Privacy and Cookie Policy

Last updated: October 27, 2025

Key Points

  • We do not collect personal data directly.
  • We do not use tracking or analytics cookies.
  • Your privacy is protected by design.
  • Only essential technical data is processed for security purposes.
  • You have full control over your data rights.

1. Data Controller and Commitment to Privacy

The data controller for this website is myself, Diego Orlando, a professional photographer, with a professional address in the city of San Sebastián, Gipuzkoa, Spain. You can contact me regarding privacy matters at the email address provided in the footer of this site.

This site has been designed and developed following the principle of "privacy by design", as recognized by the General Data Protection Regulation (GDPR) in Article 25. The protection of personal data has been considered a fundamental element from the project's inception, materializing in a technical structure that minimizes personal data collection and maximizes information protection measures. My commitment is to protect your privacy.

2. Data Processing: Minimization and Purposes

This website operates under the data minimization principle (Art. 5.1.c GDPR). I do not directly collect any personally identifiable information. I have not implemented contact forms, do not require user account creation, and do not maintain databases with personal information on my direct servers.

To ensure the proper technical functioning, security of the website, and protection of the intellectual property rights of the displayed photographic content, it is necessary to process limited technical data through specialized service providers:

  1. Cloudflare, Inc.: Used for secure hosting (static hosting), efficient content delivery (CDN), threat protection (WAF security, DDoS), and to obtain basic site usage metrics without using cookies or local storage.
  2. SmartFrame Technologies Limited: Used exclusively for protecting the copyright of images and their secure display, as I have technically disabled its analytics and tracking features that could involve the use of local storage.

The processing carried out by these providers is strictly limited to the technical data essential for providing these core services, as detailed in Section 3.

I have eliminated the previous use of local storage (localStorage) for user preferences. The site now automatically detects browser settings (language and visual theme) for the initial session display without storing these preferences on the user's device, based on the legitimate interest of facilitating navigation.

2.1. Temporary Storage of Preferences

During the active browser session, sessionStorage is used solely to maintain the consistency of the user experience for the following functionalities:

Visual theme preferences: It temporarily stores if the user has manually switched from the system-detected theme (light/dark) to their personal preference. If there is no manual intervention, the browser's setting is respected without storage.

Manual language changes: When the user actively selects a different language from the one automatically detected by the browser, this preference is temporarily maintained during the session.

Confirmation of reading the cookie notice: It temporarily records that the user has read and closed the cookie information banner to avoid repeatedly showing it during the same session.

Operation and expiration of sessionStorage:

SessionStorage is a browser technology that automatically expires when:

  1. The browser tab or window is closed.
  2. The browsing session ends.
  3. The browser is restarted.

This information does not persist between sessions and is not shared between different tabs, ensuring that each new visit starts with automatic system preference detection without any previously stored data on the device.

The primary legal basis for processing the necessary technical information is my legitimate interest (Art. 6.1.f GDPR) in:

  1. Providing a functional, secure, and high-performing web service.
  2. Protecting the intellectual property rights over the displayed photographic content.

This processing is always carried out under the principle of data minimization and by applying appropriate technical and organizational measures to ensure privacy.

3. Third-Party Services and Specific Processing

3.1 Cloudflare (Hosting, CDN, Security, and Cookie-less Analytics)

The website is hosted on Cloudflare's infrastructure (Cloudflare Pages) and utilizes its CDN and security services. The data processing performed by Cloudflare is based on my legitimate interest (Art. 6.1.f GDPR) to:

  • Ensure the technical security of the site and protect it against cyber threats.
  • Guarantee the availability and optimal performance of the service.
  • Provide a secure connection via SSL/TLS encryption.
  • Prevent fraudulent access and protect the integrity of the site.
  • Obtain basic aggregated metrics on website traffic (via Cloudflare Web Analytics) to understand its general use.

In this context, Cloudflare processes essential technical information such as the visitor's IP address, user agent data (browser/device), and connection metadata to route traffic, apply security rules, and mitigate attacks. This processing is indispensable for the service to function.

Cookies and local storage (Cloudflare): In line with its privacy-focused design, Cloudflare Web Analytics does not use cookies or local storage on the user's device to collect metrics. Occasionally, for specific security functions (such as advanced anti-bot protection), Cloudflare may need to set a strictly necessary cookie (e.g., __cf_bm), which is exempt from prior consent as it is essential for the protection of the service. You will find more information in the cookie policy section (Section 8).

International transfers: Cloudflare is a U.S. company. International data transfers (such as IP addresses) to the U.S. are conducted under the protection of Cloudflare's certification in the EU-U.S. Data Privacy Framework (DPF), which is recognized by the European Commission as a mechanism that offers adequate safeguards.

