Privacy Policy
Last updated: January 16, 2026
Version 2.2
Overview
This website (nelsonford.net) is operated by Nelson Ford. I respect your privacy and am committed to protecting any personal information you share with me. This policy explains what data I collect and how I use it.
Data Controller
Legal Entity: Nelson Ford (Sole Proprietorship)
Contact for Privacy Matters: privacy@nelsonford.net
Note: As a sole proprietorship operating from a residential address, a business address is not publicly disclosed to protect personal safety. This creates a residual GDPR Art. 13(1)(a) compliance gap. Users requiring a postal address for data protection inquiries may request one via the privacy email above, where alternative arrangements can be made (e.g., PO Box for formal correspondence).
Legal Basis for Processing
I collect and process personal information based on your consent and for legitimate purposes such as responding to inquiries and improving the website. This approach aligns with the General Data Protection Regulation (GDPR) for European visitors and the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian visitors.
For analytics and marketing cookies, I rely on your explicit consent obtained through the cookie consent banner. You can withdraw this consent at any time.
GDPR Legal Basis Mapping (Article 6(1))
For visitors from the European Economic Area (EEA), I rely on the following legal bases under GDPR Article 6(1):
| Processing Activity | Data Processed | Legal Basis | Explanation |
|---|---|---|---|
| Contact form submissions | Name, email, message content | Art. 6(1)(b) - Pre-contractual | Processing necessary to respond to your inquiry and potentially enter into a service contract |
| Cal.com meeting bookings | Name, email, booking details, notes | Art. 6(1)(b) - Contract Performance | Processing necessary to fulfill the scheduled meeting you requested |
| Google Analytics 4 (GA4) | IP address, cookies, browsing behavior, device info | Art. 6(1)(a) - Consent | Only loads after you explicitly accept analytics cookies via consent banner. You can withdraw consent anytime. |
| Microsoft Clarity | Session recordings, clicks, scrolls, device info | Art. 6(1)(a) - Consent | Only loads after you explicitly accept analytics cookies via consent banner. You can withdraw consent anytime. |
| Fathom Analytics | Anonymized page views, referrers (no personal data) | Art. 6(1)(f) - Legitimate Interests | Privacy-first analytics with no cookies, no IP tracking, fully anonymized. Legitimate interest: understanding website performance without profiling or behavioral tracking. Aligned with GDPR recital 47. |
Legitimate Interests Assessment (Fathom): Fathom Analytics is used based on legitimate interests because: (1) it processes no personal data (fully anonymized, no cookies, hashed/salted identifiers), (2) it poses minimal privacy risk, (3) the business need (website performance insights) is proportionate, and (4) users cannot reasonably object to truly anonymous analytics. This balancing test aligns with GDPR recital 47 and ICO guidance on legitimate interests.
Information I Collect
Booking Information
When you book a call through the scheduling widget (powered by Cal.com), I collect the information you provide, including your name, email address, and any notes you add. This information is used solely to conduct and follow up on our meeting and is not shared with third parties for marketing purposes.
Analytics Data
I use multiple analytics services to understand how visitors interact with this website:
- Fathom Analytics - Privacy-first analytics (always active, no consent required). Fathom does not use cookies, does not track personal data, and is fully aligned with GDPR requirements.
- Google Analytics 4 - Detailed traffic analytics (requires consent). Only loads if you accept cookies. GA4 provides aggregated traffic data including: pages visited, time on site, referring source, geographic location (country/city), device type and browser.
- Microsoft Clarity - Session replay and heatmaps (requires consent). Only loads if you accept cookies. Helps understand user behavior through anonymized session recordings and click heatmaps.
