Start a Project
EN
FR
Legal

Privacy Policy

About this policy

This page explains what personal information Oui Digital collects on this website, why we collect it, who we share it with, and the rights you have. It is written to satisfy the California Consumer Privacy Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR), and Québec's Law 25. It is not legal advice. If you have questions about your specific situation, please consult a lawyer.

Who we are

Oui Digital is a web design studio based in San Diego, California. When this policy says "we," "us," or "Oui Digital," it refers to that business. Our website is published at oui.digital and offers a bilingual experience (English and Québec French).

Privacy contact: hello@oui.digital
Oui Digital, San Diego, CA 92116, United States

Person responsible for the protection of personal information (Law 25): Xavier Masse, Owner

What we collect and why

We only collect personal information that you give us voluntarily, plus a small amount of technical information needed to deliver and protect the site. We never sell your personal information for money.

Contact form

When you fill out our contact form, we collect your name, email address, an optional phone number, and the message you write. We use this information to reply to you and discuss whether we can help with your project. The form is processed by Netlify Forms (our hosting provider) and the resulting message is delivered to our team.

Free tools

We host several free tools on the site. Each handles personal information differently:

Website Scorecard

You answer a short set of questions about your website and we calculate a grade and pillar-level scores. If you choose to receive the full report or any associated artifact by email, we collect your email address (and your optional industry) and associate it with that scorecard submission. The results are stored on our infrastructure so we can send you the report.

Website Health Check

You enter a URL (and optionally a sitemap URL) and we run an automated audit of that website. To deliver the full report we ask for your email; you may also share an industry and an approximate location to help us tailor recommendations. The audit may capture your IP address briefly for rate-limiting and abuse prevention. A bot check (Cloudflare Turnstile) protects the form from automated abuse.

Website Cost Calculator

You select pages, features, timeline, and payment preference. To receive an estimate and a follow-up, we collect your name, email address, and an optional message, along with the selections you just made. The form is processed by Netlify Forms.

Website Launch Checklist

Your checked items are stored only in your browser (local storage). We do not receive or see them. If you click through to the contact form from the checklist, we may receive a non-personal summary (such as percent-complete) so we can tailor our reply.

Responsive Embed Code Generator

Your inputs are stored only in your browser (local storage). We do not receive or see them.

Analytics and attribution

If you accept the Analytics consent purpose, we use Google Analytics 4 to understand how visitors find and use the site. We may also add compatible analytics or session-recording tools (such as Microsoft Clarity) under the same Analytics consent purpose; if we do, this policy will list them. When you arrive on the site through a marketing campaign, we record the UTM parameters in your URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term) in your browser session so we can attribute any voluntary form you submit to its marketing source. We treat these UTMs as lead-attribution metadata attached to your voluntary submission, not as separate analytics.

Automated processing

Our Website Health Check and Website Scorecard generate scores, grades, and recommendations from the information you provide and from automated checks against your website. These are advisory outputs to help you decide what to fix; they do not produce a legal or similarly significant decision about you.

Cookies, storage, and consent

We use a small number of cookies and browser storage mechanisms. Some are essential to operate the site; others run only when you give consent through our consent banner.

Essential (always on)

  • A consent cookie that records which consent purposes you have accepted or refused.
  • Cloudflare Turnstile, on tool forms only, to protect against automated abuse.
  • Browser local storage used by certain tools (Website Launch Checklist, Responsive Embed Code Generator) to keep your in-progress work between page loads. This data does not leave your browser.

Analytics (with your consent)

  • Google Analytics 4 cookies, loaded via Cloudflare Zaraz, used to measure aggregated traffic and page performance.
  • If we add session-recording or heatmap tools in the future (such as Microsoft Clarity), they will load under this same Analytics purpose.

Marketing (with your consent)

If you accept the Marketing consent purpose, we may use this consent to enable advertising-related measurement and remarketing. We do not currently run advertising tags on the site, but Marketing consent gives us the basis to enable them in a compliant way if we do.

Session storage (functional)

We store your UTM parameters in session storage so any form you choose to submit during that visit can be attributed to its marketing source. The data is cleared when you close the browser tab.

Change your preferences

You can change your consent choices at any time by reopening the consent banner from the link in our site footer (or by clearing cookies for this site). Withdrawing consent does not affect the legality of processing carried out before withdrawal.

