Privacy Policy

Last updated: 2026-05-12

This policy describes how Sub Specie (the “site”) handles personal data. It is written with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive 2002/58/EC as transposed in EU member states, and the UK Privacy and Electronic Communications Regulations (PECR) in mind.

1. Controller

Data controller within the meaning of Art. 4(7) GDPR:

Jan Ebbing
Email: Jan.Ebbing@posteo.de

There is no statutory obligation under Art. 37 GDPR to appoint a data protection officer for a personal blog of this size, and none is appointed.

2. What is processed and why

2.1 Hosting and server logs

The site is hosted on Cloudflare Pages. When you load a page, Cloudflare automatically processes connection metadata including your IP address, User-Agent, requested URL, referrer, and timestamp. This is necessary to transmit the page to you and to keep the service secure.

  • Purpose: delivery of the site, abuse prevention, network security.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a working, secure website).
  • Recipient: Cloudflare, Inc. (US), under EU SCCs and the EU–US Data Privacy Framework.
  • Retention: per Cloudflare's own retention schedule; the site operator does not store these logs independently.

2.2 Theme preference (local storage)

If you toggle the colour theme, the site stores a single value theme="light"|"dark" in your browser's localStorage. This value never leaves your device and is read on subsequent visits to keep your preference.

  • Legal basis: regulation 6(4)(b) PECR / § 25(2) TTDSG / ePrivacy strictly–necessary exemption: storage of a user-interface preference explicitly chosen by you.

2.3 Page-view counter

Each blog post displays a view counter. When you open a post, the browser sends a request to /api/views/<slug>. The server stores one integer per post in a Cloudflare D1 database; no IP address, identifier, or session token is associated with the increment. The browser sets a per-tab sessionStorage flag named viewed:<slug> so that reloads in the same tab do not inflate the count; this flag is cleared when you close the tab.

  • Purpose: displaying an aggregate read count.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in basic, anonymous reach measurement) and the ePrivacy strictly–necessary exemption for the session flag, which is required to make the counter meaningful for a service you explicitly requested.
  • Personal data: none stored by the site beyond the aggregate counter.

2.4 Comments (Giscus)

Blog posts offer a comment section powered by Giscus, which is a wrapper around GitHub Discussions operated by the Giscus authors. The Giscus iframe loads content from giscus.app and api.github.com, which means your IP address, User-Agent, and the page you are viewing are transmitted to those services, and they may set cookies. If you sign in to comment or react, GitHub processes your account data under GitHub's privacy statement.

  • Loading: Giscus and its third-party requests are blocked by default. They only load after you click “Accept” in the consent banner or “Load comments” on a post.
  • Legal basis: Art. 6(1)(a) GDPR (consent) and regulation 6 PECR / § 25(1) TTDSG (consent) for the storage and access of information on your device caused by Giscus and GitHub.
  • Recipients: Giscus (operated by its maintainers) and GitHub, Inc. (US), a Microsoft subsidiary.
  • Withdrawal of consent: use the “Manage consent” control below at any time to revoke; once revoked, the Giscus script will no longer be loaded on future page views.

2.5 Embedded videos (YouTube)

Some posts embed YouTube videos via the youtube-nocookie.com privacy-enhanced domain. No cookies are set by YouTube until you click play. Once you start playback, YouTube (Google Ireland Ltd. / Google LLC) processes data under Google's privacy policy.

2.6 Search

The on-site search downloads a static JSON index from this site and runs entirely in your browser. Your search queries are not sent to any server.

3. Cookies and similar technologies

The site itself sets no first-party cookies. The following storage is used:

NameWherePurposeLifetimeBasis
themelocalStorageRemember light/dark choiceUntil you clear itStrictly necessary
consent.v1localStorageRecord your consent choiceUntil you clear itStrictly necessary (record of consent)
viewed:<slug>sessionStorageDedupe view counter within a tabTab sessionStrictly necessary

Third-party services (Giscus, GitHub, YouTube) may set their own cookies once you have consented and loaded their content. The site operator has no access to those cookies.

4. International transfers

Cloudflare, GitHub, and Google are headquartered in the United States and may process data outside the EEA/UK. Transfers rely on the EU–US Data Privacy Framework where applicable and on Standard Contractual Clauses under Art. 46(2)(c) GDPR.

5. Your rights

Under the GDPR (and the UK GDPR), you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21), as well as the right to withdraw consent at any time without affecting prior lawful processing (Art. 7(3)). You may also lodge a complaint with a supervisory authority, for example the Berliner Beauftragte für Datenschutz und Informationsfreiheit in Germany or the Information Commissioner's Office (ICO) in the UK. To exercise any of these rights, contact the address in section 1.

Note: because the site does not store identifiers about visitors, requests for access or erasure can usually only be answered with “no personal data about you is held by this site”. If you have commented via Giscus, your comment is stored in a GitHub Discussion under your GitHub account; deletion is performed through GitHub.

6. Manage consent

You have not made a choice yet. The banner is shown on every page.

7. Changes

If the site's data processing changes materially, this page will be updated and the “Last updated” date at the top will move. There is no mailing list, so please re-read the page if you care about updates.

No warranty of accuracy — use at your own risk.
© 2026 Sub Specie