Privacy Policy

Who I am

I’m Neil Hughes, and I barely understand privacy notices at the best of times so I’ll try my hardest to keep this both simple and thorough.

(Update: I failed! This is 3000 words long, so it’s more thorough than simple. Although I have tried to keep it easy to understand, I should warn you that it is probably very, very boring. However, I want you to know everything I know about your data – that seems only fair!)

My website address is:

Essentially, I am just a man with a blog. Nevertheless, it seems to me that I should still do my reasonable best to meet acceptable standards of transparency when it comes to your data.

While I have done a lot of reading around this, I can’t promise I understand everything about good data practices – I suspect that it takes many years to become an expert in this sort of thing – but at the time of writing this document represents my best understanding of how your data is collected and used.

If I learn anything new about how this all works (for example, if I discover that some website feature is silently collecting more data than I am currently aware of), or if anything substantially changes, then I will endeavour to update this policy accordingly, and take further action if appropriate.

And if you, the reader, know more about this sort of thing than me and believe there’s something I could do better, then please let me know via I value your privacy highly and will never intentionally breach the rules.

As a sole trader / little-known author/speaker, this document is my attempt to be as transparent as possible about my attempts to keep up with a complex, changing set of rules about data and privacy.

Strap yourself in for an extremely tedious – but important – Rollercoaster Ride of Privacy Policy!

What personal data is collected and why


When visitors leave comments on the site the data shown in the comments form is collected, along with the visitor’s IP address and browser user agent string. The IP address and browser data are used to help detect spam.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.


I am not currently aware of a way for you to upload images to the website. However, if a way exists which I’m not aware of, and if you make use of it to upload images to the website, then you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website would be able to download and extract any location data from images you upload to the website.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. I haven’t adjusted the settings for these cookies, so they will last for the default amount of time, which I believe is one year.

If you have an account and you log in to this site, a temporary cookie is set to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, several cookies are set up to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Currently, only I edit or publish articles. However, if someone else were to edit or publish an article, an additional cookie will be saved in their browser. This cookie includes no personal data and simply indicates the post ID of the article which was just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.


I used to have Google Analytics installed, but I mostly never used it, only occasionally logging in to see how many visitors the site was getting. In order to avoid collecting unnecessary data I have deleted my Google Analytics account and removed the analytics code from this site, so that’s one fewer thing to worry about, which is always nice.

Data Backups

Currently, this website is automatically backed up, and these backups are stored in the cloud over the secure Dropbox service. Short of a data breach at Dropbox, I believe nobody but me has access to these backups. For more, see the Dropbox privacy policy.

Mailing Lists

I have an irregular email newsletter. I hate being sent too many emails, so I try not to send very many myself. This newsletter – the Neil Hughes Occasional Email Experience – goes out at a very variable rate, but probably averages about once a month.

The mailing list is optional, and opt-in: to join, you have to enter your email address and click a link in your email to confirm. Every email provides an opportunity to unsubscribe, in the (unlikely?!) event that my infrequent ramblings are no longer welcome.

This mailing list is managed by a third-party provider, MailChimp, to deliver this newsletter. MailChimp gather statistics around email opening and clicks using industry standard technologies which helps me monitor and improve the newsletter. (Usually, I just use this to find out which puns in the subject line were SO bad that more people unsubscribed than usual.)

For more information on all of this, please see MailChimp’s privacy notice. You can unsubscribe to these mailouts by clicking the unsubscribe link at the bottom of any of our emails. If you email I will unsubscribe you manually as soon as I get the chance.

As part of the optional registration process for this newsletter, personal information is collected. Of course, this includes your email address (duh!), but also your IP address, data provided by your browser (including location), and (optionally) your name. Your email address and name is used to keep you updated about things you’ve asked to be updated about; i.e. being sent an irregular newsletter of silly stories and occasional marketing information.

Currently I don’t use your location data for any purpose. However, I believe Mailchimp collects such data automatically to provide me with the facility to send mailouts to people in particular locations: for example, on a hypothetical future book tour this provides me the facility to inform mailing list subscribers in a particular location that I am visiting their city and they might wish to come along to the event.

(I have no plans to use this sort of location data at the moment. As with all personal data I hold, if you have subscribed and wish to see/amend/delete your data, you can contact me at and I will do my best to help you out. From my limited experience, Mailchimp seem to be very good at providing me with the ability to assist with such requests.)

Lastly, I use a service called Sumo to provide a convenient signup to the Mailchimp list. (This is the potentially annoying popup which shows when a new visitor hangs around the site for a while, suggesting you might want to join the mailing list.)

If you use this Sumo popup to subscribe to the mailing list then the data you provide will be sent to Sumo and processed according to Sumo’s privacy policy. This data is then further sent to Mailchimp to add you to the list, as above.

To the best of my knowledge, every form which sends data to either Sumo, Mailchimp, or both, include warnings that this data will be sent to these third parties for processing.


I’m not sure if this needs saying, but obviously, if you email me then I will have your email address, along with your name and any data you send via that email.

(This is just… how email works, and presumably most people are aware of the necessity of sending the actual email in order to have sent an email. But for thoroughness I thought I ought to mention it.)

I use Gmail (by Google) to manage this email, so this provided email data will be stored on Google’s servers and managed according to their privacy policy.

I keep most of my emails, but I do delete some to free up space.

I don’t know where the boundary lies between private email communications and data processing obligations, but I would like to err on the side of greater transparency unless there is a good reason not to. So if you have emailed me and want to know if I retain any of your data then feel free to, um, email me* and I’ll do my best to help you with any reasonable requests. Assuming I don’t need to keep your email address or email data for some legal, administrative or security reason, I expect I would be happy to delete them.

