Privacy Policy

The Aluminum Dispatch (the "Site") is the controller of personal data processed on this site and its subdomains. For privacy questions, data-subject requests, or to reach our Data Protection Officer, use /contact with the subject line "Privacy request".

If you are in the EU and want to file a complaint, you may contact the lead supervisory authority of your member state. If you are in Brazil, contact the ANPD (Autoridade Nacional de Proteção de Dados). If you are in Vietnam, contact the Ministry of Public Security (Department A05). If you are in mainland China, contact the Cyberspace Administration of China (CAC).

Voluntary data: email address and (optional) company name when you subscribe to the newsletter, submit a contact form, or post a request-for-quote (RFQ).

Automatically collected: IP address, user-agent, referrer, page path, language, timezone, and coarse geolocation derived from IP. We use this for analytics and abuse prevention only.

We do not collect biometric data, government identifiers, health data, financial account numbers, or children's data. If you believe we have unintentionally collected data about a minor under 16, contact us and we will delete it.

Contract (Art. 6(1)(b)): processing subscription requests, delivering newsletters you signed up for, fulfilling RFQs.

Legitimate interest (Art. 6(1)(f)): aggregated analytics, preventing abuse and fraud, server security logs. We balance this interest against your rights and you can object at any time.

Consent (Art. 6(1)(a)): marketing emails beyond your original subscription, non-essential cookies. Consent can be withdrawn at any time without affecting prior lawful processing.

Legal obligation (Art. 6(1)(c)): responding to lawful requests from regulators or courts.

Service delivery: send the content or response you asked for.

Analytics: count page views, measure which pages are useful, detect broken flows. We use privacy-friendly tools (Plausible Analytics) that do not set identifying cookies.

Abuse prevention: rate-limit forms, block spam, detect scraping that harms the service.

Product improvement: aggregate, anonymised usage to prioritise features.

Newsletter email: until you unsubscribe, plus 30 days for unsubscribe audit trail.

Contact / RFQ submissions: 24 months, then deleted or anonymised.

Server access logs: 30 days.

Aggregated analytics: indefinite, but cannot be linked back to you.

Under GDPR, LGPD, PDPL, and PIPL you have the right to: access the data we hold about you; rectify inaccurate data; erase your data; restrict or object to processing; data portability (structured machine-readable export); and to not be subject to decisions based solely on automated processing that produces legal effects. We do not perform automated decision-making with legal effect.

To exercise any right, use /contact. We respond within 30 days (GDPR/LGPD), 15 days (PIPL), or as required by local law, whichever is sooner.

We use strictly-necessary cookies for language preference and session continuity. We use no advertising cookies and no cross-site tracking. Plausible Analytics runs cookieless. A detailed cookie table is shown in the cookie consent banner on first visit; you can change your choices any time via the "Cookie settings" link in the footer.

Resend (transactional email, USA / EU) — delivers newsletter and confirmation emails.

Vercel (hosting, USA / global edge) — serves the site and runs functions.

Neon (Postgres database, USA / EU) — stores subscription and RFQ records.

Plausible Analytics (EU) — cookieless page-view analytics.

We require each sub-processor to meet GDPR-equivalent standards and sign a Data Processing Agreement. We do not sell personal data.

Data may be processed in the United States, the European Union, and mainland China. For EU→US transfers we rely on Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework. For China outbound transfers we comply with PIPL Art. 38 and publish PIPIA summaries on request. For Brazil outbound transfers we apply the ANPD standard clauses.

Data in transit is encrypted with TLS 1.3. Data at rest in Neon is encrypted with AES-256. Access to production systems is limited to named administrators and protected by hardware-key two-factor authentication. We run automated dependency scans and act on high-severity CVEs within 72 hours. In the event of a personal-data breach that poses a risk to your rights we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

We will post material changes on this page and bump the "Last updated" date. For substantive changes affecting your rights we will notify subscribers by email at least 14 days before the change takes effect. The full change log is maintained publicly in the site repository.