Privacy Policy
Thank you for your interest in my privacy policy. This policy contains information about how I process your personal data and about your rights according to the European GDPR (General Data Protection Regulation). My website and this privacy policy are provided in accordance with European law.
Scope
The following privacy policy is valid for:
- https://aristidebouix.cloud/ (clearnet HTTPS version of my blog)
- http://ymglrht2hmgdlt66oaztz4zpcuyzf7e773zgndcwz2msjgvkoysr7kid.onion/ (self-hosted Tor mirror of my blog)
Short version of this privacy policy
- By default, your IP address is processed by the caching servers that are part of Amazon Cloudfront’s service. This is technically necessary to send the site content to your client.
- By default, I only have access to logs provided by Amazon Cloudfront. Cloudfront log files are stored in an encrypted dedicated S3 bucket, and deleted after 30 days.
- I use the Google Analytics service to learn more about your browsing behaviour on the blog; this allows me to optimize the website UX and content.
- I do not try to identify you and only set one cookie for Google Analytics, which is a unique profile ID distributed when you visit the website. Some other technical cookies may be set from Disqus, Report-URI, and Adex.
- I serve some ads from the Adex network.
- Your rights according to the European GDPR are explained in Articles 15–21 and 77 GDPR.
- In case of any questions related to this privacy policy, feel free to contact me.
Contents
- Definitions
- Personal data I process
- Personal data third parties process for me
- Accessing my website using mirrors and archives
- Your rights (Articles 15–20 GDPR)
- Right to object (Article 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
- Limits of this policy
- Changes to this policy
Definitions
There are several definitions in the GDPR. The most important definitions are:
- ‘personal data’ means any information relating to an identified or identifiable natural person
- ‘processing’ means any operation […] on personal data […] such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
If I talk about your personal data in the following, I mean anything that can be used to identify you. This includes your name, e-mail address, and IP address. When I talk about “processing of personal data”, I mean any type of processing.
Personal data I process
When you visit my website, your IP address and user agent are automatically processed by Amazon Cloudfront. I automatically get this data from your client (e.g., your web browser or RSS/Atom feed reader). Cloudfront needs your IP address to send my contents back to your client. Cloudfront is only a caching service and AWS isn’t supposed to retain a copy of the access logs as they are a GDPR compliant data processor.
The legal basis for processing your personal data as explained above is Article 6(1) f GDPR.
Logging
Cloudfront writes information about certain client-side requests to so-called log files. I use these log files to detect attack-like behavior and to improve the site services. Those log files are automatically encrypted using S3 server-side encryption (SSE) and deleted after 30 days.
Personal data third parties process for me
The following third parties process personal data for me:
Amazon Web Services Inc, USA
Amazon Web Services, referred to as AWS (read their privacy policy), provides my website’s servers. Amazon Web Services may log access attempts (IP address, user agent) for all of its customers (including me) to detect DDoS attacks, attack-like behavior, and so on.
To use AWS, I concluded a data processing agreement according to Article 28 GDPR which is part of their online Service Terms.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Google (Alphabet Inc), USA
I rely on Google (read their privacy policy) to serve a better font (fonts.gstatic.com) as well as for the Google Analytics service.
Google Fonts (GF). GF are high-quality fonts used on this website to improve the quality of the final rendered text at your end. This is an essential service for the appearance of the site. For privacy considerations concerning the use of GF you can read here.
I use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. I also send Google your IP address. I use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to me for improving the user experience and determining site effectiveness. If you would like to access what browsing information I have, or ask me to delete any GA data, please send me your _ga cookies (one for each browser whose associated information you wish me to delete) by email; once done, delete your _ga cookies and/or install the Google Analytics Opt-Out Browser Add-On.
I concluded a data processing agreement according to Article 28 GDPR with Google.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Disqus Inc, USA
Disqus Inc (read their privacy policy) allows user comments in the site’s articles. In order to use the service you need to register a Disqus account; access to and deletion of your comments can be managed from your Disqus account. I do not serve any ads through Disqus; however, their services require loading a few cookies and JavaScript from the disqus.com and disquscdn.com domain names.
To use Disqus, I concluded a data processing agreement according to Article 28 GDPR which is part of their online Terms of Service.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Report-URI Ltd, UK
Report-URI (read their privacy policy) allows me to redirect failed or suspicious web requests for analysis. The data collected on Report-URI is anonymized and doesn’t contain your IP address or user agent.
The legal basis for processing your personal data is Article 6(1) a GDPR.
AdEx Network OÜ, Estonia
Adex (read their privacy policy) is an attempt to monetize my website traffic while serving some ads in a less privacy-intrusive way. Adex relies on Contextual Targeting, and isn’t supposed to collect any personal data. It loads ads from the domain moonicorn.com.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Gandi SAS, France (e-mail only)
Gandi SAS (read their privacy policy) provides my mail server. It isn’t necessary to send me any e-mails to access my blog/content. If you decide to contact me, you agree that I and Gandi SAS process your personal data (e.g., name, e-mail address) to answer your request. I do not use your e-mail address for marketing purposes or tracking.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Algolia Inc, USA (search bar only)
Algolia Inc (read their privacy policy) is the indexing and searching web service I rely on for the article search functionality. As such, they only process information that you enter in search queries. I also have access to these inputs, which are hosted by Algolia in France for a duration of 90 days. Logs of search queries and operations can be processed outside of the EU but always stay in a system respecting privacy and security according to Algolia's GDPR documentation.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Cloudflare Inc, USA
I use Cloudflare (read their privacy policy) as a caching service to serve an HTML-to-LaTeX parsing JavaScript library that renders mathematical formulas in my blog posts. I haven’t found a more elegant way to serve this library properly at the moment. You will note that Cloudflare doesn’t collect any data for this service.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Bitcoin.com (Saint Bitts LLC), USA
I only request the following API: index-api.bitcoin.com to get the latest BCH/EUR trading rate so you can always give me a donation of exactly 1 euro with your badgerwallet. No personal data is involved. If you wish to make me a donation through the badgerwallet or any other cryptocurrency listed on my About page, your sending cryptocurrency address and the amount of the donation will be recorded on the corresponding blockchain and cannot be erased by me or any other third party.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Glitch, Inc, USA
I use the open-source tool visitor-badge to count how many users are viewing each page of my blog. No personal data is involved. The code is currently hosted on Glitch.
The legal basis for processing your personal data is Article 6(1) a GDPR.
Accessing my website using mirrors and archives
My blog content may be provided by third parties as a mirror website (reflecting the current content) or as an archived website (reflecting outdated content). Kindly note that this privacy policy doesn’t cover such mirrors or archives.
Your rights (Articles 15–20 GDPR)
According to the Articles 15 to 20 of the GDPR, you have several rights concerning your personal data processed by me:
- Art. 15: Right of access
- Art. 16: Right to rectification
- Art. 17: Right to erasure
- Art. 18: Right to restriction of processing
- Art. 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Art. 20: Right to data portability
You may exercise your rights by contacting me.
Right to object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point e or f of Article 6(1) GDPR, including profiling based on those provisions. I will no longer process the personal data unless I demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. This doesn’t affect the lawfulness of processing based on consent before its withdrawal (point c of Article 13(2) GDPR).
Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
Limits of this policy
This website may link to external sites that are not operated by me. Please be aware that I have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
Changes to this policy
At my discretion, I may change this privacy policy to reflect current acceptable practices. I will take reasonable steps to let users know about changes via the website. Your continued use of this site after any changes to this policy will be regarded as acceptance of my practices around privacy and personal information.
This policy is effective as of 25 March 2020.