Privacy Policy
This site (steblik.com) is operated by Miroslaw Steblik (data@steblik.com), a sole trader based in the United Kingdom, acting as the data controller under the UK GDPR and EU GDPR.
This policy describes what personal data is collected when you use the site, the lawful basis for processing it, who it is shared with, how long it is kept, and the rights you have under data protection law.
Summary
- The only personal data collected at registration is your email address.
- No analytics, no tracking pixels, no third-party advertising.
- Cookies are limited to those strictly necessary for login and security.
- Email is sent via Resend (US) under standard contractual clauses.
- You can request access, correction, or deletion at any time.
Data collected
Account data
- Email address — used to log in, verify your account, and send password resets and other account-related messages.
- Hashed password — stored using PBKDF2-SHA256 with a per-user random salt (the Django default password hasher). The plain-text password is never stored.
- Date of registration and last login — stored alongside your account for security and account management.
No name, postal address, payment details, or other personal information is collected at registration. Providing an email address is required to create an account; the site can otherwise be browsed without registering.
Cookies
The site sets two cookies, both strictly necessary:
- sessionid — keeps you signed in. Expires after two weeks of inactivity or when you log out.
- csrftoken — prevents cross-site request forgery. Expires after one year.
Both cookies are exempt from the consent requirement under the Privacy and Electronic Communications Regulations (PECR) and the ePrivacy Directive, as they are strictly necessary for the service you have requested. They are not used for tracking, analytics, or profiling.
Server logs
Standard web-server access logs record your IP address, user agent, requested URL, response status, and timestamp. Logs are retained for 14 days and then automatically deleted. They are used for debugging, abuse prevention, and security monitoring.
What is not collected
- No analytics or tracking scripts (no Google Analytics, no tracking pixels, no fingerprinting).
- No third-party advertising networks.
- No social media embeds that load tracking code.
- Fonts are self-hosted — no requests are made to Google Fonts or any external font CDN.
Lawful basis for processing
Under Article 6 of the UK/EU GDPR, the lawful bases for processing are:
- Account creation, authentication, and transactional email — performance of a contract (Art 6(1)(b)). When you create an account, you enter into a contract with the operator to provide access to the service.
- Session and CSRF cookies, server logs, security monitoring — legitimate interests (Art 6(1)(f)): keeping the service available, secure, and free from abuse.
- Newsletter and marketing email (if you subscribe) — consent (Art 6(1)(a)) and PECR. Consent is given by an explicit opt-in and can be withdrawn at any time using the unsubscribe link in any marketing email.
Sub-processors and third parties
The following third parties process personal data on behalf of the site, under data processing agreements:
- Hosting — Hetzner Online GmbH (Germany): hosts the application and database. The provider has access to data only as required to operate the underlying infrastructure.
- Email delivery — Resend (United States): account-related and (if you opt in) marketing emails are delivered via Resend. Your email address and the message content are passed to Resend solely to deliver the message. Resend retains delivery metadata (delivered/bounced/opened) for operational purposes. See Resend's privacy policy.
No personal data is sold or shared with advertisers, data brokers, or any third party for their own purposes.
International transfers
Resend is established in the United States. Email addresses transferred to Resend are protected by the European Commission's Standard Contractual Clauses and, for UK data, the UK International Data Transfer Addendum issued by the Information Commissioner. These provide contractual safeguards equivalent to UK/EU data protection standards.
Data retention
- Account data — kept for as long as your account is active.
- Server logs — 14 days.
- Email delivery logs (at Resend) — retained according to Resend's own retention schedule, typically up to 30 days for message content and longer for aggregate metadata.
- Encrypted database backups — deleted account data may persist in encrypted backups for up to 30 days before being purged.
If you request deletion, your account and email address are removed from live systems within 30 days and from backups within the backup-retention window above.
Security
- All connections to the site are encrypted using TLS.
- Passwords are hashed with PBKDF2-SHA256 and a per-user random salt (the Django default password hasher); the plain-text password is never stored.
- The database is encrypted at rest by the hosting provider.
- Access to production systems is restricted to the operator and protected by multi-factor authentication.
Your rights
Under the UK and EU GDPR you have the right to:
- Access — request a copy of the personal data held about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your account and associated data.
- Restriction — ask that processing be limited while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g. marketing), you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email data@steblik.com. Requests are responded to within one calendar month, in line with Art 12(3) UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, or the supervisory authority in your country of residence within the EEA.
Children
The service is not directed at children under 16 and is not intended for their use. If an account is identified as belonging to a child under 16, it will be deleted.
Automated decision-making
No automated decision-making or profiling that produces legal or similarly significant effects is performed on your data.
Data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, the ICO will be notified within 72 hours of the operator becoming aware of the breach, in line with Art 33 UK GDPR. Where the risk is high, affected users will be notified directly without undue delay, in line with Art 34.
Third-party links
The site may contain links to external websites. Those sites have their own privacy policies and practices, for which the operator of this site is not responsible.
Changes to this policy
If this policy changes materially, registered users will be notified by email. Minor clarifications (typos, formatting) may be made without notification. The "last updated" date above will always reflect the current version.
Contact
For any question about this policy or your personal data, contact data@steblik.com.