Cookies
This website uses cookies in alignment with GDPR and other privacy regulations. When you first visit, you will see a consent banner with two options:
Necessary Cookies Only
These are essential for the website to function and cannot be disabled:
- nelsonford_cookie_consent - Stores your cookie preference (Duration: 365 days)
Analytics and Marketing Cookies (Optional)
If you click "Accept All", the following cookies may be set:
- Google Analytics (_ga, _ga_*, _gid) - Track website usage and traffic patterns
- Microsoft Clarity (_clck, _clsk, CLID, ANONCHK, MR, MUID, SM) - Session replay and heatmaps
- Google Tag Manager - Manages analytics and marketing tags
Third-Party Cookies We Use
Below is a detailed list of cookies, their purpose, and how long they last. This information was verified against official documentation on January 16, 2026.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes unique visitors | 2 years (default), browser-limited to ~400 days |
| _ga_* | Google Analytics 4 | Persists session state (container-specific) | 2 years |
| _gid | Google Analytics 4 | Distinguishes users (short-term identifier) | 24 hours |
| _clck | Microsoft Clarity | Stores unique user ID and preferences | 1 year |
| _clsk | Microsoft Clarity | Groups page views into single session | 1 day |
| CLID | Microsoft Clarity | Identifies first-time visitor across Clarity sites | 1 year |
| ANONCHK | Microsoft (Bing) | Checks if MUID cookie is passed for ads | 10 minutes |
| MR | Microsoft | Tells Microsoft whether to refresh MUID cookie | 7 days |
| MUID | Microsoft | Microsoft user identifier for analytics and advertising | 1 year |
| SM | Microsoft | Synchronizes MUID across Microsoft domains | Session (deleted when browser closes) |
Sources: Cookie expiration data verified from Google Analytics Help and Microsoft Clarity Docs on January 16, 2026.
Managing Your Preferences
You can change your cookie preferences at any time by:
- Clearing your browser cookies and refreshing the page
- Adding ?test-consent to any page URL to display the consent banner again
- Using your browser's cookie settings to block or delete specific cookies
How to Withdraw Cookie Consent
You have the right to withdraw your cookie consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal (GDPR Art. 7(3)).
Withdrawal Methods
Method 1: Re-trigger the Cookie Consent Banner
Add ?test-consent to any page URL (e.g., nelsonford.net/?test-consent). This displays the consent banner again, where you can select "Necessary Cookies Only" to withdraw consent for analytics cookies.
Method 2: Clear Cookies in Your Browser
Delete cookies for nelsonford.net in your browser settings:
- Chrome/Edge: Settings → Privacy and security → Cookies and other site data → See all site data → Search "nelsonford.net" → Remove
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → Search "nelsonford.net" → Remove Selected
- Safari: Settings → Privacy → Manage Website Data → Search "nelsonford.net" → Remove
- Brave: Settings → Shields → Cookies and other site data → See all site data → Search "nelsonford.net" → Remove
After clearing cookies, refresh the page. The consent banner will re-appear. Select "Necessary Cookies Only" to decline analytics cookies.
Method 3: Browser Cookie Blocking
Configure your browser to block third-party cookies entirely. This prevents GA4 and Clarity from loading even if you previously accepted cookies. Note that this may affect functionality on other websites.
Effect of Withdrawal
When you withdraw cookie consent:
- Google Analytics 4 (GA4): Will stop loading. No more browsing behavior, device data, or session tracking.
- Microsoft Clarity: Will stop loading. No more session recordings, heatmaps, or click tracking.
- Fathom Analytics: Continues to run (no consent required). Fathom is privacy-first, fully anonymized, and collects no personal data. Aligned with GDPR without consent under legitimate interests (Art. 6(1)(f)).
Note: Essential cookies (like the consent preference cookie itself) remain active as they are necessary for the website to function. These do not track you and cannot be used for advertising.
How I Use Your Information
I use the information collected to:
- Respond to your inquiries and provide requested services
- Improve the website based on how visitors use it
- Ensure the website functions correctly
I do not sell, rent, or share your personal information with third parties for marketing purposes.
