Privacy Policy

Effective: 2026-05-01

Data Controller: Andrew Rahman (natural person), reachable at andrew@spatialmedialab.org. Andrew Rahman determines the purposes and means of processing for personal data collected through andrewrahman.com and is the responsible party under GDPR, UK GDPR, and CCPA/CPRA.

Who we are

Andrew Rahman is the data controller for personal data collected through this website and can be reached at andrew@spatialmedialab.org. “Spatial Media Lab” refers to the open-source organization that hosts the OpenSpatialDelay source code on GitHub. “Spatial Media Library” refers to the pipeline of spatial-audio tools being built. “OpenSpatialDelay” is the first tool in that pipeline. Spatial Media Lab is the legal home of the plugin source code and its GPL-3.0 licensing; it is not a party to this privacy policy, which governs only the personal email data collected through andrewrahman.com.

What data we collect and why

We collect your email address and your consent signal (the ticked consent checkbox) when you submit the sign-up form on andrewrahman.com. We collect these items for one purpose only: to give you the OpenSpatialDelay installer and to send occasional updates about OpenSpatialDelay and other Spatial Media Library tools. The lawful basis for this processing is your freely given consent (GDPR Art. 6(1)(a); UK GDPR Art. 6(1)(a); under CCPA/CPRA, your direct opt-in at the form). We collect no other personal data on this site. andrewrahman.com sets no cookies of its own, runs no analytics, no advertising trackers, and no session recorders.

How we use your data

We use your email to (a) deliver the OpenSpatialDelay installer through the thank-you page after the form is submitted and (b) send occasional, manually composed updates about new Spatial Media Library tools and OpenSpatialDelay releases. Sends are infrequent and hand-written — there is no automated drip, no behavioural retargeting, and no profiling. We do not sell your email. We do not share it with advertisers. We do not make automated decisions that have legal or similarly significant effects on you.

Who we share your data with

We use Sender.net (UAB Sender.net, Vilnius, Lithuania) as a data processor for email capture and newsletter delivery. Form submissions, the double-opt-in confirmation email, and all outbound newsletter sends are handled by Sender.net; only the controller can access the subscriber list. Sender.net processes data on our instructions under GDPR Art. 28, governed by the Sender.net Data Processing Agreement (effective 28 August 2025). Sender.net’s published processing terms and own privacy policy are at sender.net/privacy-policy. We do not share your email with any other third party.

In delivering the email service, Sender.net processes the following categories of personal data on our instructions: your email address; and technical data including IP address, browser type, device information, location data, and email open/click events used for deliverability and engagement metrics.

Sender.net sub-processors. Sender.net engages a small number of sub-processors to operate its service. The sub-processors that may be involved in handling subscriber data for andrewrahman.com are:

  • Google Cloud EMEA Limited (Dublin, Ireland) — cloud infrastructure and traffic analysis;
  • Cloudflare, Inc. (San Francisco, USA) — content delivery, DDoS protection, web application firewall;
  • Amplitude Inc. (San Francisco, USA) — product analytics on Sender.net’s application.

Sender.net’s full sub-processor list (including additional vendors used for billing, support, and SMS delivery that are not engaged for andrewrahman.com email capture) is published in Annex 1 of the Sender.net Data Processing Agreement.

International transfers. Where Sender.net or its sub-processors process personal data outside the EEA — notably US-based sub-processors such as Cloudflare and Amplitude — those transfers rely on the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) as the lawful transfer mechanism under GDPR Chapter V. Sender.net’s DPA §14 commits sub-processors based outside the EEA to a level of protection adequate under EU/UK data protection law. Beyond the technical-data recipients listed in “How andrewrahman.com is hosted and delivered” below, we do not share your email address with any other third party.

How andrewrahman.com is hosted and delivered. Beyond the email-capture and newsletter processing handled by Sender.net described above, ordinary use of this website results in technical-data transfers to the following infrastructure providers:

  • Firebase Hosting (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) serves the andrewrahman.com pages and assets. Each page request is logged by Firebase with the visitor’s IP address, User-Agent string, and request timestamp for the operational purposes of serving content, applying caching, and protecting against abuse. The site migrated from a prior host (Netlify) to Firebase Hosting on 2026-05-01.
  • Cloudflare R2 (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA) delivers the OpenSpatialDelay binary downloads from a public R2 bucket. When you click “Download OSD,” your browser fetches the ZIP directly from r2.dev; Cloudflare logs the request IP, User-Agent, and byte range for delivery and abuse-protection purposes.
  • YouTube / Google LLC (Mountain View, CA, USA). The homepage embeds a YouTube video preview using the privacy-respecting youtube-nocookie.com variant. The video poster image is fetched from Google’s image CDN on every homepage load; this transfers your IP address, User-Agent, and Referer to Google. If you click the embed to play the video, additional connection metadata is transferred to YouTube; cookies may be set on interaction. We embed the video for product demonstration; we do not receive any analytics back from YouTube about your interaction.

