Press "Enter" to skip to content

Privacy Policy

Important

Privacy Policy – The Reasonable Adjustment

Privacy Policy

Last updated:

Recent changes (14 January 2026): Added Formspree (contact forms), Google Search Console Insights, and Bing Webmaster Tools (aggregated search reporting). Removed WebGL from fingerprinting signals.

Important: This website is not designed to process or securely handle special category data such as health conditions, disability related information, or medical history. If such information is submitted by mistake, it will be securely deleted.

In exceptional circumstances, and only with your explicit written consent, I may handle special category data, for example if you explicitly ask me to advocate on your behalf. This is rare and handled under strict safeguards, with consent recorded in writing. For clarity, I am not a solicitor and nothing on this website or in my advocacy should be regarded as the provision of regulated legal services under the Legal Services Act 2007.

1. Who I am (Controller)

I am Kieron JH, founder of The Reasonable Adjustment. I act as the data controller for this site.

Contact: [email protected]

Note: I am not required to appoint a Data Protection Officer under UK GDPR. Use the email above for privacy queries.

2. What this policy covers

  • What personal data I collect
  • Why I collect it
  • How I use it and the lawful basis
  • Who receives it and international transfers
  • How long I keep it
  • Your rights and how to exercise them

3. Data I collect

  • Contact (direct), name and email address, when you contact me by email
  • Contact forms (Formspree), name, email address, message content, and technical metadata associated with submitting the form (for example IP address and user agent)
  • Technical and security, passive fingerprinting and telemetry signals, for example browser, OS, screen, user agent, visibility state, IP address, ASN and organisation name, country or region, Cloudflare PoP or colo, protocol or TLS details, requested URL
  • Analytics, page views, referrer, time on site, via Plausible, cookieless and aggregated
  • Search visibility reporting, aggregated search performance and query trends via Google Search Console, Search Console Insights, and Bing Webmaster Tools

I do not seek special category data. If you send it inadvertently, I will delete it unless you have explicitly asked me to process it for advocacy and provided written consent.

4. Fingerprinting, analytics, and webmaster reporting

I use passive fingerprinting to monitor traffic patterns and enhance security. This does not rely on cookies and is used strictly for security and accountability purposes.

I use Plausible Analytics (EU-hosted, cookieless) for aggregated usage statistics only.

I use Google Search Console and Search Console Insights to understand how the site appears in Google Search and how content performs in aggregate (for example clicks, impressions, and broad query trends). This is reporting about the site, not advertising profiling of visitors on this website.

I also use Bing Webmaster Tools for similar aggregated reporting and diagnostics relating to Bing search visibility and indexing.

See the Legitimate Interests Assessment (PDF) for details of the balancing test.

Clarity on fingerprinting: fingerprinting is strictly for security, cookie-free, and limited to technical signals. No advertising profiles are created. Signals are minimised, rotated, and retained for 6 months, longer only where there is a reasonable concern as described below.

5. Security and edge logging

This site uses Cloudflare security services to protect against abuse and suspicious traffic. When you access the site, Cloudflare provides technical metadata, including IP address, ASN or organisation, country or region, Cloudflare PoP or colo, and protocol or TLS details, used to detect hostile patterns and protect the service.

This information is used exclusively for:

  • Detecting and delaying automated scanning or hostile requests
  • Presenting interstitial notices to flagged IP addresses or ASNs
  • Maintaining security and accountability, including Discord webhook alerts to the site operator

Lawful basis: legitimate interests, UK GDPR Article 6(1)(f), maintaining the security and integrity of this website and protecting against abuse.

Retention: security logs and webhook alerts are typically retained for up to 6 months.

Third parties: Cloudflare for security and performance, and Discord for delivery of webhook alerts, may process this technical information in line with their own privacy notices.

