Privacy Policy
Privacy Policy
1. Who I Am (Data Controller)
Project Surf Helmet (projectsurfhelmet.com) is a personal hobby site operated by one individual. I am not a company. For the purposes of privacy law, I am the sole data controller for any personal information processed through this site.
2. What Data I Collect and Why
Analytics
This site uses StatCounter to understand traffic patterns — which pages are popular, roughly where visitors come from, and how the site is used. StatCounter collects anonymized data including IP addresses (which StatCounter may use to derive approximate location), browser type, and pages visited. I do not use this data to identify individual visitors.
Cookies & Consent Management
Cookie consent on this site is managed through Cookiebot, which gives you granular control over which cookies you allow before they are set. The site uses the following types of cookies:
- Necessary cookies — Required for the site to function (including Cookiebot's own consent cookie, which remembers your preferences).
- Statistics cookies — Set by StatCounter to track anonymized visit patterns.
- Affiliate cookies — When you click an affiliate link (e.g., to Amazon), the retailer sets a cookie to attribute any resulting purchase so I can receive a small commission. I do not set or control these cookies — they are governed by the retailer's own privacy policy.
You can change or withdraw your cookie consent at any time via the cookie banner on this site, or by adjusting your browser settings. Withdrawing consent for statistics cookies does not affect your ability to read the site.
Contacting Me
The only way to contact me directly is by email:cole@projectsurfhelmet.com. There is no contact form. If you email me, I receive your email address and message. I use this only to reply to you and do not share it with anyone.
Affiliate Links
Clicking an affiliate link on this site may pass a referral identifier to the linked retailer (e.g., Amazon). What that retailer does with that data is governed by their privacy policy, not mine.
3. What I Do NOT Do
- I do not sell your personal information — ever.
- I do not run advertising networks or serve behaviorally targeted ads.
- I do not build personal profiles of visitors.
- I do not send marketing emails.
- I do not collect payment information.
- I do not have user accounts or registration.
- I do not collect sensitive data (no SSNs, financial details, health data, etc.).
4. Third-Party Services
The following third-party services may collect data independently per their own policies:
- StatCounter — Anonymized analytics.StatCounter Privacy Policy. You can opt out at statcounter.com/about/set-refusal-cookie.
- Cookiebot (Usercentrics) — Cookie consent management.Cookiebot Privacy Policy.
- Amazon Associates and other affiliate programs — Governed by the respective retailer's privacy policy when you click through.
- Site hosting / CDN providers — May log standard server access data (IP addresses, browser type, access times) for security and operational purposes.
5. Your Rights
EU / EEA / UK Residents (GDPR & UK GDPR)
Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the right to:
- Access — Request a copy of personal data I hold about you.
- Rectification — Request correction of inaccurate data.
- Erasure — Request deletion of your personal data ("right to be forgotten").
- Restriction — Request that I limit how I process your data.
- Objection — Object to processing based on legitimate interests.
- Portability — Request your data in a portable format.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
My legal basis for analytics processing is consent (via Cookiebot, before StatCounter cookies are set). For email correspondence, the legal basis isperformance of a request (responding to your message).
You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member state's DPA).
California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act (CCPA) and CPRA, you have the right to:
- Know what personal information is collected about you and how it is used.
- Request deletion of your personal information.
- Opt out of the sale of personal information — note: I do not sell personal information.
- Non-discrimination for exercising any of these rights.
- Correct inaccurate personal information I hold about you.
To exercise these rights, contact:cole@projectsurfhelmet.com. I will respond within 45 days.
If you have an unresolved complaint, you may contact the California Department of Consumer Affairs at 1625 North Market Blvd, Suite N 112, Sacramento, CA 95834 / (800) 952-5210.
Canadian Residents (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access the personal information I hold about you and to request corrections. Contact me atcole@projectsurfhelmet.com to make a request.
Australian Residents (Australian Privacy Act 1988)
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to access and seek correction of personal information I hold about you. You also have the right to complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached. Contact me first at cole@projectsurfhelmet.com.
Brazilian Residents (LGPD)
Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have rights of access, correction, anonymization, portability, and deletion of your personal data. Contact me at cole@projectsurfhelmet.com to make a request.
All Other Visitors
Regardless of where you live, I aim to handle any personal data responsibly and minimally. If you have any concerns about your data, email me and I will do my best to address them.
6. Data Retention
- Analytics data — Retained per the analytics provider's default retention settings (typically 14–26 months for Google Analytics).
- Contact form messages — Retained until the correspondence is resolved, then deleted.
- Server logs — Retained briefly by hosting infrastructure for security purposes, then automatically purged.
7. Data Security
I take reasonable precautions to protect data, including using HTTPS and secure hosting. However, no internet transmission is 100% secure. Please do not send sensitive personal information through this site's contact form.
8. International Data Transfers
This site is hosted in the United States. If you are visiting from outside the US, your data may be transferred to and processed in the US. Third-party services (e.g., Google Analytics) may also transfer data internationally per their own data transfer mechanisms (e.g., Standard Contractual Clauses for EU data).
9. Children's Privacy
This site is not directed at children under 13 (or under 16 for EU residents). I do not knowingly collect personal information from minors. If you believe a child has submitted data through this site, contact me and I will delete it promptly.
10. Links to Other Sites
This site links to third-party websites. I am not responsible for the privacy practices of any external site. Review each site's own privacy policy before providing any personal information.
11. Changes to This Policy
I may update this privacy policy at any time. The "Last Updated" date at the top of this page will reflect changes. For significant changes, I will make reasonable efforts to notify users (e.g., a notice on the site homepage).
12. Contact & Rights Requests
To exercise any privacy rights, ask questions, or raise concerns about this policy:
cole@projectsurfhelmet.com
Response times: within 30 days generally; 45 days for CCPA requests; one month for GDPR requests (extendable by two months for complex requests, with notice).