How we handle your information.

3sixs operates https://3sixs.com. 3sixs is a DBA / assumed name of 3Specials LLC, a Texas limited liability company. We are a small product studio positioned in the Fort Worth / DFW area and work with clients across the United States.

For privacy questions or requests, the fastest path is the contact page or hello@3sixs.com. Your email reaches a real person on our team.

The site collects only what is needed to operate it and respond to inquiries:

• Contact-form / brief details. Fields you fill in: name, work email, company, project type, engagement shape, and your message.
• Email and communication metadata. Standard sender/recipient, timestamps, and delivery status for the correspondence we exchange about your inquiry.
• Technical diagnostics. If the site throws an error, an event including URL, browser and device details, request/referrer metadata, and a stack trace is forwarded to our error-monitoring tool — see Section 10 for the Sentry configuration. Session Replay is not currently enabled.
• Security and rate-limit data. Bot-defense tokens from the contact form and short-lived counters keyed on the IP-plus-email pair to throttle abuse. Brief content is not stored in those counters.
• Analytics data from Plausible. Aggregate page views, country-level location (derived transiently from IP, not stored), referring site, and rough device class. Cookieless and not tied to any individual visitor.
• Information from signed client engagements (when applicable). If you become a paying client, additional information is processed under the separate written agreement we sign with you. That agreement — not this notice — governs the data handling for the engagement.

We use information to:

• Respond to your inquiry and discuss whether the work is a fit.
• Operate and secure the website.
• Prevent spam, abuse, and automated attacks.
• Improve site performance and fix bugs.
• Troubleshoot errors observed in production.
• Comply with applicable legal, tax, and accounting obligations.
• Manage client and project communications where a signed engagement exists.

We do not use your information to send marketing emails you did not request, build advertising profiles, or enrich third-party datasets.

Where European data-protection law applies, the legal basis for each processing purpose is summarized below. We include this for transparency; it does not mean we have concluded every EU/UK law applies to 3sixs in every case.

We rely on a small set of service providers to run the site and contact pipeline. We share information with them only to the extent needed for the service they provide. The full inventory lives on the subprocessors page; the short summary:

• Vercel — hosting and content delivery. Standard server logs.
• Plausible — cookieless analytics. No personal identifiers collected.
• Sentry — error monitoring. Session Replay is not currently enabled; an event sanitizer removes known PII fields where supported by our SDK configuration (see Section 10).
• Resend — transactional email delivery for inbound briefs and replies.
• Cloudflare Turnstile — bot-defense check on the contact form. Runs in its own frame and may set short-lived security signals there.
• Upstash Redis — short-term rate-limit counters keyed on the IP-plus-email pair. Brief content is not stored.
• Slack (optional) — internal team heads-ups. When enabled, the payload deliberately omits your name, email, IP, and brief content.

Each provider operates under its own privacy practices. Where required, we rely on provider-published terms, data-processing addenda, and standard contractual clauses; we do not claim that every vendor has a signed DPA unless verified.

3sixs does not intentionally use advertising cookies or cross-site tracking on this site. Plausible is cookieless. The bot-defense widget on the contact form may set short-lived cookies or use similar browser signals inside its own iframe for the security check — functional only, not advertising.

We do not currently display a consent banner because nothing on this site requires consent for non-essential cookies. See the cookies notice for the full breakdown and the privacy choices page for how the rule changes if we ever add optional marketing tooling.

3sixs does not sell personal information and does not share personal information for cross-context behavioral advertising. We share information with the service providers listed above strictly so they can perform the function they were hired for. We may also share information when required by law or to protect against fraud, abuse, or harm to users of the site.

3sixs operates from the United States. Our service providers may process data in the United States and other regions depending on their architecture. Where vendor transfers are subject to European, UK, or other transfer rules, those vendors typically rely on published standard contractual clauses, data-processing addenda, or Data Privacy Framework participation as applicable.

We do not claim a signed bilateral DPA with every vendor unless verified. If you have a specific transfer-mechanism question for a vendor we use, email hello@3sixs.com.

Practical retention windows:

• Contact-form inquiries / briefs: up to 24 months after the last meaningful interaction, unless a client relationship begins or legal/accounting needs require longer.
• Client and project records: governed by the signed agreement and by our legal and accounting obligations.
• Email records: as needed for ongoing business correspondence and for legal and accounting purposes.
• Security and rate-limit records: short operational windows, typically hours to 90 days depending on provider and log type.
• Analytics: aggregated, cookieless analytics retained according to our Plausible configuration and provider defaults.
• Error logs: typically 30–90 days, longer only when needed to investigate a specific incident.

Where exact provider-default retention is not visible to us from a vendor dashboard, we rely on provider documentation; specific questions can go to hello@3sixs.com.

We aim for a realistic, defensible security posture for a small studio:

• HTTPS / TLS for all visitor traffic.
• Provider-supported encryption at rest for stored data.
• Least-privilege access on admin and vendor accounts.
• Multi-factor authentication for admin and vendor accounts where supported.
• Bot defense and per-IP-plus-email rate limiting on the contact pipeline.
• Periodic dependency review and patching for the libraries that ship to the public site.

Error monitoring (Sentry). Sentry is configured to remove request bodies, request cookies, auth/cookie headers, selected Sentry user identifiers, known contact-form field keys, and Turnstile tokens from event payloads where supported by our SDK configuration. It also redacts email addresses from error messages. Session Replay is not currently enabled.

We do not intentionally add visitor IP addresses to Sentry event payloads; Sentry may still receive connection metadata as a service provider.

No system is perfectly secure. We do not guarantee that the site or our systems will be free from vulnerabilities or unauthorized access. If you believe you have found a security issue, please email hello@3sixs.com and we will respond — see the security page for our responsible-disclosure posture.

Breach notice. If we become aware of a security incident affecting your information, we will investigate, mitigate, and notify affected people and regulators where required by law.

3sixs does not make automated decisions with legal or similarly significant effects about website visitors. Anti-spam rate-limiting may automatically reject a submission, but a human reviews real inbound briefs before any business decision is made.

Depending on where you live and whether a given law applies to us, you may have rights to:

• Access information we hold about you.
• Correct information that is inaccurate.
• Delete information, subject to legal-record exceptions.
• Export a copy of information you provided to us (portability).
• Object to, or opt out of, certain processing where applicable.
• Appeal a decision we make on your request, where applicable law provides for it.

To make a request, email hello@3sixs.com from the address you contacted us with, or use the contact form. For applicable U.S. state privacy requests we target a response within 45 days, with a permitted extension where the law allows. Authorized agents may be asked to provide proof of authority. See /privacy-choices for the practical request process.

For California residents and where comparable state laws apply, the following table summarizes our practices over the last 12 months. We do not sell personal information and do not share it for cross-context behavioral advertising; we are not adding a “Do Not Sell or Share” flow because there is nothing to opt out of. If that ever changes, this section changes first and a control will be offered before anything is sold or shared.

See /privacy-choices for the request flow and timing.

This site is intended for businesses considering 3sixs for product work. It is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has sent us information, a parent or guardian can email hello@3sixs.com and we will delete it.

Where European or UK law applies, consent rules for children under 16 may apply; we do not actively process children’s information and would handle any such request through the same email contact.

3sixs has not appointed a Data Protection Officer, and we have not designated an EU or UK representative because we do not actively target individuals in those regions. If you have a privacy question or request from anywhere, email hello@3sixs.com and a real person on our team will reply.

We will update this page when our practices change. The “Last updated” date at the top reflects the most recent revision. For significant changes we will say what changed and why.