Privacy Policy
Version 2.0 · Last reviewed: May 2026
Data controller: Peter Aaron, United Kingdom · Contact via LinkedIn
1. Who this policy applies to
This privacy policy applies to all visitors and users of this personal portfolio website. The data controller is an individual based in the United Kingdom. This site is not operated by a company or organisation. UK GDPR and, where applicable, PECR govern the processing of personal data in connection with this site.
This policy is provided in accordance with Article 13 UK GDPR (information to be provided where personal data are collected from the data subject).
2. Personal data collected
2.1 Data you provide directly
If you choose to sign in using LinkedIn OAuth, the following data is received from LinkedIn and stored for the duration of your session:
- full name;
- email address;
- profile photograph (URL); and
- public LinkedIn profile URL.
Sign-in is entirely optional. The site is fully accessible without a LinkedIn account.
2.2 Data collected automatically
When you visit the site, the hosting infrastructure (Vercel) automatically records standard server access log data:
- IP address (may be truncated or hashed by Vercel);
- browser type and version (user-agent string);
- referring URL;
- pages requested and timestamps; and
- HTTP response codes.
This data is processed by Vercel as part of its standard hosting service. It is not used by this site for profiling or marketing purposes.
2.3 Cookies and localStorage
Cookies and browser localStorage are used as described in the Cookie Policy. No special category personal data (Article 9 UK GDPR) is collected or processed.
3. Purposes and lawful bases for processing
The table below sets out each processing activity, its purpose, and the lawful basis under Article 6 UK GDPR.
| Processing activity | Purpose | Lawful basis (Art. 6 UK GDPR) |
|---|---|---|
| Serving web pages | Delivering the site to your browser | Legitimate interests (Art. 6(1)(f)) — necessary for the operation of any website |
| Server access logs | Security monitoring, abuse prevention, infrastructure performance | Legitimate interests (Art. 6(1)(f)) |
| LinkedIn sign-in | Personalised sign-in experience; identifying the visitor | Consent (Art. 6(1)(a)) — you initiate sign-in voluntarily |
| Session management | Keeping you signed in during your visit | Legitimate interests (Art. 6(1)(f)) — necessary to maintain the signed-in session you requested |
| Analytics | Pageviews after consent, engagement events, conversion CTA clicks; where signed in, identification by LinkedIn vanity URL (email is never sent to analytics) | Consent (Art. 6(1)(a)) — only processed after you accept analytics cookies |
| Consent record | Storing your cookie preference to comply with PECR | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
No automated decision-making or profiling within the meaning of Article 22 UK GDPR takes place on this site.
4. Recipients and processors
Personal data is not sold, rented, or disclosed to third parties for their own purposes. The following third-party processors handle data as part of providing this site:
Vercel Inc. (hosting and infrastructure)
The site is hosted on Vercel's global edge network. Vercel processes server access log data as a processor under a Data Processing Addendum (DPA). Vercel is a US-based company; transfers are covered by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA). See Vercel's Privacy Policy.
LinkedIn Ireland Unlimited Company (OAuth provider)
Sign-in via LinkedIn is handled through LinkedIn's OAuth 2.0 service. When you initiate sign-in, you are redirected to LinkedIn and subject to their terms. The data received back (name, email, photo, profile URL) is held only for your session. LinkedIn acts as an independent controller in relation to your LinkedIn account. See LinkedIn's Privacy Policy.
PostHog Inc. (analytics, consent-gated)
If you consent to analytics, PostHog Inc. receives usage data (pages visited, navigation paths, device and browser basics, and where signed in, your LinkedIn vanity URL or numeric LinkedIn member ID used as an identifier — your email is never sent to analytics). PostHog acts as a data processor under its Data Processing Agreement. Data is processed in PostHog's EU region (Frankfurt, Germany), which keeps analytics data inside the UK / EEA. No analytics are loaded or transmitted before you give consent. See PostHog's Privacy Policy.
5. International transfers
Vercel is headquartered in the United States. Transfers of personal data to Vercel are covered by the UK International Data Transfer Addendum (UK IDTA) to the EU Standard Contractual Clauses, providing appropriate safeguards under Article 46 UK GDPR. PostHog Inc. is a US-incorporated company; analytics data is processed exclusively in its EU region (Frankfurt, Germany), which keeps the data within the UK / EEA, and any residual support access from PostHog personnel is covered by Standard Contractual Clauses and the UK IDTA under PostHog's Data Processing Agreement. LinkedIn's international transfer mechanisms are governed by their own privacy policy. No other international transfers of personal data take place.
6. Retention periods
| Data | Retention period |
|---|---|
| LinkedIn session data (name, email, photo) | Until sign-out or session token expiry; not persisted beyond the session |
| Server access logs (held by Vercel) | Per Vercel's standard log retention (typically up to 30 days) |
| Cookie consent preference (localStorage) | Persistent until you clear browser data or reset via the preferences panel |
| Analytics data (PostHog) | Up to 12 months on a rolling basis under PostHog's default retention; deleted earlier on request |
7. Your rights under UK GDPR
As a data subject under UK GDPR you have the following rights. To exercise any of them, please contact the data controller via LinkedIn. Requests will be responded to within one calendar month in accordance with Article 12 UK GDPR.
Right of access (Art. 15)
You may request a copy of the personal data held about you and information about how it is processed.
Right to rectification (Art. 16)
You may request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17)
You may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to restriction of processing (Art. 18)
You may request that processing of your data be restricted in certain circumstances, for example while a rectification request is assessed.
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you may request a structured, machine-readable copy of your data.
Right to object (Art. 21)
Where processing is based on legitimate interests, you may object. Processing will cease unless compelling legitimate grounds can be demonstrated that override your interests.
Rights relating to automated decision-making (Art. 22)
Not applicable — this site does not make automated decisions with legal or similarly significant effects.
8. Right to withdraw consent
Where processing is based on consent (analytics cookies, LinkedIn sign-in), you have the right to withdraw that consent at any time without detriment. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent for analytics, use the cookie preferences panel. To withdraw consent for LinkedIn sign-in, sign out and do not sign in again.
9. Complaints
If you have concerns about how your personal data is handled, please contact the data controller in the first instance. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the United Kingdom.
10. Changes to this policy
This policy may be updated from time to time. The "last reviewed" date at the top of this page indicates when the policy was last amended. Material changes will be reflected in an updated version number. Continued use of the site after a change is published constitutes acknowledgement of the updated policy.