Data Retention
I retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Retention periods are determined by:
- Business necessity: How long the data is needed for the original purpose
- Legal obligations: Tax, accounting, and business record-keeping requirements
- Technical constraints: Third-party service retention policies and data portability limits
- User rights: Your ability to exercise GDPR/CCPA rights (access, deletion, correction)
Retention Periods and Criteria
Contact Form Submissions
Period: 1-2 years after inquiry resolved
Business Logic: Needed to respond to inquiry, track conversation history, and reference past interactions if you contact me again. Enables continuity if discussions resume.
Legal Obligations: Canadian business record-keeping practices recommend retaining business correspondence for tax and audit purposes (CRA guidelines suggest 6 years for business records, but 1-2 years is proportionate for non-contractual inquiries).
Deletion: Automatically deleted after 2 years or upon your request via privacy@nelsonford.net.
Cookie Consent Preferences
Period: 365 days
Business Logic: GDPR/ePrivacy best practice to re-confirm consent annually. Ensures your preferences remain current and you're reminded of data collection practices.
Technical Factors: Browser cookie storage standard. After 365 days, cookie expires and consent banner re-appears on your next visit.
Fathom Analytics Data
Period: Indefinite (aggregated, anonymized form)
Business Logic: Long-term trend analysis for website performance and improvement. No personal data is collected (no cookies, hashed/salted IPs), so retention poses no privacy risk.
Legal Basis: GDPR does not impose retention limits on truly anonymized data (data that cannot identify individuals). Fathom's architecture ensures data is anonymized at collection.
Google Analytics 4 (GA4) Data
Server-Side Data Retention: 14 months
Cookie Lifetime: _ga cookie lasts 2 years (browser-limited to ~400 days), _gid lasts 24 hours. See "Third-Party Cookies We Use" table above for complete cookie duration details.
Business Logic: 14-month server-side retention is sufficient for year-over-year comparisons and seasonal trend analysis while minimizing long-term profiling risk.
Technical Constraints: GA4's standard retention policy (configurable, set to 14 months). Google automatically deletes user and event data after this period.
GDPR Compliance: Proportionate retention period balancing analytics needs with data minimization principle (Art. 5(1)(c)). You can request deletion earlier via privacy@nelsonford.net.
Microsoft Clarity Data
Server-Side Data Retention: 90 days
Cookie Lifetime: _clck and CLID last 1 year, _clsk lasts 1 day, ANONCHK lasts 10 minutes, MR lasts 7 days, MUID lasts 1 year, SM is session-only. See "Third-Party Cookies We Use" table above for complete cookie duration details.
Business Logic: 90-day server-side retention for session replay analysis provides sufficient window to identify and address UX improvements and bug detection.
Technical Constraints: Microsoft Clarity's standard retention policy. Session recordings automatically deleted after 90 days.
GDPR Compliance: Short retention period reflects higher privacy sensitivity of session recordings (pseudonymous behavioral data). Aligns with data minimization principle.
Cal.com Meeting Bookings
Period: Duration of business relationship + 1 year
Business Logic: Needed to conduct scheduled meetings, maintain appointment history, and reference past discussions if we work together again.
Legal Obligations: If meetings lead to professional engagement, booking records may be business records subject to tax/accounting retention (CRA: 6 years from fiscal year end).
Deletion: If no engagement results, booking data deleted 1 year after meeting date. If engagement occurs, retention follows professional services agreement terms.
Google Consent Mode v2
This website implements Google Consent Mode v2, which is compliance-aligned with GDPR. This means:
- All analytics and advertising cookies are set to "denied" by default
- Google services only collect anonymized, aggregated data until you consent
- Once you accept cookies, full analytics tracking begins
- If you decline, only essential functionality cookies are used
This approach ensures alignment with GDPR's requirement for explicit consent before setting non-essential cookies.
Security Measures
I take reasonable steps to protect the information you provide, including using HTTPS encryption for all connections and industry-standard hosting security through Amazon Web Services.
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, I am committed to transparency and timely notification in accordance with GDPR and CCPA requirements.
