Privacy Policy

Last updated: 2 May 2026

Who I am

Patch Window is a personal technical publication written and operated by Daniel Gustafsson, a sole trader registered in Sweden. I am the data controller for everything published at patchwindow.serverdigital.net.

For privacy questions or requests, email daniel@serverdigital.net.

What I store on your device

Three things, none of them for tracking-after-the-fact.

1. Your display preferences (pw-prefs). A small JSON object in your browser’s local storage. It holds your theme, accent colour, density, serif toggle, and easter egg state. The server never reads it. Clear it whenever you want. Functional, no consent required.

2. Your consent choice (pw-consent). When you answer the consent banner, your choice (yes or no to analytics) is stored in local storage so the banner does not nag you again. Required to honour your decision. No consent needed for storing the consent itself.

3. Analytics opt-out marker (umami.disabled). Only stored if you reject analytics or withdraw your consent. A flag the Umami tracker reads on each page load and stops itself if set. The tracker itself does not write cookies or persistent storage when running, so this is the only Umami-related entry that ever lands on your device, and only if you said no. See Cookies for full detail.

No advertising IDs, no fingerprinting, no third-party tracking pixels.

What I store on the server

Two things, both kept on infrastructure I run with my partner Karin in Helsinki, Finland (Hetzner Cloud, EU jurisdiction).

1. Web server logs. Every request to the site is logged by the reverse proxy (Traefik) and forwarded to a log database (Loki). The log entry contains your IP address, your user-agent string, the URL you requested, and a timestamp. I keep these for 30 days, then they are deleted.

I use these logs to keep the site running and to investigate abuse. Legal basis: legitimate interest (GDPR Article 6(1)(f)). The CJEU has explicitly recognised this as a valid basis for server logs (case C-582/14, Breyer).

2. Analytics via Umami. I run a self-hosted instance of Umami Analytics on the same server. If you accept analytics in the consent banner, Umami counts your page views and aggregates referrers, countries, browsers, and screen sizes. Your IP is hashed together with your user-agent and a daily-rotated salt; only the hash is stored, and the salt rotates every day so the same visitor cannot be re-identified across days.

Legal basis: consent (GDPR Article 6(1)(a) and ePrivacy Article 5(3) / Swedish LEK 9:28). You can withdraw at any time via the “Cookie settings” link in the footer.

I retain Umami data for 25 months and then it is deleted, matching the French CNIL guidance ceiling for analytics retention.

What I do not do

• No advertising. No ad networks, no retargeting, no audience segments.
• No third-party trackers. No Google Analytics, no Facebook Pixel, no Hotjar, no Mixpanel.
• No selling or sharing of any data with anyone, ever.
• No newsletter mailing list (yet — if I add one, I will update this page).
• No comments or user accounts. There is nothing to register for.

External links and embeds

The site links out to other sites (GitHub repositories, vendor docs, news articles). When you click an outbound link, the destination site sees your browser as you would expect.

The footer shows a Ko-fi donation button. The image is served locally so your browser does not contact Ko-fi until you click. If you click it, you go to ko-fi.com and their privacy policy applies.

Fonts

The site uses three Google Fonts (Playfair Display, Source Serif 4, JetBrains Mono). They are downloaded at build time and served from this domain. Your browser never contacts Google to load them.

Joint controllers

I run Patch Window. Karin (Holmdigital, registered in Sweden) operates the underlying infrastructure including the Umami analytics instance. Karin and I are joint controllers under GDPR Article 26 for the analytics data specifically. We have a written agreement covering this. You can address any rights request to me at the email above; I will route it.

Your rights under GDPR

You have the right to:

• Request a copy of any personal data I hold about you (Article 15).
• Ask me to correct it (Article 16).
• Ask me to delete it (Article 17).
• Object to my processing of it (Article 21).
• Withdraw consent at any time (Article 7) — for analytics, use the “Cookie settings” link in the footer.
• Lodge a complaint with the Swedish data protection authority IMY at imy.se.

To exercise any of these, email daniel@serverdigital.net. I will respond within one month.

In practice, the only personal data I hold about a typical visitor is their IP address in 30-day server logs (and a session token in Umami if you accepted analytics). If you want it deleted earlier, send me the IP and the rough time window and I will run a delete query.

Where the data lives

All processing happens on a single dedicated server in Helsinki, Finland. No US transfers, no third-country transfers, no Schrems II problem. Daily backups go to a Hetzner Storagebox in the same jurisdiction.

When this changes

I will update the date at the top whenever I change anything material. If I add new data flows (a newsletter, comments, embedded video, anything), I will write about it on the front page so it is hard to miss.

If you spot an error or an inconsistency between what this page says and what the site actually does, email me. I read every message.