Privacy policy

Last reviewed: 18 May 2026. Your privacy is very important to me. This policy explains how I collect, use, communicate, disclose, and otherwise make use of personal information — and the rights you have under the GDPR.

My commitments

Before or at the time of collecting personal information, I will identify the purposes for which information is being collected.

I will only retain personal information as long as necessary for the fulfillment of those purposes.

I will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

Personal data will be relevant to the purposes for which it is to be used, and — to the extent necessary for those purposes — accurate, complete, and up-to-date.

I will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

I will make readily available to you information about my policies and practices relating to the management of personal information.

Who's collecting your data

This site is operated by Joe Gullo Digital B.V. — a B.V. registered in Leiden, Netherlands. KVK 98746375. Contact: hello@joegullo.com.

I am the data controller for joegullo.com. The scale of processing on this site does not require a designated Data Protection Officer under Article 37 GDPR.

What I collect, and why

Data you give me directly

When you fill out a form on this site — the contact form on /connect, the project-details form on /work-with-me, or the newsletter signup — you may provide:

  • Name and email — required so I can reply, and (for newsletter signups) deliver the newsletter
  • Company name (optional) — helps me understand the context of your inquiry
  • Website URL (optional) — helps me prepare for a discovery call
  • Project description — needed to scope and quote your project
  • GDPR consent flag — an explicit record that you opted in

The lawful basis for this processing is consent (Article 6(1)(a) GDPR) — you fill the form because you want me to reply. You can withdraw consent and request deletion at any time by emailing hello@joegullo.com.

Form submissions are stored:

  • As email to my inbox (Fastmail — see Subprocessors below)
  • As a record in the project's content/inquiries/ directory on the server
  • Not in any third-party CRM. I don't use one.

Submissions are retained for 3 years unless the engagement converts to a paying project — in which case retention follows the contract terms, typically 7 years for accounting purposes under Dutch tax law.

Data collected automatically

I run self-hosted Umami analytics. Umami is privacy-friendly: it does not use cookies, does not collect personal data, and aggregates page views without fingerprinting. Umami stores:

  • Country (derived from IP, not the IP itself)
  • Browser and OS family
  • Device type (mobile / desktop)
  • Pages you visit and time on each page
  • Referrer (where you came from)

This data is not personally identifiable under GDPR and processing is lawful as legitimate interest (Article 6(1)(f) GDPR) — running a basic analytics dashboard for the practice. You can opt out via the cookie banner.

Cookies

This site uses three categories of cookies:

  • Strictly necessary (session, CSRF, language preference). Cannot be disabled. Not subject to consent under ePrivacy law.
  • Analytics — only if you opt in via the cookie banner. Umami works without cookies; this toggle reserves the option to add fuller analytics in future.
  • Marketing — only if you opt in. Used for the MailerLite newsletter form. Loads only after consent.

The cookie banner appears on first visit and remembers your choice. You can change your preferences at any time via "Update cookies preferences" in the site footer.

Subprocessors

I use a small set of EU-based vendors to operate this site. Each has its own GDPR-compliant data processing agreement (DPA) in place.

| Vendor | Purpose | Location | DPA |
| --- | --- | --- | --- |
| Fastmail | Email (inbox + transactional) | Netherlands | Yes |
| MailerLite | Newsletter delivery (after opt-in only) | Lithuania (EU) | Yes |
| Umami Analytics (self-hosted) | Privacy-friendly analytics | My own server, EU | Self-operated |
| Stripe | Payment processing (if you book a paid engagement) | Ireland (EU) | Yes |
| [hosting provider] | Web hosting | Netherlands | Yes |

If a subprocessor changes, I will update this policy with the change date.

Your GDPR rights

Under the GDPR you have the right to:

  • Access the personal data I hold about you
  • Rectify inaccurate data
  • Erase your data (right to be forgotten)
  • Restrict processing
  • Port your data to another controller
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)
  • Complain to the Dutch Data Protection Authority — Autoriteit Persoonsgegevens

To exercise any of these rights, email hello@joegullo.com. I will respond within 30 days as required by Article 12(3) GDPR.

Data transfers outside the EU

This site is hosted in the Netherlands. Subprocessors are all EU-based (Netherlands, Lithuania, Ireland). I do not transfer personal data outside the EU/EEA.

Children

This site is not directed at children under 16 and I do not knowingly collect personal data from children. If you believe a child has submitted personal data, please email hello@joegullo.com and I will delete it.

Security

The site runs HTTPS on all routes. Form submissions are CSRF-protected. The Kirby panel is protected by 2FA. Backups are encrypted at rest. I follow OWASP Top 10 guidance for the codebase.

If you believe you've discovered a security vulnerability, please email hello@joegullo.com with details — please don't disclose publicly first.

Changes to this policy

I will update the "Last reviewed" date at the top of this policy when material changes are made. Significant changes will be announced on the newsletter, and a notice will be added to the site for 30 days.

Contact

Questions about this policy or your data:

Joe Gullo Digital B.V.
Leiden, Netherlands
hello@joegullo.com
KVK: 98746375