This page explains what personal data is collected when you visit this site or
contact me through it, why it's collected, who processes it, and your rights
under the EU General Data Protection Regulation (GDPR).
Who is responsible for your data
The data controller for this site is:
Engagements are invoiced through Frilans Finans Sverige AB
(Sweden's largest umbrella employer for freelancers, org-nr 556802-1199),
which acts as the formal employer of record for each contract. Frilans Finans
is not involved in handling data submitted via this site's contact form — that
data flows only through the sub-processors listed below.
What data is collected, and why
Contact form submissions
When you submit the contact form on the home page, the following data is sent
to me by email and processed by my email service provider:
- Name — to address you in my reply.
- Email address — to reply to you.
- Selected service categories (optional) — to understand the type of work you're enquiring about.
- Project brief text (optional) — to scope the conversation.
Legal basis: Article 6(1)(b) GDPR — pre-contractual measures
taken at your request.
Anti-abuse and security data
To protect the form against bots and abuse, the following data is processed
when you submit (or attempt to submit) the form:
- IP address — used for rate limiting (5 submissions per IP per hour) and CAPTCHA verification.
- Browser metadata (User-Agent, JavaScript environment fingerprint) — used by Cloudflare Turnstile to determine whether you are likely a human or a bot.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in preventing
spam and automated abuse of the contact channel.
Server logs
The hosting provider records standard access logs (timestamp, requested URL,
HTTP status, IP address, User-Agent) for operational and security purposes.
These are retained for a short period and not combined with any other data.
Who processes your data (sub-processors)
I rely on the following service providers to operate this site. Each is bound
by a Data Processing Agreement (DPA) and processes data only on documented
instructions:
-
Vercel Inc. (USA, with EU functions region) — hosts this site
and runs the contact-form serverless function. The function is pinned to the
Frankfurt (eu-central-1 / fra1) region. Vercel relies on EU Standard
Contractual Clauses for any onward transfer.
(privacy policy)
-
Cloudflare, Inc. (USA) — provides the Turnstile bot-detection
challenge embedded in the form. Turnstile does not use tracking cookies but
processes IP and browser metadata to score the request. Cloudflare relies on
EU Standard Contractual Clauses.
(privacy policy)
-
Sendinblue SAS / Brevo (France, EU) — sends the contact-form
email and stores transactional logs for a limited period. EU-native processor;
no transfer outside the EEA for this data.
(privacy policy)
-
Upstash Inc. (USA, with EU region) — stores rate-limit counters
keyed by IP for one hour, used to enforce the 5-per-hour submission cap. The
database is in Frankfurt (eu-central-1).
(privacy policy)
-
Microsoft Corporation (USA, with regional data centres) — provides
the recipient mailbox where contact-form messages land. Subject to Microsoft's
standard EU data-handling commitments.
(privacy statement)
How long data is kept
- Contact-form submissions: retained in my inbox while the conversation is active and for up to 24 months afterwards for reference, unless you ask for earlier deletion.
- Brevo transactional logs: retained per Brevo's defaults (~30 days for content, longer for metadata).
- Rate-limit counters in Upstash: auto-expire after 1 hour.
- Server access logs: retained per Vercel defaults (typically up to 30 days).
Cookies and tracking
This site does not set tracking or analytics cookies. The only
client-side storage used is whatever Cloudflare Turnstile may set during the
bot challenge, which is purely functional and is not used for advertising or
cross-site tracking.
Your rights under GDPR
You have the right to:
- Request access to the personal data I hold about you (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request erasure of your data (Art. 17)
- Restrict or object to processing (Art. 18, 21)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Withdraw consent at any time, where processing is based on consent (Art. 7)
To exercise any of these rights, email
jonathancryer-dev@outlook.com.
I will respond within one month of receipt as required by Article 12(3),
extendable by two further months for complex or high-volume requests.
Right to lodge a complaint
If you believe your rights have been infringed, you can lodge a complaint with
the supervisory authority where you reside or work. In Sweden, this is the
Integritetsskyddsmyndigheten (IMY);
in Denmark, the
Datatilsynet.
Changes to this policy
I may update this policy when site infrastructure or legal requirements change.
The "Last updated" date at the top reflects the most recent revision. Significant
changes will be highlighted in this section for at least 30 days after publication.
← Back to the home page