Third-party processors

We use a small number of well-known service providers to operate the site. Each receives only what is necessary for its role.

Service What it does for us Data it receives Region
Cloudflare (Workers, KV storage, Zaraz, Turnstile) Hosting our audit endpoints, storing lead and audit records, managing tag loading and consent, protecting forms against bots IP address, audit request data, lead form fields, consent state Global (US headquartered)
Netlify Hosting the website and processing the Contact, Calculator, and Scorecard forms Submitted form fields United States
Google Analytics 4 (via Cloudflare Zaraz) Usage analytics, loaded only with your Analytics consent Pseudonymous device identifier, page interactions, UTM parameters United States / global
Resend Sending transactional emails (your audit/scorecard report; internal lead alerts) Recipient email, message contents United States
Brevo Newsletter subscription management (only if you opt in) Email address, language preference European Union / global
TidyCal Booking page we link to from the site Whatever you choose to provide on the TidyCal booking page United States

International transfers

Most of the providers above are based in or transfer data to the United States. If you are in the EU/EEA, the United Kingdom, or Québec, your information will be transferred to a country whose data protection laws differ from yours. Where required, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework (for participating providers), and provider-specific safeguards published by each processor. You can ask us for more detail using the contact below.

How long we keep data

We keep personal information only as long as we need it for the purpose we collected it, plus any period required by law.

  • Audit results from the Website Health Check: 24 hours, then automatically deleted.
  • Audit progress state (used to stream results while an audit runs): 5 minutes, then automatically deleted.
  • Lead records (your email and the context of your submission) from any tool or form: up to 24 months after our last contact with you, then deleted or anonymized.
  • Transactional and marketing emails sent through Resend and Brevo: governed by those providers' retention policies.
  • Submissions through Netlify Forms (Contact, Calculator, Scorecard): governed by Netlify's retention policies.
  • Browser storage on your device (checklist items, embed generator settings, UTM session): kept until you clear it.

Transactional vs marketing email

Transactional email

If you use a tool that produces a report (for example, the Website Health Check or the Website Scorecard) and you provide your email to receive that report, we send you the report by email. We may follow up once or twice to make sure you received it and to offer help interpreting the results. This is transactional email and is not conditional on Marketing consent.

Marketing email

If you check the marketing consent box on a form, you are agreeing to receive occasional emails about our services, articles, and offers. You can unsubscribe at any time from any marketing email, or by contacting us.

Your rights

Wherever you live, you can ask us to:

  • Tell you what personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete information we no longer need (subject to limited exceptions, such as records we must keep for legal reasons).
  • Export your information in a portable format.
  • Stop processing your information for marketing purposes.
  • Withdraw consent you previously gave.

Depending on where you live, you may also have additional rights. See the region-specific sections below.

California residents (CCPA/CPRA)

This section provides the additional disclosures the California Consumer Privacy Act, as amended by the California Privacy Rights Act, requires.

Categories of personal information we collect

In the last 12 months we have collected the following categories of personal information about California consumers:

  • Identifiers (name, email, phone if provided, IP address).
  • Internet or other electronic network activity (pages visited, events triggered, with Analytics consent).
  • Geolocation data (inferred from IP address, and an optional self-reported approximate location on the Website Health Check).
  • Commercial information (only the specifications you enter into the Website Cost Calculator).

We do not knowingly collect the categories of sensitive personal information defined under CPRA. We do not knowingly collect personal information from children under 16.

Sources

  • Directly from you (through forms and tools).
  • Automatically (through cookies and similar technologies, with your consent for non-essential ones).
  • From our service providers (analytics, email, hosting).

Business purposes

  • Operating the site and its tools.
  • Responding to your inquiries.
  • Improving our content and services.
  • Sending you the reports or estimates you ask for.
  • Sending you marketing email only if you have opted in.
  • Preventing abuse and securing the site.

Categories of third parties

We share information with the categories of third parties listed in the Third-party processors section above (hosting, analytics, email, booking, internal alerting).

Sale and sharing

We do not sell your personal information for money. Under CPRA, "sharing" includes disclosing personal information for cross-context behavioral advertising. We do not run cross-context behavioral advertising on this site today. However, because analytics tags (such as Google Analytics 4) can be configured in ways that the law treats as "sharing," we treat the Marketing consent purpose in our banner as your opt-out: refusing or revoking Marketing consent prevents the loading of any marketing or advertising tags. You can also exercise this right by emailing us at the address below.

