What we collect, and what we don’t.

What we collect.

Email address. Only if you submit it through the signup form. We use it to send one email when the Strait of Hormuz operational status changes (open ↔ restricted ↔ closed). That’s the only use.

IP address (transient). When your browser requests a page, the IP is part of the request like every web request. We use it briefly for rate limiting (so a single address can’t hammer the form or the data API), and it appears in server access logs the hosting provider keeps for operational debugging. Rate-limit records are short-lived. Server access logs follow the hosting provider’s standard log rotation.

Aggregated, cookie-less analytics. Page views, country (derived from IP, then discarded), and referrer are recorded in aggregate by a privacy-focused analytics provider. No cookies, no individual identifiers, no cross-site tracking. The data shows up as “1,247 visits this week from Germany”, never as a profile of a specific visitor.

What we don’t collect.

We do not collect names, payment information, location data beyond country-from-IP, browsing history, or anything from third-party trackers. The only data currently handled is what is necessary to deliver the email-flip promise and to keep the public dashboard reachable.

Where the data lives.

Subscriber email addresses are stored in Google Cloud Firestore and transmitted to Resend for email delivery. Cloudflare sits in front of the site as a CDN and web-application firewall and processes incoming requests in transit; it does not retain subscriber email content. All three are commercial services with their own published privacy and security practices.

Subprocessors may change. If we move email delivery, the CDN, or the database to a different vendor, we will update this page to name the current set. We will not introduce a new category of subprocessor (for example, an analytics service that handles personal data, or any third party beyond infrastructure and email delivery) without giving existing subscribers reasonable advance notice.

We do not sell, rent, license, or share subscriber email addresses with anyone outside the infrastructure subprocessors above. The list exists for the sole purpose of delivering the status-flip email. If that ever changes, we will give existing subscribers reasonable advance notice and a clear opportunity to opt out before any new use takes effect.

How long we keep it.

Active subscribers. Until you unsubscribe.

After you unsubscribe. Clicking the unsubscribe link in any email marks the row as unsubscribed and stops sending. The row itself is kept so that an accidental re-signup using the same address does not start the flow over. To have the row deleted entirely, email hello@straits.live from the address you signed up with, or with the originally-used address in the body. We aim to process deletion requests promptly; the legal maximum response window under GDPR is 30 days.

Pending double opt-in. If you submitted an email but never clicked the confirmation link, the pending record expires within a short window and is deleted automatically.

Rate-limit IP records. Transient: kept only as long as needed to apply the per-IP rate window, then discarded.

Server access logs. Limited retention, following the hosting provider’s standard log rotation. Used only for operational debugging.

Your rights.

If you are in the EU, UK, California, or any of the other jurisdictions whose data-protection laws give you these rights, you have them whether or not the law specifically applies to Straits:

• Access: we will send you any data we hold associated with your email address.
• Correction: if anything is wrong, we will fix it.
• Deletion: we will remove the row entirely on request.
• Portability: we will export your data in a machine-readable format.
• Withdraw consent: at any time, by unsubscribing or by emailing us.

Send any of these requests to hello@straits.live. We aim to reply promptly; the legal maximum response window under GDPR is 30 days.

Cookies.

Straits sets no cookies of its own and uses no third-party tracking cookies. Our analytics provider operates without cookies. The CDN may set short-lived security cookies on requests it identifies as suspicious; these expire quickly and exist only to help the firewall distinguish a returning bot from a one-off request. None of these cookies tracks browsing behaviour or identifies a visitor across sites.

Children.

Straits is not directed at children under 13 (US) or under 16 (EU), and we do not knowingly collect data from children. If you believe a child has subscribed using your address, email us and we will remove the entry.

Changes to this policy.

If we change this policy in any way that materially affects how existing subscriber data is handled, we will give existing subscribers reasonable advance notice, by email, or by prominent notice on the site. Cosmetic changes (rephrasing, link updates, formatting) and updates to subprocessor names will be made in place and noted by the “Last updated” date below.