Notification Timeline
GDPR-Applicable Breaches (EEA Residents)
Timeline: Within 72 hours of becoming aware of the breach (GDPR Art. 33-34)
Triggers: Breach likely to result in a risk to your rights and freedoms (e.g., unauthorized access to names, emails, booking details, or session data).
Notification to Supervisory Authority: Within 72 hours to applicable Data Protection Authority.
Notification to Affected Individuals: Without undue delay if breach is likely to result in high risk to your rights (e.g., potential identity theft, fraud, or significant harm).
CCPA-Applicable Breaches (California Residents)
Timeline: Without unreasonable delay (Cal. Civ. Code §1798.82)
Triggers: Unauthorized acquisition of unencrypted or unredacted personal information that compromises security, confidentiality, or integrity of the information.
Notification Method: Email to affected California residents (if email address is held).
Notification Method
If you are affected by a data breach, I will notify you by:
- Email: Sent to the email address you provided (contact form, Cal.com booking)
- Website Notice: Prominent notice posted on the homepage if email contact is not available
Breach Notification Contents
Notifications will include:
- Nature of the breach (what data was compromised)
- Categories and approximate number of affected individuals
- Likely consequences of the breach
- Measures taken or proposed to mitigate harm
- Contact information for questions (privacy@nelsonford.net)
- Steps you can take to protect yourself (e.g., password changes, fraud monitoring)
Breach Prevention Measures
To minimize breach risk, I implement:
- HTTPS encryption (TLS 1.3) for all data in transit
- AES-256 encryption for data at rest (AWS S3/CloudFront)
- Minimal data collection and retention (only what's necessary)
- Third-party security certifications (AWS ISO 27001, SOC 2; Cal.com ISO 27001, SOC 2)
- Regular security monitoring and updates
- Privacy-by-design principles (e.g., Fathom anonymized analytics, IP anonymization in GA4)
Your Rights
Under GDPR, PIPEDA, and other privacy regulations, you have the following rights:
- Right of Access - Request a copy of any personal data I hold about you
- Right to Rectification - Request correction of inaccurate personal data
- Right to Erasure - Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing - Request that I limit how I use your data
- Right to Data Portability - Request a machine-readable copy of your data
- Right to Object - Object to processing of your personal data
- Right to Withdraw Consent - Withdraw cookie consent at any time without affecting the lawfulness of processing before withdrawal
- Right to Lodge a Complaint - Lodge a complaint with a supervisory authority if you believe your data protection rights have been violated
To exercise any of these rights, please contact me using the details in the Contact section below. I will respond to your request within 30 days.
Exercise Your Rights Online (Self-Service)
For immediate self-service access to your data, use the tools below. These comply with GDPR Article 15 (Right to Access), Article 17 (Right to Erasure), and Article 20 (Right to Data Portability).
Note: These tools access data stored in your browser (localStorage, sessionStorage, cookies). For data stored on servers (contact form submissions, Cal.com bookings), please email privacy@nelsonford.net.
Right to Lodge a Complaint with Supervisory Authority
Under GDPR Article 77, you have the right to lodge a complaint with a data protection supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement. This right exists regardless of any other administrative or judicial remedy you may pursue.
Example Supervisory Authorities:
- United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk/make-a-complaint
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) - cnil.fr/en/plaintes
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) - bfdi.bund.de
- Canada (Ontario): Office of the Information and Privacy Commissioner of Ontario (IPC) - ipc.on.ca/filing-a-privacy-complaint
- All EEA Countries: Find your national authority at edpb.europa.eu
Important: Lodging a complaint with a supervisory authority does not prevent you from pursuing other remedies, including judicial remedies. You may pursue both avenues simultaneously.
