§ 01 Who we are

The Code Abides Limited is the data controller for the personal data processed through this website. Any questions about this notice — or any data we hold about you — can be sent to info@thecodeabides.co.uk.

Registered name: The Code Abides Limited
Registered office: 9–11 Vittoria Street, Birmingham, B1 3ND, England & Wales
Company number: 13307220
VAT number: GB 409 268 876
ICO registration: ZC127568
Contact: info@thecodeabides.co.uk

§ 02 What data we collect

The contact form on this site collects only the information you provide and the minimum needed to deliver and protect that submission:

  • First and last name — supplied by you in the form.
  • Email address — so we can reply.
  • Practice or company — optional; supplied by you if useful.
  • Message content — the free-text body of your enquiry.
  • IP address — observed transiently by the function that handles the submission, used only for rate-limit checks and Cloudflare Turnstile verification. The raw IP is not retained beyond that window. The audit log records only a salted SHA-256 hash, never the raw address.

Browsing the rest of the site — reading the journal, the practitioners page, this notice itself — collects no personal data of any kind.

§ 03 Cookies and similar technologies

This site sets no analytics, marketing, measurement, or cross-site tracking cookies, and no first-party preference or session cookies under normal use. Browsing the site does not place any cookie on your device.

When — and only when — you interact with the contact form's Cloudflare Turnstile widget, a small number of strictly-necessary security cookies may be set on the challenges.cloudflare.com domain (and possibly on this origin, depending on browser behaviour):

| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| cf_chl_rc_i | challenges.cloudflare.com | Internal Cloudflare Challenge Platform diagnostic for production-issue detection | Session |
| cf_chl_rc_ni | challenges.cloudflare.com | Internal Cloudflare Challenge Platform diagnostic | Session |
| cf_chl_rc_m | challenges.cloudflare.com | Internal Cloudflare Challenge Platform diagnostic | Session |
| __cf_bm | challenges.cloudflare.com | Cloudflare bot management on the challenge endpoint itself (may be observed because challenges.cloudflare.com is itself protected by Cloudflare) | ~30 minutes |

These cookies fall under the strictly-necessary exemption in PECR Regulation 6(4): they are set only because you have explicitly invoked the contact form, they are required to deliver the bot-mitigation that makes the form usable at all, and they perform no tracking or cross-site identification. The ICO gives "security cookies that authenticate users and protect against fraudulent use" as the canonical example of cookies covered by this exemption.

This is why this site does not display a cookie banner. There is nothing for you to consent to under PECR; disclosure is what the law requires here, and that disclosure is this section.

§ 04 Lawful basis for processing

For receiving and replying to enquiries, the lawful basis is legitimate interests under Article 6(1)(f) of the UK GDPR — namely, our interest in responding to enquiries about our professional services, balanced against your reasonable expectation that a business publishing a contact form will read and reply to the messages it receives.

For Cloudflare's secondary use of Turnstile signals to improve its bot-detection capability, the lawful basis is Cloudflare's own legitimate interests, as disclosed in the Turnstile Privacy Addendum. Cloudflare acts as an independent controller for that purpose; see § 06 below.

No special-category data (Article 9) and no criminal-offence data (Article 10) are processed. There is no automated decision-making producing legal or similarly significant effects (Article 22).

§ 05 Recipients and processors

Three vendors process personal data on our behalf in connection with the contact form:

  • Microsoft Azure — site hosting and the function runtime that handles the submission.
  • Resend (Plus Five Five, Inc.) — transactional email delivery.
  • Cloudflare, Inc. — bot mitigation (Turnstile) on the form, with a secondary independent-controller role described in § 06.

Microsoft 365 hosts the mailbox the messages land in. The full subprocessor list — purpose, location and transfer mechanism — is published in § 10 below.

§ 06 Cloudflare's dual role

Cloudflare's role under UK GDPR is unusual enough to be worth flagging directly. For the same Turnstile interaction, Cloudflare acts in two capacities:

  • As processor, delivering the bot-mitigation service we have instructed it to provide on the contact form.
  • As independent controller, for the secondary purpose of improving Turnstile's bot-detection capability across all Cloudflare customers.

