Last updated: 15 September 2023
Word count: 2676
My name is Piper Haywood. I am a New York-based individual and am responsible for the website that can be found at the URL https://piperhaywood.com.
TL;DR version: I track/store only what I have to in order to make the site run the way it needs to. Login functionality, security services, backups, that sort of thing. No services like Google Analytics as of 2 September 2020.
What personal data is collected and why
Personal data is also known as personal information, personally identifying information (PII), or sensitive personal information (SPI). It refers to any information that may be used to identify a person such as a name or IP address.
We collect personal data primarily on the lawful basis of legitimate interest. More specifically, we use it to maintain the security and essential functionality of this website. When legitimate interest does not suffice, for example in the collection of email addresses for our e-newsletter or comments, we do so on the lawful basis of consent. The nature of the collected data, how the data is used, who the data is shared with, and how long the data is retained is outlined below.
Web Hosting & Server Logs 💾
Flywheel maintains server logs for functionality and security purposes which include information about visitors to this site. This information may include IP addresses, browser type, Internet service provider (ISP), referring or exit pages, the files viewed on the Site (e.g., HTML pages, graphics, etc.), operating system, and date/time stamp. Flywheel does not sell, rent, or lease personal information to any third party.
If comments are open on a post and you leave a comment, the content management system collects data shown in the comments form such as your name and email address, and it also collects your IP address and browser user agent string to help spam detection. Automated spam detection services are not used; instead, comments are checked for spam against a list of disallowed terms.
ActivityPub is a decentralized networking protocol. This website functions as a federated profile via the ActivityPub plugin, so posts originating on this blog are syndicated on the fediverse. The website’s username is @blog and can be followed on platforms like Mastodon.
If you reply to one of this blog’s posts on the fediverse, you are explicitly requesting this website’s server to take notice and process your reply, and this implies that you are aware your reply may be published and you are aware of its contents. This includes information that you share about yourself on the fediverse such as your profile image and username.
Pending moderation for security purposes, incoming fediverse replies will be published on this website. You can request the removal of one or all replies from your fediverse account at any time.
Webmention is a standard for mentions and conversations across the web. Webmentions can include your name, the profile picture from your website, the URL of your website, and personal information you include in your post.
If your website supports webmentions, you may send a webmention to the endpoint of this website. By doing so, you are explicitly requesting the server to take notice of that referral and process it. As long as public content is concerned (i.e. you are not sending a private webmention), your use of this website’s webmention endpoint implies that you are aware that your webmention may be published and that you are aware of its contents.
Pending moderation for security purposes, incoming public webmentions will be published on this website. You can request the removal of one or all webmentions originating from your website at any time.
Logged-in editors may upload media to this website. If you upload images to this website, you should avoid uploading images with embedded location data (EXIF GPS) included since website visitors can extract this location data from any images that they download.
Embedded content from other websites 🎥
Because of these pitfalls, we avoid using embedded content on this website when possible. When we need to include an embed, we try to use enhanced privacy attributes where possible such as YouTube’s Privacy Enhanced Mode or Vimeo’s Do Not Track parameter.
We use Wordfence to configure a firewall, block malicious traffic, give immediate alerts in the event of malicious activity, and enforce strong passwords. These features are essential in maintaining the security of this website and in protecting personal data. Selected personal data including visitors’ IP addresses and accessed URLs is collected and sent to Wordfence so that they may accurately administer their security services. Wordfence is located at Defiant, Inc, 800 5th Ave, Suite 4100, Seattle WA 98104, USA. For further information, please see Wordfence’s GDPR policies and their Data Processing Agreement.
As of 2 September 2020, we no longer use analytics to track page views and other viewer information.
From 8 January to 2 September 2020, we used a self-hosted instance of Matomo for statistics that helped us contextualize our writing. When using Matomo, we configured it to anonymize the last two bytes of IP addresses, and User IDs were replaced with pseudonyms. Website visitors were able to opt out from analytics at any time by setting their preferences in the menu or by enabling Do Not Track in a supported browser.
Prior to 8 January 2020, we used Google Analytics as our primary analytics provider. We configured Google Analytics to anonymize IP addresses, and we deliberately disabled Data Collection for Advertising Features, Demographics and Interest Reports, User-ID, and all data-sharing settings.
Strictly necessary cookies are used on this website to support essential functionality. Please see the details below for more information about how cookies are set and how long they last for.
