Privacy Policy
Last updated: 17 May 2026.
This policy explains what personal data Shepyrd ("we", "us", "our") collects when you visit shepyrd.tech or contact us, why we collect it, and your rights regarding that data. We've kept it as plain-language as we can. If anything isn't clear, email us — the address is at the bottom.
Who we are
Shepyrd is a strategic technology consultancy based in Malaysia. We operate the website at shepyrd.tech. We are the data controller for any personal data collected through this site.
What we collect
We collect the minimum data needed to respond to inquiries, keep the site running, and understand how it's used.
1. Information you give us directly (contact form)
When you submit the contact form on /contact, we collect:
- Your name
- Your email address
- Your company name (optional)
- The project type you selected
- The message you wrote
2. Information collected automatically
- Your IP address, used briefly for rate-limiting (max 5 contact form submissions per hour, to prevent abuse). Stored hashed in DynamoDB and automatically deleted after 1 hour.
- Standard HTTP request metadata (browser type, referring URL, page requested) — used to serve pages and diagnose errors.
3. Analytics — only if you accept the cookie banner
If you click "Accept" on the cookie banner, we load Google Analytics 4 (measurement ID G-P2Y889ST71). It collects:
- Aggregated, anonymized usage data (pages visited, time on site, device/browser type, approximate location at city level).
- A unique pseudonymous identifier stored in a cookie.
We do not use this data for advertising, do not share it with Google for advertising purposes, and never combine it with the contact form data.
If you decline the banner or close it without choosing, no analytics cookies are set and no data is sent to Google.
Why we collect it
| Data | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Contact form fields | Reply to your inquiry | Legitimate interest / your request |
| IP address (rate-limit) | Prevent form abuse | Legitimate interest |
| Analytics (post-consent) | Improve the site | Consent |
| HTTP request metadata | Run + secure the site | Legitimate interest |
We never sell your data, never share it for advertising, and never use it for any purpose other than the one for which you provided it.
How long we keep it
| Data | Retention |
|---|---|
| Contact form messages | Stored in our email inbox (Google Workspace) indefinitely unless you ask us to delete |
| IP address (rate-limit) | 1 hour, then automatically deleted |
| Analytics (if consented) | 14 months, per Google Analytics default retention |
| HTTP server logs | 30 days |
If you'd like us to delete your contact form message, just ask — see the Your rights section.
Who we share it with (sub-processors)
We use three third-party services to operate this site. All process data on our behalf and are bound by their own privacy commitments.
| Provider | What they handle | Where |
|---|---|---|
| AWS (Amazon Web Services) | Site hosting (Amplify), transactional email (SES), rate-limit storage (DynamoDB) | Singapore (ap-southeast-1) + Malaysia (ap-southeast-5) |
| Google Workspace | Email inbox for incoming contact form messages | Google's global infrastructure |
| Google Analytics (only if consented) | Anonymized site usage analytics | Google's global infrastructure |
We do not share your data with anyone else. No marketing partners, no data brokers, no advertisers.
International transfers
We're based in Malaysia. Our infrastructure is primarily in Singapore (AWS Singapore region). Google's infrastructure is global. By submitting the contact form, you understand your data may be transferred to and processed in these jurisdictions. We rely on each provider's own data-transfer safeguards (AWS Standard Contractual Clauses, Google EU-US Data Privacy Framework).
Your rights
Under Malaysia's PDPA 2010
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Withdraw consent (e.g., decline the analytics cookie at any time)
- Limit how we use your data
- Make a complaint to the Personal Data Protection Commissioner of Malaysia (pdp.gov.my)
Under GDPR (if you're in the EU/EEA)
You additionally have the right to:
- Data portability (receive your data in a machine-readable format)
- Erasure ("right to be forgotten")
- Object to processing based on legitimate interest
- Lodge a complaint with your local supervisory authority
Under UK GDPR
Equivalent rights to GDPR. You can complain to the Information Commissioner's Office (ICO).
Under California CCPA / CPRA
If you're a California resident, you have the right to know what categories of personal information we collect, request deletion, and opt out of sale or sharing — though we don't sell or share personal information for advertising, so there's nothing to opt out of.
How to exercise these rights
Email team@shepyrd.tech with the subject line "Privacy request". We'll respond within 30 days (often much sooner). For deletion requests, please tell us which email address you used in the contact form so we can find your data.
Cookies
We use cookies as follows:
| Cookie | Purpose | When set | Duration |
|---|---|---|---|
| Strictly necessary (consent state, theme preference) | Remember your cookie banner choice + light/dark preference | Always | Session / 1 year |
Google Analytics (_ga, _ga_*) | Anonymized usage analytics | Only after you click Accept | 2 years |
You can clear cookies at any time via your browser settings. Declining or clearing analytics cookies has no effect on site functionality.
Children
Shepyrd is a business-to-business consultancy. The site is not directed at children under 13, and we do not knowingly collect personal data from them. If you believe a child has submitted data through our contact form, please email us and we'll delete it.
Security
We take reasonable technical and organisational measures to protect your data:
- All connections to the site use TLS (HTTPS); HSTS is enforced.
- Email is sent via SES with DKIM signing, SPF, and DMARC policies in place.
- The inbox is protected by Google Workspace, 2-step verification on the admin account.
- Infrastructure is provisioned via Terraform with least-privilege IAM roles; secrets live in encrypted state, never in source code or browser-visible bundles.
That said: no system is ever 100% secure, and we don't promise the impossible. If we ever experience a data breach affecting you, we'll notify you and any relevant regulator without undue delay.
Changes to this policy
If we change this policy, we'll update the "Last updated" date at the top and, for material changes, post a brief notice on the home page for at least 30 days. Your continued use of the site after a change means you accept the updated policy.
Contact
For any privacy-related question or request:
Email: team@shepyrd.tech Subject line: "Privacy request"
We typically reply within 1 business day. Formal requests are answered within the 30-day statutory window.