Available in English only

This privacy policy is available in English only. The English version is the legally binding text. For translation assistance or accessibility support, email sangmlee23@gmail.com.

privacy · last updated 2026-05-02

Privacy Policy.

I keep what you give me, store it for the period below, never sell it, delete on request, and disclose every processor I use. If anything here is unclear, email me at sangmlee23@gmail.com and I will fix it.

01 controller

Who I am, how to reach me.

I am the data controller for everything collected through smlee.dev. That means the legal responsibility for handling your data sits with me directly, not with an agency or holding company.

Controller: Sangmin Lee (sole proprietor)
Site: https://smlee.dev
Contact: sangmlee23@gmail.com
Postal address: Pending. A physical mailing address will be added before the smlee.dev newsletter starts sending (CAN-SPAM and GDPR Art. 13 require it for marketing email).

02 data collected

What I collect, per form.

Three forms exist on this site. Each one collects the minimum it needs to do its job. No tracking pixels in emails. No fingerprinting. Server-side IP and User-Agent are captured for spam attribution only.

| Form | Fields you give me | Captured server-side |
|---|---|---|
| Free Scan (/scan) | URL, email, optional company | IP, User-Agent |
| Contact (/#contact) | Name, company, URL, message, email | IP, User-Agent |
| Subscribe (footer) | Email | IP, User-Agent |

03 lawful basis

Why I am allowed to process this (GDPR Art. 6).

Each processing activity has exactly one lawful basis. I do not stack bases or fall back on legitimate interest where consent is the correct ground.

| Activity | Lawful basis | Article |
|---|---|---|
| Subscribe (newsletter signup) | Explicit consent (opt-in) | Art. 6(1)(a) |
| Contact form submission | Legitimate interest (you asked me to respond) | Art. 6(1)(f) |
| Free Scan request | Legitimate interest (you requested the service) | Art. 6(1)(f) |
| IP / User-Agent capture on form submissions | Legitimate interest (spam and abuse prevention) | Art. 6(1)(f) |
| Analytics cookies (GA4) | Consent (banner must be accepted before any GA4 script loads) | Art. 6(1)(a) + ePrivacy |
| LocalStorage for lens UI state | Strictly necessary (no consent required) | ePrivacy exemption |

04 retention

How long I keep things.

Retention is tied to the reason for processing. Once the reason ends, the data is deleted. You can ask me to delete sooner (see section 09).

| Data | Retention | Why |
|---|---|---|
| Contact submissions (name, email, message, URL) | 24 months from last interaction | Engagement context, repeat-client continuity |
| Scan submissions (URL, email, optional company) | 24 months from last interaction | Diagnostic continuity if you return for a follow-up |
| Subscribe (email) | Until you unsubscribe | Consent-based; one-click unsubscribe ends retention |
| IP / User-Agent on form submissions | 90 days | Spam and abuse attribution window |
| Analytics (GA4, if consented) | GA4 default (currently 14 months at the property level) | Aggregate measurement only; no identifiers retained beyond GA4 defaults |
| Server logs (Vercel) | Per Vercel defaults | Operational, security, and uptime diagnostics |

05 sub-processors

Third parties that touch your data.

Every processor I rely on is listed below. If I add one, I update this page before it goes live. Each is bound by the relevant processor agreement (DPA) and is certified under the EU-US Data Privacy Framework.

| Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Vercel | Hosting, edge network, server logs | United States | EU-US DPF (SCCs as fallback) |
| Google Workspace + Apps Script + Sheets | Form-submission storage, email delivery, automation | United States | EU-US DPF (SCCs as fallback) |
| Slack | Internal notifications when forms are submitted | United States | EU-US DPF (SCCs as fallback) |
| Google Analytics 4 | Aggregate analytics (loaded only after explicit consent) | United States | EU-US DPF (SCCs as fallback) |

06 international transfers

How data leaves the EU / UK.

All processors above are based in the United States. The primary transfer mechanism is the EU-US Data Privacy Framework (and the UK extension to it). Where DPF coverage is unavailable for a given transfer, Standard Contractual Clauses (SCCs, 2021 modules) plus supplementary measures apply as the fallback. Each processor's current privacy notice is the authoritative source for their posture:

07 cookies + localstorage

Every storage key on this site.

