Alec Jensen Development Privacy Policy

I respect your privacy and am committed to transparency regarding any information collected while operating my Services. This policy explains what data I collect, how I use it, and your choices.

I do not conduct user profiling, behavioral advertising, or marketing based on activity on the Services. Analytics are limited to aggregated, privacy‑respecting, cookieless metrics for operational insights only.

This policy applies to all websites, domains, services, and networks operated by Alec J. (collectively, the "Services"), including alecj.com, alecj.tk, and 3ln.me.

Controller and contact details

Controller: Alec J. (United States). For privacy questions or requests, please use the contact page.

At a glance

  • What I collect: minimal security logs (e.g., IP address, headers, timestamps), aggregated, cookieless first‑party analytics, and any details you voluntarily send via the contact page.
  • What I don't collect: advertising identifiers, third‑party tracking data, behavioral profiles, or data from data brokers.
  • Where data lives: Services and self‑hosted analytics run on infrastructure located in the United States. All traffic is routed through a web application firewall (WAF) on a cloud VPS, where some security telemetry may be stored. Some application data is stored in cloud databases (for example, kidney bot data is stored in a MongoDB database).
  • Why: keep the site secure and improve content/UX.
  • How long: security logs are kept only as long as needed to protect the service; analytics are aggregated and retained for operational insights; contact emails are kept as long as needed to respond.
  • Security: Security logs are separate from analytics. Detected malicious IPs may be automatically reported to reputable community threat‑intelligence lists to help protect the broader internet.
  • See also: the Security Policy for testing guidelines and responsible disclosure.

What I Collect and Why

I specifically aim to collect zero Personally Identifiable Information (PII) for operational and analytical purposes. The data collected falls into two categories:

1. Non-PII Usage Data (Analytics)

  • To understand traffic patterns and improve the user experience across the Services, I use self-hosted, first‑party, privacy‑respecting, cookieless analytics running on my own infrastructure.
  • This system records non-personal data points, such as:
    • Page views and session duration.
    • The general geographic area (country/region).
    • The type of device, browser, and operating system used.
    • Referrer URLs.
  • Crucially, this system is configured to avoid cross-site tracking and does not use third-party trackers or advertising identifiers. It does not process IP addresses or device IDs to personally identify you, it does not set analytics cookies, and it is not used for profiling or marketing.

2. Security and Server Log Data

  • To protect the integrity and security of the network and to prevent malicious activity (like DoS attacks or unauthorized access), server logs and security systems (CrowdSec WAF) temporarily process basic network information. All inbound traffic is routed through a WAF running on a cloud VPS; certain security telemetry (for example, block lists and counters) may be stored on that VPS.
  • This data includes IP addresses, request headers, and timestamps. IP addresses are processed strictly for security purposes such as detecting, preventing, and responding to abuse, spam, fraud, and service disruption (e.g., rate limiting and blocking malicious traffic).
  • Security logs are kept separate from analytics. This security data is retained only for as long as necessary to maintain network safety and is not used for marketing or profiling.
  • To help protect the broader community, IPs conclusively identified as malicious may be automatically reported to crowdsourced malicious IP databases/threat‑intel feeds (for example, abuse blacklists). Only indicators necessary for abuse mitigation are shared — not analytics or contact content.

Traffic routing and security infrastructure

To help protect the website, its content, and users, all incoming web traffic to the site is routed through a secure Virtual Private Server (VPS) operated via Oracle Cloud which functions as a Web Application Firewall (WAF). This means that HTTP/HTTPS requests pass first through this server, where certain security checks (for example, known attack patterns, bot traffic, and request anomalies) may be filtered before being forwarded to the origin server.

For transport security and inspection, TLS may be terminated on this VPS — in other words, requests are decrypted on this VPS and then securely routed to their respective origin servers via a private VPN tunnel. End-to-end protections and least-privilege access controls are maintained on the internal network.

This routing is done to improve the safety, availability, and integrity of the site and service. It is not used to sell, disclose, or otherwise share identifiable user data except as described elsewhere in this policy.

Because this process involves handling minimal connection metadata (for example, IP address, request headers, and timestamps), such metadata may be temporarily processed by the VPS/WAF infrastructure. This information is handled the same way as Security and Server Log Data described above.

Role of provider: The VPS/WAF provider (Oracle Cloud) acts as my processor under my instructions; I remain the data controller for this processing.

3. Contact Information

  • If you voluntarily email me or submit a contact form, I receive the information you provide (e.g., your name and email address) solely to respond to your inquiry.

4. Service Data (feature/bot content)

  • Some interactive features may store limited data required to operate the feature. This application data is kept in cloud databases. For example, kidney bot stores its data in a MongoDB database.
  • kidney bot (Discord): When enabled by a server admin, the bot may submit message text to Google's Perspective API to score for potentially harmful content (e.g., toxicity). If a score exceeds a configured threshold, the bot may delete the message and optionally record an audit log. To operate moderation and audits, we may store Discord IDs (user, message, channel, server), timestamps, relevant category scores, and the moderation decision. We strive to minimize retention.
  • This data is used only to provide the relevant feature and is not used for advertising or behavioral profiling.

What I do not do

  • No selling or sharing of personal information.
  • No user profiling or behavioral advertising.
  • No session replay, heatmaps, or fingerprinting.
  • No third‑party analytics or cross‑site tracking.

