Privacy

1. Who publishes this and who is the controller

This website (the publication) is published by Corviado Ltd, a company registered in England and Wales (company number 17098795), whose registered office is at 86-90 Paul Street, 3rd Floor, London EC2A 4NE.

Corviado Ltd is the data controller for the personal data processed in connection with the publication, for the purposes of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (the DPA 2018).

2. What data we collect and how we collect it

Our collection is intentionally narrow. In ordinary use of the publication, the only personal data we collect is that listed below.

2.1 Server logs

Our hosting provider records standard server logs when a page is requested. These logs include the requesting IP address, the user agent string of the browser, the timestamp of the request, the requested URL, and the HTTP status code returned. Server logs are used to operate the publication reliably, to detect and investigate abuse, and to diagnose technical problems.

2.2 Correspondence

If you write to us — by email, by post, or through any other correspondence channel — we receive and retain the content of that correspondence together with the metadata that ordinary email or postal systems produce (sender address, timestamps, and so on).

2.3 What we do not collect

We do not operate a newsletter, membership scheme, or user account system at this time. We do not run advertising. We do not maintain analytics tools (including Google Analytics, Plausible, Fathom, or similar). We do not set marketing, profiling, or targeting cookies. We do not use pixel trackers or fingerprinting technologies. If any of these positions change, this policy will be revised first and the date at the top of this page will be updated accordingly.

3. Lawful basis for processing

We process personal data under the following lawful bases in Article 6 of the UK GDPR:

• Legitimate interests (Article 6(1)(f)) for server logs, to operate and secure the publication. The interest pursued is the continued availability and integrity of the publication, balanced against the limited and transient nature of the data collected.
• Legitimate interests (Article 6(1)(f)) and, where relevant, performance of a contract or steps taken at your request prior to entering into a contract (Article 6(1)(b)) for responding to correspondence you initiate with us.
• Legal obligation (Article 6(1)(c)) where we are required to retain or disclose data to comply with applicable UK law, including a court order, a lawful direction of a regulator, or a tax or company record-keeping obligation.

We do not rely on consent for any processing described above. If we introduce any processing that requires consent in the future — for example a newsletter or analytics — we will ask for that consent in a separate, specific, and freely-given manner before collecting any data.

4. Cookies and similar technologies

The publication uses only strictly necessary cookies or local storage as required to deliver core functionality of the site. These are permitted under regulation 6(4) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) without consent.

No cookies are set for analytics, advertising, profiling, or personalisation. Because no non-essential cookies are used, no cookie banner is displayed; the ICO’s position, with which we agree, is that a consent banner should not be shown where there is nothing substantive to consent to.

If non-essential cookies are introduced in the future we will first ask for your prior, specific, and freely-given consent as required by PECR, and you will be able to accept, reject, or withdraw consent individually by category.

5. How long we keep data

Retention is kept short and proportionate to purpose.

• Server logs are retained by our hosting provider on its standard schedule (typically between a few days and a few weeks) and are not copied into longer-term storage by the publication.
• Correspondence with us is retained for as long as is reasonable to respond to the correspondence and to maintain a record of it, and in any event no longer than is necessary for the purpose for which it was sent. In practice, correspondence is retained for up to three (3) years unless a longer period is required by law or by the nature of the matter.
• Data required by law to be retained for tax, accounting, or company-law purposes is kept for the period required by the applicable legal provision.

6. Who we share data with

We share personal data only with service providers necessary for the operation of the publication, and only to the extent required for their services. Each processor acts under a written agreement that requires them to process the data only on our documented instructions and to protect it to the standards required by the UK GDPR.

The publication’s processors are:

• Vercel Inc., a Delaware corporation, which hosts the publication’s pages and records the standard server logs described at clause 2.1. Vercel’s privacy information is published at vercel.com/legal/privacy-policy.
• Proton AG, a Swiss corporation, which operates the email service (Proton Mail) used for editorial correspondence to and from the publication. Proton’s privacy information is published at proton.me/legal/privacy.

Each processor acts under the publisher’s standard data-processing terms (for Vercel, its Data Processing Addendum; for Proton, its equivalent) as required by Article 28 of the UK GDPR. We keep an up-to-date internal record of processing activities and will inform you of any change of processor that materially affects how your data is handled.

