Privacy Policy

Last updated 2 June 2026

This Privacy Policy covers the Murakami Labs studio website at murakamilabs.com only. Our products run on their own domains and publish their own privacy policies. Polmi’s policy lives at polmi.app and governs the Polmi app.

We try to keep the policy short, specific, and free of vague language. If something here is unclear, write to hi@murakamilabs.com.

1. Who we are

“We”, “us”, and “Murakami Labs” refer to Murakami Labs OPC, a corporation organized under the laws of the Republic of the Philippines.

Contact: hi@murakamilabs.com.

2. What data we collect

The studio site does not require an account, has no signup forms, does not process payments, and does not collect names, phone numbers, or postal addresses through forms. Contact is by email only.

The site does collect or transmit the following:

  • Vercel Web Analytics. Cookieless aggregate measurement provided by our host. It records page views, anonymized country, and broad browser or device class. It does not set tracking cookies and does not collect personal identifiers.
  • Google Analytics 4. Measurement ID G-5FW4QWXDE2. Loads only after you accept on the cookie banner. Uses cookies (such as _ga and _ga_*) to record page views, session metadata, and approximate geographic region (country and, in some cases, city). IP addresses are anonymized in transit per GA4 defaults; no full IP is stored.
  • Google Search Console. A server-to-Google service that reports aggregate search performance for the domain. It sets no on-page cookies or scripts.
  • Vercel hosting logs. Our host briefly retains IP addresses and request metadata (URL, user agent, timestamp, response code) for security, abuse prevention, and operational debugging.
  • Cloudflare DNS. Cloudflare resolves DNS for the domain. It runs no on-page scripts. Per Cloudflare’s own policy, edge resolvers may log IP addresses for short retention windows.
  • Email replies.When you write to hi@murakamilabs.com, the message is delivered to a Google Workspace (Gmail) mailbox we control. Google’s privacy posture applies to the inbox in transit and at rest.
  • Sentry error monitoring. When a script error happens in your browser or on our server, an automated report is sent to Sentry (sentry.io). The report contains the error message, a stack trace, the URL where the error happened, your browser type and version, your operating system, and a short sequence of recent interactions (called breadcrumbs, things like the previous page you came from and any console messages). Your IP address is captured at the moment of the error so Sentry can geolocate it to a country, then is not stored. We do not send identifiers, email addresses, or form contents to Sentry.

3. Why we collect it

We use the data above for three purposes: keeping the site working, understanding which pages are read so we can improve them, and responding to email people send us.

  • Analytics (Vercel and GA4) help us see which posts and pages are useful. We do not run advertising, retargeting, or behavioral profiling.
  • Hosting and DNS logs support security and uptime: blocking abuse, diagnosing outages, complying with lawful requests.
  • Email contents are used to answer the email, and for nothing else. We do not run a newsletter and we do not send marketing email from this domain.
  • Error reports (Sentry) help us catch and fix bugs before they affect more readers. We do not use error data for advertising, retargeting, or profiling.

Legal basis under GDPR and similar regimes. For users in the EU, EEA, UK, and other consent-based regimes, we rely on your consent (Article 6(1)(a) GDPR) for Google Analytics and any other non-essential cookies. We rely on legitimate interests (Article 6(1)(f) GDPR) for Vercel Web Analytics, hosting and DNS logs needed to keep the site secure and operational, error monitoring (Sentry) needed to keep the site working correctly, and for responding to email you send us. You may withdraw consent at any time via the “Cookie preferences” link in the footer without affecting the lawfulness of processing carried out before withdrawal.

4. How long we keep it

We keep data only as long as it serves the purpose it was collected for, then delete it.

  • Vercel Web Analytics: rolling aggregate data, typically retained up to 12 months by Vercel.
  • Google Analytics 4: account-level retention is set to 14 months, after which event-level data is automatically deleted by Google.
  • Vercel hosting and Cloudflare edge logs: short operational windows set by the providers (commonly hours to a small number of days).
  • Email correspondence: retained in our mailbox as long as it is useful for support or business records, and deleted on request.
  • Sentry error reports: event-level data is retained for 90 days at the default plan level, then automatically purged. Aggregate issue counts and metadata may be retained longer for trend analysis.