California Residents - Your Privacy Rights (CCPA/CPRA)
This section applies to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
In the preceding 12 months, I have collected the following categories of personal information:
| Category | Examples | Collected | Source |
|---|---|---|---|
| A. Identifiers | Name, email, IP address | YES | Directly from you (forms), automatically (analytics) |
| B. Personal information (Cal. Civ. Code §1798.80) | Name, email | YES | Directly from you |
| C. Protected classifications | None | NO | N/A |
| D. Commercial information | Service inquiries | YES | Directly from you |
| F. Internet activity | Pages visited, clicks, search queries | YES | Automatically via cookies/analytics |
| G. Geolocation data | Country, region (approximate) | YES | Automatically via analytics |
| I. Professional/employment information | Job title (if provided) | YES | Directly from you |
Business/Commercial Purpose for Collection
I use personal information for the following business purposes:
- Responding to service inquiries and providing requested information
- Scheduling and conducting consultation calls
- Website analytics and improvement
- Detecting and preventing fraud or security incidents
- Debugging and error repair
- Internal research for technology development
Categories of Third Parties
I share personal information with the following categories of third parties:
- Analytics providers: Google (GA4), Microsoft (Clarity), Fathom Analytics
- Scheduling platforms: Cal.com
- Cloud infrastructure providers: Amazon Web Services (AWS)
Sale or Sharing of Personal Information
Do I sell personal information? NO. I do not sell personal information as defined by the CCPA.
Do I share personal information for cross-context behavioral advertising? YES. When you accept analytics cookies, data may be shared with Google Analytics 4 and Microsoft Clarity, which may use it for advertising purposes on their own platforms. You can opt out via the cookie consent banner or the link below.
Right to Opt-Out: Do Not Sell or Share My Personal Information
Your CCPA Rights
California residents have the following rights:
1. Right to Know (§1798.100)
Right to request disclosure of personal information collected, including categories and specific pieces of information. Response provided within 45 days (extendable to 90 days with notice).
2. Right to Delete (§1798.105)
Right to request deletion of personal information, subject to exceptions for legal obligations, fraud prevention, and internal uses. Response provided within 45 days.
3. Right to Correct (§1798.106, CPRA)
Right to correct inaccurate personal information. Response provided within 45 days.
4. Right to Opt-Out of Sale/Sharing (§1798.120)
Right to opt out of sale or sharing of personal information. Honored via cookie consent banner and "Do Not Sell or Share" link above.
5. Right to Limit Use of Sensitive Personal Information (§1798.121, CPRA)
Not applicable (no sensitive PI collected as defined by CPRA).
6. Right to Non-Discrimination (§1798.125)
You will not be discriminated against for exercising CCPA rights. No denial of services, different prices, or degraded service quality.
Exercising Your CCPA Rights
To exercise your rights:
- Email: privacy@nelsonford.net
- Subject line: "CCPA Request - [Right to Know/Delete/Correct]"
- Include: Your name, email, and California residency confirmation
Verification: I will verify your identity before processing requests using email confirmation for low-risk requests and additional information for higher-risk requests (deletion).
Authorized Agents: You may designate an authorized agent to make requests on your behalf by providing written authorization.
Response Timeline: 45 days (extendable to 90 days with notice)
Children's Privacy (COPPA Compliance)
This website is not intended for children under the age of 13, and I do not knowingly collect personal information from children under 13 years of age.
Children's Online Privacy Protection Act (COPPA)
Under the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501-6506), operators of websites directed to children under 13, or with actual knowledge of collecting personal information from children under 13, must obtain verifiable parental consent before collection.
This website:
- Is not directed to children under 13 (content is professional services for businesses)
- Does not knowingly collect, use, or disclose personal information from children under 13
- Does not permit children under 13 to publicly post or distribute personally identifiable information
- Does not condition a child's participation on disclosure of more information than is reasonably necessary
If We Learn of Collection from a Child Under 13
If I become aware that personal information has been collected from a child under 13 without verifiable parental consent, I will:
- Delete the information as soon as reasonably practicable
- Not use the information for any purpose
- Not disclose the information to third parties
Contact if Child Data Suspected
If you are a parent or guardian and believe your child under 13 has provided personal information to this website, please contact me immediately at:
Email: privacy@nelsonford.net
Subject line: "COPPA - Child Data Removal Request"
Upon receiving such a request, I will promptly investigate and delete any personal information collected from the child.
