Who is responsible

Simoné Deyzel ("I", "me") is the data controller for personal data processed through this website. I operate as an independent cybersecurity consultant based in Porto, Portugal. Contact: via the contact form.

What I collect

  • Contact form: your name, email address, any subject or message you provide, a Cloudflare Turnstile anti-spam token, and your IP address (for rate-limiting). I use this only to respond to your enquiry.
  • Traffic and security logs: IP address, User-Agent string, request path and response status — processed by my CDN/WAF provider (Gcore) and retained in my security monitoring system for up to 90 days. Used to operate and protect the site.

I do not use advertising, analytics, profiling, or third-party tracking cookies.

Why I process it (legal bases)

  • Consent — when you submit the contact form.
  • Legitimate interests — to secure the website against abuse, detect and block attacks, prevent spam, and respond to enquiries.
  • Contract — if you engage me for professional services, to scope, deliver and invoice that work.
  • Legal obligation — where required to retain or disclose data by law.

Who processes data for me

  • Infomaniak Network SA (Switzerland, EU adequacy decision) — cloud hosting and email relay. This website and its infrastructure run on Infomaniak VMs in Switzerland.
  • Gcore Luxembourg S.A. (Luxembourg, EU) — content delivery network (CDN), web application firewall and DDoS protection. All traffic to simone-deyzel.com passes through Gcore edge nodes, which process IP addresses, request headers and User-Agent strings for security purposes.
  • Cloudflare, Inc. (USA, SCC) — Turnstile bot-protection on the contact form. Cloudflare may set a strictly-necessary cookie to distinguish humans from bots; it is not used for advertising or cross-site tracking.
  • Google LLC (USA, SCC) — the Geist and Newsreader fonts are loaded from Google Fonts. This means your IP address and browser information are sent to Google's servers when you visit any page on this site. No other Google services are used.

I never sell personal data. Where providers process data outside the EEA, this is done under Standard Contractual Clauses or an EU adequacy decision.

How long I keep it

  • Contact form messages: retained only as long as needed to respond to your enquiry, then deleted.
  • Security and traffic logs: automatically purged after 90 days.
  • Engagement records: if we work together, records are retained for the duration required by applicable law and our agreement, then securely deleted.

Your rights

Under the GDPR you may request access to, rectification or erasure of your personal data, restriction of processing, portability, or object to processing on grounds of legitimate interests. To exercise any of these rights, contact me via the contact form. You also have the right to lodge a complaint with your local EU supervisory authority.

How I protect it

Key measures: TLS 1.2+ encryption in transit enforced at the CDN edge; SSH key-only access to all server infrastructure; network-level firewalling (UFW) restricting inbound traffic to Gcore CDN CIDR ranges only; web application firewall and DDoS protection (Gcore WAAP); host-based intrusion detection and automated blocking (CrowdSec); security event monitoring (Wazuh SIEM); all service credentials stored in OpenStack Barbican and never written to disk in plaintext; 90-day traffic log retention and automatic purge.

See the Cookie Policy for details about cookies and local storage.

Changes & contact

I may update this policy; the "last updated" date above will change. Questions: contact form.