Last updated · May 06, 2026

Privacy Notice

Plain version: I run this site myself from Singapore. I collect the minimum needed to reply to messages, run a newsletter, moderate comments, and count page views (only if you opt in). I don't sell or share your data. You can ask for a copy or deletion of your data anytime through the request form linked below.

At a glance

  • Who runs this — Jaime Andrés López Rendón, individual data controller, based in Singapore.
  • What I collect — name and email when you contact me or comment, email when you subscribe, optional country, message content, and (only with consent) anonymous analytics.
  • Who I share with — five processors (Sanity, Resend, Google Analytics, Slack, ipapi.co). No advertisers. No data brokers.
  • Your rights — access, correction, deletion, portability, objection, withdraw consent. Use the request form linked from "Your rights" below.

Who runs this site

Jaime Andrés López Rendón, an individual based in Singapore, is the data controller for personal data collected through jaimelopez.me. I also act as the data protection officer (DPO) under the Singapore Personal Data Protection Act 2012 (PDPA).

All privacy-related contact happens through the request form at /privacy/request — that channel routes to me and creates an audit trail. Please don't email a personal address for these requests; the form makes it easier for both of us to track.

What I collect and why

I collect personal data only through the four channels below. Each one lists the data, the purpose, the lawful basis under EU/UK GDPR, and how long I keep it.

Contact form

Submitted at /contact. I collect: your name, email, optional company name, message body, the topic you selected, your detected country (ISO-2 code), and the language version of the page.

Purpose: replying to your message and, if relevant, evaluating whether we have a basis to work together.

Lawful basis under EU/UK GDPR: Article 6(1)(b) (steps at your request prior to entering a contract) where you're inquiring about an engagement, otherwise Article 6(1)(f) (legitimate interest in responding to inbound messages). Under PDPA: deemed consent through your voluntary submission, with notice of purpose given on the contact page.

Retention: 24 months from submission, then deleted. Conversations that turn into a paid engagement are migrated to engagement records, governed by the engagement letter.

Recipients: stored in Sanity (CMS), emailed to me through Resend, and a short notification is sent to my Slack workspace.

Newsletter

Submitted via the footer or in-page newsletter forms. I collect: your email, your detected or selected country (ISO-2), the locale of the page you signed up from, and the source label (footer, blog, etc.). Optionally, a first name if you reply to a welcome email.

Purpose: sending one confirmation email (double opt-in), then occasional editorial notes (typically once a month).

Lawful basis under EU/UK GDPR: Article 6(1)(a) (consent), evidenced by the double opt-in. ePrivacy/PECR "soft opt-in" does not apply because there is no prior commercial relationship. Under PDPA: express consent via the same double opt-in.

Retention: until you unsubscribe, plus 30 days in a soft-deleted state to prevent accidental re-add. After that, only a one-way hash of your email is kept on a suppression list to honour your unsubscribe forever.

Recipients: stored in Sanity, sent through Resend. Newsletter campaigns currently include open and click tracking that helps me understand which posts resonated; the unsubscribe link in every email lets you opt out at any time, including via the RFC 8058 list-unsubscribe header that supports one-click unsubscribe in modern email clients.

Blog comments

Submitted on individual blog posts. I collect: your name, your email (kept private and never displayed), the comment body, your IP address, your user agent string, and your detected country.

Purpose: publishing the comment after moderation, contacting you about your comment if needed, and detecting spam/abuse.

Lawful basis under EU/UK GDPR: Article 6(1)(a) (consent) for publishing the public name and body, and Article 6(1)(f) (legitimate interest in moderating spam and abuse) for retaining the IP, user agent, and email. Under PDPA: deemed consent for the publishing flow, paired with a notice on the comment form. Under LGPD: legitimate interest under Article 7, VII for moderation.

Retention: approved comments remain published while the underlying post is live. IP addresses are kept for 90 days, then nulled out while keeping the comment body. Pending comments are auto-purged after 30 days. Comments marked as spam are kept for up to 6 months for cross-comment pattern detection, then purged.

Recipients: stored in Sanity, with a notification email sent to me through Resend.

Analytics (only if you accept)

I use Google Analytics 4 (GA4) to count page views and understand which posts get read. GA4 only loads if you click "Accept analytics" on the cookie banner, or if your browser already has a stored consent record from a previous visit.

Before any analytics script loads, the page sets all four Google Consent Mode v2 signals to denied by default in the EU, UK, Switzerland, Iceland, Liechtenstein, and Norway. Outside those regions, the same default applies until you make a choice. Advertising signals (ad_storage, ad_user_data, ad_personalization) stay denied even if you accept analytics — I don't run any advertising tag.

Lawful basis under EU/UK GDPR: Article 6(1)(a) (consent), captured via the cookie banner. Under PDPA and LGPD: same — opt-in consent.

Retention: GA4 user and event data is configured at 14 months in the GA4 admin (the strictest sensible setting). Aggregate, non-personal reports may be kept longer.

Recipients: Google Ireland Limited for traffic from EEA/UK; Google LLC otherwise. Standard Contractual Clauses and the EU-US Data Privacy Framework cover transfers to the US.

Detail: cookies set under consent include _ga and _ga_78XP4JW78P. See the cookie notice for the full table.

