I share data with (processors)
I do not sell your data. I rely on trusted providers that process data on my behalf:
- Vercel — website hosting and delivery.
- Render — backend API hosting.
- Neon — PostgreSQL database (accounts, subscriptions).
- Upstash / Redis — rate-limiting and replay protection.
- Resend — transactional and newsletter email delivery.
- Cloudflare Turnstile — bot defence on forms.
- Google Analytics 4 — privacy-respecting, consent-gated analytics.
6. International transfers
Some providers process data outside Vietnam or the EEA. Where that happens, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses offered by those providers.
7. How long I keep it
- Subscription email: until you unsubscribe.
- Account data: for the life of your account; deleted on request or after prolonged inactivity.
- Analytics: retained per Google Analytics settings (up to 14 months), in aggregated form.
- Security logs: kept only as long as needed to protect the service.
8. Your rights
Subject to applicable law, you may request access, correction, deletion, restriction, or portability of your data, and you may object to processing or withdraw consent at any time.
To exercise any right, email contact@dtducas.com. You also have the right to complain to your local data-protection authority.
9. Security
Sign-up and sign-in payloads are protected end to end with a hybrid encrypted handshake (ECDH P-256 → HKDF → AES-256-GCM) with a fresh key per request, giving forward secrecy and replay protection. Passwords are hashed with Argon2id; secrets are encrypted at rest. No security measure is perfect, but I take protecting your data seriously.
10. Children
This site is not directed at children under 16, and I do not knowingly collect their data. If you believe a child has provided data, contact me and I will delete it.
11. Changes to this policy
I may update this policy as the site evolves. Material changes will be reflected in the "Last updated" date at the top of this policy and, where appropriate, announced on the site.
12. Contact
Questions about this policy: contact@dtducas.com.