These three providers are recipients of technical data (IP, User-Agent, request metadata) but do not process the email addresses captured by the Sender.net form. Their processing of technical data is governed by their own privacy policies, linked from each provider’s website. Because Google LLC and Cloudflare, Inc. are US entities, these transfers leave the EEA and rely on the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) as the lawful transfer mechanism under GDPR Chapter V; both Google and Cloudflare are certified under the DPF.

If we later add another processor — for example a separate transactional email service or a different newsletter tool — this policy will be updated to name the new processor, the change will be covered by an appropriate data-processing agreement, and you will be notified by email before any such transfer takes effect.

How long we keep your data

We retain your email indefinitely until you ask us to delete it, or until you unsubscribe. The list serves a long-running purpose — occasional updates about a continuing pipeline of spatial-audio tools — and has no natural expiry. You can delete your record at any time using the process in “How to exercise your rights” below. Unsubscribing has the same effect as a deletion request: your record is removed, not merely flagged as inactive.

Your rights

Under the EU GDPR and the UK GDPR you have the right to:

  • access your personal data (GDPR Art. 15 / UK GDPR Art. 15);
  • ask us to correct inaccurate data (GDPR Art. 16);
  • ask us to delete your data — the “right to be forgotten” (GDPR Art. 17);
  • restrict or object to our processing (GDPR Art. 18 and Art. 21);
  • receive a portable copy of your data in a structured format (GDPR Art. 20);
  • withdraw your consent at any time (GDPR Art. 7(3));
  • lodge a complaint with your national data-protection supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO) at ico.org.uk.

If you are a California resident, you have equivalent rights under the CCPA/CPRA, including:

  • the right to know what personal information we hold about you and how we use it;
  • the right to delete that information;
  • the right to opt out of any “sale” or “sharing” of personal information — we do not sell or share your data, so there is nothing to opt out of;
  • the right to non-discrimination for exercising these rights.

Under the UK Data Protection Act 2018 and the UK GDPR, your rights mirror the EU GDPR rights listed above and are enforced by the ICO.

How to exercise your rights

Email andrew@spatialmedialab.org from the address on file. A plain-text request naming the right you want to exercise is sufficient — there is no form and no required subject line. We will respond within 30 days (GDPR Art. 12(3)) and there is no charge for exercising your rights.

How to unsubscribe

To unsubscribe before newsletter sends begin, email andrew@spatialmedialab.org with the word “unsubscribe” in the subject or body. Once newsletter sends start (Phase 5 of the OpenSpatialDelay roadmap), every outbound message will include an unsubscribe link in the footer; clicking it removes you from the list immediately. Unsubscribing has the same legal effect as withdrawing consent: your record is deleted, not merely suppressed.

Changes to this policy

If we materially change this policy — for example, by adding a newsletter processor, changing the lawful basis, or starting to use analytics — we will update the effective date at the top of this page and notify everyone currently on the list by email before the change takes effect. Minor editorial changes (fixing typos, clarifying language) will not trigger a notification, but the effective date will still be bumped so a complete revision history is visible at the top of the page.

2026-04-17: Data Controller contact email updated to andrew@spatialmedialab.org. Andrew Rahman remains the data controller; only the contact channel changed.

2026-04-17: Email-capture processor changed to Sender.net (UAB Sender.net, Vilnius, Lithuania). Double opt-in flow and download delivery now run through Sender.net’s EU-based infrastructure. At the time of the processor change the sign-up form was served at andrewrahman.com/get-osd; the form has since been moved into a download modal on the homepage, and andrewrahman.com/get-osd now serves as the post-confirmation download page. No subscriber data has been migrated because no subscribers existed on the prior capture tool. Git history is the audit trail for the processor change.

2026-04-25: Sender.net Data Processing Agreement (DPA) reviewed in full (effective 28 August 2025 from the processor side). This policy now accurately discloses Sender.net’s sub-processors that may handle subscriber data (Google Cloud EMEA in Ireland; Cloudflare and Amplitude in the United States) and the international-transfer mechanism for non-EEA sub-processors (the EU-U.S. Data Privacy Framework, Commission Implementing Decision (EU) 2023/1795). The prior statement that subscriber data was stored within the EEA has been corrected — Sender.net may use US sub-processors under the Data Privacy Framework. The legal entity name “UAB Sender.lt” in the previous revision was a typographical error and has been corrected to “UAB Sender.net”. Data Controller (Andrew Rahman) and lawful basis (consent) are unchanged.

2026-05-01: Web host migrated from Netlify to Firebase Hosting (Google LLC, US) for the andrewrahman.com production launch. The policy now discloses the technical-data recipients of ordinary site use — Firebase Hosting (page serving), Cloudflare R2 (binary download CDN), and YouTube/Google (homepage video embed and poster image) — under a new “How andrewrahman.com is hosted and delivered” subsection. These three providers receive technical metadata (IP, User-Agent, Referer) but do not process the email addresses captured by the Sender.net form. The data controller (Andrew Rahman) and the lawful basis for processing email data (consent) are unchanged. International transfers to US-based infrastructure providers rely on the EU-U.S. Data Privacy Framework.