Privacy Policy
Effective 2026-06-18
Plain-language summary
Sandcastle Labs is the studio name for Orrin Consulting, LLC (Colorado). This policy covers only the marketing site at sandcastlelabs.ai, not our products (each has its own policy) or consulting engagements (governed by your signed agreement).
We run a marketing site. We measure how it’s used with analytics, send a newsletter if you ask for it, and reply if you email us. We don’t sell your data, don’t run ad networks, and collect as little as we can. The detail is below.
Who we are
The site is operated by Orrin Consulting, LLC, doing business as (“DBA”) Sandcastle Labs, based in Denver, Colorado, United States. Orrin Consulting, LLC is the “data controller” for the personal data this site collects. For anything in this policy, email hello@sandcastlelabs.ai.
What we collect
When you visit the site
| Data | Why | How |
|---|---|---|
| Pages viewed, clicks, scroll depth, referrer, approximate location, device/browser | To understand what content is useful and improve the site | Product analytics (PostHog) and Google Analytics 4 |
| Aggregate traffic and performance metrics | To keep the site fast and reliable | Vercel Web Analytics |
| IP address, user agent, request timestamps | Standard server logs for security, abuse prevention, and debugging | Our hosting provider (Vercel) |
Anonymous visitors are measured in aggregate; we only link analytics to a person if they give us their email (e.g. by subscribing). We don’t build advertising profiles or run third-party ad or retargeting pixels.
When you subscribe to the newsletter
If you sign up for our newsletter, we collect your email address and a tag noting where on the site you subscribed. We use it only to send the essays and letters you asked for, a few times a month at most. Email delivery is handled by Buttondown. You can unsubscribe from any email using the link in its footer, or by emailing us.
When you email us
If you email hello@sandcastlelabs.ai (or any address on this domain), we receive whatever you send: your email address, your message, and anything you include. We use it to reply and to keep a record of the conversation.
Cookies and similar technologies
PostHog and Google Analytics use cookies and similar storage (e.g. localStorage) to recognise returning browsers and measure usage. Vercel Web Analytics is cookieless.
If you visit from the EU, EEA, or UK, we detect your region at our edge and ask for your consent before any non-essential analytics cookies load; they stay off until you accept. Everywhere else, analytics load when the page loads, and you can opt out using the methods below. Either way, we don’t sell or share personal data, so there’s nothing for Global Privacy Control or “Do Not Track” signals to suppress.
How to opt out of analytics
- Browser controls: block or clear cookies for sandcastlelabs.ai in your browser settings.
- Google Analytics: install Google’s opt-out browser add-on.
- Tracker blockers: most content and tracker blockers (e.g. uBlock Origin) stop PostHog and GA on this site.
- Email us: write to hello@sandcastlelabs.ai and we’ll delete or suppress any data we can reasonably identify as yours.
Who we share data with
We don’t sell your personal information and we don’t share it for cross-context behavioural advertising. We do use a small set of service providers (“sub-processors”) to run the site:
| Provider | What it does | Where |
|---|---|---|
| Vercel | Hosting, server logs, web analytics | United States |
| PostHog | Product analytics | United States (US Cloud) |
| Google (Analytics 4) | Website analytics | United States |
| Buttondown | Newsletter delivery | United States |
Each processes data on our behalf under its own terms. We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, or property of Sandcastle Labs or others.
Security, transfers, children, and links
We serve the site over HTTPS and limit who can access the data we hold; no method is completely secure, but we take reasonable measures. Our providers are in the US, so visitors from outside the US have their data processed there, and where required we rely on the providers’ Standard Contractual Clauses. This site isn’t directed to children under 16 and we don’t knowingly collect their data; tell us if you believe we have and we’ll delete it. We link to other sites and aren’t responsible for their privacy practices.
How long we keep it
- Analytics: Google Analytics and PostHog retain event data according to their configured retention settings, on a rolling basis, in aggregate where possible.
- Newsletter: until you unsubscribe or ask us to delete you.
- Emails: kept for as long as needed to handle your request and keep reasonable business records.
Your rights
Legal basis (EEA/UK). We rely on legitimate interests for analytics and inbound email, and on your consent for the newsletter.
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent.
- EEA / UK (GDPR): the rights above, plus the right to lodge a complaint with your local data protection authority.
- California (CCPA/CPRA): the rights to know, delete, correct, and to opt out of “sale” or “sharing.” We do not sell or share personal information as those terms are defined, so there is nothing to opt out of. You can still exercise your other rights, and we will not discriminate against you for doing so.
To exercise any of these, email hello@sandcastlelabs.ai. We may need to verify your identity before acting on a request.
Changes to this policy
If we make a material change, we’ll update the “Effective” date at the top and, where appropriate, note it on the site. Continued use of the site after a change means you accept the updated policy.
Contact
Questions, requests, or complaints: hello@sandcastlelabs.ai. Orrin Consulting, LLC (DBA Sandcastle Labs), Denver, Colorado, USA.