Third-Party Services
This website uses the following third-party services:
- Fathom Analytics - Privacy-first website analytics (no consent required). Privacy Policy
- Google Tag Manager / Google Analytics 4 - Website analytics (requires consent). Privacy Policy
- Microsoft Clarity - Session replay and heatmaps (requires consent). Privacy Policy
- Cal.com - Scheduling and booking calls. Privacy Policy
- Amazon Web Services (S3/CloudFront) - Website hosting and content delivery. Privacy Policy
These services have their own privacy policies governing how they handle data. I have no control over and assume no responsibility for the privacy practices of these third-party services.
International Data Transfers
Some personal data is transferred to and processed in countries outside the European Economic Area (EEA) and Canada. In accordance with GDPR Articles 44-50 and the Schrems II decision (C-311/18), I provide the following transparency about international transfers and safeguards:
Third-Party Services and Transfer Mechanisms
Google Analytics 4 (GA4) - United States
Data Transferred: IP addresses (anonymized), cookies, browsing behavior, device information
Transfer Mechanism: Google's EU-US Data Privacy Framework certification and Standard Contractual Clauses (SCCs) (Module 2: Controller to Processor)
Safeguards: IP anonymization enabled, consent-based activation only, data minimization (no cross-device tracking), encryption in transit (TLS 1.3) and at rest (AES-256).
Microsoft Clarity - United States
Data Transferred: Session recordings, click/scroll events, device information
Transfer Mechanism: Microsoft's EU-US Data Privacy Framework certification and Data Protection Addendum (DPA) with Standard Contractual Clauses
Safeguards: Consent-based activation only, masking of sensitive input fields (passwords, credit cards), 90-day retention limit, encryption in transit and at rest.
Cal.com - United States
Data Transferred: Name, email, meeting preferences, booking notes
Transfer Mechanism: Data Processing Agreement (DPA) available upon request via Cal.com Trust Center. Cal.com claims GDPR compliance-alignment (see Cal.com Privacy Policy).
Safeguards: Encryption in transit (TLS), ISO 27001 and SOC 2 Type II certified infrastructure, minimal data collection (only booking essentials), no advertising or profiling.
Amazon Web Services (S3/CloudFront) - United States
Data Transferred: Website access logs (IP addresses, timestamps, user agents)
Transfer Mechanism: AWS Data Processing Addendum (DPA) with Standard Contractual Clauses (Module 1: Controller to Controller)
Safeguards: Server-side encryption (AES-256), TLS 1.3 for all connections, minimal logging (access logs only, no application data), 90-day log retention, AWS Compliance Programs (ISO 27001, SOC 2).
Fathom Analytics - Germany (EU)
Data Transferred: None (EU-based processing, no international transfer)
Server Location: Frankfurt, Germany (AWS eu-central-1 region)
Privacy Characteristics: No cookies, no personal data collected, fully anonymized analytics. GDPR compliance-aligned by design. Chosen specifically as privacy-first alternative to US-based analytics.
