Privacy Policy.

Last updated .

Privacy Policy

This Privacy Policy explains how Phuong Tran ("I", "me", "my") collects, uses, stores, and protects personal data when you visit thunderphong.com (the "Site").

I follow a minimal data approach: I collect only what is necessary for the Site to function and to respond to you, and I never sell, trade, or rent personal data.

By using the Site you agree to the practices described here. If you do not agree, please discontinue use.

1. Who I am (Data Controller)

I am a sole individual operating this Site as a personal/professional portfolio. There is no separate organization or legal entity behind it.

2. Scope

This policy covers only the public landing site at thunderphong.com (the root domain).

It does not cover:

  • Subdomains such as console.thunderphong.com or any other product/service I may operate under a subdomain — each has its own privacy policy because the data collected and the legal basis differ (e.g. authenticated accounts, transactional data).
  • Third-party websites linked from the Site.

If you are using a subdomain, please refer to the privacy policy published on that subdomain.

3. What data I collect

3.1 Server and infrastructure logs (automatically collected)

When you visit the Site, hosting and CDN providers automatically log:

  • IP address
  • Browser type and version (User-Agent)
  • Referring URL
  • Pages requested and timestamps
  • Approximate location (country/region from IP)

Purpose: site operation, security, abuse prevention, debugging.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) / legitimate purpose for operating the Site (PDPL 2025).

Retention: 30 to 90 days (provider defaults).

3.2 Analytics

The Site uses Umami, an open-source, privacy-friendly analytics tool that I run on my own Railway infrastructure (self-hosted). Umami collects:

  • Page views and navigation paths within the Site
  • Referring sources (e.g. which external link brought you here)
  • Approximate country and device type
  • Aggregated session metrics

Umami does not use cookies, does not assign a persistent identifier to you, and does not share data with any third party. IP addresses are hashed and discarded before storage, so individuals are not tracked across sessions.

Purpose: understand which content is useful and improve the Site.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) / legitimate purpose (PDPL 2025). Because analytics is cookieless and non-identifying, no consent banner is required.

Retention: aggregated metrics only; no per-user records.

3.3 Contact form

When you submit the contact form, I collect:

  • Your name
  • Your email address
  • The message you write
  • Submission timestamp and IP address (for spam protection)

Purpose: to reply to your inquiry.

Legal basis: your explicit consent (PDPL 2025) and processing necessary to take steps at your request before entering into a contract (GDPR Art. 6(1)(a)/(b)).

Retention:18 months from submission, after which the message is automatically deleted, unless an ongoing conversation justifies a longer period.

If you prefer, you may instead use the mailto: links on the Site, which open your own email client and send the message directly to me without any data being processed by this Site.

3.4 What I do NOT collect

I do not collect or store:

  • Passwords, payment information, or financial data
  • Precise location data (GPS)
  • Contacts, phone numbers, or government IDs
  • Health, biometric, religious, or political data
  • Any other sensitive personal data

I do not run advertising, marketing pixels, retargeting tags, session replay, heatmaps, or keystroke logging. The Site has no user accounts and no authentication.

3.5 Cookies and similar technologies

The Site uses strictly necessary cookies/local storage only (e.g. to remember your language preference). These do not require consent.

If non-essential cookies are introduced in the future (analytics, marketing, embeds), a consent banner will be shown and these cookies will not be set before you opt in.

4. Third parties who process data on my behalf (Processors)

ProcessorPurposeLocation of processing
Railway Corp.Application hostingSingapore (ap-southeast-1)
Cloudflare, Inc.CDN, DNS, bot protection, edge logsGlobal edge; closest to Singapore
Resend (Resend.com, Inc.)Outbound email delivery for contact formUnited States
Umami (self-hosted on Railway)Aggregate, cookieless traffic analyticsSingapore (ap-southeast-1)

All processors are bound by their own privacy and data processing terms. Where they are located outside Vietnam or the EEA, I rely on their standard data processing agreements (DPAs) and standard contractual clauses (SCCs) where applicable.

I do not sell personal data, share it for cross-context behavioral advertising, or use it for automated decision-making with legal effects.

5. International data transfers

Because I host the Site on Railway's Singapore region and use Cloudflare's global edge network, your data may be processed outside Vietnam, the EEA, or the United Kingdom.

For transfers from the EEA/UK, I rely on:

  • Standard Contractual Clauses (SCCs) offered by the relevant processor
  • The processor's own adequacy or transfer safeguards

For transfers from Vietnam (PDPL 2025), transfers are documented in line with the law's requirements for cross-border data processing.

6. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data I hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict or object to certain processing
  • Withdraw consent at any time (without affecting prior lawful processing)
  • Data portability (receive your data in a structured, machine-readable format)
  • Lodge a complaint with your local supervisory authority:
    • Vietnam: Ministry of Public Security (Cục An ninh mạng và phòng, chống tội phạm sử dụng công nghệ cao — A05)
    • EU/EEA: your national data protection authority
    • UK: the Information Commissioner's Office (ICO)

To exercise any of these rights, email me at [email protected]. I will respond within 72 hours for Vietnamese requests and within one month for EU/UK requests, in line with applicable law.

Because the Site has no user accounts, I may need to verify your identity using the email address from which you originally submitted data.

7. Security

I take reasonable technical and organizational measures to protect your data, including:

  • HTTPS/TLS for all traffic
  • Cloudflare web application firewall and DDoS protection
  • Access controls on hosting and email infrastructure
  • Encryption at rest where supported by the processor

No system is 100% secure. If a personal data breach affecting your rights occurs, I will notify the Vietnam Ministry of Public Security within 72 hours, and notify affected users where required by GDPR Art. 34 or PDPL 2025.

8. Children

The Site is not directed at children under 16. I do not knowingly collect personal data from children. If you believe a child has provided data, please contact me and I will delete it.

The Site contains links to third-party websites (e.g. GitHub, LinkedIn, blog references). I am not responsible for their privacy practices. Please review their policies separately.

10. Changes to this policy

I may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be highlighted on the Site for a reasonable period.

11. Contact

Questions, requests, or complaints about this policy or your data:

See also the Terms of Use.

Phuong Tran

Built with care, in Can Tho

© 2026 Phuong Tran