Who I am
The Donuts and Dragons blog, its Twitter account, Facebook Page and associated groups are a personal project by me, Inge Loots. The blog is hosted at https://ingeloots.nl/
What Personal Data I Collect and Why
By default WordPress does not collect any personal data about my visitors, and only collects the data shown on the User Profile screen from registered users. Some of my plugins do collect data, I’ll explain what they collect and why they collect it below.
When visitors leave comments on the site I collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
After approval of your comment, your profile picture is visible to the public in the context of your comment. Gravatar is used to give visitors who comment on this site an opportunity to set their personal avatar. It will be left blank if no Gravatar is set. Commenters can change their settings at Gravatar’s website.
Akismet collects information about visitors who comment on this blog using the Akismet anti-spam service. The information they collect typically includes the commenter’s IP address, user agent, referrer, and Site URL (along with other information directly provided by the commenter such as their name, username, email address, and the comment itself). The data is collected to distinguish spam from real comments on the site.
The IP address of visitors, user ID of logged in users, and username of login attempts are conditionally logged to check for malicious activity and to protect the site from specific kinds of attacks. Examples of conditions when logging occurs include login attempts, log out requests, requests for suspicious URLs, changes to site content, and password updates. This information is retained for 14 days.
When you use my JetPack powered Contact Form, it collects your IP address, user agent (which browser you use on which operating system), name, email address, website, and message are submitted to the Akismet service, for the sole purpose of spam checking. Both Akismet and Jetpack are owned by the company that makes WordPress: Automattic.
The actual submission data is stored in the database of this site and is emailed directly to me. This email will include the submitter’s IP address, time-stamp, name, email address, website, and message. I don’t get to see all the other data Automattic collects.
WordPress’ back-end allows me to remove submitted feedback and associated data from the database. As soon as I read and responded to your feedback, I will delete the feedback.
I chose WordPress stats over Google Analytics because of the light-weight tracking it does. The tracking is kept at a minimum and uses IP address, WordPress.com user ID (if logged in), WordPress.com username (if logged in), user agent (your browser/operating system), visiting URL, referring URL, time stamp of event, browser language, country code.
I do not have access to any of this information via this feature. For example, I can see that a specific post has 285 views, but I cannot see which specific users/accounts viewed that post. Stats logs — containing visitor IP addresses and WordPress.com usernames (if available) — are retained by Automattic for 28 days and are used for the sole purpose of powering this feature.
Activity Tracked: Post and page views, outbound link clicks, referring URLs and search engine terms, and country.
In accordance with EU guidelines, I use a widget by Jetpack to ask permission for cookies. Find more information about the EU Cookie Directive and how to change the cookie settings in your browser by clicking on the links.
If you leave a comment on this site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
I have enabled sharing icons to some social platforms and services: Buffer, Pinterest and Twitter. You can also share via e-mail or print the post if you want to. These sharing icons are part of the site’s theme which is Extra by Elegant Themes.
I have disabled sharing buttons to Facebook and Google-owned services because I can’t check how pervasive it is and I don’t want to expose my readers to it. Feel free to share links on those networks by the old-fashioned copying and pasting, thank you!
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. Examples of embedded content are the Spotify widget in the side bar and YouTube videos.
Note that blocking these cookies interferes with the embedded content. If you want to watch an embedded video on the site, you need to allow these cookies.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I erase any personal data I hold about you. This does not include any data I am obliged to keep for administrative, legal, or security purposes.
If you want to use your rights, you can contact me through my contact form. Note that under Dutch law, I have to ask for proper identification before handing over any personal data.
Where I send your data
Visitor comments may be checked through an automated spam detection service (Akismet). The information entered in a comment form may also be shared with Gravatar, a global avatar service that connects avatars with email addresses. WordPress, Akismet, Jetpack and Gravatar are all services by Automattic, Inc.
How I protect your data
I try to avoid collecting any unnecessary data and try to keep it to username, email address and IP address. This data lives in this site’s database, which I protect with a security plug-in. The plug-in prevents unauthorized access to your data.
What data breach procedures I have in place
What is on the internet, can be hacked. That’s the core thought in my data breach procedure. Anyone who tries hard enough will be able to hack anything. The only thing a web master can do is make it harder, hoping that hackers try an easier target instead. I have installed a security plug-in for that and make sure I keep the site, the theme and all plug-ins up-to-date.
When I get hacked despite all of this, I will inform anyone who has ever commented by sending them an email. I also will notify the public by a sticky blog post on my site and via my social media channels.