6. How I use data, purposes and lawful basis

Purposes and lawful bases
Purpose What is processed Lawful basis
Security and abuse prevention, including tarpits or interstitials and Discord alerts IP, ASN or organisation, country, user agent, Cloudflare PoP or colo, TLS or HTTP, requested URL, passive fingerprint signals Legitimate interests, site security and integrity
Analytics, service improvement Aggregated, cookieless analytics via Plausible Legitimate interests, audience measurement without cookies
Contact and enquiries (direct email) Name, email, message content Legitimate interests, responding to queries, or performance of a contract where applicable
Contact form handling (Formspree) Name, email, message content, and technical metadata for submission (for example IP address and user agent) Legitimate interests, responding to queries, or performance of a contract where applicable
Search visibility reporting, understanding how content performs in search Aggregated search performance reporting and query trends via Search Console, Search Console Insights, and Bing Webmaster Tools Legitimate interests, improving content discoverability without advertising tracking
Advocacy by explicit request Only what you provide, may include special category data Explicit consent, Article 9(2)(a)

6a. Use of AI tools, ChatGPT and similar

To help me draft and manage correspondence, I sometimes use third party AI services, including OpenAI’s ChatGPT. This is part of how I manage my work effectively as an autistic person, so I can maintain productivity and respond clearly.

  • What is processed: the content of emails or messages you send me, including names, contact details, and any information in your message. I minimise or redact identifiers where possible, and I do not intentionally submit special category data, for example health or disability details.
  • Lawful basis: legitimate interests in responding to enquiries efficiently and clearly, and in ensuring I can maintain productivity and accessibility in communication.
  • International transfers: AI providers may process data outside the UK, for example in the United States. Where this occurs, transfers rely on recognised safeguards such as the UK-US Data Bridge or Standard Contractual Clauses.
  • Model training: I configure AI tools not to use your data for training where that option exists. If using consumer services where training cannot be disabled, I avoid sending personal data.
  • Human oversight: AI outputs are always reviewed and edited by me before being used. No decisions with legal or similarly significant effects are made by AI alone.
  • Retention in AI tools: I keep ChatGPT conversations only while they remain relevant to an active matter, and in any event no longer than 12 months. For sensitive topics I use temporary chat modes or disable chat history. These modes instruct the provider to retain the conversation only briefly for safety and abuse prevention before deletion.

7. Cookies and tracking, PECR

This website does not set non-essential cookies and does not use advertising pixels. Security fingerprinting runs without cookies and is necessary to provide the service. Analytics is cookieless and aggregated (via Plausible), and we do not store or read information on your device for advertising purposes.

Search Console, Search Console Insights, and Bing Webmaster Tools provide reporting about site visibility and performance in search. They are not used on this website to run advertising tracking or set marketing cookies.

8. Automated decision making

Basic automated rules may temporarily delay or interpose pages for traffic that appears hostile, for example visits from flagged ASNs. This profiling is solely for security, does not produce legal or similarly significant effects, and you may request a manual review. If you believe you were incorrectly flagged, contact [email protected] for a manual review.

9. Who receives data, processors and recipients

  • Cloudflare, Inc., security and performance services, processor.
  • Plausible Analytics, EU-hosted, cookieless analytics, processor.
  • Formspree, Inc., contact form delivery and storage, processor.
  • Google, Search Console and Search Console Insights (aggregated reporting about search visibility), independent provider.
  • Microsoft, Bing Webmaster Tools (aggregated reporting about search visibility and indexing), independent provider.
  • Discord, delivery of webhook alerts, independent service provider or recipient in the US.
  • OpenAI, provider of ChatGPT, used to assist with correspondence, processor or recipient.

I do not sell or rent your data.

10. International transfers

Data is primarily processed within the UK. Some processing involves trusted third parties:

  • Cloudflare, security services using a global network, including the EU and US, under recognised safeguards.
  • Plausible Analytics, hosted in the EU, Germany, processes aggregated, cookieless analytics.
  • Formspree, may process form submission data outside the UK depending on provider infrastructure and configuration. Where this occurs, transfers rely on the UK-US Data Bridge or Standard Contractual Clauses under the provider terms.
  • Google, Search Console and Search Console Insights may involve processing outside the UK. Where this occurs, transfers rely on recognised safeguards such as the UK-US Data Bridge or Standard Contractual Clauses, depending on the service setup and provider terms.
  • Microsoft, Bing Webmaster Tools may involve processing outside the UK. Where this occurs, transfers rely on recognised safeguards such as the UK-US Data Bridge or Standard Contractual Clauses, depending on the service setup and provider terms.
  • Discord, webhook alerts may be processed in the US. Where available, transfers rely on the UK-US Data Bridge, the UK extension to the EU-US Data Privacy Framework. Otherwise, appropriate safeguards such as Standard Contractual Clauses apply under the provider terms.
  • OpenAI, AI service provider based in the US. Transfers rely on the UK-US Data Bridge or Standard Contractual Clauses.