The data processed for these purposes includes IP address, TLS fingerprint, User-Agent string, the sitekey and origin, and behavioural and JavaScript challenge signals. Cloudflare states it does not have the ability to directly identify any individuals from these signals. The full position is set out in the Turnstile Privacy Addendum.

§ 07 International transfers

Two transfers of personal data outside the UK take place when you use the contact form:

  • Your name, email address, optional company name and message content transit and are stored in the United States via Resend, our transactional-email provider.
  • Your IP address and Turnstile challenge signals are processed by Cloudflare's global anycast network. For UK visitors this typically occurs at a UK or EU point of presence; the parent entity is in the United States.

Both transfers rely primarily on the EU-US Data Privacy Framework with the UK Extension. Resend is a self-attested DPF participant; Cloudflare is enrolled as Participant ID 5666. The DPF carries an adequacy decision under the Data Protection (Adequacy) (United States of America) Regulations 2023.

Should DPF adequacy ever be suspended or withdrawn, both vendors have EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum deemed entered into as a contractual fallback.

§ 08 How long we keep data

We hold your data only as long as needed for each system to do its job:

| System | What it holds | Retention |
|---|---|---|
| Microsoft 365 mailbox (info@) | Your message and any reply correspondence | Until the matter is resolved, plus 24 months |
| Azure Table Storage audit log | Hashed IP, User-Agent, outcome flag — no message content | 12 months, then automatically deleted |
| Application Insights (where enabled) | Operational request metadata | 30 days (default) |
| Resend logs and email content | Outbound email logs and content | 30 days (Resend default across Free, Pro and Scale tiers) |
| Cloudflare Turnstile signals | Challenge telemetry | "No longer than a few weeks" (Cloudflare-stated; not contractually fixed) |

§ 09 Your rights, and the ICO

Under the UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("the right to be forgotten").
  • Restriction — ask us to limit how we use your data while a question is being resolved.
  • Portability — receive your data in a structured, commonly-used format.
  • Objection — object to our reliance on legitimate interests as a lawful basis.

To exercise any of these rights, email info@thecodeabides.co.uk. We will respond within one calendar month, as required by Article 12(3) of the UK GDPR. We may ask one corroborating question to verify your identity before releasing or deleting data.

You also have the right to complain to the supervisory authority — the Information Commissioner's Office, ico.org.uk — if you believe we have not handled your data correctly. We would prefer the chance to put it right ourselves first, but the right is yours either way.

§ 10 Subprocessors

UK GDPR requires us to inform you of the parties processing personal data on our behalf. The list below is current as of the date at the foot of this notice; it is updated whenever a subprocessor is added, removed or replaced.

| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Microsoft Azure | Site hosting (Static Web Apps), bundled Functions runtime | Ireland / Netherlands (selected region) | Intra-UK/EEA — no transfer mechanism required |
| Microsoft 365 | Mailbox for info@thecodeabides.co.uk | Ireland | Intra-UK/EEA — no transfer mechanism required |
| Resend (Plus Five Five, Inc.) | Transactional email delivery (contact form) | United States (storage); regional egress optional | EU-US DPF + UK Extension (primary); EU SCCs + UK IDTA (deemed-entered fallback) |
| Cloudflare, Inc. | Bot mitigation (Turnstile) on the contact form, with secondary use as independent controller for service improvement | United States parent; UK/EU PoP at request time | EU-US DPF + UK Extension (primary, Participant ID 5666); EU SCCs + UK IDTA (deemed-entered fallback) |
| GitHub (Microsoft) | Source-code repository (no personal data of visitors) | United States | Not a processor in the GDPR sense — repository contains no visitor PII |

§ 11 Changes to this notice

If we change how we handle personal data, we will update this page and refresh the date below. Material changes — for example, adding a subprocessor, extending a retention period, or changing a transfer mechanism — will also be reflected in our internal compliance records and, where appropriate, communicated directly.

Last updated · 28 April 2026