Privacy Policy for eomer.co.uk

=========.TXT FORMAT=========

Use your browser back button to return to the previous page.

Terminology:
Policy = This policy document, the Privacy Policy for eomer.co.uk
Site/the Site/Eomer = eomer.co.uk
Host = krystal.uk, where the Site is hosted

****************************************
Update to the below
****************************************

I have moved Host from UK2 to Krystal.uk. The situation seems to be unchanged despite this.

****************************************
Temporary overriding provision relating to IP ADDRESS LOGGING
****************************************

a) I've spoken to the Host, and they've said that under my current package I am unable to disable IP address logging and the logging of user agents (e.g. "Mozilla/5.0 (Linux; Android 12" etc.). In order to do so, I'll need to upgrade to a virtual private server (as that would allow me to administrate my own metrics), which I will do when I'm able.

b) Whilst IP addresses may or may not be considered personal information (it's debatable, since in Eomer's case an IP and user agent are all we collect, which may not actually be enough to identify an individual person), what matters is whether there is a lawful basis for collection.

c) There are several forms of lawful basis under GDPR. One is consent, which you'll recognise if you've seen those annoying cookie permission popup boxes on pretty much any major website. This is sort of difficult to implement, given that unless you turn off IP logging entirely, a user has to have their IP logged before they can give consent.

d) A different lawful basis is "legitimate interest":

   - it is legal to process personal data if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data" (Article 6 GDPR)

The thing to note here is "legitimate interests pursued... by a third party". In this case, the third party is the Host provider, who - given that they're hosting my site, on a basic package - has a security interest in logging IP addresses (which I believe is why they said they can't disable it - if I moved to a VPS, their security interest dissipates). What this means is that I can process your IP address (even though it's not me, but the Host) to fulfil their industry-standard security concern, and legally I don't even need to mention that I'm doing so, since you only need to inform a user that you're doing something if you're seeking their consent for that lawful basis.

e) Look, we've all been on the net for a long time. You all know that IP address logging is standard, even if we'd prefer it not be. If this was a legal problem, there would have been a massive outcry by now, yet there hasn't been, which indicates that there is a legitimate interest.

f) So here's my policy: until such time as I can upgrade to a VPS, I'll be collecting your IP address and user agent, in order to fulfil the legitimate security interest of my Host. For as long as I am forced to do so, I'll have an announcement on the index page that says I'm doing so. When that announcement disappears, that will mean I've stopped logging IP addresses and user agents.

****************************************

This policy overlaps with the cookie policy. In the event of a conflict between the policies, this (the Privacy Policy) takes precedence.

All points made in the Policy relate to what is within Eomer's control.
I cannot say for certain what information is collected by the Host where this site is hosted; however, I have gone through every setting I could find looking for anything which might collect data from the user (you) and turned it off.

1) As Eomer is hosted in the United Kingdom, it must comply with UK data protection law. This includes but may not be limited to:
   - The General Data Protection Regulation, a regulation of the European Union, which was largely retained in UK law after Brexit
   - The Data Protection Act 2018, domestic law in the United Kingdom
   - Case law relating to these

2) Eomer does not collect data as a general rule. To put it bluntly, as there are no accounts, cookies, or trackers, we have no vectors for data collection.

3) The only information that Eomer might inadvertently collect about you in general is IP addresses, as you make requests for documents held on Eomer. Under the GDPR the collection of this data is acceptable as "Processing shall be lawful only if... (f) processing is necessary for the purposes of the legitimate interests pursued by the controller... except where... protection of personal data" [Article 6 Para 1 Point F]. Despite this, I shall endeavour to purge logs of all connecting IP addresses as often as possible. However, by using the site you're agreeing that your IP address may be logged on the server somewhere for up to a year.

4) For specific site functionality (such as in a guestbook, or for the purposes of some side project), none of which has been implemented yet, Eomer may be required to collect personal information from you. In the case that that becomes necessary, such collection shall only occur on very specific web pages; you shall be warned before you click it, and again once you get onto the page with the option to leave.
In such instances, you will be informed of exactly what information I want to collect from you, how I will use it, of your rights under UK law, and of how and when I will dispose of that information.