1. Introduction and data controller
The privacy of my visitors is important to me. This Privacy Policy explains how your personal data is collected, used, stored, shared, and protected when you access or use my website at jacobriggs.io and its associated subdomains and services (together, the "Website"). Throughout this policy, "I", "me", and "my" refer to Jacob Riggs, the individual who owns and operates the Website. "You" and "your" refer to you, the visitor or user.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and all applicable data protection legislation, the data controller responsible for your personal data is:
Jacob Riggs - based in Australia.
As I operate from Australia, I handle personal data in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where you access the Website from the United Kingdom or the European Economic Area (EEA), your personal data is also handled in accordance with the UK GDPR and the EU GDPR. Where these regimes differ, I aim to apply the standard that is most protective of your personal data.
jacobriggs.io is a personal website and portfolio. It is not a company or registered business. I am committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws. Please read this policy carefully so that you understand how your information is handled.
2. Personal data I collect
I collect and process several categories of personal data, depending on how you interact with the Website. Only personal data that is necessary for the purposes described in this policy is collected. Simply browsing the Website does not require you to provide any personal data.
2.1 Contact form data
When you send me a message through the contact form (jacobriggs.io/contact), I collect the name, email address, subject, and message you provide, together with any files you choose to attach. Your IP address at the time of submission is recorded for spam prevention and included in the email I receive. The contact form is protected by Google reCAPTCHA (see Section 4.1).
2.2 Payment and transaction data
If you make a payment through the payment form (jacobriggs.io/pay), I record the essential data needed to process, log, and issue a receipt for the transaction - typically your email address, the payment amount and currency, your IP address, and a payment reference. Payments are processed by third-party payment gateways (see Section 4.2). Your full card details are entered directly with the payment provider and are never collected by or stored on my servers.
2.3 CV download data
To download my CV (jacobriggs.io/cv) you are asked to submit an email address, to which a download link for a PDF copy is sent. The PDF is embedded with a unique watermark signature which may be used in conjunction with the submitted email address to help investigate and identify the source of unauthorised sharing or leaks.
2.4 Newsletter subscription
If you subscribe to my mailing list, the email address you provide is collected so that I can send you occasional updates. Subscriptions are managed through MailerLite (see Section 4.3). You can unsubscribe at any time using the link in any email or by contacting me.
2.5 Technical and device data (log files)
Like most websites, my server automatically records log files when you access the Website. This information may include your IP address, browser type and version, operating system, Internet Service Provider (ISP), referring and exit pages, and date/time stamps. This data is used for security, diagnostics, and understanding aggregate usage trends, and is not ordinarily linked to your identity.
2.6 Cookies and similar technologies
The Website uses a limited number of cookies:
- Session cookie (PHPSESSID) - a strictly necessary cookie that maintains your session on interactive pages (such as the contact and payment forms). It is deleted when your session expires. Strictly necessary cookies do not require consent.
- Consent cookie (cookieconsent_status) - records your cookie preference as chosen through the consent banner, so you are not asked repeatedly.
- Analytics cookies (_ga, _gid) - set by Google Analytics only where you have opted in via the consent banner, to help me understand aggregate traffic. See Section 4.1.
The consent banner is opt-in: analytics cookies are not set unless you agree. You can change or withdraw your choice at any time through the cookie settings on the banner, or by clearing cookies in your browser. The Website does not use advertising cookies, marketing cookies, or social media tracking pixels.
2.7 Encrypted paste sharing (share.jacobriggs.io)
My share service (share.jacobriggs.io) is a zero-knowledge pastebin. Anything you paste is encrypted and decrypted entirely within your own browser; the decryption key is contained in the link fragment and is never sent to or stored on the server. As a result, I cannot read the contents of pastes. The server stores only the resulting encrypted data and its expiry, and standard technical log data as described in Section 2.5.
3. Purposes and legal bases for processing
Under Article 6(1) of the GDPR, there must be a lawful basis for each processing activity. The bases I rely upon are:
3.1 Performance of a contract (Article 6(1)(b))
Processing your payment and issuing a receipt, and providing any service or item you have requested, are necessary to perform the transaction you enter into with me.
3.2 Legitimate interests (Article 6(1)(f))
Certain data is processed where necessary for my legitimate interests, provided these are not overridden by your rights and freedoms:
- Responding to enquiries - handling and replying to messages you send through the contact form.
- Security and abuse prevention - logging IP addresses, using reCAPTCHA, and moderating comments to protect the Website against spam, fraud, and misuse.
- Protecting intellectual property - watermarking CV downloads to trace unauthorised sharing.
- Understanding usage - reviewing aggregated, non-identifying trends to maintain and improve the Website.
3.3 Consent (Article 6(1)(a))
Consent is relied upon for optional analytics cookies and for subscribing to my mailing list. Where consent is the legal basis, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.4 Legal obligation (Article 6(1)(c))
Your data may be processed where necessary to comply with a legal obligation, such as retaining payment records for tax and accounting purposes or responding to lawful requests from authorities.
