Privacy & cookies

This notice is about how Engineering Product Design ("we", "us", "our") handles personal data when you visit or use our public website at https://www.engineeringproductdesign.org (the "Site"). It covers what we collect, why we use it, how long we keep it, who receives it, and what rights you have.

It applies only to the Site. It does not cover engineering, product design, or consulting work for clients. Those relationships are set out in separate agreements, statements of work, and commercial terms that we sign with each client. If you are or become a client, those documents govern how we handle information for the engagement, except where the law says otherwise.

If you use the Site, you confirm that you have read this notice. If you disagree with it, please stop using the Site.

For personal data we process in connection with the Site, the controller is Engineering Product Design.

If the law requires us to give further identifying details (for example registered office or company number), we will provide them when asked.

Questions about this notice, or requests to exercise the rights below, use our contact page at https://www.engineeringproductdesign.org/contact. For some requests we need to confirm who you are before we respond.

If you live in the European Economic Area, the United Kingdom, or Switzerland, you may complain to a data protection supervisory authority where you live, work, or where you think a problem arose.

If you use the contact form on the Site, we receive what you send: your name, organisation or company, email address, and the text of your message. Our systems send a notification email to our studio with a fixed subject line that names our business and states that it relates to a website message; the Reply-To header is set so we can answer you from our mail client at the address you entered. Anything else you put in the message, including a phone number, we receive as part of that text.

Submitting the form sends your details to our systems so we can check it for abuse and deliver it by email. That processing uses service providers we name in section 06 (for example hosting, bot protection, email verification, and transactional email). They act only as processors on our instructions where that applies.

When you browse the Site, our hosting providers and, where we use them, security tools log technical data in the normal way for serving pages: for example IP address, a rough location from the IP, browser type and version, device type, operating system, referring URL, pages viewed, request times, and similar diagnostics.

When you use the contact form, Cloudflare Turnstile may process technical data to help distinguish human visitors from automated abuse. Invisible Turnstile is used on our contact flow; Cloudflare’s Turnstile privacy addendum describes that processing: https://www.cloudflare.com/turnstile-privacy-policy/

If the Site loads fonts, images, or other files from third-party hosts (such as a CDN or font service), those providers may see technical data including IP addresses while they send those assets. Their own privacy notices describe that processing.

We do not ask for special categories of data on the Site (such as health information or government ID numbers). Please do not send that kind of information unless we have asked you for it explicitly.

We use personal data we collect through the Site for these purposes:

We reply to enquiries and handle messages you start. Lawful bases: taking steps at your request before a possible contract, and our legitimate interest in speaking with people who contact us.

We run, secure, and improve the Site, including logs, abuse prevention, fraud checks, and fixing problems. Lawful bases: our legitimate interest in operating a secure site, and legal obligations where they apply.

We comply with legal duties, answer lawful demands from authorities, and establish, exercise, or defend legal claims. Lawful bases: legal obligation or legitimate interests, depending on the situation.

We do not use the Site to run third-party analytics or advertising. How we use cookies, storage, and similar technologies is in section 05. If we start using analytics, advertising, or other non-essential trackers, we will update this notice and, where the law requires, obtain consent before using them.

In the EEA, UK, or Switzerland, the bases above apply. Where we rely on consent (for example for non-essential cookies), you can withdraw it at any time; that does not affect processing that was lawful before you withdrew. For withdrawals and other questions, use our contact page at https://www.engineeringproductdesign.org/contact.

We do not sell your personal information for money. We do not share it for cross-context behavioral advertising as those terms are used in applicable U.S. state privacy statutes. We do not make decisions about you based solely on automated processing that has legal or similarly significant effects.

Cookies are small text files stored on your device when you visit a site. We also mean similar tools: local storage, session storage, pixels, and scripts that read or write data on your device.

We use what is needed for the Site to work (security, load balancing, serving pages). We store your display choice, such as light or dark theme, in the browser’s local storage so it stays when you come back.

We do not set third-party analytics or advertising cookies. If that changes, we will update this section and obtain consent where the law requires before using non-essential tools.

You can block or clear cookies in your browser; some parts of the Site may not work the same way. You can usually clear local storage under your browser’s site data or storage settings. On phones, your manufacturer’s help pages explain advertising identifiers.

We use processors who work only on our instructions: hosting, content delivery, contact form handling (including Cloudflare Turnstile for abuse prevention, email verification where we use it, transactional email delivery through Postmark, and the application server that connects those services), email and IT security, and sometimes professional advisers. We expect them to protect personal data and use it only for those services. Suppliers may change; we update this notice when a change materially affects how we handle personal data on the Site.

We may disclose personal data if we think the law, a court order, or a regulator requires it; to protect our rights or investigate misuse; to reduce fraud or security risks; or to protect users, clients, or the public where that is lawful.

If we sell the business, merge, reorganise, or transfer assets, personal data may move with the transaction. Where the law requires it, we will make sure the recipient protects that data in line with this notice.

Some providers may process data outside the country where you live, including outside the EEA, Switzerland, or the UK. When we move personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we use safeguards the law requires, such as standard contractual clauses approved by the European Commission or UK authorities, extra measures when needed, or another valid transfer tool.

We keep personal data only as long as we need it for the purposes in this notice, unless the law requires or allows a longer period.

We keep enquiries and contact messages long enough to reply, follow up, and keep a reasonable business record, taking into account limitation periods and legal rules.

Server and security logs are kept for a limited time for security, debugging, and compliance.

When data is no longer needed, we delete it or strip identifiers so it cannot be tied to you, in line with our policies and the law.

We use technical and organisational measures aimed at protecting personal data from loss, unauthorised access, disclosure, or change. Sending data over the internet is never risk-free, and we cannot promise perfect security.

Where the law gives you rights, you may be able to access, correct, or delete personal data we hold; limit how we use it; object to certain processing; withdraw consent where we relied on consent; receive a portable copy in a machine-readable format; and, in some places, not face discrimination for exercising privacy rights.

Those rights have limits and exceptions under local law. We answer valid requests as the law requires. Use our contact page at https://www.engineeringproductdesign.org/contact to make a request.

Some U.S. states grant extra rights, such as opting out of certain processing or appealing our reply to a request. We comply where those laws apply to us.

The Site is not aimed at children under 16, or under the minimum age set by your local law. We do not knowingly collect personal data from children through the Site. If you think we have, contact us through https://www.engineeringproductdesign.org/contact and we will delete it where the law allows.

The Site may link to other sites or embed third-party tools. Those services have their own privacy rules. We do not control how they treat data. Read their notices before you give them personal information.

We may change this notice when our practices, technology, legal duties, or the Site change. We will update the effective date at the top. For important changes we may add a clearer notice on the Site. After we post an update, your continued use of the Site means you accept the new notice where the law permits that.