Do Not Sell or Share My Personal Information

To opt out of sharing for cross-context behavioral advertising, open the consent banner from the footer of this site and refuse the Marketing consent purpose. You can also email hello@oui.digital with "Do Not Sell or Share" in the subject line.

Your rights as a California consumer

  • The right to know what personal information we have collected.
  • The right to delete personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of sale or sharing.
  • The right to limit the use of sensitive personal information (we do not currently process sensitive personal information).
  • The right to non-discrimination for exercising your rights.

To verify a request, we may ask you to confirm details associated with the personal information you previously gave us (such as the email address you submitted on a form). Authorized agents may make requests on your behalf with written permission from you and proof of their identity.

EU/EEA residents (GDPR)

This section provides the additional information required under the EU General Data Protection Regulation.

Data controller

The data controller for personal information collected on this site is Oui Digital, San Diego, CA 92116, United States, contactable at hello@oui.digital.

Lawful bases for processing

We rely on the following lawful bases under Article 6 GDPR, depending on the activity:

  • Consent (Article 6(1)(a)) — for analytics cookies, marketing cookies, and marketing email.
  • Performance of a contract or pre-contractual steps (Article 6(1)(b)) — for operating the tools you choose to use and for handling project inquiries.
  • Legitimate interests (Article 6(1)(f)) — for site security, fraud prevention, and attaching marketing-attribution metadata (UTM parameters) to voluntary form submissions you make.

Your rights as a data subject

  • Right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object to processing (Article 21).
  • Right to withdraw consent at any time, where processing is based on consent.
  • Right to lodge a complaint with your national supervisory authority.

International transfers

Some of our service providers are located in the United States or transfer data globally. Where we transfer your personal information outside the EU/EEA, we rely on Standard Contractual Clauses approved by the European Commission, the EU-US Data Privacy Framework for participating US providers, or other safeguards published by each processor.

Québec residents (Law 25)

This section provides the additional information required under Québec's Act respecting the protection of personal information in the private sector, as modernized by Law 25.

Person in charge of personal-information protection

Xavier Masse, Owner, is responsible for ensuring our compliance with Law 25. You can contact him at hello@oui.digital.

Purposes of collection

We collect personal information for the specific purposes described in the What we collect section above. We do not use your information for any other purpose without your consent.

Consent

We rely on your express consent for marketing email and for non-essential cookies. For other processing necessary to deliver the tool or service you have requested (for example, sending you the audit report you asked for), we rely on the implicit consent inherent in that request.

Your rights

  • Access — request a copy of the personal information we hold about you.
  • Rectification — correct information that is inaccurate or incomplete.
  • Portability — receive your information in a structured, commonly used technical format and, where technically possible, have it transmitted to another organization.
  • Withdraw consent — at any time, for processing that is based on consent.
  • Deletion / de-indexing — request that your information be deleted or, where appropriate, no longer made publicly accessible.

Automated decision-making

Our Website Health Check and Website Scorecard produce scores, grades, and recommendations using automated checks. These outputs are advisory; they do not produce a decision that has a legal effect on you or that significantly affects you in a similar way. You can ask us for an explanation of how a score or recommendation was reached.

Information transferred outside Québec

Some of our service providers are located outside Québec, principally in the United States. Before transferring personal information outside Québec, we assess whether the information will receive adequate protection. You can ask us for more detail on this assessment using the contact below.

How to exercise your rights

To exercise any of the rights described above, email us at hello@oui.digital. Please put "Privacy request" in the subject line and describe what you would like us to do. We will respond within the time limits required by applicable law (typically 30 days under GDPR; 45 days under CCPA; 30 days under Law 25). We may ask you to confirm your identity, usually by replying from the email address associated with the data you are asking about. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority — for example, the Commission d'accès à l'information du Québec, your EU/EEA national data protection authority, or the California Privacy Protection Agency.

Changes to this policy

We may update this policy from time to time as our site, tools, or service providers change. When we do, we update the "Last updated" date at the top of this page. If a change materially affects how we use your personal information, we will give you reasonable notice — for example, by a notice on this page or by email if we hold your address for that purpose.