4. Data sharing and third-party recipients
I never sell, rent, or trade your personal data. It is shared only in the limited circumstances below, and each third party processes data in accordance with its own privacy policy.
4.1 Google
I use Google Analytics (where you consent) to understand aggregate traffic, Google reCAPTCHA to protect the contact form from spam, and Google Fonts to render typography. When these services load, Google may receive your IP address and related technical information. This is governed by Google's Privacy Policy.
4.2 Payment gateways
Payments are handled by third-party payment gateways (such as Stripe and PayPal). When you pay, your payment details are provided directly to the relevant provider, who processes them under their own privacy policy and security standards. I receive only confirmation of the transaction and the limited data described in Section 2.2.
4.3 MailerLite
If you subscribe to my mailing list, your email address is stored and processed by MailerLite, which provides the email delivery service, under their privacy policy.
4.4 Hosting provider
The Website is hosted on infrastructure provided by OVH SAS, with the server located in the United Kingdom. OVH provides the physical and network infrastructure and does not access your personal data beyond what is necessary to provide hosting services.
4.5 Law enforcement and legal requirements
Your personal data may be disclosed to law enforcement, regulators, or courts where required by law, court order, or where reasonably necessary to comply with a legal obligation, protect the rights or property of the Website, prevent or investigate wrongdoing, or protect the safety of users or the public.
5. International data transfers
The server is located in the United Kingdom. Some third parties I use (such as Google, the payment gateways, and MailerLite) may process data on servers outside the UK and European Economic Area (EEA). Where personal data is transferred outside the UK/EEA, it is protected by appropriate safeguards, such as the providers' participation in the EU-US Data Privacy Framework, Standard Contractual Clauses, or the derogations permitted under Article 49 GDPR (for example, where the transfer is necessary to perform a service you requested).
6. Data retention
Your personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Indicative retention periods are:
- Server log files - retained for as long as is necessary for security, diagnostics, and the investigation or prevention of abuse and attacks.
- Contact form messages - retained for as long as necessary to handle your enquiry and any follow-up correspondence.
- Payment records - retained for as long as required for financial, tax, and legal compliance.
- CV download email addresses - reviewed every 12 months and securely deleted once no longer necessary.
- Newsletter subscriptions - retained until you unsubscribe.
- Cookie consent preference - retained for up to 12 months.
- Encrypted pastes - retained until they expire or reach their view limit, then deleted.
When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
7. Data security
I implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (HTTPS/TLS across the Website), keeping payment card handling with certified payment providers, storing credentials and secrets server-side away from client code, validating and sanitising user input, and restricting administrative access. While I take reasonable steps to protect your data, no method of transmission or storage is completely secure, and absolute security cannot be guaranteed.
8. Your rights under GDPR
Under the UK GDPR and EU GDPR you have the following rights in relation to your personal data. If you are in Australia, you also have the right to access and seek correction of your personal data under the Australian Privacy Principles. These rights are not absolute and may be subject to conditions and exceptions.
- Right of access (Article 15) - to obtain confirmation of whether your data is processed and a copy of it.
- Right to rectification (Article 16) - to have inaccurate or incomplete data corrected.
- Right to erasure (Article 17) - to request deletion of your data in certain circumstances.
- Right to restriction (Article 18) - to request that processing be restricted in certain circumstances.
- Right to data portability (Article 20) - to receive data you provided in a structured, commonly used, machine-readable format.
- Right to object (Article 21) - to object to processing based on legitimate interests.
- Right to withdraw consent (Article 7(3)) - to withdraw consent for analytics cookies or newsletter emails at any time.
To exercise any of these rights, please contact me. I will respond within one month of receipt; in complex cases this may be extended by up to a further two months, in which case I will let you know within the first month. No fee is charged unless the request is manifestly unfounded or excessive. I may need to verify your identity before acting on a request.
If you believe your data has been handled unlawfully, you have the right to lodge a complaint with a supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. In the United Kingdom, it is the Information Commissioner's Office (ICO) at ico.org.uk. If you are elsewhere in the EEA, you may contact the supervisory authority in your country of residence.
9. Automated decision-making and profiling
I do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you, as defined in Article 22 of the GDPR.
10. Third-party services and links
The Website integrates with or links to third-party services, including Google (Analytics, reCAPTCHA, Fonts), the payment gateways, and MailerLite, and links to external sites such as X and LinkedIn. Each third party processes data under its own privacy policy, which I encourage you to review. I am not responsible for the privacy practices of external websites or services.
11. Children and age restriction
The Website is not intended for or directed at children under the age of 16, and I do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact me and I will delete it as soon as reasonably practicable.
12. Changes to this Privacy Policy
This policy may be updated from time to time to reflect changes in practices, the Website, or applicable law. When changes are made, the "Last updated" date at the foot of this page will change. Where changes materially affect how your data is processed, I will make reasonable efforts to notify you. You are encouraged to review this policy periodically.
13. Contact
If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, including to exercise any of your rights under Section 8, please contact me through the contact form. I aim to respond to all legitimate enquiries within one month.
Last updated on 4 July 2026.