What Data Do I Collect?
When you visit Letters Blogatory for any purpose—to read, to submit a comment or a message via the contact page, or to subscribe to my email newsletter—my HTTP server collects information about your visit in a log file, including your IP address; the date and time of your visit; the HTTP request you sent; the HTTP status code that my server returns to your browser; the size of the object my server sent to your browser or that your computer sent to my computer; the referer header in your HTTP request; and the user agent header in your HTTP request.
My server also logs data on communications that are blocked by my packet-filtering firewall and by my web application firewall. In the case of the packet-filtering firewall, the log file contains the date and time of the packet, your IP address, and certain technical information about the blocked packet. In the case of the web application firewall, the log file contains the date and time of the HTTP request, a partially anonymized version of your IP address, and technical information about the reason the request was blocked.
When you submit a comment, my blogging software stores the content of your comment, your name, IP address, email address, (optionally) website URL, the date and time you submitted the comment, the identity of the comment to which you are responding (if any), and the date and time you clicked the check box to acknowledge that submitting a comment will result in placement of cookies on your computer. If my software flags your comment as spam (in which case the comment will not be publicly displayed), it will also store in the database information about the reason your comment was flagged.
When you subscribe to Letters Blogatory’s email newsletter, my blogging software stores your email address in a database and the date on which you subscribed. In addition, when my email server sends you the newsletter, my server logs data about the transmission, including technical data about your email server’s response to the email transmission (for example, SMTP response codes). In addition to technical information, this includes the IP address at which your email service provider receives email. If the email “bounces,” my blogging software stores your email address, the date and time of the bounced email, and the reason for the bounce. My blogging software database also stores aggregate information about the number of recipients who have opened my email newsletters or who have clicked on a link contained in each newsletter, but not information about the particular subscriber who opened or clicked.
If you use the contact form to get in touch with me, my blogging software sends me an email that contains your name, your email address, the subject of your message, and the content of your message.
If you are a member of the Letters Blogatory listserv, my blogging software stores your name, your email address, and the content of any email you send to the other members of the listserv. In addition, when my email server sends listserv messages, my server logs data about the transmission, including technical data about your email server’s response to the email transmission (for example, SMTP response codes). In addition to technical information, this includes the IP address at which your email service provider receives email. If the email “bounces,” my blogging software stores your email address, the date and time of the bounced email, and the reason for the bounce.
What Use Do I Make Of The Information?
When you subscribe to my email newsletter, I use your email address in order to send you the newsletter.
If you are a member of the Letters Blogatory listserv, I use your name and email address in order to send you listserv messages and to authenticate you as a listserv member (since only emails from approved email addresses can be sent to listserv recipients). I archive listserv messages to provide a record of listserv discussions.
I make no other use of the log data, except for server maintenance or server security purposes.
How Long Do I Retain Data?
HTTP logs are retained for 14 days. Email logs are retained for 4 days. The firewall logs are retained for 14 days.
For subscribers and listserv members, your email address is retained for as long as you are a subscriber or member. I delete email addresses within 30 days of an unsubscribe.
Comments (including the commenter’s name, email address, and website address, and information about the date and time the commenter accepted the data protection policy) and email messages are retained indefinitely. The IP address is retained for two months.
How Can You Ask To Review Your Data, Or To Have It Erased?
Because I delete log files regularly, and within 14 days in any event, I do not accept requests to erase data in the logs sooner than they would ordinarily be erased. Nor do I accept requests to review log data.
Upon request, I will provide a commenter, subscriber, or listserv member with all information concerning his or her comments, subscription, or membership. The request must include the name under which the comments were submitted or the email address under which the subscription or listserv membership is registered. Subscribers and listserv members can request deletion of their data by unsubscribing or informing me that they wish to leave the listserv. I will consider, on a case-by-case basis, requests from commenters to delete comments or associated metadata, but because the purpose of submitting the comment was for publication in a permanent form, I am not obligated to honor such requests.
Where Are the Data Stored?
All data are stored on a server in New Jersey, in the United States. Backups are stored in Virginia, in the United States.
Do Third Parties Have Access To Your Data?
No third party is authorized to have access to your data. I will disclose your data to a third party only if I believe that the law requires me to do so, or only if I believe that disclosure is necessary to protect my interests (e.g., if the disclosure is necessary for server maintenance or security, or if the disclosure is necessary to allow me to assert or defend a legal claim).
If you click on a “social sharing” button under a post, you may be sharing information about your visit to Letters Blogatory with the relevant social network. I have no responsibility for the social network’s collection or use of such data. But the buttons are “opt-in;” they do not do anything or allow any information to be shared unless you click on them.
When you access Letters Blogatory, communications between our computers are encrypted using industry-standard technology. So you have reasonable assurance that no one who does not have access to your computer has the ability to read the data Letters Blogatory sends to your computer or to read the full URL or other data (e.g., the substance of a blog comment) that you send to my server. A network attacker may, however, be able to determine that your computer has sent a request to my server (though not the particular web page you have requested). There may also be unknown vulnerabilities that would, if exploited, allow a network attacker to read the substance of the communications between your computer and my computer.
My server is a virtual private server provided by Linode, a well-established and reputable cloud computing company. Linode in turn contracts with data center providers. Linode and its providers are responsible for the physical security of the machine on which my virtual private server runs. Linode also provides the virtualization technology that allows more than one virtual private server to run on a single machine. Breaches in the physical security of the data center, or security vulnerabilities in the virtualization software or in the other software I use to operate Letters Blogatory, could result in unauthorized access to your data. Linode has said that it is committed to GDPR compliance by May 25, 2018, though it has not yet published its compliance policy.
I store backups of my blog database in encrypted form on Amazon Web Services’ Simple Cloud Storage Service. In addition, when you access Letters Blogatory, your computer will download certain static files (for example, scripts, images, PDFs) from Amazon’s CloudFront CDN. Amazon has said that it complies with the GDPR.
There is no absolute guarantee of data security against determined attackers.
If you leave a comment on the site, I may set cookies with the name, email address, and (optionally) website address you provide. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
My website may also set a PHP session cookie that expires at the end of your browsing session.