Legal bases for processing

  • Security logging: Legitimate interests (IT/network security; prevention and detection of abuse and fraud).
  • Analytics (self‑hosted, aggregated, cookieless): Legitimate interests (improving content, performance, and usability).
  • Contact responses: Legitimate interests (responding to your inquiry) or contract if applicable.

Where processing is based on legitimate interests, you may object to processing. If you wish to object to analytics or security logging, contact me and I’ll explain options and implications (note: basic logging is technically required to deliver the site and maintain security).

How I Use Data

  • To operate, maintain, and improve the functionality of the Services (using Non-PII Usage Data).
  • To respond to your inquiries and provide user support.
  • To maintain security and prevent abuse, fraud, and illegal activity (using Security and Server Log Data).

Data Sharing and Disclosure

I do not sell your personal information to any third parties. I also do not share data with any external partners for marketing or advertising purposes.

Minimal data is shared with necessary service providers strictly to operate the Services, subject to appropriate contractual safeguards:

  • Hosting and Infrastructure Providers: To keep the Services running.
  • Cloud infrastructure provider (Oracle Cloud): Provides the VPS/WAF used to route and filter traffic; acts as my processor under instructions and may process minimal connection metadata for security.
  • Security Services (e.g., CrowdSec): To identify and mitigate security threats on my network.
  • Analytics (self‑hosted): Analytics run on my own infrastructure. No analytics data is shared with third parties, used for advertising, or combined with data from other websites.
  • Cloud databases: To store application data required for features (for example, kidney bot data in a MongoDB database).
  • AI moderation provider (Google Perspective API): When a Discord server enables AI filtering for kidney bot, message text may be sent to Perspective for scoring, subject to Google's terms and privacy notices. Only what is necessary for scoring is sent.

These providers act as processors under my instructions where applicable. Subprocessors may change over time; material changes will be reflected in this policy.

I may also disclose data if legally required to do so, or if I believe in good faith that such action is necessary to comply with legal obligations, protect the security of my networks, or protect my rights.

Data Retention

I keep data only as long as necessary for the purposes outlined above or to comply with legal obligations. Security and WAF telemetry are typically retained for up to 30–90 days unless required longer to investigate suspected abuse. Analytics are aggregated and retained for operational insights without personal identifiers. Contact messages are retained as long as needed to respond and maintain reasonable records.

Security incidents

If I become aware of a data incident that is likely to pose a risk to your rights or freedoms, I will notify affected users and/or regulators where required by law.

Your Choices and Rights

  • Since I do not collect PII for analytics or general site operation, there is no personal data to access, correct, or delete in those systems.
  • If you have provided contact information (via email or form), you can contact me to request access to, correction of, or deletion of that information, where applicable and legally permissible.

Your rights (EU/UK GDPR)

  • Access: request a copy of personal data that relates to you.
  • Rectification: request corrections to inaccurate data.
  • Erasure: request deletion where applicable (for example, where no longer needed).
  • Restriction: request processing to be limited in certain circumstances.
  • Portability: receive certain data in a structured, commonly used, machine‑readable format.
  • Object: object to processing based on legitimate interests (including analytics and security logging) where applicable.
  • Complaint: lodge a complaint with a supervisory authority in your country of residence or work.

To exercise any of these rights, please use the contact page. Note that basic security logging may be technically necessary to deliver the site and maintain integrity.

Children's Privacy

The Services are not directed to children under the age of 13. I do not knowingly collect personal information from children under 13.

Cookies

The Services may set a small number of first-party cookies that are strictly necessary for basic site functionality (for example, to remember simple preferences or to manage session state). These cookies are not used for advertising, cross-site tracking, or profiling. Analytics are fully cookieless and set no analytics cookies.

  • No third-party advertising cookies are used.
  • Analytics are self‑hosted, first‑party, privacy‑respecting, and cookieless; they do not track you across other websites.
  • You can control or delete cookies via your browser settings at any time.

Analytics for this site operate entirely without cookies.

Do Not Track (DNT)

Browsers may send a Do Not Track (DNT) signal. This site does not track you for advertising and does not use third‑party trackers. Because there is no cross‑site tracking to disable, DNT does not change site behavior — but your preference is respected in spirit.

Global Privacy Control (GPC)

This site honors Global Privacy Control (GPC) signals as an opt‑out of selling or sharing personal information. I do not sell or share personal information; therefore, GPC does not change behavior, but it is recorded as your preference where applicable.

Changes to this Policy

I may update this policy from time to time. Material changes will be prominently reflected on this page. Your continued use of the Services after changes take effect constitutes acceptance of the updated Policy.

Contact Information

Questions about this policy or your data? Please contact me.

Regional rights (CPRA/CCPA)

If you are a California resident, you may have rights under the CCPA/CPRA (e.g., to know, delete, correct, and to be free from discrimination). I do not sell or share personal information for cross‑context behavioral advertising. To exercise rights or ask questions, please contact me via the contact page.

International transfers

My servers, VPS/WAF, and self‑hosted analytics are located in the United States. If you access the Services from outside the U.S., your connection will route to U.S. infrastructure to deliver and secure the site. Where I engage service providers to process personal data from the EU/UK, I rely on appropriate safeguards such as Standard Contractual Clauses, where applicable.

Last updated: October 20, 2025