Privacy Policy

2024-08-26 11:23

Privacy Policy

This page serves as the GDPR Privacy Notice for recipebook.bentasker.co.uk.

The controller of the (extremely limited) data collected is Ben Tasker.

You have the right to object to processing, either by objecting to a specific mechanism as described below, or by Contacting Me. If you feel your objection has not been appropriately handled, or that the processing does not have a lawful basis, you also have the right to complain to a supervisory authority.

Legitimate Interests

The following data is processed/retained based upon the Lawful Basis of GDPR Section 6(1)(f) - Legitimate Interests. In accordance with GDPR, all have been subjected to a Legitimate Interest Assessment (LIA) in order to balance your rights with the legitimate needs.

Access Logs

All requests and connections to my network services are written to access logs for the necessary purposes of Network & Information Systems Security, Billing and Account Management Purposes and Network Systems scaling and management.

The data stored which may be considered to contain Personal Data is

  • Connecting IP address
  • Details of the request/connection (i.e. which page and site was requested, or for non HTTP connections, which service was requested)
  • HTTP Referrer string (where available)
  • HTTP User-Agent header (where available)

The data collected in access logs is not passed to any third party, and will not be unless required by a lawful warrant issued by a court whose jurisdiction includes the United Kingdom (and any such warrant, even then, may be contested if it's felt to be overly broad or inappropriate - I have no more interest in allowing the Government to trample over your rights than you do).

Access logs are retained for 90 days from the date of their creation, after which they are automatically removed. However, where log lines are considered potentially relevant to a network incident, they may be retained until the investigation has completed. Those which are assessed to relate directly to the incident will be retained as part of the incident report, but will be anonymised as appropriate to the context in which they are being reported.

Any individual wishing to object to this processing should use the contact method provided within this policy. All requests will be considered upon their own merits (and the feasibility of implementation).

A limited amount of automated processing is used in order to identify "bad actor" IPs and limit their ability to cause harm to my systems. The data is not passed to any third party in order to perform this processing.

The processing of this data is not only essential to the services I provide, but is necessary to help ensure that any other data I may hold on you remains protected. Logs form an essential component of investigations into any suspected breach, and without them it may not be possible to identify (and fix) the method used to achieve a compromise. Ultimately, this limited processing benefits both you and my entire user-base.

Site Behavioural Analytics

I use an analytics program in order to record site and user behaviour on my sites for the purposes of identifying how sites are behaving and where (and how) improvements can be made (for example if a regularly visited URL results in a 404 Not Found). The data is used in order to rectify issues, track site performance and to aid in troubleshooting when issues are reported. It is also utilised in order to help make scaling and deployment decisions within my Content Distribution Network (CDN), as well as identifying cases where a user has been routed to an incorrect server (for example, a US user being sent to an Asian distribution node).

The system has been designed to minimise privacy impact, collecting:

  • HTTP Referer (where available)
  • Page Visited
  • OS and hardware platform
  • Browser reported timezone (offset from GMT)
  • Page load time
  • Number of pages viewed this session

Please note that tracking cookies are not used as part of this system, so separate visits will not automatically be associated to one another.

The data collected in access logs is not passed to any third party, and will not be unless required by a lawful warrant issued by a court whose jurisdiction includes the United Kingdom (and any such warrant, even then, may be contested if it's felt to be overly broad or inappropriate - I have no more interest in allowing the Government to trample over your rights than you do).

The data is protected by a variety of strong mechanisms, and access to the data is very tightly restricted.