Privacy Policy
Last updated: May 8, 2026
Controller & Privacy Contact
Momentous Technologies S.A. de C.V. ("Momentous", "we", "us") is the data controller responsible for your personal information. For privacy questions, requests, or to exercise your rights, contact privacy@momentous.dev.
Supervisory Authorities
You have the right to lodge a complaint with your local data protection authority. UK visitors: Information Commissioner's Office (ICO). EU visitors: your national supervisory authority (e.g., CNIL in France, AEPD in Spain). Mexico visitors: INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).
Information We Collect
Information you provide directly: name, email, phone, company, and message content when you contact us; email when you subscribe to our newsletter; business contact information as part of consulting engagements, governed by separate agreements.
Information we collect automatically: pages you visit, referring URL, UTM campaign parameters, approximate country (derived server-side from your IP via the MaxMind GeoLite2 database), viewport size, device type, browser language, and a server-generated session identifier. Your IP address is not stored — instead we store a salted hash that resets daily.
What We Don't Collect
We do not store your raw IP address. We do not use third-party advertising or remarketing pixels. We do not track you across other websites. We do not sell, rent, or share your data with third parties for marketing.
Sensitive Personal Information (CCPA)
We do not collect sensitive personal information as defined under the California Consumer Privacy Act, including precise geolocation, racial or ethnic origin, religious beliefs, contents of mail/email/SMS, genetic or biometric data, or sexual orientation/sex life information.
Cookies & Similar Technologies
We use a small set of first-party cookies and local storage entries:
• momentous-consent-v1 (localStorage, 12 months) — your consent decision. Strictly necessary.
• consent_decision (cookie, 12 months) — same purpose, exposed to the server. Strictly necessary.
• _session_id (cookie, 30 minutes sliding) — anonymous session for site analytics. Strictly necessary.
• geo_country (cookie, 24 hours) — your country code for the consent banner default policy. Strictly necessary.
• Google Analytics (_ga, _ga_*) — set only if you grant analytics consent. Per Google's retention policies.
• PostHog (ph_*) — set only if you grant analytics or marketing consent. Per PostHog's retention policies.
Categories of Recipients
We use Google Analytics 4 (operated by Google LLC, US) for aggregate site analytics. We use PostHog (operated by PostHog Inc., US) for product analytics, heatmaps, and session replay. Each operates under its own published Data Processing Agreement and Standard Contractual Clauses.
Legal Basis (GDPR Art. 6)
Server-side aggregate analytics (no advertising vendors involved) operate under our legitimate interest in operating and improving our site. For visitors in the European Economic Area, the United Kingdom, and Switzerland, all third-party analytics (Google Analytics, PostHog) operate only with your explicit consent. For visitors in other regions, default-on cookieless analytics may operate before you decide; you can opt out at any time via the Cookie Preferences link in the footer.
Your Rights
You have the right to: request a copy of your data (access); request correction (rectification); request deletion (erasure); request your data in a portable format (portability); object to processing under legitimate interest (Art. 21); withdraw consent at any time. To exercise these rights, email privacy@momentous.dev. We respond within one month.
Data Breach Notification
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, in accordance with GDPR Article 33, and will inform affected individuals when required.
Retention
Server-side analytics events: raw rows for up to 2 years, then anonymized k-aggregated summaries indefinitely (no individual-level data). Google Analytics: 14 months default. PostHog: per their free-tier terms (events typically up to 1 year, session recordings 30 days). Form submissions: retained until your account or relationship with us ends, plus the legally required retention period.
International Data Transfer
Your data is processed in the United States by our analytics vendors (Google Analytics and PostHog). This transfer is governed by Standard Contractual Clauses approved by the European Commission, and where applicable, the EU-US Data Privacy Framework (DPF) for vendors that maintain certification.
Source of Data
We collect data directly from you (form submissions, newsletter signup) and automatically from your device when you visit (session, geo from IP, UTM parameters from referring URL, device characteristics).
Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
Children
Our site is not directed to children under 16 (under 13 in the United States, per COPPA). We do not knowingly collect personal information from minors and do not create profiles of minors. If you believe we have inadvertently collected such information, contact privacy@momentous.dev for prompt deletion.
Cross-Device Consent
Your consent decision is stored per-browser, not per-person. If you share a device, your decision may apply to other users of that browser. Consent expires after 12 months and we will re-prompt.
Changes to This Policy
We may update this policy from time to time. We will revise the "Last updated" date at the top, and for material changes we will provide additional notice on the site.