Last updated · 4 May 2026
Privacy Policy
This privacy policy explains what data H3 — Hand, Head, Heart as Design Operating System (“the book”, “we”, “us”) collects when you read it on h3.madebychocaholic.com, what we do with that data, and the rights you have over it.
This is a personal publishing project, not a company. The author is Fares Farhan, based in Indonesia.
1. Who is responsible for your data
Fares Farhan is the data controller for everything described below. You can reach me at f@madebychocaholic.com.
2. What we collect
When you sign in with Google to read the book, we collect:
- Your email address and name from Google. We do not see your Google password.
- Your highlights and notes — the text you mark, the chapter and section, and any note you attach.
- Your reading progress — which chapter and section you last read, and how far you scrolled.
- Your access tier — whether you have free access (front matter and Chapter 1) or full access.
- Payment records (when payments launch) — the payment processor’s transaction ID and status. We do not see or store your card or bank details. Those stay with the payment provider.
We do not collect IP addresses or browser fingerprints beyond what is technically necessary to serve the site.
3. How we use it
- To run the reader — sign you in, show your highlights, restore your scroll position, control which chapters you can access.
- To support you — if you email about an issue, we use your email to reply.
- To prevent abuse — block accounts that try to exploit the service.
We do not use your data for advertising. We do not sell it. We do not profile you for marketing.
4. Legal basis
For readers in the EU/UK (GDPR): we process data on the basis of performance of a contract (running the reader you signed up to use) and legitimate interest (security, abuse prevention).
For readers in Indonesia (UU PDP 27/2022): we process based on fulfilment of a contract with the data subject and legitimate interests as defined by the law.
5. Who else sees your data
We share data with a small number of service providers who run the infrastructure:
- Supabase — stores the user, highlights, progress, and comments tables. Hosted in the Asia Pacific region. Supabase privacy policy.
- Vercel — hosts and serves the website. Logs minimal request metadata (URL, status code, timing). Vercel privacy policy.
- Google — identity provider for sign-in. They learn that you signed in to “H3” but not what you did inside it. Google privacy policy.
- Payment processors (when payments launch) — Xendit (for Indonesian payment methods) and PayPal (international). They receive only what is necessary to complete a purchase. Xendit · PayPal.
We do not share your data with any other third party. We do not transfer it to advertising networks, analytics platforms, or aggregators.
6. International transfers
Your data may be stored or processed outside Indonesia (depending on the Supabase and Vercel regions in use). When that happens, we rely on the providers’ standard contractual clauses and equivalent safeguards.
7. Cookies and local storage
- A session cookie (set by Supabase) keeps you signed in. Without it you would have to sign in on every page load.
- localStorage in your browser caches your highlights and reading progress so the reader feels instant on slow connections. This stays on your device — you can clear it any time via your browser’s site data settings.
We do not use third-party cookies, analytics cookies, or tracking pixels.
8. How long we keep it
- Account data and highlights — for as long as you have an account. If you ask us to delete your account, we delete everything within 30 days, except records we are legally required to keep (such as payment transaction logs, retained per Indonesian tax law where applicable).
- Server access logs — kept by Vercel for up to 30 days, then deleted automatically.
- Inactive accounts — if you do not sign in for 24 months, we may email you a notice and delete the account if you don’t respond.
9. Your rights
You can:
- Access your data — email me and I will send you everything we have associated with your account.
- Correct anything that’s wrong — most of it (name, email) updates automatically when you change it on Google.
- Export your highlights — available on request via email.
- Delete your account and all associated data — email me and I will do this within 30 days.
- Withdraw consent — sign out and stop using the site; email me to delete remaining data.
- Complain to a regulator — in Indonesia, the Personal Data Protection Authority (once established under UU 27/2022). In the EU, your local Data Protection Authority. In the UK, the ICO.
10. Security
We rely on:
- HTTPS for all traffic.
- Supabase’s row-level security so a user can only read or write their own data — the database itself enforces this, not just application code.
- Encrypted data at rest in Supabase and Vercel.
- No long-lived service credentials shared with third parties.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant authority as required by law.
11. Children
The book is not directed at children under 16. If you are under 16, please do not sign up. If a parent or guardian believes a child has signed up, please email me and I will delete the account.
12. Changes to this policy
If we change this policy, we’ll update the “Last updated” date above and, for material changes, notify you by email before the change takes effect.
13. Contact
Questions, requests, or complaints: f@madebychocaholic.com.