
Privacy Policy

Introduction

This Privacy Policy describes how Cristian Di Carlo ("we", "us") collects and processes data when you visit this website or access the CMS. For questions or to exercise your rights, contact us at okazakee@proton.me.

Data Controller

Cristian Di Carlo — okazakee@proton.me

Data We Collect

Infrastructure (Vercel)

This website is hosted by Vercel, Inc. (USA). Vercel processes standard request data — including IP addresses, browser type, OS, referring URL, and request timestamps — as part of normal server operation. This is handled by Vercel as a data processor on our behalf. We do not have direct access to raw server logs.

Performance Monitoring (Vercel Speed Insights)

We use Vercel Speed Insights to monitor Core Web Vitals. It collects anonymous performance metrics: page load times, device type, browser, and approximate country. Data is processed by Vercel, Inc.

Analytics (Umami)

We use a self-hosted instance of Umami to understand how visitors use this website. Umami collects page views, referral sources, approximate country, browser type, device type, and screen size. No IP addresses are stored. No cookies are used. Data never leaves our own servers.

All Umami data is fully anonymous — no personal identifiers are stored and re-identification is not possible. This data falls outside the definition of personal data under Art. 4(1) GDPR.

CMS Authentication

Access to the CMS is restricted to explicitly invited users only. Self-registration is disabled. When a user is granted access and authenticates, we collect and store the following data:

Via email + password login:

  • Email address
  • Password (hashed, never stored in plain text)
  • Display name
  • Profile avatar (optional, user-uploaded)

Via GitHub OAuth:

  • Email address
  • GitHub username
  • Display name (from GitHub profile)
  • Profile avatar URL (from GitHub)

Session data:

  • Authentication session stored in HTTP-only cookies prefixed with sb- (managed by Supabase)
  • Sessions are invalidated on logout or token expiry

Rate limiting:

  • IP address and email are temporarily held in memory to enforce login attempt limits (max 5 attempts per 15 minutes). This data is never persisted to disk or database.

This data is used solely to authenticate users and control access to CMS features. It is not used for marketing or shared with third parties beyond the data processors listed below.

Functional Cookies

Two cookies are set solely to persist your display preference:

Cookie | Purpose | Expiry
themeMode | Stores your selected theme (light / dark / auto) | 365 days
resolvedTheme | Stores the resolved theme for server-side rendering | 365 days

Authentication session cookies (sb-*) are set only upon CMS login and are strictly necessary for maintaining an authenticated session.

None of these cookies are used for tracking or advertising.

Legal Basis for Processing

Processing Activity | Legal Basis
Infrastructure & performance monitoring | Legitimate interest — Art. 6(1)(f) GDPR
Anonymous analytics (Umami) | Outside GDPR scope (fully anonymous data)
CMS user authentication | Contract performance — Art. 6(1)(b) GDPR

International Data Transfers

Vercel is based in the United States. Data processed by Vercel (infrastructure and Speed Insights) may be transferred outside the EU/EEA under Standard Contractual Clauses (SCCs) per GDPR Chapter V. See Vercel's Privacy Policy.

Supabase stores CMS user data. Depending on the project's configured region, data may be processed outside the EU/EEA. Supabase, Inc. relies on SCCs for international transfers. See Supabase's Privacy Policy.

GitHub (Microsoft) processes authentication data during OAuth login. See GitHub's Privacy Policy.

Umami analytics data is self-hosted and never transferred outside our own servers.

Data Retention

  • Umami analytics: retained indefinitely, or until manually purged
  • Vercel data: governed by Vercel's retention policy
  • CMS user data: retained for as long as the account is active. Upon account deletion, all profile data, avatar files, and authentication records are permanently removed
  • Rate limiting data: held in memory only, cleared automatically every 5 minutes
  • Functional & session cookies: expire on logout or after 365 days, or until cleared by the browser

Your Rights

Under GDPR you have the right to access, rectify, erase, restrict, object to, and port your personal data.

Umami analytics data is fully anonymous and outside GDPR scope — data subject rights cannot be applied to it as no individual can be identified.

CMS users can delete their own account at any time from the account settings, which triggers complete removal of all associated personal data. For any other requests, contact: okazakee@proton.me

Changes to This Policy

Any updates will be posted on this page with a revised date.


Last Updated: April 2026
