Privacy

Privacy Policy

Last updated: April 2026

The short version

This is a personal site. I don't sell your data, I don't track you across the web, and I don't run ads. Anything I collect is only what's needed to make the site work.

What I collect

  • Contact form submissions — if you send a message, I store your name, email, and message so I can reply.
  • Account data — if you sign in (email or via GitHub/Google), I store the minimal profile info those providers return.
  • Server logs — standard request logs (IP, user agent, timestamp) via the hosting provider, kept short-term for debugging and abuse prevention.

Who I share it with

Only the services that run the site: Vercel (hosting), Supabase (database + auth), and the OAuth provider you choose to sign in with. No marketing partners, no data brokers, no analytics vendors selling your behaviour.

Cookies

Only the essentials — a session cookie if you sign in. No tracking or advertising cookies.

How long I keep it

  • Contact messages — kept for up to 24 months after our last exchange, then deleted.
  • Account data — kept while your account is active. Deleted within 30 days of account closure.
  • Server logs — rolled over by the hosting provider, typically within 30 days.

Where your data goes

The site runs on Vercel and Supabase. Your data may be processed and stored outside your home country, including in the United States. These providers use Standard Contractual Clauses and equivalent safeguards for international transfers out of the EEA and UK.

Your rights (GDPR — EEA & UK)

If you're in the EEA or UK, you have the right to:

  • Access — get a copy of the personal data I hold about you.
  • Rectification — correct anything inaccurate.
  • Erasure — ask me to delete your data.
  • Restriction — limit how I process it.
  • Portability — receive your data in a portable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing relies on consent, you can withdraw it at any time.
  • Complain — lodge a complaint with your local supervisory authority (in the UK, that's the ICO at ico.org.uk).

Legal bases I rely on: contact messages and account data — your consent and, where relevant, performance of a service you've requested. Server logs — legitimate interest in keeping the site secure and functional.

Your rights (CCPA/CPRA — California)

If you're a California resident, you have the right to:

  • Know — what personal information I've collected about you, the sources, the purposes, and who I've shared it with.
  • Delete — request deletion of your personal information.
  • Correct — fix inaccurate information.
  • Opt out of sale or sharing — I do not sell or share personal information for cross-context behavioural advertising. There's nothing to opt out of, but you have the right regardless.
  • Limit use of sensitive personal information — I don't collect or use sensitive personal information beyond what's needed to provide the service.
  • Non-discrimination — I won't treat you worse for exercising any of these rights.

Categories of personal information collected in the last 12 months: identifiers (name, email), internet activity (server logs), and account/profile information from OAuth sign-in. I do not sell or share any of it.

How to exercise your rights

Email me via the contact page with what you want (access, deletion, correction, etc.). I'll verify your identity where it's sensible to do so and respond within 30 days (GDPR) or 45 days (CCPA). You can have an authorised agent make the request on your behalf.

Data controller

The data controller for this site is Dan Stoll. Contact via the contact page.

Children

This site isn't aimed at children under 16, and I don't knowingly collect data from them. If you think I have, contact me and I'll delete it.

Changes

If this policy changes, I'll update the date at the top. No sneaky rewrites.