Data Processing Agreement: My relationship with Cloudflare is subject to its terms and a Data Processing Agreement (DPA) that governs its obligations as a Data Processor. You can find more information at the Cloudflare Trust Hub: www.cloudflare.com/es-es/trust-hub/gdpr

3.2 Smartframe (Image Protection)

I use the technology of SmartFrame Technologies Ltd. (UK) for the sole purpose of protecting my copyright over the displayed photographic works and ensuring their controlled viewing, preventing unauthorized use.

The information processing by SmartFrame necessary for this purpose includes technical data such as IP address and browser/device data to serve the protected image correctly. The legal basis for this processing is my legitimate interest (Art. 6.1.f GDPR) in safeguarding my intellectual property.

Deactivation of Analytics and Tracking: I have implemented technical measures (specifically, by setting the global variable window.__sfDisableTracking = true) documented by SmartFrame to disable its analytics and tracking functionalities by default. As a result, SmartFrame does not install cookies or use local storage on your device to track interactions or generate usage statistics on our website. Since this secondary processing is not performed, no additional consent is required for it.

International transfers: SmartFrame is based in the United Kingdom, a country with an EU Adequacy Decision. If SmartFrame uses sub-processors in other countries, transfers would be carried out under safeguards such as Standard Contractual Clauses (SCCs).

You can consult SmartFrame's general privacy policy (although its tracking functions are disabled here) at: https://smartframe.io/privacy-policy

3.3 Pirsch Analytics (Cookie-less Analytics)

To complement Cloudflare's aggregated metrics, I use Pirsch Analytics for simple, privacy-focused visit counting.

Own Proxy: For maximum privacy control and to avoid tracker blocking, requests to Pirsch are not sent directly, but through a proxy (a Cloudflare Function) that runs on my own domain.

Cookie-less: Like Cloudflare Web Analytics, Pirsch does not use cookies, generate user profiles, and anonymizes the IP address. Its use is based on my legitimate interest (Art. 6.1.f GDPR) to understand which content is most visited, without tracking individuals.

You can review their privacy policy at: https://pirsch.io/privacy

4. Data Retention Periods

In line with the minimization principle, processed technical data is retained only for the time strictly necessary to fulfill the described purposes.

Technical and Security Logs (Cloudflare): Information such as IP addresses and access logs managed by Cloudflare are generally retained for short periods (typically from a few days to several weeks, according to Cloudflare's internal policies) to ensure security, detect incidents, and comply with potential legal obligations. They are not stored indefinitely.

SmartFrame Data: Since analytics and tracking functions have been disabled, no persistent identifiers or interaction data associated with specific users are stored for these purposes.

Once the data is no longer necessary for the original purpose and there is no legal obligation to retain it, it is securely deleted or anonymized by our providers.

5. Security Measures

The security of the website is based on multiple layers of protection. The first layer consists of SSL/TLS encryption provided by Cloudflare, which ensures that all communications between the user's browser and the website are encrypted and secure. This is evidenced by the "https://" protocol and the padlock icon visible in the browser's address bar.

Cloudflare provides additional security measures including protection against Distributed Denial of Service (DDoS) attacks, a Web Application Firewall (WAF) that filters malicious traffic, and continuous threat monitoring systems. These measures are constantly updated to respond to new security threats.

The implemented static website architecture offers significant security advantages. By not using databases or dynamic server-side processing of information, a wide range of potential attack surfaces is eliminated. This architecture significantly simplifies the security model, as there are no entry points for SQL injections, Cross-Site Scripting (XSS) attacks, or other vulnerabilities common in dynamic websites.

For the protection of visual content, SmartFrame implements specific technologies that prevent the unauthorized copying of images and provide granular control over how content is shared and viewed. This additional security layer ensures the integrity and copyright of the visual content without compromising the user experience.

The website keeps all its security components updated and performs periodic checks to ensure that all protection measures are functioning correctly. These security practices align with current industry standards and best practices recommendations in web security.

6. Email Communication

The website provides an email address in the footer to contact me. This communication method is designed so that the user must use their own email service provider (such as Gmail, Outlook, or others) to send their messages. The website does not incorporate contact forms or direct message submission systems, thus ensuring that communication is established entirely through the user's email servers.

The privacy and security of email communications are subject to various factors that the user should consider. Firstly, they will depend on the security measures implemented by the user's chosen email provider and their corresponding privacy policies. Additionally, the level of privacy will be determined by the amount and type of information the user voluntarily decides to include in their message.

In this context, it is essential to understand that any personal information shared in email communications is done under the express responsibility and decision of the user. Therefore, it is recommended to include only the information strictly necessary for the purpose of the communication, carefully evaluating what personal data is shared in each message.

The links to social media and other external sites provided on the website operate under their own privacy policies. The processing of personal data on these platforms is governed exclusively by their terms, which may differ significantly from those applied here.

The user is strongly advised to consult and review the privacy policies of each external site before interacting with their services or providing personal data. This precaution applies to all external links mentioned on this site, including those of our providers mentioned in this policy.

In compliance with Article 22.2 of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE), and in line with the privacy principles of the GDPR, the use of cookies and similar technologies on this website is detailed below.