5. Who we share it with

We do not sell personal data. We do not trade it. The only third parties that see site data are the service providers (sub-processors) we depend on to operate the site:

  • Vercel Inc. Hosting, edge delivery, and Web Analytics. United States.
  • Google LLC. Analytics (GA4), Search Console, and Google Workspace (Gmail) for email. United States.
  • Cloudflare, Inc. DNS resolution for the domain. United States.
  • Functional Software, Inc. (Sentry). Browser and server error monitoring. United States.

We may also disclose data when required by law, court order, or valid government request, or to protect the safety, rights, or property of users, third parties, or ourselves.

6. Cookies and similar technologies

The studio site sets cookies through Google Analytics 4 (the _ga and _ga_G-5FW4QWXDE2 cookies). These identify a browser across page loads so GA4 can stitch a session together. They do not contain a name or email address. Vercel Web Analytics is cookieless.

Before Google Analytics loads, we ask for your consent through a banner shown on your first visit. If you accept, GA cookies are placed. If you decline, no GA cookies are set and the site works identically. You can change your choice any time from the Cookie preferences link in the footer; revoking consent clears existing GA cookies for the domain.

Accept and Decline appear with equal prominence on the banner per the EU ePrivacy Directive (Article 5(3)), the Court of Justice of the European Union’s Planet49 ruling (C-673/17), and the consent guidance issued by national supervisory authorities. The banner is shown to every visitor by default and we do not load non-essential cookies before consent.

In addition to the banner, you can block analytics cookies in your browser settings, use a tracker-blocking extension, or send a Global Privacy Control (GPC) signal. We honor a GPC signal as an opt-out where applicable law treats it as such (currently California, Colorado, Connecticut, and a growing number of US states).

7. International data transfers

We operate from the Philippines. Our sub-processors (Vercel, Google, Cloudflare) store and process data in the United States and other jurisdictions. If you are in the EU, EEA, UK, or another region with cross-border transfer rules, your data may be transferred outside your region as part of normal site operation.

For transfers to the United States, we rely on the following mechanisms in order of preference:

  • EU-US Data Privacy Framework (DPF). Google LLC, Vercel Inc., and Functional Software, Inc. (Sentry) are self-certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023) and its UK Extension and Swiss-US Extension. Where the certifying entity holds active certification, transfers from the EU, EEA, UK, and Switzerland to that entity are permitted on adequacy grounds. You can verify a vendor’s current certification at dataprivacyframework.gov.
  • Standard Contractual Clauses (SCCs). As a backup mechanism, and for transfers from jurisdictions not covered by the DPF, each sub-processor offers SCCs in its Data Processing Agreement. We rely on those SCCs in such cases.
  • IP anonymization. Google Analytics 4 anonymizes IP addresses by default. No full client IP is stored by GA.

Schrems III contingency. The EU-US Data Privacy Framework is subject to legal challenge before the Court of Justice of the European Union (the so-called “Schrems III” matter brought by NOYB and others). If the DPF is invalidated, we will fall back to SCCs and apply any supplementary measures required at that time. We will update this section if the situation changes.

If you would like a copy of the SCCs that apply to a specific transfer, or the DPF certification details for a sub-processor, write to hi@murakamilabs.com.

8. Your rights

The rights you have depend on where you live. Below are the regimes we explicitly address. If your jurisdiction is not listed, write to us anyway; we will treat the request in good faith under the closest applicable framework.

Philippines (Data Privacy Act of 2012, RA 10173)

You have the right to be informed, to object, to access, to rectify, to erase or block, to damages for unlawful processing, to data portability, and to lodge a complaint with the National Privacy Commission (privacy.gov.ph). We are the personal information controller for the studio site.

EU and EEA (GDPR)

Under the General Data Protection Regulation, you have the right of access, rectification, erasure, restriction of processing, data portability, and objection (including objection to processing based on legitimate interests). You also have the right to lodge a complaint with your national supervisory authority. Where we rely on consent, you may withdraw it at any time.

United Kingdom (UK GDPR)

The same rights as the EU GDPR apply. The supervisory authority is the Information Commissioner’s Office (ico.org.uk).

