Last updated: 10 June 2020
Word count: 2428
My name is Piper Haywood. I am a California-based individual and am responsible for the website that can be found at the URL https://piperhaywood.com.
What personal data is collected and why
Personal data is also known as personal information, personally identifying information (PII), or sensitive personal information (SPI). It refers to any information that may be used to identify a person such as a name or IP address.
I collect personal data on the lawful basis of legitimate interest. More specifically, I use it to maintain the security and essential functionality of this website and to contextualise the relevance of my writing. The nature of the collected data, how the data is used, who the data is shared with, and how long the data is retained is outlined below.
Web Hosting & Server Logs 💾
As with most web hosting providers, NFSN offers access logging, error logging, and rewrite logging. I have deliberately disabled access logging since it can contain personal data such as IP addresses and the host name of the accessing computer.
If comments are open on a post and you leave a comment, the content management system collects data shown in the comments form such as your name and email address, and it also collects your IP address and browser user agent string to help spam detection. Automated spam detection services are not used; instead, comments are checked for spam against a blacklist of terms.
Webmention is a standard for mentions and conversations across the web. Webmentions can include your name, the profile picture from your website, the URL of your website, and personal information you include in your post.
If your website supports webmentions, you may send a webmention to the endpoint of this website. By doing so, you are explicitly requesting the server to take notice of that referral and process it. As long as public content is concerned (i.e. you are not sending a private webmention), your use of this website’s webmention endpoint implies that you are aware that your webmention may be published and that you are aware of its contents.
Pending moderation for security purposes, incoming public webmentions will be published on this website. You can request the removal of one or all webmentions originating from your website at any time.
Logged-in editors may upload media to this website. If you upload images to this website, you should avoid uploading images with embedded location data (EXIF GPS) included since website visitors can extract this location data from any images that they download.
Embedded content from other websites 🎥
Because of these pitfalls, I avoid using embedded content on this website when possible.
I use Wordfence to configure a firewall, block malicious traffic, give me immediate alerts in the event of malicious activity, and enforce strong passwords. These features are essential in maintaining the security of this website and in protecting personal data. In order to maintain and provide these services, selected personal data including IP addresses and accessed URLs is collected and sent to Wordfence. Wordfence is located at Defiant, Inc, 800 5th Ave, Suite 4100, Seattle WA 98104, USA. For further information, please see Wordfence’s GDPR policies and their Data Processing Agreement.
This means that any personal data stored on my hosting may also be transferred to VaultPress. This is necessary for the safekeeping of this website in case some aspect of the hosting or another essential service provider were to go down.
I use analytics to better understand and contextualise my writing.
Since 8 January 2020, I have been using a self-hosted instance of Matomo as my primary analytics source. I have configured Matomo to anonymise the last two bytes of IP addresses, and User IDs are replaced with pseudonyms. Website visitors may opt out from analytics at any time by setting their preferences in the menu or by enabling Do Not Track in a supported browser.
Prior to 8 January 2020, I used Google Analytics as my primary analytics provider. I configured Google Analytics to anonymise IP addresses, and I deliberately disabled Data Collection for Advertising Features, Demographics and Interest Reports, User-ID, and all data-sharing settings.
Cookies are used on this website to support essential functionality and to gather some insight on how the website is used.
When you visit the site
When you visit the site, a script related to Matomo sets up several cookies.
_pk_id is used to store a few details about the user and expires in 13 months.
_pk_ref is used to store the attribution or referrer information and expires in 6 months.
_pk_cvar are short-lived cookies used to temporarily store visit data and expire in 30 minutes.
If you change any analytics settings
If you change any analytics settings, Matomo will set the cookie
mtm_consent_removed depending upon your preferences. These cookies do not have an expiry date so that the user’s preference persists during future visits.
If you leave a comment on the site
If you leave a comment on our site, you may opt in to saving your name, email address, and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit the login page
If you visit our login page, the content management system will set a temporary cookie
wordpress_test_cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
If you log in to the site
If you log in, the content management system will set up several cookies to save your WordPress login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
The security plugin Wordfence will also set up cookies related to the firewall. These cookies check the capability of the current user before WordPress has been loaded so that logged in users are given increased access, and non-logged in users are restricted from secured areas. The cookies also let the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block. These cookies persist for 2 weeks.
If the logged in user is an administrator (the top access level), Wordfence will also set cookie
wfwaf-authcookie-[hash] that is used to let site owners know when there is an admin login from a new device or location (a security risk). This cookie persists for 12 hours.
If you edit the site
If you edit or create a post or page on this site, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
About your data and how we use it
What rights you have over your data
- The right of access: Get in touch and we will provide you with an exported file of any data we hold about you, including data you have provided to us. If you have an account, you can log in and access your account data at any time.
- The right to rectification: If there’s any personal data about you that should be corrected by us, please let us know.
- The right to erasure, a.k.a. the “right to be forgotten”: Let us know and we will delete all your personal data that we store. If you have an account on this site, you can delete your account at any time. If you have commented on the site or we hold your data for any other reason, you can request that we erase any personal data we hold about you. Please note that we cannot remove or erase data that we are obliged to keep for administrative, legal, or security purposes.
- The right to restrict processing: If you would like to restrict or suppress the processing of any data we hold about you, get in touch and we will work with you to accommodate this.
- The right to data portability: We will give you an exported copy of your data so that you can provide it to another service.
- The right to object: You have the right to file a complaint regarding our collection and use of your data. Please tell us first so that we have a chance to address your concerns. If we fail in this, you can address any complaint to your national data protection authorities.
Who we share your data with
Since this website and related Matomo instance are self-hosted, most personal data is only shared with our hosting provider NFSN and backups provider VaultPress. Newsletter signups are shared with MailChimp, and personal data collected for security purposes is shared with Wordfence in order to maintain and improve the quality of their service.
We do not share personal data for advertising or any other purposes beyond what is described in this policy.
How long we retain your data
Comments and webmentions, including their metadata, are retained indefinitely so that we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
Personal information provided when signing up to our newsletter is retained indefinitely. If you unsubscribe, you will no longer receive newsletters from us but we will retain your contact details. If you would like your contact details to be deleted, please get in touch so that we can do this for you.
Personal information provided by registered users of the website is stored in the relevant user profile indefinitely. All users can see, edit, or delete their own personal information at any time. Users cannot change their username but are welcome to get in touch with a website administrator if they wish to do so. Website administrators may also see and edit users’ personal information.
Raw Matomo data that is more than 180 days old is deleted once a week. Legacy analytics data in Google Analytics is stored for 26 months. VaultPress backups are retained for 30 days.
Please see the Cookies section of this document for information about what cookies we set and when they expire.
How we protect your data
We use SSL encryption to protect our website traffic. Our SSL certificate is issued by Let’s Encrypt. Our website uses SSL encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection if the URL reads
https:// instead of
http://. A green lock icon may also be displayed in your browser’s address bar. If you see the green lock icon, try clicking it. In many browsers, clicking the lock icon will give you further information about the website related to your privacy.
Wherever possible, we follow WordPress’s guidance regarding security and complete all CMS and plugin updates as soon as is feasible. We also use Wordfence for more advanced security features.
We do not store or transmit passwords in plain text formats such as spreadsheets, text files, or emails.
Data breach procedures
If there is a data breach where personal data may have been compromised, we will report the breach to the relevant supervisory authority. We will do so within 72 hours of becoming aware of the breach, where feasible. We will also get in touch with the affected users as soon as possible to let them know the nature of the breach and what data may have been involved.
Questions & Feedback