SECTION · 01
Who's collecting.
This site is stevetan.com, operated by Steve Tan as a sole-operator personal brand. When this policy says "I" or "me", it means me · the human typing this. When it says "you", it means the person visiting the site, signing up for the newsletter, or filling out a form.
This site is a personal publishing platform. If we end up working together commercially, additional data processing under my company's engagement letter applies and is governed separately.
I am the data controller for any personal information collected through this site. Questions about how your data is handled go to the email at the bottom of this page.
SECTION · 02
What I collect.
I only collect data you give me directly, plus minimal anonymous analytics about how the site is used. The specific things I collect:
- Contact form submissions. Name, work email, phone number, company URL, role, team size, annual revenue band, project budget, services interest, the problem you're trying to solve, your current AI stack, and how you found me.
- Newsletter signups. Email address.
- Site analytics. Page views, referrer, country (not city), device type, browser. Aggregated. No personal identifiers.
- Server logs. IP address and timestamp, retained for 30 days for security and abuse prevention.
- Cookies. Only essential and analytics cookies. See Section 06.
I do not collect health data, financial account details (bank account numbers, credit card numbers, payment credentials), government IDs, social security numbers, biometric data, or any sensitive personal information through this site. Revenue band and project budget are collected for qualification purposes only · they are not financial account details. If you send me anything truly sensitive in a form anyway · for example by pasting it into the problem description · I will delete it on receipt.
SECTION · 03
Why I collect it.
Each thing I collect has one specific purpose. Nothing more.
- Contact form data is used to qualify the inquiry, reply personally, and · if there's a fit · scope and price the engagement.
- Newsletter emails are used to send my weekly operator essay and occasional product announcements. Nothing else.
- Analytics data is used to understand which content lands, what's worth writing more of, and what's broken.
- Server logs are used to detect abuse, scrapers, and security incidents.
The legal basis for processing your data (under GDPR if you're in the EU/EEA) is either your explicit consent (newsletter, form submission), legitimate interest (analytics, security), or contract performance (if we end up working together).
SECTION · 04
Who I share it with.
I don't sell your data. Not to advertisers, not to data brokers, not to anyone. There is no advertising business model on this site.
I do use a small set of third-party tools to run the site. These are sub-processors, not buyers. They see only what's necessary for their function:
- Email service provider. To deliver the newsletter and store subscriber addresses.
- Form processing. To route contact form submissions to my inbox.
- Hosting. The infrastructure the site runs on.
- Analytics. A privacy-respecting analytics provider that does not use cookies to track individuals across sites.
- Calendar / scheduling tool. If we book a call after the contact form, your name and email may be shared with the scheduling tool.
Each of these has its own privacy policy. I review them and choose vendors that don't resell data. The full current list is available on request.
I may also share data when legally required · for example in response to a valid court order or law enforcement request. I will tell you about such requests where I'm legally allowed to.
SECTION · 05
How long I keep it.
Different data lives for different lengths of time:
- Contact form submissions: kept as long as the relationship is active, plus three years after our last contact, for follow-up, reference, and to avoid re-asking the same qualifying questions if you reach out again. You can ask me to delete it sooner.
- Newsletter subscribers: kept until you unsubscribe. Unsubscribing removes you from the active list. A suppression record (your email + the fact that you unsubscribed) is retained so the system doesn't accidentally re-add you.
- Analytics: aggregated and retained indefinitely. There's no personal data in it to identify you.
- Server logs: 30 days, then automatically purged.
SECTION · 06
Cookies & tracking.
This site uses cookies sparingly. The categories:
- Essential cookies. Required for the site to function · session state, form integrity. These cannot be turned off without breaking the site.
- Analytics cookies. A minimal, privacy-respecting analytics tool that records aggregate page views. No cross-site tracking, no personal identifiers.
I do not use: Facebook pixel, TikTok pixel, Google Ads remarketing, X conversion tracking, LinkedIn Insight Tag, or any other ad-network retargeting tool. If you find such a script on this site, that is a bug · please email me.
You can disable cookies in your browser. The site will still work, but some preferences may not persist.
SECTION · 07
Your rights.
Depending on where you live, you have legal rights over the personal data I hold about you. The strongest baseline (which I apply globally):
- Right to access. Ask me what I have on you. I'll send you a copy.
- Right to correct. If something I have is wrong, tell me. I'll fix it.
- Right to delete. Ask me to erase your personal data. I'll do it inside seven days unless I'm legally required to keep it.
- Right to object. You can opt out of marketing communications at any time (every newsletter has a one-click unsubscribe).
- Right to portability. Ask me for an export of your data in a machine-readable format.
- Right to withdraw consent. If you previously gave consent for something, you can take it back. Future processing stops. Withdrawing consent may mean I can no longer provide certain things · for example, if you withdraw consent for the newsletter, I can't send it to you anymore.
- Right to lodge a complaint. If you think I've handled your data badly, you can complain to your local data protection authority. I'd rather you email me first so I can fix it directly.
How to exercise these rights
Email the address at the bottom of this page. Tell me which right you're exercising and which data you mean. I'll respond inside seven days. There is no charge.
I act as my own Data Protection Officer for PDPA purposes. All requests come straight to me.
SECTION · 08
International transfers.
I am based in Singapore. The site, the email service, and the analytics tools may be hosted in the United States, the European Union, or other jurisdictions. By using this site, you understand that your data may be transferred to and processed in those locations.
For EU/EEA visitors: where data is transferred outside the EEA, it's protected by Standard Contractual Clauses or equivalent safeguards required under GDPR.
SECTION · 09
Children.
This site is not directed at children. I do not knowingly collect personal data from anyone under 13 (or the minimum age in your jurisdiction). If you are a parent or guardian and believe your child has submitted personal data, email me and I will delete it on receipt.
SECTION · 10
Security.
I use industry-standard security measures: encrypted connections (TLS) for all data in transit, strong access controls on the vendors I use, and ongoing review of how data is stored.
No system is bulletproof. If a security incident affects your personal data, I will notify you and the relevant authority as quickly as possible · and inside 72 hours where legally required.
SECTION · 11
Changes to this policy.
If I change this policy, I update the version number and the effective date at the top of the page. Material changes (anything that meaningfully affects how your data is handled) get a banner at the top of the site for at least 30 days.
Continued use of the site after a change means you accept the updated policy. If you don't agree, the right move is to email me and ask for your data to be deleted.