This website has been configured to minimize the use of cookies and similar technologies. Specifically:

  • We do not use cookies or local storage for analytical, advertising, tracking, or profiling purposes.
  • The analytics functions of our provider SmartFrame, which could use local storage, have been technically disabled via the configuration window.__sfDisableTracking = true;.
  • Basic traffic metrics are obtained through Cloudflare Web Analytics, a tool designed by Cloudflare that does not use cookies or local storage on your device to generate statistics.

Since we do not employ technologies that require your prior consent under the LSSI-CE, you will not find a cookie consent banner or panel on this site.

8.2. Potential Strictly Necessary Technical Cookies (Cloudflare)

To ensure the security, performance, and proper delivery of the web service, our infrastructure provider, Cloudflare, Inc., may occasionally need to install cookies that are strictly necessary from a technical standpoint.

Provider: Cloudflare, Inc. (USA)

Purpose: These cookies are essential for functions such as:

  • Identifying secure traffic and distinguishing between legitimate users and malicious bots (e.g., Bot Management).
  • Maintaining the integrity of the user's session against certain threats.
  • Optimizing network performance and load balancing.

Examples: A common example of this type of cookie is __cf_bm, used by Cloudflare's Bot Management service. Others may be used depending on active security settings and traffic conditions. (Note: The presence and exact name of these cookies may vary and may only be visible under certain conditions or in the production environment).

Legal Basis and Consent: As they are strictly necessary for the security and functioning of the service you request by browsing, these cookies are exempt from the obligation to obtain prior consent (according to Art. 22.2 LSSI-CE and the EDPB guidelines). We inform you of their potential use for transparency.

Duration: They are typically session or very short-duration cookies (e.g., __cf_bm typically lasts 30 minutes).

More Information: You can find information on how Cloudflare uses cookies in its official documentation (although the specific applicability to this site is limited to necessary ones).

Although this site is configured not to use cookies that require your consent, your browser allows you to manage and delete cookies stored by any website, including the strictly necessary ones that Cloudflare might occasionally use for the security of this site.

Generally, you can access these options in your browser's privacy and security settings. Within that section, look for options related to "Cookies" or "Site Data". There you will find controls to block them (fully or partially, such as third-party cookies) or to delete cookies already stored on your device. The exact steps may vary slightly between different browsers (such as Chrome, Firefox, Safari, Edge, etc.).

Please be aware that disabling essential cookies could affect the security or proper functioning of some websites, including this one.

9. User Rights

This website operates on the principle of data minimization, and I do not actively collect or store personally identifiable data from visitors through their browsing. The processed information is limited to technical data managed by our providers for security, operational, and content protection purposes, as described.

However, in compliance with the GDPR and the LOPDGDD, I acknowledge your rights in relation to personal data:

  1. Right of access: To know if data concerning you is being processed (primarily technical data like IP address during connection) and to obtain information about it.
  2. Right to rectification: To request the correction of inaccurate data (limited applicability in this context).
  3. Right to erasure ('right to be forgotten'): To request the deletion of data when it is no longer necessary (e.g., old logs), subject to legal retention obligations.
  4. Right to restriction of processing: To restrict processing under certain circumstances provided for in the regulations.
  5. Right to object: To object to processing based on legitimate interest (e.g., IP processing for security) on grounds relating to your particular situation, although this right may be limited if the legitimate interest prevails or is necessary for the defense of legal claims.
  6. Right to data portability: To receive and transfer your data (very limited applicability on this site, as there is no data actively provided by the user nor processing based on contract/consent).
  7. Right not to be subject to automated individual decision-making: Not to be subject to decisions based solely on automated processing which produce legal effects concerning you or similarly significantly affect you (not applicable on this website).

To exercise these rights, you can contact me as the data controller at the email address provided in the footer, specifying your request and attaching proof of identity. I will manage your request within a maximum period of one month from its receipt, to the extent applicable to the technical data processing performed, and will coordinate with my providers if necessary and possible.

The management of consents via a specific banner for cookies or local storage is not required, as, according to our current configuration and the design of the tools used (Cloudflare Web Analytics), we do not employ technologies that require such prior consent under the LSSI-CE. Only strictly necessary cookies for security may be used, about which you are informed in the Cookie Policy.

10. Supervisory Authorities

If you consider that the processing of your data (even technical data) may infringe the regulations, you have the right to lodge a complaint with the competent supervisory authority, in Spain, the Spanish Data Protection Agency (AEPD): www.aepd.es

11. Modifications and Contact

This policy may be updated as necessary to reflect changes in privacy practices or applicable regulations.

I will try to keep the links to the privacy policies of third parties (Cloudflare and SmartFrame) included in this document updated. However, since these policies are managed by their respective companies, it is recommended to always check the latest information directly on their official websites.

For any questions about this policy, you can contact me via the email in the footer.


Last updated: Oct. 27, 2025.