LEGAL · GDPR
Privacy policy.
Plain English. No legal-PDF maze. I collect the minimum I need to run the site, ship the work, and respond to you. Everything else is opt-in.
Who I am
This site is operated by Niko Alho, an independent consultant based in Turku, Finland. The data controller under GDPR is me, in person. You can reach me at [email protected].
What I collect, and why
The site runs on a single Hetzner server in Helsinki with Caddy as the web server. I use Cloudflare for DNS and Cloudflare Email Routing to forward [email protected] to my personal inbox. The only customer-facing data points I touch are these:
1. Strictly necessary cookies and storage
- Consent record — your cookie choices are stored in your browser as a single localStorage entry named na_consent. It contains your selections and an ISO timestamp, and it never leaves your browser.
- Session and security — Caddy may set short-lived cookies for CSRF protection or anti-abuse rate limiting. None of these contain personal data.
Legal basis: GDPR Article 6(1)(f) — legitimate interest in operating a working site.
2. Analytics — opt-in only
When you click Accept all or enable Analytics in the cookie chooser, I load Google Analytics 4 via Google Tag Manager (GTM-52CV4HXQ). Until you opt in, every storage type that GA4 uses (analytics_storage, ad_storage, ad_user_data, ad_personalization) is set to denied via Google Consent Mode v2.
When opted in, GA4 measures aggregate page views, referrers, and device class. IP anonymisation is enabled. No personally identifiable information is collected. I do not sell or share the data with third parties for marketing. The data lives in my Google Analytics property and is retained for 14 months.
Legal basis: GDPR Article 6(1)(a) — your explicit consent.
3. Marketing and ad cookies
Not used today. The category exists in the cookie chooser as a placeholder so the UI stays honest if I ever run an ad campaign. If that changes, the version number on the consent record will bump and you will be asked again.
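To make the consent mechanism in sections 1 to 3 concrete, here is an added example of the gating logic, written for this page and not the site's own code. The storage key na_consent, the four Consent Mode v2 storage types and the policy version 2026.05.21 come from the policy text; the record shape (version, analytics, marketing, timestamp), the function names and the in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added example: consent gate for the na_consent record described in the
// policy. Record shape, function names and the memoryStorage stand-in are
// assumptions; the key, storage types and version string come from the page.
const CONSENT_KEY = 'na_consent';
const CURRENT_VERSION = '2026.05.21';
const CONSENT_TYPES = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Consent Mode v2 default: every storage type is denied until the user opts in.
function defaultConsent() {
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
}

// Read and validate the stored record. Returns null whenever there is no
// usable record (missing, unparsable, wrong shape, or written under an older
// policy version); null is the signal to show the cookie chooser again.
function readConsent(storage, nowVersion = CURRENT_VERSION) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY);
  } catch {
    return null; // storage blocked (private mode, quota, disabled)
  }
  if (typeof raw !== 'string') return null;
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch {
    return null; // corrupted or tampered record: treat as no consent
  }
  if (!rec || typeof rec !== 'object') return null;
  if (rec.version !== nowVersion) return null; // version bumped: ask again
  if (typeof rec.analytics !== 'boolean' || typeof rec.marketing !== 'boolean') return null;
  if (typeof rec.timestamp !== 'string' || Number.isNaN(Date.parse(rec.timestamp))) return null;
  return { analytics: rec.analytics, marketing: rec.marketing, timestamp: rec.timestamp };
}

// Map the user's choices onto Consent Mode v2 storage types. Analytics only
// ever unlocks analytics_storage; the ad_* types stay denied unless the
// (currently unused) marketing category is granted.
function consentUpdate(rec) {
  const update = defaultConsent();
  if (!rec) return update;
  if (rec.analytics) update.analytics_storage = 'granted';
  if (rec.marketing) {
    update.ad_storage = 'granted';
    update.ad_user_data = 'granted';
    update.ad_personalization = 'granted';
  }
  return update;
}

// Write a fresh record stamped with the current policy version and an ISO timestamp.
function saveConsent(storage, choices, now = new Date()) {
  const rec = {
    version: CURRENT_VERSION,
    analytics: Boolean(choices.analytics),
    marketing: Boolean(choices.marketing),
    timestamp: now.toISOString(),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// The "reset" link: wipe the record so the chooser starts from scratch.
function resetConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Decide whether the GTM container may be loaded at all: only a valid,
// current record that grants analytics lets the tag onto the page.
function shouldLoadGtm(storage) {
  const rec = readConsent(storage);
  return rec !== null && rec.analytics === true;
}

// Minimal in-memory stand-in for window.localStorage so this runs outside a browser.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}
```

In a real page the result of defaultConsent() is passed to gtag('consent', 'default', ...) before the GTM snippet is inserted, and consentUpdate(readConsent(window.localStorage)) to gtag('consent', 'update', ...) once a record is found; the GTM script tag is only injected when shouldLoadGtm returns true. Treating an unparsable or stale record as "no consent" rather than "consent" is the point: the failure mode of a consent store should always be less tracking, never more.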
4. Contact, booking, and email
When you email me, book a call, or fill the contact form, the message arrives in my personal email via Cloudflare Email Routing. I store correspondence in my inbox and CRM for as long as the conversation is active and reasonable to recall — typically one to three years for prospects, longer for active clients.
Legal basis: GDPR Article 6(1)(b) — necessary to deliver a service you asked about.
5. Server logs
Caddy writes standard access logs (IP, request path, user agent, status code, timing). These rotate weekly and are retained for at most 14 days for incident investigation and abuse prevention. They are never linked to identity and never shared.
Legal basis: GDPR Article 6(1)(f) — legitimate interest in operational integrity.
Who I share data with
- Hetzner (Falkenstein/Helsinki, DE/FI) — hosting the server. EU data processor.
- Cloudflare (US/global) — DNS and email forwarding. Standard Contractual Clauses cover the transfer.
- Google (US/global) — only when you opt in to analytics. GA4 + Google Tag Manager. SCCs cover the transfer.
- Resend (US) — only if you submit the contact form once that integration is live. SCCs cover the transfer.
No other third parties have access. There are no advertising networks, no affiliate trackers, no session replay tools, no heatmap tools on this site.
Your rights under GDPR
You can, at any time and at no cost:
- Ask me what personal data I hold about you (right of access, Article 15).
- Ask me to correct anything inaccurate (rectification, Article 16).
- Ask me to delete it (erasure, Article 17). I will delete unless I have a legal obligation to keep it.
- Ask me to restrict or stop a particular processing (Article 18).
- Ask for your data in a portable format (Article 20).
- Withdraw consent at any time. Use the cookie settings link to revisit your choices, or the reset link to wipe the record and start fresh.
- Complain to the Finnish Data Protection Ombudsman at tietosuoja.fi.
Email [email protected] for any of the above. I respond within five working days.
Security
The site runs on TLS 1.3 with a Let's Encrypt certificate. Headers include HSTS preload, a strict Content Security Policy, COOP, X-Frame-Options, and Permissions-Policy. The deploy pipeline uses GitHub Actions with key-based SSH to a non-root user. Backups are not yet in place; see the about page for an honest current-state note.
Children
This is a B2B consulting site. It is not directed at children and I do not knowingly collect data from anyone under 16.
Changes to this policy
When the data I touch materially changes, I bump the version number on the consent record so your browser asks again. The current version is 2026.05.21. The previous full text of this page is available in the site repository history.
Contact
Niko Alho
Turku, Finland
[email protected]
+358 40 153 9426
Need plain English on any of this? Ask. I will answer like a human.
Email me →