US Surveillance Law Risk Assessment (Schrems II)
Following the Schrems II decision (C-311/18), I have assessed the risks of US government surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333:
Risk Assessment: The data transferred to US-based services (GA4, Clarity, Cal.com, AWS) is primarily pseudonymous (IP addresses, device identifiers, session data) or limited contact information. While these services are subject to US surveillance laws, the following factors mitigate risk:
- Data is not "targeted" for intelligence purposes (ordinary website analytics and hosting)
- Minimal data collection (only what's necessary for stated purposes)
- Short retention periods (90 days to 14 months)
- Technical safeguards (encryption, anonymization, consent-based activation)
- EU-based alternative available (Fathom Analytics for core website metrics)
User Choice: If you are concerned about US surveillance risks, you can:
- Decline analytics cookies (GA4/Clarity will not load; only EU-based Fathom will track visits)
- Use privacy-focused browsers (Brave, Firefox with tracking protection) or VPNs
- Exercise your right to object or request deletion via privacy@nelsonford.net
Supplementary Measures
Beyond Standard Contractual Clauses, I implement the following supplementary measures recommended by the European Data Protection Board (EDPB) to protect data transferred to the US:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Pseudonymization: IP anonymization (GA4), hashed identifiers (Fathom)
- Data Minimization: Only essential data collected, no cross-device tracking or profiling
- Consent-Based Activation: GA4 and Clarity only load after explicit cookie consent
- Short Retention: 90 days (Clarity), 14 months (GA4) vs. indefinite retention
- Transparency: This comprehensive disclosure of transfers, risks, and safeguards
- EU Alternative: Fathom Analytics provides core metrics without leaving EU jurisdiction
Your Rights Regarding International Transfers
If you are in the EEA and object to your data being transferred outside the EU, you may:
- Decline analytics cookies (this prevents GA4/Clarity transfers; Fathom remains EU-based)
- Request deletion of any data already transferred via privacy@nelsonford.net
- Lodge a complaint with your national Data Protection Authority (see EDPB website for contacts)
Contact
If you have any questions about this privacy policy or how your data is handled, please contact me at privacy@nelsonford.net or use the contact form.
Changes to This Policy
I may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. Material changes will be noted in the change log below.
Change Log
Version 2.2 - January 16, 2026
Accurate cookie lifetime disclosures (LEGAL-REMEDIATE-013):
- Added "Third-Party Cookies We Use" table with specific cookie names, purposes, and expiration times
- Documented Google Analytics cookies: _ga (2 years, browser-limited ~400 days), _ga_* (2 years), _gid (24 hours)
- Documented Microsoft Clarity cookies: _clck (1 year), _clsk (1 day), CLID (1 year), ANONCHK (10 minutes), MR (7 days), MUID (1 year), SM (session)
- Clarified distinction between cookie lifetime (how long cookies persist in browser) and server-side data retention (how long providers keep data)
- Added verification date and source links (Google Analytics Help, Microsoft Clarity Docs)
- Updated Data Retention section to include both cookie lifetimes and server retention periods
Cookie expiration data verified January 16, 2026. Quarterly cookie audit scheduled for April 16, 2026.
Version 2.1 - January 16, 2026
Added self-service data subject rights tools (LEGAL-REMEDIATE-009):
- Added "View My Data" button - displays all localStorage, sessionStorage, and cookies (GDPR Art. 15)
- Added "Export My Data" button - downloads data as JSON file (GDPR Art. 20, CCPA §1798.100)
- Added "Delete My Data" button - clears all browser-stored data with confirmation dialog (GDPR Art. 17, CCPA §1798.105)
- All tools comply with WCAG 2.1 AA accessibility standards
- Tools accessible in "Your Rights" section of this privacy policy
Version 2.0 - January 16, 2026
Major compliance update based on legal review (LEGAL-001):
- Added comprehensive CCPA/CPRA compliance section with all required disclosures
- Added Data Controller section with contact information
- Documented residual GDPR Art. 13(1)(a) compliance gap (business address omission)
- Added "Do Not Sell or Share My Personal Information" opt-out mechanism
- Added detailed CCPA rights explanation (Know, Delete, Correct, Opt-Out, Non-Discrimination)
- Documented Google Analytics 4 and Microsoft Clarity as "sharing" under CCPA
- Added categories of personal information collected (CCPA compliance-aligned format)
- Added change log to track material policy changes
- Updated effective date to specific date with version number
Previous version archived: project/legal-archives/privacy-v1.0-2025-01-archived.astro
Version 1.0 - January 2025
Initial privacy policy with GDPR compliance, cookie consent, and third-party service disclosures.