We do not sell personal data. We do not share personal data with advertisers, data brokers, political organisations, or for any form of profiling by third parties.

We may disclose personal data where required to do so by UK law, including in response to a valid court order or lawful regulator request, or where disclosure is necessary to establish, exercise, or defend legal claims.

7. International transfers

Some of our service providers process personal data on infrastructure located outside the United Kingdom. Specifically:

• Vercel Inc. serves the publication from infrastructure in the European Union and the United States. Transfers to Vercel in the United States are made under the UK International Data Transfer Agreement (the IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses, as appropriate, with supplementary measures where required following an assessment of the kind described in Schrems II (Case C-311/18).
• Proton AG processes email data in Switzerland. The Secretary of State has made an adequacy regulation in respect of Switzerland under section 17A of the DPA 2018, which means that transfers to Switzerland do not require any additional safeguards beyond the processing agreement in clause 6.

Copies of the safeguards relied upon are available on request using the contact details in clause 10.

8. Your rights under UK data protection law

Subject to the conditions set out in the UK GDPR and the DPA 2018, you have the following rights in respect of personal data that we process about you:

• The right to be informed — this policy, together with the information we provide on request, is intended to satisfy this right.
• The right of access — you may ask us for a copy of the personal data we hold about you, and for information about how we process it.
• The right to rectification — you may ask us to correct personal data you believe is inaccurate, or to complete data you believe is incomplete.
• The right to erasure — you may ask us to delete personal data in the circumstances permitted by the UK GDPR.
• The right to restrict processing — you may ask us to limit the ways in which we process personal data about you, in the circumstances permitted by the UK GDPR.
• The right to data portability — where we process your personal data on the lawful bases of consent or contract, by automated means, you may ask us to provide a copy in a structured, commonly used, machine-readable format, or to transmit it to another controller where technically feasible.
• The right to object — where we process your personal data on the lawful basis of legitimate interests, you may object to the processing on grounds relating to your particular situation.
• Rights in relation to automated decision-making and profiling — we do not make decisions about you by solely automated means, and we do not profile you, so this right does not currently engage; we note it for completeness.

9. How to exercise your rights

To exercise any of the rights in clause 8, please write to the email or postal address given in clause 10, with enough information to enable us to identify you and your request. We may ask for further information, including identity verification, where reasonable and necessary to confirm your identity.

We will respond without undue delay, and in any event within one (1) month of receipt, as required by Article 12(3) of the UK GDPR. Where a request is particularly complex or we receive a number of requests from the same person, we may extend that period by a further two (2) months and will tell you if we do so and why.

Most requests are handled without charge. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, we may charge a reasonable fee to cover our administrative costs or refuse to act on the request, and will explain our decision.

10. Contact

For any privacy-related correspondence, including to exercise a right described in clause 8, please write to:

Corviado Ltd
Data Protection
86-90 Paul Street, 3rd Floor
London EC2A 4NE
United Kingdom

Or by email to the address published on our About page, marked “Data Protection” in the subject line.

As a small organisation the publication is not required by Article 37 of the UK GDPR to appoint a formal Data Protection Officer. Responsibility for data-protection matters sits with the publisher directly.

11. Children

The publication is not directed at children and does not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us using the details in clause 10 and we will delete it.

12. Complaints to the Information Commissioner

If you are dissatisfied with our handling of your personal data you are entitled to complain to the United Kingdom’s data-protection regulator, the Information Commissioner’s Office, at ico.org.uk. We would normally appreciate the opportunity to deal with your concerns directly before you approach the ICO, but you are under no obligation to contact us first.

13. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by Article 32 of the UK GDPR. These measures include access controls, encryption in transit for correspondence sent over modern email protocols, short retention periods, and careful selection of processors with their own demonstrable security arrangements. No system is perfectly secure, and where we are required to notify a personal data breach we will do so within the timeframes required by the UK GDPR and the DPA 2018.

14. Changes to this policy

We may revise this policy from time to time — for example, if our processing operations change, if a processor is added or replaced, or if data-protection law changes. The revised version will be published on this page with an updated last revised date in the masthead above. Material changes will be flagged at the top of this page for a reasonable period following the revision. We recommend that you check this page periodically.