Privacy Policy

HMX Zone is operated by Haroon Mohamed, an independent AI automation and lead generation consultant. This policy applies to the website hmxzone.com and any services delivered through it. Contact: For privacy-related enquiries, use the get-started form at /get-started or reach us via the direct channels listed there.

When you submit an enquiry, waitlist request, newsletter subscription, or admin login challenge, we collect: - Full name - Email address - Phone number - Company name - Website URL (optional) - Business type - Description of your needs - Current tools you use - Budget range - Project timeline - Any additional message you include We also process limited technical data needed to operate and protect the site, including IP address, browser type, device information, referring URL, form success/error events, and security events. Optional analytics tools such as Microsoft Clarity, Google Analytics, and Vercel Analytics load only after you choose analytics cookies.

We use enquiry and usage data to: - Review and respond to your project enquiry - Send confirmation and operational emails - Follow up if your project is a potential fit - Protect forms and admin routes from spam or abuse - Improve page quality, conversion paths, copy, layout, performance, and bug detection - Build internal reporting and monitoring for leads, waitlist submissions, uptime, route health, and form health We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing.

Enquiry, waitlist, newsletter, blog/admin, and monitoring data is stored in Supabase, a cloud database service (Supabase, Inc.). Data may be stored on servers in the EU or US depending on the Supabase project region. Email notifications triggered by form submissions are sent via Resend (Resend Inc.). Booking availability and booking confirmations are handled through Cal.com after intake. A Cloudflare Email Worker may also be used for backup reporting and weekly operational reports. After analytics consent, Vercel Analytics, Microsoft Clarity, and Google Analytics may process website usage, performance, replay, heatmap, traffic, and event data. Vercel Speed Insights may process performance telemetry in production. Cloudflare Turnstile processes anti-spam verification data when protected forms or admin login are used.

Enquiry records are retained for up to 24 months from the date of submission. This allows us to reference past conversations and track project histories. If no project engagement follows an enquiry within 12 months, the record may be deleted earlier at our discretion. You can request deletion of your data at any time (see "Your Rights" below).

Microsoft Clarity, Google Analytics, and Vercel Analytics are consent-gated. They are not loaded until you choose to allow analytics in the cookie banner. If you choose "Essential only", the site keeps necessary security, form, and booking functionality but does not intentionally load optional analytics scripts. The Cal.com booking embed loads only on the booking page after the intake step or when that page is opened directly. Analytics tools may use cookies, local storage, or similar browser technologies after consent depending on visitor settings, browser behavior, and the provider's current implementation. You can also use browser settings or extensions to block tracking technologies.

If you are located in the European Economic Area (EEA), you have the following rights: - Right to access - request a copy of the personal data we hold about you - Right to rectification - ask us to correct inaccurate data - Right to erasure - request deletion of your data ("right to be forgotten") - Right to restrict processing - ask us to limit how we use your data - Right to data portability - receive your data in a structured, machine-readable format - Right to object - object to processing based on legitimate interests To exercise any of these rights, contact us via the form at /get-started. We will respond within 30 days.

We take reasonable technical measures to protect your data, including: - Supabase row-level security policies - Cloudflare Turnstile on important forms and admin login - Rate limiting and honeypot fields on form submissions - HTTPS encryption in transit - Secret handling through environment variables - Admin-only monitoring tables and service-role-only database access No system is 100% secure. If you have reason to believe your data has been compromised, please contact us immediately.

Our services are intended for business professionals and are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data through our site, please contact us and we will delete it promptly.

We may update this policy from time to time. Material changes will be noted at the top of this page with a "last updated" date. Continued use of the site after changes constitute acceptance of the updated policy.