If you have any questions, would like to see your data, or would like to have it deleted, email me at firstname.lastname@example.org
Now technically this website is below the threshold where I would need to be GDPR compliant, so I’m making no promises about the accuracy of this; this is a friendly heads-up, not a lawyered policy. But I think it’s good to let you know what’s actually going on here.
I don’t really need (or care) to track the use of this website, beyond the simple statistics offered by the server logs. And, I have no plans to use this site for any advertising. So as much as possible, I am not tracking you.
First I store a cookie to check if you have seen the cookie notice. This is basically pointless, but it does let me do a cookie notice without it annoying everyone every time they visit the site.
Obviously, a key part of this website is embedding YouTube videos. I have tried to set all of these to use YouTube’s “nocookie” domain (aka “Privacy-Enhanced Mode”) so that it will not store any cookies. And they’re true to their word, it doesn’t store any cookies. However, instead of using a cookie, YouTube just saves your tracking data to local storage, then fetches it when you next visit their site. Different words, different process, but still tracking without consent, still in violation of the GDPR.
So as a second privacy step, and a bit of website optimisation, rather than use YouTube’s embeds directly, I instead just fetch the thumbnail, and place a fake play button on top. Only when clicked does the (nocookie) embed actually load. Visually indistinguishable, without all Google’s bullshit.
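The click-to-load approach described above, sketched as an added example (not this site's actual code). The function names, the data-video-id attribute and the 11-character id pattern are assumptions.

```javascript
// Added example: all names and the data-video-id attribute are hypothetical.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumption: the usual 11-character id shape

// Reject anything that is not a plain id before it is placed into a URL.
function checkedId(id) {
  if (!VIDEO_ID.test(id)) throw new Error('unexpected video id');
  return id;
}

// A plain image request: no player script runs in the page.
// Serving a cached copy from your own host avoids the third-party request entirely.
function thumbnailUrl(id) {
  return `https://i.ytimg.com/vi/${checkedId(id)}/hqdefault.jpg`;
}

function embedUrl(id) {
  return `https://www.youtube-nocookie.com/embed/${checkedId(id)}?autoplay=1`;
}

// Build the placeholder: thumbnail plus a play button, and no iframe yet.
function buildFacade(doc, id) {
  const box = doc.createElement('div');
  const img = doc.createElement('img');
  img.src = thumbnailUrl(id);
  img.alt = 'Video thumbnail';
  const play = doc.createElement('button');
  play.textContent = '▶ Play';
  play.addEventListener('click', () => {
    // Only now is the third-party player fetched and allowed to run.
    const frame = doc.createElement('iframe');
    frame.src = embedUrl(id);
    frame.title = 'YouTube video player';
    frame.allow = 'autoplay; encrypted-media';
    box.replaceChildren(frame);
  }, { once: true });
  box.append(img, play);
  return box;
}

// Browser wiring: swap every <div data-video-id="..."> for a facade.
if (typeof document !== 'undefined') {
  for (const el of document.querySelectorAll('[data-video-id]')) {
    el.replaceWith(buildFacade(document, el.dataset.videoId));
  }
}
```

Until the button is clicked, the page holds no iframe at all, so the embed has no chance to write to cookies or local storage.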
Similarly, I’m using the “do not track” version of the Twitter timeline embed, which also seems to store non-essential tracking data, and which I have yet to find a good workaround for.
Those are the only embeds I am using right now, and if I add any more I will try to make them as privacy compliant as possible. However, these big tech companies are fully willing to completely violate these laws, and just accept a few multi-million dollar slaps on the wrist.
To stop spam signups and improve security in as unobtrusive a way as possible, I have had to use Google’s ReCaptcha. I am using the “checkbox” version of ReCaptcha v2, which is less invasive than the newer methods, and I have isolated it to only exist on the pages where it is absolutely required. Regardless, another in for Google.
If you visit the login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, I have set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
At checkout, we will collect your name, email address, username, and password. This information is used to set up your account for our site. The last 4 digits of your credit card number and the expiration date are saved by our site to use for reference and to send you an email if your credit card will expire before the next recurring payment.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Where your data is shared
If you request a password reset, the requesting IP address will be included in the reset email.
User comments may be checked through an automated spam detection service.
Payment information is processed through Stripe.
How long your data is retained
If you leave a comment, the comment and its metadata are retained indefinitely.
For users that register on the website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their own personal information at any time. Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.