[ LEGAL / DATA ]Effective: January 1, 2025

Data Collection

A plain-language summary of exactly what data we collect when you visit this website, why we collect it, and how long we keep it — with no jargon.

Our Approach

We collect as little data as possible. We do not use third-party advertising trackers, social media pixels, or behavioural profiling tools. What we collect is either something you actively give us, or anonymised technical data that helps us understand how our website performs.

No third-party tracking. No Google Analytics, no Facebook Pixel, no Hotjar, no ad network cookies.
No tracking cookies. Our analytics do not use cookies; they use browser localStorage with a random identifier.
No data selling. Your information is never sold or shared with advertisers.

Contact Form Data

When you submit a project brief or contact form, we collect and store the following fields:

Field	What it is	Required
Name	Your full name or company name	Yes
Email address	Your business or personal email	Yes
Company name	Your organisation (optional on some forms)	No
Service category	Which service you are interested in	Yes
Project overview	Description of your project goals	Yes

Where it goes: Stored in our secure PostgreSQL database (Supabase). Only our team can access it.
How long we keep it: Up to 3 years for business records, then permanently deleted.
Why we collect it: To respond to your enquiry and discuss your project.

Website Analytics

Every page you visit on our website is recorded by our self-hosted analytics system. Here is exactly what is captured:

Data point	What it is	Identifies you?
Page URL	The address of the page you visited	No
HTTP referrer	The URL of the page you came from	No
UTM parameters	Campaign tags from email or ad links (e.g. utm_source)	No
Visitor ID	A random UUID stored in your browser localStorage — not linked to your identity	No
Session ID	A random UUID for the current browser session (erased when you close the tab)	No
CTA clicks	Which call-to-action buttons you clicked	No

Where it goes: Our own database — no third-party analytics service receives this data.
How long we keep it: Up to 12 months, then deleted.
No cookies used.The visitor ID lives only in your browser's localStorage and is never transmitted to other sites.

Browser Local Storage

We write the following entries to your browser's storage:

Key	Storage type	Purpose
cms.analytics.visitorId	localStorage (persists across sessions)	Counts unique visitors — random UUID, cannot identify you personally
cms.analytics.sessionId	sessionStorage (erased on tab close)	Groups page views within a single visit
cms.analytics.tracked.*	sessionStorage	Prevents counting the same page twice in one session

You can clear these at any time by clearing your browser's site data or local storage for vanaila.com. Doing so will not affect your access to any part of the website.

Fonts and Static Assets

This website uses Google Fonts (Sora, Playfair Display, Inter Tight, Instrument Serif, JetBrains Mono). The font files are downloaded and served from our own server via Next.js font optimisation — your browser does not make any direct requests to Google's servers. Google cannot track your visit through fonts on this site.

Server Logs

Our web host's server automatically logs standard HTTP request metadata: your IP address, browser user agent, date and time, and requested URL. These logs are used solely for security monitoring and infrastructure diagnostics, are not linked to your identity, and are typically purged within 30 days by our hosting provider.

Data We Do Not Collect

To be explicit, we do not collect or process:

Financial or payment information (we have no payment forms)
Social media profile data or login credentials
Location data beyond what may appear in your IP address in server logs
Biometric or health data
Data from children under 16
Information from third-party data brokers

Your Control Over Your Data

You have the following options:

Clear localStorage — removes your visitor ID. In your browser developer tools under Application → Local Storage → vanaila.com.
Request deletion of contact data — email care@vanaila.com with the subject "Data deletion request" and we will remove your submission records within 30 days.
Access your data — email us and we will send you a copy of any personal data we hold about you.

Applicable Regulations

We have designed our data practices to comply with the following frameworks:

UU PDP (Indonesia) — Undang-Undang Perlindungan Data Pribadi No. 27 Tahun 2022. As an Indonesian-registered company, this is our primary regulatory framework.
GDPR (European Union) — General Data Protection Regulation. We apply GDPR-equivalent practices for all visitors regardless of location.
PDPA (Thailand / ASEAN) — Personal Data Protection Act and similar ASEAN data protection laws where applicable.

Questions or regulatory enquiries may be directed to care@vanaila.com. We are Vanaila Digital, registered in Indonesia.

Questions or data requests?

care@vanaila.com →