Privacy Policy
Effective date: April 2026
This policy explains how your personal data is collected, used, and protected when you use masry.page. I want to be straightforward about what data I collect, why I collect it, and what control you have over it.
Who is responsible for your data
masry.page is operated by Mohamed Elmasry in a personal capacity, based in the United Kingdom. I am the data controller for the purposes of UK data protection law (UK GDPR).
You can reach me at the contact form for any data-related questions or requests.
What data I collect
I collect different types of data depending on how you interact with the site:
When you create an account
- Email address— provided by you directly (magic link sign-in) or via Google OAuth
- Name— provided via Google OAuth or entered by you
- Profile image— provided via Google OAuth (if available)
When you use the site
- Session tokens— used to keep you signed in
- List memberships— which content lists or groups you belong to
- Subscriber records— if you subscribe to updates, your email and subscription preferences
What I do not collect
I do not use analytics or tracking cookies. I do not collect browsing behaviour, IP addresses for profiling, or location data. There are no third-party advertising trackers on this site.
Why I collect this data
| Purpose | Data used | Legal basis |
|---|---|---|
| Account access and authentication | Email, name, profile image, session tokens | Legitimate interest (providing the service you signed up for) |
| Gated content access | Email, list memberships | Legitimate interest (delivering content to registered members) |
| Marketing emails and updates | Email, subscriber records | Consent (you actively opt in) |
Third-party services that process your data
I use a small number of trusted services to run this site. Each one processes only the data necessary for its function:
| Service | Role | Location |
|---|---|---|
| Neon | Database (stores accounts, sessions, memberships) | United States |
| Vercel | Website hosting and serverless functions | Global (edge network) |
| Resend | Transactional email (magic links, notifications) | United States |
| OAuth authentication provider | United States |
International data transfers
Your data may be transferred to and processed in the United States by the services listed above. These transfers are protected under the UK Extension to the EU-US Data Privacy Framework, which provides adequate safeguards for the transfer of personal data from the UK to certified US organisations.
How long I keep your data
| Data type | Retention period |
|---|---|
| Session tokens | 30 days (then automatically expired) |
| Magic link tokens | 15 minutes (then automatically deleted) |
| Active accounts | As long as you use the service |
| Inactive accounts | Deleted after 12 months of inactivity, with advance notice sent to your email |
Cookies
This site uses only two cookies, both strictly necessary for the site to function. No consent banner is required for these because they are essential to the service.
| Cookie | Purpose | Duration |
|---|---|---|
authjs.session-token | Keeps you signed in across pages | 30 days |
authjs.csrf-token | Protects against cross-site request forgery | Session (cleared when you close your browser) |
There are no analytics, advertising, or tracking cookies. See the full Cookie Notice for more detail.
Your rights
Under UK data protection law, you have the right to:
- Access— request a copy of the personal data I hold about you
- Portability— receive your data in a structured, machine-readable format
- Erasure— ask me to delete your account and all associated data
- Rectification— correct any inaccurate personal data
- Restriction— ask me to limit how I process your data
- Objection— object to processing based on legitimate interest
- Withdraw consent— for marketing emails, you can unsubscribe at any time
To exercise any of these rights, email me at the contact form. I will respond within 30 days.
Right to complain
If you are not satisfied with how I handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority.
Children
This site is not directed at anyone under the age of 16. I do not knowingly collect data from children. If you believe a child has provided me with personal data, please contact me and I will delete it promptly.
Changes to this policy
I may update this policy from time to time. Material changes will be communicated by a notice on the site. The effective date at the top of this page will always reflect the latest version.