How I handleyour data

Nelson Ford, independent practitioner based in Ottawa, Ontario, Canada. I am the data controller for this site. You can reach me at hello@nelsonford.net.

Three things, with different rules for each.

Server access logs. When you load a page, the hosting infrastructure records standard server access logs: your IP address, the path you requested, a timestamp, and your browser's user-agent string. These logs rotate per the hosting provider's defaults, generally 30 to 90 days.

Contact form contents. When you send a note through the contact form, your name, email, and message arrive in my inbox as a regular email. The form opens your own mail client, so you are the sender. I become the data controller when the message reaches me.

Analytics and ad measurement, only with your consent. On your first visit, a cookie banner asks whether you are OK with two optional categories: Analytics and Ads. Each is off by default. If you decline, or your browser sends a Do Not Track or Global Privacy Control signal, nothing in either category loads.

• Analytics, when you accept it, loads Google Tag Manager (container GTM-T5SJ483Q), which fires the analytics tags configured in that container. Today that is aimed at Google Analytics 4 pageview counts. Google processes the data in the United States under Google Consent Mode v2 settings.
• Ads, when you accept it, allows ad measurement tags configured in the same container to fire (used to attribute campaign visits).
• Fathom Analytics (site QMKTJHYT) runs cookie-free first-party page metrics. It does not set cookies, does not store IP addresses, and is operated by Fathom Analytics in Canada. It loads on every production pageview, including for visitors who decline the optional categories above, because it does not involve the kind of processing that ePrivacy gates on consent.

You can revisit your choice at any time using the Cookie preferences link in the site footer.

For inquiry handling, basic site operation, and (with your consent) understanding which pages people read.

Lawful bases under the GDPR:

• Server access logs. Article 6(1)(f), legitimate interest in keeping the site available and safe.
• Contact form. Article 6(1)(f), legitimate interest in replying to people who write to me.
• Analytics and Ads cookies. Article 6(1)(a), your explicit consent through the banner.
• Fathom. Article 6(1)(f), legitimate interest in understanding aggregate site usage; the cookie-free design keeps the impact on you minimal.

Under PIPEDA, the basis for all of the above is implied or express consent, matched to the channel you used and the choice you made on the banner.

Server access logs follow the hosting provider's retention window, generally 30 to 90 days.

Inquiry emails stay in my mailbox for the life of the engagement and a reasonable record-keeping period after, typically up to seven years to satisfy professional and tax obligations. If you write to me and the conversation does not lead to a working relationship, I keep your message only as long as is useful for follow-up. You can ask me to delete it at any time.

Analytics data inside Google Analytics 4 follows the GA4 default retention of 14 months and rolls off automatically. Fathom rolls its aggregate site data forward without identifying individuals.

Your stored consent choice itself lives in your browser's localStorage on this site as nf.consent.v1. Clearing your site data resets the banner.

Three external parties, with the consent-gated ones only after you opt in.

• Amazon Web Services, my hosting provider, for serving the site and standard log infrastructure.
• Google, only if you accept Analytics or Ads. Google processes the data in the United States.
• Fathom Analytics in Canada, for the cookie-free first-party page metric.

There is no advertising network outside the optional Ads category, no CRM enrichment, and no AI training pipeline ingesting visitor or inquiry data. Fonts are served directly from this site, not from Google Fonts or any third party.

Under PIPEDA, you can request access to the personal information I hold about you, ask me to correct it, and complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Under GDPR, if you are in the EEA or UK, you have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You can complain to your national supervisory authority. In the UK, that is the Information Commissioner's Office at ico.org.uk.

To withdraw consent for Analytics or Ads cookies, click Cookie preferences in the footer, change your choice, and save. Withdrawing consent stops new data from being collected by Google going forward. To request deletion of data already collected, email me and I will route the request through Google Analytics' data deletion controls.

For any of these requests, email hello@nelsonford.net. I will reply within thirty days.

This site is not directed at children under thirteen, and I do not knowingly collect their personal information.