Geolocation

When you load a page or submit a form, I detect your country from request headers (Cloudflare, Vercel, or Google Cloud Load Balancer geo headers depending on the edge) or, as a fallback, by querying ipapi.co with your IP. Only the ISO-2 country code is stored — never your raw IP, except in the case of comment moderation as described above.

Purpose: showing the right newsletter country pre-selection, segmenting newsletter campaigns by country (e.g. APAC vs LATAM vs EU), and aggregate analytics in admin views.

Lawful basis: Article 6(1)(f) (legitimate interest in basic site functioning). Under PDPA: deemed reasonable for a site offering bilingual content to a global audience.

Site administration

When I sign in to the admin panel, the site issues a signed session cookie called jl_admin (HttpOnly, 30-day TTL). This cookie is never set on a regular visitor's browser. Login activity (timestamp, IP, user agent) is logged for 12 months for security monitoring.

Who processes data on my behalf

| Processor | Purpose | Location | Safeguard |
| --- | --- | --- | --- |
| Sanity | Content management system; stores newsletter, contact, and comment records | EU and US data centers | GDPR Data Processing Agreement; SCCs for transfers; SOC 2 Type II |
| Resend | Sends transactional and newsletter emails on my behalf | United States | GDPR DPA; SCCs; EU-US DPF |
| Google (Analytics 4) | Page-view analytics, only when you consent | Google Ireland for EEA/UK traffic; United States otherwise | GDPR DPA; SCCs; EU-US DPF; Consent Mode v2 default-deny in EEA/UK/CH |
| Slack | Sends me a notification when you submit the contact form | United States | GDPR DPA; SCCs |
| ipapi.co | Country-only geolocation lookup as a fallback | United States | Country code returned only; no PII stored by the lookup service for this use |

International transfers

If you're in the EEA, UK, or Switzerland, your data may be transferred to the United States and Singapore. Transfers to the US rely on a combination of the EU-US Data Privacy Framework (where the recipient is certified) and Standard Contractual Clauses with supplementary technical measures.

Under the Singapore PDPA Section 26, I take reasonable steps to ensure that recipients outside Singapore are bound to a comparable standard of protection — through DPAs, SCCs, and processor commitments.

How long I keep data

| Data category | Retention period |
| --- | --- |
| Newsletter subscribers (confirmed) | Until unsubscribe + 30 days; suppression hash kept indefinitely to honour unsubscribe |
| Newsletter subscribers (pending opt-in) | 14 days, then auto-purged |
| Newsletter subscribers (inactive 24 months) | Re-engagement email; if no action in 30 days, purged |
| Contact form submissions | 24 months from submission |
| Comments — approved | Until the underlying post is unpublished |
| Comments — pending moderation | 30 days, then auto-purged |
| Comment IP addresses | 90 days, then nulled (comment body retained) |
| Privacy request records | 24 months for audit purposes |
| Admin activity logs | 12 months rolling |
| Analytics (GA4) | 14 months in GA4 admin |
| Resend webhook logs (open/click events) | 6 months |
| cookie-consent-v1 (in your browser) | 6 months, then re-prompt |

Your rights

You have the right to know what data I hold about you, to ask for a copy, to correct inaccuracies, to ask for deletion, to object to processing based on legitimate interest, to withdraw consent, and to receive a portable copy of data you provided. The exact rights depend on which law applies to you:

  • Singapore PDPA — access, correction, withdraw consent.
  • EU GDPR / UK GDPR — access, rectification, erasure, restriction, portability, objection, withdraw consent, right to lodge a complaint with a supervisory authority.
  • Brazil LGPD — confirmation of processing, access, correction, anonymisation/blocking/deletion of unnecessary data, portability, information about sharing, revoke consent. Response within 15 days.
  • Mexico LFPDPPP, Colombia Habeas Data, Argentina PDP, and other LATAM regimes — equivalent ARCO rights are honoured on the same basis.
  • California CCPA/CPRA — I do not meet the CCPA business thresholds, do not sell or share personal information, and do not run a Do Not Sell or Share program. The rights above are honoured for California residents on a comparable basis.

To exercise any of these rights, use the request form at /privacy/request. I'll acknowledge within 7 days and respond within 30 days (15 days for LGPD). Identity verification happens by replying to a confirmation sent to the email you provide. There's no charge for legitimate requests.

Complaints

If you're not satisfied with how I've handled your request, you can lodge a complaint with the supervisory authority of your country. Some primary contacts:

Security

The site is served over TLS. The admin session cookie is signed and HttpOnly. APIs are rate-limited per IP. Comment submissions go through honeypot, load-age, and link-count checks before they're stored.

No system is unbreakable. If a personal data breach affects you, I'll notify you and the relevant supervisory authority as required by law.

Children

This site is not directed to children under 16. I don't knowingly collect personal data from children under 16. If you believe a child has submitted personal data, please use the request form at /privacy/request and I'll delete it.

Changes to this notice

If I make a material change — adding a processor, changing a lawful basis, expanding the data I collect, or narrowing your rights — the "Last updated" date at the top will change and the cookie consent banner will re-prompt for analytics consent. Cosmetic edits don't trigger a re-prompt.

A version history is maintained internally; the current version of this notice is shown alongside the date.

Exercise your rights

To request access, correction, deletion, portability, or object to processing, use the dedicated form. I'll acknowledge within 7 days and respond within 30 (15 for LGPD).
