Privacy
What this site logs, why, for how long, who else processes it, and how to exercise your rights. Written to satisfy Articles 13 and 14 of the UK GDPR and the Data Protection Act 2018.
Last reviewed 6 May 2026.
1. Who I am
I’m Giuseppe Giona, a sole trader based in England. For the data this site processes, I’m the data controller.
- Registered with the Information Commissioner’s Office under the Data Protection (Charges and Information) Regulations 2018.
- Privacy contact: [email protected].
2. What gets logged
The site is deliberately minimal. No advertising, no analytics tracker, no behavioural profiling. The data below is what gets processed.
Server access logs
When you load a page, the hosting platform records the request: IP address, User-Agent, requested path, response status, response size, timestamp. Standard for any web server. Held around thirty days at the platform layer, then deleted.
Edge logs
Cloudflare sits in front of the site and records similar request metadata to filter abusive traffic and serve cached content. Typical retention is twenty-four hours to seven days at the edge, depending on the log category.
/api/analyse submissions
When you submit a Bitcoin address to the analyser, the address and its result may be cached for up to one hour to limit duplicate calls to the Blockstream API. The IP address from which the submission came is held for rate-limiting in a short-lived in-memory map; not written to disk.
beacon submissions
When you submit a domain to beacon.giuseppegiona.com, the domain, the scan result, the submitter’s IP, and the timestamp are kept for up to ninety days. This window exists so a complaint about misuse can be looked into. After ninety days the record is deleted.
Decoy endpoints
Some paths under this domain exist to detect automated abuse. A request that reaches one of those is logged with its IP, User-Agent, request line, and timestamp, and may be kept up to twelve months for security analysis. A normal visit to a real page on the site doesn’t reach a decoy endpoint.
3. Why I’m allowed to do this
Under Article 6 of the UK GDPR, I rely on:
- Article 6(1)(b) — processing necessary to operate a service you’ve asked for. This covers the basic request handling for the analyser endpoints.
- Article 6(1)(f) — legitimate interest in detecting and investigating abuse of the site. This covers security logs, edge logs, decoy endpoints, and the ninety-day beacon retention.
On the legitimate-interest side, the balancing leans clearly in favour of processing: the data is request metadata, not content; retention is at the short end of industry norms; nothing is joined with anything else, sold, or used for advertising. If you read this and disagree, you can object — see section 8 below.
4. Cookies
The site doesn’t set tracking cookies. The only cookies that may appear are functional ones set by the hosting or edge platform to route requests correctly; short-lived, no personal identifiers tied to you.
5. Who else handles this data
The following processors handle data on my behalf. Each has its own published security and privacy controls.
- Vercel Inc. — hosting and serverless functions. privacy policy, data processing addendum.
- Cloudflare Inc. — DNS and edge protection. privacy policy.
- Supabase Inc. — durable store for security and abuse logs. privacy policy.
6. International transfers
Some processors above are based outside the UK. Where data is transferred internationally, it’s covered by the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, published by the ICO. Where the destination country has UK adequacy, transfers rely on that.
7. Retention summary
- Server access logs: around 30 days.
- Edge logs: 24 hours to 7 days.
- /api/analyse cache and rate-limit data: in-memory only, up to one hour.
- beacon submission records: up to 90 days.
- Decoy endpoint hits: up to 12 months.
- Email correspondence: kept while the matter’s live, then archived or deleted.
8. Your rights
Under UK GDPR you can ask to see what I have on you, correct it, delete it, restrict how I use it, get a copy in a portable format, or object to me processing it where I rely on legitimate interest. If you object, I stop unless I can show a compelling reason that overrides your interests; either way, I tell you the answer in writing.
Email [email protected] with what you want and enough information to find the record (typically the IP address you used and the approximate time). I respond within one calendar month, usually faster.
9. The ICO
If you’re not happy with how a request is handled, you can complain to the Information Commissioner’s Office at ico.org.uk/make-a-complaint. You can do this without contacting me first.
10. Children
The site isn’t designed for, or directed at, children under thirteen. If you think a child has interacted with the site and you’d like related logs deleted, email [email protected].
11. Changes
This notice may change. Substantive changes update the “Last reviewed” date at the top. Earlier versions are kept and available on request.