Privacy Policy
Who I am
This site is run by Will Patrick. You can contact me about anything in this policy at hello@willpatrick.co.uk.
I do not have a data protection officer — one is not required for a personal blog — but you can use the same email address for any data protection queries.
What data I collect and why
| What I do | Data involved | Legal basis |
|---|---|---|
| Serve this website | IP address, user agent, page URL, referrer, approximate location (all from standard HTTP headers) | Legitimate interest (Art. 6(1)(f)) — running the site |
| Measure site usage (Cloudflare Web Analytics) | Anonymised page views via HTTP beacon — no cookies, no client-side storage | Legitimate interest / PECR Schedule A1 statistical-purposes exception |
| Newsletter signup | Email address you enter into the subscribe form | Consent (Art. 6(1)(a)) — you actively submit the form |
| Respond to your emails | Your email address and message content | Legitimate interest (Art. 6(1)(f)) — replying to correspondence |
Categories of personal data
- IP address, user agent, page URL, referrer, approximate geographic location (derived from HTTP headers by Cloudflare)
- Email address (only if you subscribe to the newsletter or contact me directly)
Who I share data with
| Recipient | Role | Location | What they receive |
|---|---|---|---|
| Cloudflare, Inc. | Processor (hosting and analytics) | United States | HTTP request data for hosting; anonymised page view events for analytics |
| Substack, Inc. | Separate controller (newsletter delivery) | United States | Email address you submit via the subscribe form |
Newsletter
When you subscribe using the form on this site, your email address is sent directly from your browser to Substack Inc. (United States), which is a separate controller for delivering the newsletter.
I rely on your consent, given by submitting the form, as the lawful basis for this processing. Substack handles your email under its own privacy policy.
You can unsubscribe at any time using the link in any newsletter email. If you want your data fully erased, email me and I will action the request with Substack on your behalf.
International transfers
Your data may be transferred outside the United Kingdom:
- Cloudflare (United States): certified under the EU-US Data Privacy Framework with the UK Extension. Verified at dataprivacyframework.gov/list.
- Substack (United States): relies on Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum.
How long I keep data
| Data | Retention |
|---|---|
| Server/CDN logs (Cloudflare) | 30 days |
| Cloudflare Web Analytics | 6 months |
| Newsletter subscriber email (Substack) | Per Substack’s own retention policy |
| Email correspondence | Duration of the conversation plus a reasonable period |
Your rights
Under UK GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting earlier processing (Art. 7(3))
To exercise any of these rights, email hello@willpatrick.co.uk. I will respond within one calendar month.
Complaints
If you are unhappy with how I have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
Is providing your data required?
No. Providing your data is entirely voluntary. You are not obliged to subscribe or to contact me. The site works without either.
Automated decision-making
This site does not use automated decision-making or profiling.
Cookies and storage
This site uses minimal cookies and no browser storage. The table below lists everything:
| Name | Provider | Purpose | Duration | Type | Category |
|---|---|---|---|---|---|
__cf_bm | Cloudflare | Bot management | ~30 minutes | Cookie | Strictly necessary |
cf_clearance | Cloudflare | Security challenge clearance | ~1 day | Cookie | Strictly necessary |
theme | This site | Stores your light/dark mode preference | Persistent | localStorage | Functional |
| — | Cloudflare Web Analytics | Page view measurement (no client-side storage set) | — | HTTP beacon | Analytics |
Cloudflare cookies (__cf_bm, cf_clearance) are strictly necessary for security and cannot be disabled.
Cloudflare Web Analytics operates without cookies or client-side storage. It sends a single HTTP beacon per page view containing no personally identifiable information.
The newsletter subscribe form does not set any cookies or browser storage. Your email address is sent directly from your browser to Substack when you submit the form.
Children
This site is not directed at children under 13. I do not knowingly collect personal data from children under 13. If you believe I have, please email me and I will delete it promptly.
Security
Data is protected by:
- TLS encryption on all connections (via Cloudflare)
- Processor selection based on compliance posture and signed data processing agreements
- Two-factor authentication on all service accounts
Changes to this policy
If I make material changes to this policy, I will update the effective date at the top. Where possible I will note significant changes on the site or in the newsletter.