Privacy Policy
This page explains how personal data is handled when you visit mariomerlo.me (“this website”). The data controller is Mario Merlo, who can be reached at blog@mariomerlo.me. The approach here is deliberately minimal: this is a static website with no user accounts, no advertising, and no tracking cookies.
The data I process
Technical and security data (via Cloudflare)
This website is hosted on Cloudflare Pages and served through Cloudflare’s network. To deliver pages and protect the site against abuse, Cloudflare automatically processes technical request data — including your IP address, browser and device type (user agent), the pages you request, and the time of each request. Purpose: to serve the website reliably and keep it secure. Legal basis: my legitimate interest (Art. 6(1)(f) GDPR) in operating a functioning, secure website.
Aggregate analytics (Cloudflare Web Analytics)
I use Cloudflare Web Analytics to understand, in aggregate, how the site performs and is used — such as page-load timings, total page views, referring sites, and visitors’ country and browser. It is privacy-first: it sets no cookies and stores nothing on your device (no cookies, local storage, or similar), and does not track you across other websites or build a profile of you. It is also configured to exclude visitors from the EU and EEA: the analytics script is not loaded for visitors connecting from those regions, so if you are visiting from the EU/EEA, no data about your visit is collected through this tool. Purpose: basic, non-intrusive audience and performance measurement. Legal basis: my legitimate interest (Art. 6(1)(f) GDPR) in understanding traffic and performance to improve the site.
Correspondence
If you email me, I process your email address and the contents of your message in order to read and reply. Legal basis: my legitimate interest (Art. 6(1)(f) GDPR) in responding to enquiries, and/or taking steps at your request.
Nothing else
There are no contact forms, comment sections, newsletter sign-ups, logins, or payments on this website. No personal data is collected beyond what is described above.
Cookies and local storage
This website sets no cookies of its own and uses no local or session storage in your browser. The only cookies you may encounter come from Cloudflare and exist to protect the site. Specifically, when Cloudflare needs to check that a visitor is not an automated bot, it may present a security challenge and set a cf_clearance cookie recording that the challenge was passed, so you are not repeatedly challenged (it can last up to a year). Cloudflare may set other short-lived cookies for the same bot- and abuse-protection purpose. These are strictly necessary to provide the service you requested and, under the ePrivacy rules, do not require consent. Because the site uses no advertising or other non-essential cookies that store information on your device, there is no cookie consent banner.
Service providers
To run this website I rely on the following providers, acting as processors or independent controllers for the limited technical purposes above:
- Cloudflare, Inc. — website hosting (Cloudflare Pages), content delivery, security, and aggregate analytics. See Cloudflare’s own privacy policy for details of its processing.
- Fastmail Pty Ltd. — for receiving and sending email, if you choose to contact me.
I do not sell your personal data, and I do not share it for advertising.
International data transfers
Some of my providers are located outside the European Economic Area (EEA): Cloudflare is based in the United States, and Fastmail is based in Australia. Where personal data is transferred outside the EEA, it is protected by appropriate safeguards under the GDPR — for Cloudflare, the EU–U.S. Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, and for email, the equivalent contractual safeguards offered by the provider.
How long data is kept
Technical and security logs are retained only for Cloudflare’s standard log-retention periods, after which they are deleted or anonymised. Aggregate analytics contain no data that identifies you. Email correspondence is kept only as long as needed to handle your enquiry and any follow-up.
Your rights
Under the GDPR, you have the right to:
- access the personal data I hold about you;
- have inaccurate data corrected, or your data erased;
- restrict or object to its processing;
- data portability, where applicable.
To exercise any of these, email me at blog@mariomerlo.me. You also have the right to lodge a complaint with a supervisory authority. In Italy this is the Garante per la protezione dei dati personali; you may alternatively contact the authority in your country of residence.
Automated decision-making
This website carries out no automated decision-making or profiling that produces legal or similarly significant effects.
Children
This website is not directed at children, and I do not knowingly collect personal data from anyone under the age of 14 (the age of digital consent in Italy).
Changes to this policy
I may update this policy to reflect changes to the website or to legal requirements. The “last updated” date at the top reflects the latest revision.
Contact
Questions about this policy or your data: blog@mariomerlo.me.