The full inventory. Strictly necessary keys load on every page. Analytics cookies load only after you accept the consent banner. If your browser sends a Global Privacy Control (GPC) signal, analytics are treated as not-consented automatically (see section 11).

| Name | Type | Purpose | Duration | Category |
|---|---|---|---|---|
| smlee.lens | localStorage | Lens-mode UI preference | Persistent (until cleared) | Strictly necessary |
| smlee.lens.panel.h | localStorage | Lens panel height preference | Persistent (until cleared) | Strictly necessary |
| Consent state | localStorage | Records your cookie-banner choice so the banner does not re-prompt | Persistent (until cleared) | Strictly necessary |
| _ga | Cookie (only after consent) | GA4 client identifier | 2 years | Analytics |
| _ga_* | Cookie (only after consent) | GA4 session state per property | 2 years | Analytics |
| Vercel deployment cookies | Cookie | Used on preview deployments for routing and protection. Not set on the production site under normal browsing. | Session / short-lived | Strictly necessary |

08 your rights

What you can demand from me (GDPR + UK GDPR).

If you are in the EU, EEA, UK, or Switzerland, you have all of the following rights. They are not favors. They are rights.

  • Access: get a copy of the data I hold about you.
  • Rectification: correct anything that is wrong.
  • Erasure: ask me to delete your data (right to be forgotten).
  • Restrict processing: freeze processing while a dispute is resolved.
  • Data portability: receive your data in a machine-readable format.
  • Object: object to processing based on legitimate interest.
  • Withdraw consent: withdraw consent at any time (does not affect prior lawful processing).
  • Lodge a complaint: file with your supervisory authority. UK residents: the ICO. EU residents: your member-state DPA (the EDPB members directory has the full list).

09 how to exercise

The actual procedure.

Email sangmlee23@gmail.com with the subject line "Data request, access/delete/etc". I respond within 30 days, per GDPR Art. 12(3). If your request is complex, I may extend by up to 60 additional days and will tell you why.

Identity verification: I will ask you to confirm the request from the same email you originally submitted, or to provide one additional matching detail (e.g. the URL you submitted to /scan). This prevents impersonation. I will not ask for ID documents unless the data at issue is genuinely sensitive and no lighter check works.

10 california · ccpa

If you are a California resident.

I do not sell personal information. I do not share personal information for cross-context behavioral advertising. There is no financial incentive program tied to your data.

California residents have the right to:

  • Know what personal information I have collected.
  • Request deletion of personal information.
  • Correct inaccurate personal information.
  • Opt out of any future sale or sharing (none currently happens).
  • Limit the use of sensitive personal information (none is collected).
  • Non-discrimination: exercising any of these rights changes nothing about how I treat you.

Same exercise procedure as section 09. Authorized agents may submit on your behalf with written permission.

11 global privacy control

GPC is honored automatically.

If your browser sends a Global Privacy Control signal, this site treats analytics as not-consented before the cookie banner is even shown to you. You do not need to click anything for GPC to take effect. GA4 will not load on a GPC-flagged session.

12 children

Site is not directed to children under 16.

smlee.dev is a B2B engineering practice site. It is not designed for, marketed to, or knowingly used by children under 16. I do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has submitted data, email sangmlee23@gmail.com and I will delete it.

13 marketing emails

The newsletter, when it starts sending.

The smlee.dev newsletter is not yet active. When it starts sending, every email will:

  • Identify the sender clearly (Sangmin Lee, smlee.dev).
  • Include a physical mailing address (CAN-SPAM and GDPR Art. 13).
  • Provide a one-click unsubscribe link.
  • Be sent only to addresses that explicitly opted in (Art. 6(1)(a) consent). No purchased lists. No imported contacts.

14 data breach notification

If something goes wrong.

In the event of a personal data breach affecting EU or UK individuals, I notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33). Where the breach is likely to result in a high risk to your rights and freedoms, I notify affected individuals directly without undue delay (GDPR Art. 34).

Notification will identify the categories of data affected, the approximate number of individuals concerned, the likely consequences, and the remediation steps taken or planned.

15 changes

When this policy updates.

Material changes update the last-reviewed date at the top of this page and (when appropriate) trigger a notice to active subscribers. Non-material edits (typos, link fixes, formatting) update the page without notification. The English version is the legally binding text; translations of the legal-notice banner are informational.

16 contact

How to reach me about this.

Any privacy question, data subject request, or compliance concern: sangmlee23@gmail.com. Response within 30 days for data subject requests; faster for most other questions.