If you leave a comment on the site
If you leave a comment on our site, you may opt in to saving your name, email address, and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit the login page
If you visit our login page, the content management system will set a temporary cookie, wordpress_test_cookie, to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
If you log in to the site
If you log in, the content management system will set up several cookies to save your WordPress login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
The security plugin Wordfence will also set up cookies related to the firewall. These cookies check the capability of the current user before WordPress has been loaded so that logged-in users are given increased access, and users who are not logged in are restricted from secured areas. The cookies also let the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block. These cookies persist for 2 weeks.
If the logged-in user is an administrator (the top access level), Wordfence will also set the cookie wfwaf-authcookie-[hash], which is used to let site owners know when there is an admin login from a new device or location (a security risk). This cookie persists for 12 hours.
If you edit the site
If you edit or create a post or page on this site, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
About your data and how we use it
What rights you have over your data
- The right of access: Get in touch and we will provide you with an exported file of any data we hold about you, including data you have provided to us, and we will direct you to the third-party services listed above if your data may be held by them. If you have a WordPress account on this site, you can log in and access your account data at any time.
- The right to rectification: If there’s any personal data about you that should be corrected by us, please let us know and we will do our best to correct it.
- The right to erasure, a.k.a. the “right to be forgotten”: Let us know and we will delete all your personal data that we store and will direct you to the third-party services listed above if your data may be held by them. If you have a WordPress account on this site, you can delete your account at any time. If you have commented on the site or we hold your data for any other reason, you can request that we erase any personal data we hold about you. Please note that we cannot remove or erase data that we are obliged to keep for administrative, legal, or security purposes.
- The right to restrict processing: If you would like to restrict or suppress the processing of any data we hold about you, get in touch and we will work with you to accommodate this.
- The right to data portability: We will give you an exported copy of your data that we hold so that you can provide it to another service.
- The right to object: You have the right to file a complaint regarding our collection and use of your data. Please tell us first so that we have a chance to address your concerns. If we fail in this, you can address any complaint to your local data protection authorities.
Who we share your data with
Since this website is self-hosted, personal data gathered through the website itself is only shared with our hosting provider NFSN, the security platform Wordfence, and backups provider Jetpack. Newsletter signups are shared with Mailchimp.
We do not share personal data for advertising or any other purposes beyond what is described in this policy.
How long we retain your data
Comments and webmentions, including their metadata, are retained indefinitely so that we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
Personal information provided when signing up to our newsletter is retained indefinitely. If you unsubscribe, you will no longer receive newsletters from us but we will retain your contact details. If you would like your contact details to be deleted, please get in touch so that we can do this for you.
Personal information provided by registered users of the website is stored in the relevant user profile indefinitely. All users can see, edit, or delete their own personal information at any time. Users cannot change their username but are welcome to get in touch with a website administrator if they wish to do so. Website administrators may also see and edit users’ personal information.
The legacy Matomo analytics data was stored in a database backup and was deleted in March 2021. Legacy Google Analytics data is stored for 26 months, until 8 March 2022. Jetpack backups are retained for 30 days.
Please see the Cookies section of this document for information about what cookies we set and when they expire.
How we protect your data
We use SSL encryption to protect our website traffic. Our SSL certificate is issued by Let’s Encrypt. You can recognize an encrypted connection if the URL reads https:// instead of http://. A green lock icon may also be displayed in your browser’s address bar. If you see the green lock icon, try clicking it. In many browsers, clicking the lock icon will give you further information about the website related to your privacy.
Wherever possible, we follow WordPress’s guidance regarding security and complete all CMS and plugin updates as soon as is feasible. We also use Wordfence for more advanced security features.
We avoid transmitting passwords in plain text formats such as spreadsheets, text files, or emails whenever possible, and we strive to use multi-factor authentication (MFA) for all accounts associated with this website.
Data breach procedures
If there is a data breach where personal data may have been compromised, we will get in touch with the affected users where possible and will post an update on this site to let past and future visitors know the nature of the breach and what data may have been involved. Where feasible, we will do so within 72 hours of becoming aware of the breach. We will also report the breach to the relevant supervisory authority where required.
Though we are involved in the development and maintenance of others’ websites and we take care to consider data privacy when offering development services, we are not responsible for the data privacy or privacy policies of other websites since we are not their data controller.
Questions & Feedback