Privacy Policy
Last updated: 27 April 2026
This Privacy Policy explains what personal data is collected when you use https://www.nzian.xyz (the "Site"), the blog at /blog, and the contact / hire forms operated by Ziauddin Robin ("I", "me"), how it is used, who it is shared with, and the rights you have over it.
I take privacy seriously. The Site is a personal portfolio — I am not in the data-broker business, do not sell visitor data, and only collect the minimum needed to reply to messages, deliver the newsletter, fight spam, and understand which content is useful.
1. Who is the data controller
Ziauddin Robin (sole operator), Mohsin Palace, 370/B Gulbagh R/A, Agrabad Access Road, Chittagong 4100, Bangladesh. Email: info@nzian.xyz. There is no separate company entity behind the Site.
2. What data is collected, why, and how long it is kept
| Data | When collected | Purpose | Retention |
|---|---|---|---|
| Name, email, message body | You submit the contact, hire, or "Want to contact me" form. | Reply to your enquiry, follow-up about freelance work. | Up to 3 years from last interaction, then deleted from my inbox / archive. |
| Email address | You opt in to the blog newsletter. | Send new-post notifications. | Until you unsubscribe (every email contains a one-click unsubscribe link). |
| GitHub username, avatar, comment body | You post a comment via Giscus on a blog post. | Display threaded comments under the post. | Stored in public GitHub Discussions on the nzian/nzianxyz repository until you delete the comment from GitHub. |
| IP address, user-agent, referrer, request URL | Every request to the Site (web-server log). | Security, abuse / brute-force prevention, debugging. | Server access logs are rotated within 14 days. |
| Anonymised analytics events (page views, clicks, scroll depth, Core Web Vitals) | If you allow cookies / scripts to load. | Understand which articles and projects are useful, find performance regressions. | Per Google Analytics 4 default — currently 14 months. |
| Session-replay style heatmaps (Microsoft Clarity) | If you allow Clarity to load. | Spot UI confusion, dead clicks, layout bugs. Form fields and emails are masked. | ~30 days, per Clarity defaults. |
| Live-chat messages (Crisp) | You start a chat on the Site. | Real-time support / Q&A. | Up to 12 months in the Crisp inbox. |
| Project files, credentials, business data (freelance clients only) | You share them as part of an agreed engagement. | Deliver the work you hired me for. | Returned or deleted within 60 days of project closure unless we agree otherwise in writing. |
3. Legal basis (GDPR / similar laws)
- Consent — for marketing emails, optional analytics, and chat scripts. You can withdraw consent at any time.
- Performance of a contract — for delivering freelance work you have engaged me for.
- Legitimate interest — for replying to direct enquiries, keeping security logs, and basic site operation.
- Legal obligation — where I must keep records (e.g. invoices) under applicable tax law.
4. Cookies & similar technologies
The Site itself sets only essential cookies needed for navigation and form security. The following third-party scripts may set their own cookies / local-storage entries when they load:
- Google Analytics 4 (gtag.js) — _ga, _ga_*. Anonymous traffic measurement.
- Google Tag Manager — orchestrates the above.
- Meta Pixel (Facebook) — _fbp. Conversion measurement for any ads I run.
- Microsoft Clarity — _clck, _clsk. Heatmaps & session insights, with PII masking enabled.
- Crisp Chat — crisp-client/* in localStorage to keep your chat session.
- Giscus / GitHub — when you sign in to comment, GitHub sets its own auth cookies on its domain.
- YouTube embeds (on some posts) — set cookies when the video player loads. I use youtube-nocookie.com where possible.
You can block these via your browser settings, an extension such as uBlock Origin, or by enabling "Do Not Track" / "Global Privacy Control". The Site continues to work without them.
5. Who I share data with
I do not sell or rent personal data. Limited data is processed by these providers strictly to operate the Site:
- Google — Analytics, Tag Manager, Fonts CDN.
- Meta — Pixel.
- Microsoft — Clarity, Bing webmaster.
- Crisp IM SAS — live chat.
- GitHub, Inc. — Giscus comments via GitHub Discussions.
- SMTP / email provider (currently a self-hosted Postfix relay) — used to deliver form messages and newsletters.
- My web host — the VPS where Caddy + PHP serve the Site.
Some of these providers are based in the United States or the EU, so transfers outside Bangladesh / your country may take place under their respective Standard Contractual Clauses or equivalents.
6. Security
- HTTPS-only with HSTS preload eligibility.
- Strict X-Content-Type-Options, restrictive RewriteRules blocking direct access to /lib/* internals.
- Form endpoints are server-side validated (PHP) with anti-spam checks.
- Blog post sources live outside the web root and are read by the renderer; they are not directly servable.
- Credentials supplied for freelance work are stored in an encrypted password manager and deleted at project closure.
No system is 100% secure. If you spot a vulnerability, please email info@nzian.xyz with subject "Security" and I will respond within 72 hours.
7. Your rights
Depending on where you live (EU/EEA, UK, California, Bangladesh, etc.), you have some or all of the following rights:
- Access — ask what personal data I hold about you.
- Rectification — ask me to correct inaccurate data.
- Erasure ("right to be forgotten") — ask me to delete your data, subject to legal retention obligations.
- Restriction & objection — limit or object to certain processing (especially analytics & marketing).
- Portability — receive your data in a machine-readable format.
- Withdraw consent — at any time, without affecting prior lawful processing.
- Lodge a complaint with your local data-protection authority.
Email info@nzian.xyz with the subject "Privacy request" and I will respond within 30 days. There is no fee for reasonable requests.
8. Newsletter & transactional email
You only receive emails if you opt in via a form on the Site or after engaging me as a client. Every newsletter contains a one-click unsubscribe link. Transactional email about an active freelance project (invoices, scope changes, deployment notices) is sent under legitimate interest and continues until the project closes.
9. Children
The Site is not directed at children under 13. I do not knowingly collect data from children. If you believe a child has submitted a form, contact me and I will delete the data.
10. Automated decisions / AI
I do not use your personal data for automated profiling or AI-driven decision-making. Article content on the blog is written by me; any AI assistance is limited to drafting, grammar checks and code review, and is reviewed before publishing.
11. Changes to this policy
This policy may be updated when tools or laws change. The "Last updated" date at the top reflects the latest revision. Material changes (e.g. adding a new processor) will be highlighted on the page or via the newsletter.
12. Contact
- Email: info@nzian.xyz
- Contact form: nzian.xyz/contact-me
- Phone / WhatsApp: +8801841908292
See also: Terms & Conditions.