* this seems silly but I can’t think of a way around it!

Perhaps this section is an unnecessary statement of the obvious. I believe most of us know these days how email works, whereas cookies and analytics are a little more mysterious. But I guess you can’t have too much openness and transparency (unless, say, it leads to you spending all day writing privacy policies instead of doing actual work…!)

Moving on…

Who we share your data with

Visitor comments may be checked through an automated spam detection service, specifically AntiSpam Bee, a common spam detection service. (Since easily 99% of the ‘comments’ on this site are caught in the anti-spam net, this is a very good thing, in my opinion. Without services like this the entire internet would be an unreadable mess… more so than usual!)

Other than the services already mentioned in this privacy policy – Dropbox (for backups) and (optionally for mailing list subscribers) Mailchimp and Sumo –  I don’t share any data with anyone. As big technology companies, I expect these services have the resources to do a far better job than I could to secure this data – that’s why why I don’t manage my mailing list personally in the first place.

Currently I don’t share this website nor my mailing list with anybody else, and I have no plans to do so. In the unlikely event that this changes (say, hiring an assistant, which at the time of writing is a hilariously unlikely prospect) I will update this policy.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so follow-up comments can be approved automatically instead of holding them in a moderation queue.

For users that register on the website, the personal information provided is stored in your user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I erase any personal data I hold about you by emailing and explaining your request. This does not include any data I am obliged to keep for administrative, legal, or security purposes.

Lawful basis for processing data

To my limited understanding, the new EU GDPR regulations require a lawful basis for any data processing (which appears to be a fairly broad term covering even simple things like ‘saving an email address to a mailing list when someone asks to join’).

I don’t really do much data processing, but where you send me data (like signing up for a mailing list, or commenting, for example), I ask for your consent to process this data (by, say, adding you to the mailing list, or displaying your comment!)

I worry that it might be annoying to be asked for consent in all these different places, but this transparency is (hopefully!) better than silent use of your data, and I have done my best to ensure consent is requested in an appropriate manner, and that I’m only asking for the smallest amount of data which is necessary (I can’t very well send you newsletters unless you give me your email address!)

As for the mailing list, there is apparently some debate about whether or not ‘legitimate interests’ or ‘consent’ is the most appropriate lawful basis. Since lawyers seem to disagree on this, I can’t imagine I have much chance of figuring it out. But whichever technical term is most relevant to describe the process, my process remains as simple as I can make it while ensuring you are in control: 1) you want to be on the mailing list 2) you add yourself 3) you confirm 4) I occasionally send you emails 5) you can stop receiving emails at any time.

I recognise that consent is not indefinite, and so I will endeavour to contact inactive members from time to time to request that they refresh their consent to remain on the mailing list.

Additional information

How your data is protected

All of the services I use are protected with strong passwords and two-factor authentication where available. I believe that the services which store personal data (Mailchimp, Google Analytics, Sumo, etc) all store it appropriately using encryption and so on – though of course I have no way of verifying this beyond taking them at their word. Still, I have done my best to choose reputable organisations to provide these services, and if I discover otherwise then I will take appropriate action immediately.

What data breach procedures we have in place

If any of the organisations which store data – Mailchimp, Google, Sumo, Dropbox etc – were compromised, I would follow their advice regarding appropriate actions to take.

(Honestly, if Google gets hacked then I can’t imagine that Walking on Custard will be high on anyone’s worry list. Nevertheless, I will do my best to alert people to the possibility that their data has been accessed, if it is appropriate to do so!)

If my own website gets hacked, there’s not a lot I can do: because I don’t store data on visitors by default, I don’t have a means of alerting them. (However, this means that there is very little (or no?) identifiable data for a theoretical attacker to gain access to, so this may be a good thing.)

In this (hopefully unlikely) event, I will do my reasonable best to alert anybody whose data I believe may have been compromised (in particular, people who have signed up to comment on the blog) in order to inform them that their data may have been accessed, what data is included, and, if appropriate, I will seek advice on the correct steps to take to prevent recurrences in future.

What third parties we receive data from

At the time of writing, I can’t think of any third parties I receive data from.

What automated decision making and/or profiling we do with user data

At the time of writing, I don’t do any automated decision making or profiling on the website. Analytics data (see above) is stored, but I barely look at it. If this changes, I will update this section accordingly.

As for the mailing list, the tracking of active/inactive subscribers is processed automatically by Mailchimp in accordance with their privacy policy.


The website may link to external websites, which may perform their own collection and processing of your data.

I would never knowingly link to a nefarious website, and if I accidentally do so I will remove the link as fast as possible and take appropriate steps to alert anybody I can who may have been affected.


I don’t know the ages of website visitors, or emailers, or subscribers to my mailing list, and I don’t intend to ask. Of course I am happy to assist parents with any requests about data their children may have provided to me by visiting the site.

Industry regulatory disclosure requirements

Um. I’m told this is a thing, but I don’t believe I have any further disclosure requirements. However, if you know better, feel free to let me know and I will update this section accordingly. (Leaving this section in for maximum transparency, even of ignorance!)

Contact information

If you have questions about any of this, or if you’d like to view, amend or delete your personal data, then please feel free to email me via and I will do my best to help you with your request.

I also have an automated Data Access Request page which you may prefer – however, if this doesn’t work, or is insufficient, then I would like to reiterate that you are welcome to email me via

Changes to this Privacy Notice

This policy was last updated on 22 May 2018. I have set a date to review it again in May 2019.

If anything major changes on the website in the meantime then I will also endeavour to review this policy.

Wasn’t That Fun?

Not going to lie, I am glad to have reached the end of this. In the unlikely event anyone has ever read this document, I hope you enjoyed it, and I am pleased that you are so easily entertained 🙂 Love!