Legal
Privacy Policy
How NWARRAH collects, processes, and protects information across our website, contact channels, and engagements. Written in plain engineering language — not legal filler.
Overview
NWARRAH is an engineering studio. We collect the minimum data needed to run our website, respond to enquiries, deliver projects, and improve our services. We do not sell personal data, and we do not run ad-tech profiling.
Data minimisation by default
If a piece of data is not required to deliver a service or meet a legal obligation, we prefer not to collect it at all.
Data we collect
- Identity & contact data you submit: name, email, phone, company, and message content.
- Project data shared during an engagement (documents, credentials via secure channels, requirements).
- Account data if you create a login: email, profile fields, and role.
- Technical data: IP-derived country, device type, browser, and referring source.
- Usage data: pages viewed and interactions, in aggregate and cookie-free.
Analytics
We run first-party, cookie-free analytics. We record a per-tab session identifier (not tied to your identity), the page path, device category, approximate country from timezone, and the referring source.
event = { path, referrer_source, device, country, session_id }
// no cookies · no cross-site tracking · no ad networksBooking (Calendly)
When you book a call, scheduling may be handled by a third-party calendar provider. The data you enter (name, email, and any notes) is processed by that provider to confirm and manage your meeting. We receive the same details to prepare for the call.
Contact & lead forms
Information submitted through contact, lead, and audit request forms is stored in our CRM to route, respond to, and follow up on your request. We treat this as business-necessary processing.
Transactional emails (confirmations, replies, account emails) are sent to fulfil your request. We do not add you to marketing lists without explicit opt-in.
Third-party processors
| Processor | Purpose | Data |
|---|---|---|
| Supabase | Auth, database, storage | Account & submitted data |
| Calendar provider | Meeting scheduling | Name, email, notes |
| Email provider | Transactional email | Email address, message |
| Hosting/CDN | Serving the website | Request metadata |
Processors, not data brokers
Each processor acts on our instructions under a data processing agreement and may not use your data for their own purposes.
Retention
- Enquiry & lead records: up to 24 months after last contact.
- Project records: for the duration of the engagement plus contractual/legal retention.
- Analytics events: aggregated and retained for trend analysis, no personal identity attached.
- Account data: until you delete your account or request removal.
Your rights
Depending on your jurisdiction you may request access, correction, deletion, export, or restriction of your data, and you may object to certain processing. We respond within statutory timeframes.
International users
We operate globally. Where data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses with our processors.
Security
We encrypt data in transit and at rest, apply role-based access control, and follow least-privilege principles. See our Security page for the full posture.
Children
Our services are intended for businesses and professionals. We do not knowingly collect data from children under 16.
Changes
We may update this policy as our services evolve. Material changes are reflected in the version and last-updated date at the top of this page.
Frequently asked
Questions about this document? Reach us at our contact page.
Let's build something that compounds.
Tell us about your product, systems or automation goals. We'll map a path forward.