Privacy Policy

Last updated: April 20, 2026

Data Controller

Martín Martín
Madrid, Spain
Contact: hi@mmartin.me

What Data We Collect

This website collects personal data only when you voluntarily submit it through the course waitlist form:

• Name and email address, provided when you join a course waitlist.

No data is collected through contact links. Clicking the email address opens your own email client.

Purpose and Legal Basis

Your data is processed for the following purpose:

• Course notifications: to inform you when a course you signed up for becomes available.

The legal basis for this processing is your explicit consent, given by checking the consent box and submitting the waitlist form (Article 6(1)(a) GDPR).

Data Storage and Processors

Your waitlist data (name and email) is stored in Cloudflare KV, a key-value storage service operated by Cloudflare, Inc. When you submit the form, a confirmation email is sent to you via Resend (Resend, Inc.), and an admin notification containing the same name and email is sent to the site owner via Telegram (Telegram Messenger Inc.); see Telegram’s Privacy Policy.

This website is hosted on Cloudflare Pages. Cloudflare processes technical data (IP address, user agent) as part of delivering the website and providing security services. See Cloudflare’s Privacy Policy.

Booking links on the training page redirect to Cal.com (cal.eu), a third-party scheduling service. Any data you provide when booking a session is processed by Cal.com under their own privacy policy.

Analytics

This website uses Umami Cloud (umami.is), a privacy-focused analytics service, proxied through this domain so no third-party scripts load in your browser. Umami records anonymous page-view events — page path, referrer, browser, operating system, country — and derives a daily visitor hash from your IP address, User-Agent and a rotating daily salt. No cookies are set, no cross-site tracking is performed, and the raw IP address is not retained. See Umami’s Privacy Policy.

Security Logging

To prevent abuse of the waitlist form, your IP address is temporarily stored in Cloudflare KV as a rate-limit counter (automatically deleted after approximately one hour). Your browser may also send Content Security Policy violation reports to this site when something is blocked by the policy; those reports include the IP address and User-Agent and are visible to the site owner in the Cloudflare function logs for debugging.

Cookies and Local Storage

This website does not set any cookies through its own code. It uses browser localStorage for functional purposes only:

• waitlist_enrolled: remembers that you already joined the waitlist so the success message is shown on return visits. Never sent to any server.
• ctf_uid: a randomly generated 4-character identifier used to personalise challenge flags in the Challenges section. It is not linked to your identity and is never sent to any server.
• ctf_solved: records which challenges you have completed and when, so your progress is preserved between visits. Never sent to any server.
• theme: remembers your colour theme preference (dark or light). Never sent to any server.

Cloudflare may set security-related cookies (__cf_bm, cf_clearance) automatically as part of its bot protection service. These are managed entirely by Cloudflare and are not accessible to this website’s code.

Data Retention

Waitlist entries (name and email) are kept until the corresponding course launches and launch notifications have been delivered — no automatic expiry is applied. Once notifications have been sent, or whenever you request deletion, the record is removed. Rate-limit entries expire automatically after approximately one hour.

Your Rights

Under the GDPR, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your data (“right to be forgotten”).
• Restrict or object to processing.
• Data portability: receive your data in a structured format.
• Withdraw consent at any time.

To exercise any of these rights, contact hi@mmartin.me.

International Transfers

Your data may be processed by Cloudflare, Resend, Umami and Telegram, which operate or may operate servers outside the European Economic Area. These transfers are covered by appropriate safeguards such as the EU-US Data Privacy Framework or Standard Contractual Clauses.

Changes to This Policy

This policy may be updated to reflect changes in data processing. The “last updated” date at the top will be revised accordingly.