California (CCPA and CPRA)

California residents have the right to know what personal information we collect, to delete it, to correct inaccuracies, to opt out of sale or sharing for cross-context behavioral advertising, and to limit use of sensitive personal information. We do not sell personal information. We do not share it for cross-context behavioral advertising. We honor Global Privacy Control signals as an opt-out signal where applicable.

Brazil (LGPD)

Under the Lei Geral de Proteção de Dados, you have rights of confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. The supervisory authority is the ANPD.

Canada (PIPEDA)

Canadian residents have rights of access and correction with respect to personal information we hold about them, and may complain to the Office of the Privacy Commissioner of Canada.

California Online Privacy Protection Act (CalOPPA)

CalOPPA requires commercial websites that collect personal information from California residents to post a privacy policy. This page satisfies that requirement.

Other US state laws

We extend equivalent access, deletion, correction, opt-out, and non-discrimination rights to residents of states with comprehensive consumer privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, Maryland, New Jersey, New Hampshire, Minnesota, Nebraska, Rhode Island, and any US state whose comprehensive privacy law is in effect at the time of your request. Where a state honors a Global Privacy Control (GPC) signal as an opt-out, we honor that signal.

China (PIPL)

Under the Personal Information Protection Law (effective 1 November 2021), residents of the People’s Republic of China have rights of access, correction, deletion, restriction, portability, and to withdraw consent. The Cyberspace Administration of China is the supervising authority. The studio site is not directed at the PRC market and we do not transfer personal data into China; if you are a PRC resident and have a request, write to hi@murakamilabs.com.

Japan (APPI)

Under the Act on the Protection of Personal Information, you have rights of disclosure, correction, suspension of use, and third-party disclosure records. The Personal Information Protection Commission of Japan is the supervising authority. Japan holds an EU adequacy decision; transfers between the EU and Japan are recognized as adequate.

Singapore (PDPA)

Under the Singapore Personal Data Protection Act (as amended 2020), you have rights of access, correction, withdrawal of consent, and data portability for ongoing relationships. The Personal Data Protection Commission of Singapore is the supervising authority.

South Africa (POPIA)

Under the Protection of Personal Information Act (in force since 1 July 2021), residents of South Africa have rights of access, correction, deletion, and objection. The Information Regulator is the supervising authority.

Thailand (PDPA)

Under the Thailand Personal Data Protection Act (in force since 1 June 2022), you have rights of access, correction, deletion, restriction, portability, and to withdraw consent. The Personal Data Protection Committee is the supervising authority.

India (DPDP Act)

Under the Digital Personal Data Protection Act, 2023, you have rights of access, correction, grievance redressal, and to nominate. The Data Protection Board of India is the supervising authority.

Australia (Privacy Act 1988)

Under the Australian Privacy Act and Australian Privacy Principles, you have rights of access and correction with respect to personal information about you that we hold. The Office of the Australian Information Commissioner is the supervising authority.

Switzerland (FADP)

Under the revised Federal Act on Data Protection (in force since 1 September 2023), residents of Switzerland have rights of access, correction, deletion, and objection. The Federal Data Protection and Information Commissioner is the supervising authority. Swiss transfers to certified US recipients are covered by the Swiss-US DPF Extension.

9. How to exercise your rights

Email hi@murakamilabs.com with the subject line “Privacy request” and tell us which right you want to exercise. We aim to respond within 30 days. We may ask for information that helps us confirm the request comes from you, especially before we delete or export data.

Because the studio site does not require an account, we usually do not hold personal information that is uniquely linkable to you. Where that is the case we will say so honestly rather than ask for new identifiers.

10. Children’s privacy

The studio site is not directed to children under 13 (or under 16 where local law applies). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, write to hi@murakamilabs.com and we will delete it.

11. Changes to this policy

We may update this policy as the site changes, as we add or remove sub-processors, or as the law requires. When we update it we will change the “Last updated” date at the top of the page. Material changes will be noted prominently for a reasonable period after the update.

12. Contact

Murakami Labs OPC, a Philippine corporation. Email: hi@murakamilabs.com.