Privacy policy

A plain-English statement of what personal data this site collects, why, how long it is kept, and the rights you have over it under UK data-protection law.

Last updated: 10 May 2026.

Who is the controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller for this site is Peter Bassill, operating from the United Kingdom. Contact: privacy@peterbassill.com or via the contact form.

What data is collected

1. Contact form submissions

If you fill in the form at /contact, the site stores:

  • The name you provide.
  • The email address you provide.
  • The subject and body of your message.
  • The IP address the request came from, and a timestamp.
  • The result of the Cloudflare Turnstile bot challenge, where enabled.

Lawful basis: legitimate interest — responding to enquiries you have actively initiated. Retention: kept until the conversation is resolved and follow-up correspondence has run its natural course; routinely deleted in batches no later than 24 months after last contact.

2. Server access logs

The Apache web server records standard request information for every page load: timestamp, source IP address, HTTP method, requested path, status code, response size, user-agent, and referrer.

Lawful basis: legitimate interest — operating, securing, and debugging the site, including detecting and resisting attacks against the admin area. Retention: 30 days for routine access logs; up to 12 months for log entries that have been flagged as part of a security investigation.

3. Audit log

Administrative actions on this site (logins, content changes, API token use) are recorded in an internal audit log capturing the actor, action, target, IP address, and timestamp.

Lawful basis: legitimate interest — security, accountability, and incident response. Retention: 12 months rolling, longer where required for an active investigation.

4. Rate-limit and anti-abuse data

To resist brute-force attacks against the admin login and abuse of the contact form, IP-keyed counters are kept in Redis and discarded automatically once the rate-limit window expires.

Lawful basis: legitimate interest — site security. Retention: minutes to hours, set by the rate-limit window in use.

5. Cookies and local storage

The site uses only the minimum cookies needed to operate, plus a single first-party preference cookie for theme selection. There are no analytics, advertising, or tracking cookies. See the cookie policy for the full list.

What this site does not collect

  • No analytics or behavioural-tracking identifiers.
  • No advertising or remarketing data.
  • No special-category data (health, biometric, political opinions, religion, etc.) — please do not include such data in a contact form submission.
  • No data is sold, rented, or shared for commercial purposes.

Third parties

The site is hosted on infrastructure operated by my chosen UK / EU hosting provider. The following third parties are used in narrowly scoped roles:

  • Cloudflare Turnstile — bot challenge on the contact form. Cloudflare acts as a processor for the challenge data; their privacy policy applies.
  • Email delivery — replies to contact-form messages travel over standard email, which is processed by my email provider before reaching you.

I do not knowingly transfer personal data outside the UK or European Economic Area. Where a processor (such as Cloudflare) operates globally, transfers are made under the relevant Standard Contractual Clauses or UK Addendum.

Your rights

Under UK GDPR you have the right to:

  • Be informed about how your data is used (this page).
  • Request a copy of the personal data held about you (right of access).
  • Ask for inaccurate data to be corrected (right to rectification).
  • Ask for your data to be deleted where there is no overriding legal or legitimate-interest reason to keep it (right to erasure).
  • Restrict or object to processing.
  • Receive your data in a machine-readable format (right to data portability) where applicable.
  • Withdraw consent at any time, where consent was the basis for processing.

To exercise any of these rights, email privacy@peterbassill.com. I will respond within one calendar month, in line with the statutory limit, and will not charge a fee for routine requests.

Complaints

If you are unhappy with how a request has been handled, you can complain to the UK Information Commissioner's Office (ICO):

  • Web: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Children

This site is not directed at children under the age of 13 and does not knowingly collect personal data from children.

Security

Reasonable technical and organisational measures are in place to protect data against unauthorised access, alteration, disclosure, or destruction — including HTTPS-only delivery, strict Content-Security-Policy headers, hashed admin passwords, two-factor authentication on the admin area, server hardening, and regular security review. The disclosure path for security issues is in the security policy.

Changes to this policy

This policy may change as the site evolves. Material changes will be reflected in the "Last updated" date at the top, and significant changes will be flagged on the home page or via direct contact where reasonable.


See also: Cookie policy · Security policy.