Privacy Policy

Effective date: 5 June 2026
Last updated: 5 June 2026

1. Summary

Schoolfield is a small, informational fitness blog operated by an individual private person in Ukraine. We do not use analytics or advertising trackers, we do not sell or share personal data with marketers, and we do not ask you to register an account. The only personal information we handle is what every website unavoidably receives — the IP address your browser presents when it requests a page — and a small number of strictly necessary cookies that keep the site working.

2. Who we are (data controller)

This site is operated by Schoolfield (an individual private person, Ukraine), acting as the controller of personal data within the meaning of the Ukrainian Law on the Protection of Personal Data and, where applicable to visitors from the European Economic Area, the General Data Protection Regulation (EU) 2016/679 ("GDPR").

For any question about this policy, or to exercise any of the rights described below, write to: [email protected].

3. Information we collect

3.1. Information you give us

Schoolfield has no contact form, no registration, no comments, no newsletter sign-up. We do not actively ask you for any personal information. If you nevertheless email us at the address above, we will use the contents of your message to reply, and nothing else.

3.2. Information collected automatically

Like every website, our server receives technical information with each request, including:

• your IP address;
• the User-Agent string your browser sends (browser name, version, operating system);
• the URL you requested and the URL you came from (Referer header), if your browser sends one;
• the date and time of the request.

This information is recorded in standard server access logs and is used to operate the site, diagnose errors, and detect abusive activity. We do not link this technical information to an identified individual unless we have to (for example, in order to investigate a security incident together with the hosting provider or with law enforcement on the basis of a lawful request).

3.3. Honeypot for automated abuse

The site contains a single hidden, robots-disallowed link to /recent-updates. Real visitors never see or follow it. Automated scrapers and bots that ignore the disallow directive and follow the link are flagged and their IP address is added to a temporary block list (1 hour to 7 days, escalating with repeat offences). This is the only "behavioural" data we record, and it is recorded only when triggered.

3.4. Cookies

We use a very small number of strictly necessary cookies:

• Session cookie (laravel_session or similar) — keeps your session state during a single visit; expires when you close the browser or after a short inactivity period;
• CSRF token cookie (XSRF-TOKEN) — a security cookie that protects against cross-site request forgery on any future form;
• Cookie-consent acknowledgement — set when you click OK on the cookie banner, so we don't show it on every page. Stored for one year.

We do not use any analytics cookies (no Google Analytics, no Yandex Metrica, no Matomo, no Plausible, etc.), no advertising cookies, no social network plugins, and no third-party tag managers. Our cookie banner explains the same in plain language.

4. How we use this information

• To deliver the requested pages (essential cookies and the application session);
• To keep the site secure and resilient against abusive automated traffic (server logs and the honeypot);
• To investigate and fix bugs and outages (server logs);
• To reply to direct emails you send to us.

5. Legal basis for processing (GDPR Art. 6)

• Strictly necessary cookies and server logs: our legitimate interest in operating and securing the website (Art. 6(1)(f) GDPR);
• Cookie-consent acknowledgement: your consent, expressed by clicking OK on the banner (Art. 6(1)(a));
• Replies to direct email: our legitimate interest in answering you (Art. 6(1)(f)) and, where applicable, steps taken at your request prior to entering into an arrangement (Art. 6(1)(b)).

6. Who else processes this information (service providers)

Because the website runs on infrastructure operated by other companies, your IP address and request metadata necessarily pass through them. We use:

• OVH SAS (Roubaix, France, EU) — server hosting. Server logs are processed on OVH infrastructure inside the EU.
• Cloudflare, Inc. (San Francisco, USA, with EU points of presence) — content delivery network and security layer. Cloudflare terminates the TLS connection between your browser and our origin and may process your IP address and request metadata to deliver and protect the service. The transfer to Cloudflare's US infrastructure is covered by Standard Contractual Clauses included in Cloudflare's Data Processing Addendum.

We do not share personal data with any other third party. We do not sell personal data. We do not use any advertising network.

7. International data transfers

Because Cloudflare's network is global, your IP address and request metadata may transit servers located outside the European Economic Area, including in the United States. This transfer is covered by the Standard Contractual Clauses incorporated by Cloudflare's Data Processing Addendum. No other personal data leaves the EU.

8. How long we keep this information

• Server access logs: rotated and deleted after approximately 30 days, unless a longer retention is needed to investigate a specific incident;
• Honeypot block list: 1 hour to 7 days, depending on the number of repeat offences, after which the IP is automatically released;
• Email correspondence: kept in the controller's mailbox for as long as needed to address your enquiry, then deleted on request or in line with our retention review;
• Cookies: as described in section 3.4.

9. Your rights

To the extent the GDPR or the Ukrainian Law on the Protection of Personal Data applies to you, you have the right to:

• access the personal data we hold about you;
• have inaccurate data rectified;
• have your data erased ("right to be forgotten") where the legal grounds for processing no longer apply;
• restrict or object to processing carried out under our legitimate interests;
• data portability, where the processing is based on consent or on a contract and is carried out by automated means;
• withdraw any consent you have given, at any time, without affecting the lawfulness of processing already carried out.

To exercise any of these rights, write to [email protected]. We will respond within one month.

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority — for residents of Ukraine, this is the Ukrainian Parliament Commissioner for Human Rights (Ombudsman); for residents of the European Economic Area, this is the data protection authority of your country.

10. Children

This site is not directed at children and we do not knowingly collect personal data from children under the age of 14. If you believe a child has provided personal data to us, please contact us and we will take steps to delete it.

11. Security

We take reasonable technical and organisational measures to protect the limited personal data we handle: TLS encryption on every page (HTTPS), modern security response headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy), the honeypot and abuse-throttling described above, and a server stack kept up to date. No transmission over the internet can be guaranteed 100% secure, but we apply the standard of care a small site of this nature reasonably can.

12. Changes to this policy

If we change this policy in a material way, we will update the "Last updated" date at the top of this page and, where appropriate, post a brief notice on the home page. For non-material changes (typos, clarifications), we will only update the date.

13. Contact

Schoolfield — individual private person, Ukraine.
Email: [email protected]