Privacy
This page explains what gets collected when you visit goodturndigital.com, why, and what you can do about it. The short version: forms collect what you type, cookies are minimal, and nothing gets sold to anyone.
Who runs this
Good Turn Digital is a one-person consultancy operated by Trevor Zalkind in Denver, Colorado. There is no marketing team, no data team, and no third-party processor handling your information. If you want to ask about anything on this page, the answer comes from me directly: hello@goodturndigital.com.
What gets collected
When you fill out a form (contact, newsletter, lead magnet, RSVP, booking) - whatever you type into it. Name, email, organization, project context, time slots, the path you selected on the intake form. Honeypot and Turnstile checks happen invisibly to filter out bots.
When you visit the site - routine server-side logging from Cloudflare (IP, user agent, referrer, request timestamp). This is the same kind of log every web host produces.
When you book a call - Cal.com captures your name, email, the meeting time, and any notes you add. Stripe captures payment information if you book a paid strategy session.
Cookies - two small cookies record where you came from so I can tell which channels actually work (LinkedIn, search, a referral, a direct visit). More on those further down.
Why it gets collected
To respond to your inquiry. To send the newsletter you opted into. To run the booking calendar. To know whether the work I do on LinkedIn or referrals is paying off. That's the whole list.
No data gets sold. No profiles get built. No ad pixels fire. The site has zero third-party trackers, and I plan to keep it that way.
Where it lives
Form submissions land in three places, all of which I run myself:
- A private database (NocoDB) on a server in my home office in Denver
- A workflow tool (n8n) that routes the submission to ntfy for a push notification on my phone
- Cloudflare D1, used as a write-ahead log on the edge so nothing gets lost if my home server is offline
Bookings live on Cal.com, also self-hosted on my server. Stripe payment data lives at Stripe (I see receipt details, not the card number). The site itself is hosted on Cloudflare Pages (US edge network).
Who else sees it
- Cloudflare sees inbound traffic and form submissions in transit, but doesn't store form contents
- Google Fonts serves Plus Jakarta Sans from fonts.googleapis.com - they see your IP when the page loads, nothing else
- Stripe sees payment information if you book a paid strategy session
- Cal.com is self-hosted, so the only people who see your booking are me and the email-confirmation pipeline (also self-hosted)
- No email service provider (the newsletter routes through the same self-hosted stack)
- No CRM platform and no ad networks. No analytics SaaS either.
How long it gets kept
Lead and project data sticks around for the life of the engagement plus a reasonable archive window for project records, usually one to two years. Newsletter subscriptions stay until you unsubscribe (one click, link in every send). The two attribution cookies expire after 90 days, or whenever you clear them. Server logs follow Cloudflare's defaults, which is a short retention window measured in days.
If you want anything older deleted, send an email and it gets done.
Your rights
You can ask me what data I have on you. I'll send it back. You can ask me to delete it, correct it, or stop using it. Each of those is a same-week response.
For EU, UK, and Swiss residents: those are your rights under GDPR, UK GDPR, and FADP respectively. Same email gets it done.
Cookies on this site
Two first-party cookies do marketing attribution:
- gtd_first_touch - records the first session that brought you to the site (UTM tags, referring site, landing page, timestamp). Set once per visitor, expires after 90 days.
- gtd_last_touch - records your most recent session. Updated on every visit.
Both are JSON-encoded values, and both get sent along with any contact form submission so I can connect a lead to where it came from.
Geofenced. Visitors in the EU, EEA, UK, and Switzerland are detected at the edge (via Cloudflare's country signal), and the cookies are not written for them. Those regions require prior opt-in consent for non-essential cookies under the ePrivacy Directive. Rather than putting up a consent banner, the simpler answer is to not set the cookies in the first place. The form still works, the contact still reaches me, the attribution just isn't recorded.
Cloudflare may also set a short-lived session cookie of its own for bot protection. That's a network-layer thing, not a site behavior, and isn't read or used by anything on this domain.
No third-party trackers. No ad cookies. No analytics SaaS pixel.
Children
This site isn't directed at anyone under 16. Don't sign up for the newsletter or fill out the contact form if you're younger.
When this policy changes
If anything material changes (a new system added, a new third party, a new data type collected), the change shows up here and the "last updated" date at the top gets bumped. The full history is in this site's git log if you want to see what changed and when.
How to reach me
Privacy questions, deletion requests, or anything else on this page - hello@goodturndigital.com.