11. Your rights, UK GDPR

You have the rights of access (SAR), rectification, erasure, restriction, portability, and objection, including objections to processing based on legitimate interests. You may withdraw consent at any time where consent is the basis. I will respond within one month, extensions only where permitted for complex requests. I may request information to verify your identity.

How to exercise your rights: email [email protected].

Complain to the ICO: If you are unhappy with my response, you can complain to the Information Commissioner’s Office, ICO, at ico.org.uk/make-a-complaint/.

If a request is manifestly unfounded or excessive, I may refuse it or charge a reasonable fee as permitted by law, and if so, I will explain why.

12. Retention

  • Routine correspondence: up to 12 months, unless you ask for deletion sooner.
  • Form submissions (Formspree): up to 12 months, unless you ask for deletion sooner. Depending on configuration, submissions may be stored in Formspree’s dashboard as well as delivered to my email. I delete them when no longer needed.
  • AI assistance records: ChatGPT conversations are kept only while relevant to the active matter, and in any event no longer than 12 months. For sensitive topics I use temporary chat modes or disabled chat history, and the provider keeps such conversations only briefly for safety and abuse prevention before deletion. Any files uploaded to AI tools for drafting are deleted once no longer needed.
  • Security or fingerprinting and webhook alerts: typically 6 months.
  • Extended retention for security: security or fingerprinting alerts may be kept longer where there is a reasonable concern, for example investigation of abuse, repeated hostile activity, or the establishment, exercise, or defence of legal claims. I review necessity and delete when no longer needed.
  • Special category data, by explicit request: only as long as necessary to fulfil your request, then securely deleted.

13. Data security

I use HTTPS, reputable providers, and role limited access. I enforce two factor authentication on provider accounts, including AI tools, hosting, and email. Devices are locked and encrypted. Reasonable steps are taken to protect data from loss, misuse, or unauthorised access. If sensitive data is received in error, it will be securely deleted.

14. Children

This site is not intended for children, and I do not knowingly collect children’s data.

15. Changes to this policy

This policy may be updated periodically. The most recent version will always be published on this page.

16. Secure submissions (Whistleblower tool and PGP encryption)

If you need to send highly sensitive information, for example health, disability, or criminal justice details, you have two secure options:

  • Easy encrypted submission: Use the TRSA Secure Whistleblower Tool. No tech skills needed, just type or paste your message, click a button, and copy the encrypted result to email. No accounts, no setup, just instant privacy.
  • PGP email encryption: If you already use PGP, you can encrypt your message to my public key and email it to [email protected].

    Show PGP Public Key 
    -----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGjgzEoBCAC1f7v296odbZkd/1YcRWq5nF89vcbgssfwTUn/ljpmWA4fbTew
gqVI1My8FQfaeAKNK6ItMDy6bX9H3Ks6cwYT/sMbI3qX9bl6TgpL3cSLsclLwhv+
ilhRTPkEt1d1VoiWpKFNdYme32D4mUQ7bkGSkLBLUvQuhhXlmVz6Oz/4W/0lSXYS
mABUPPr/VVTYIOCPkUsxO35YmoOZFohZSBwjNo0qA4huMlle+mKYiYu/ApE1Yl+B
BAFITuafDD8hJyXnQVsIY4M79kNP0mef9hxJLkV/RL0IN+D6pD8/0Gn9/FO755eg
Com6UQUbmvJUy7c4h64p4uCcs51liUME2t2RABEBAAG0QlRoZSBSZWFzb25hYmxl
IEFkanVzdG1lbnQgPGFkdm9jYWN5QHRoZXJlYXNvbmFibGVhZGp1c3RtZW50LmNv
LnVrPokBTgQTAQgAOBYhBMwbkJWq1QzDjLZ8QrbuO4b5qZmJBQJo4MxKAhsDBQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELbuO4b5qZmJgQsIAKMqO7Lc4ytTC93r
nnJyJR/vtk/+IRiOCMf5mdyqB3fcUzFbvsTN1t7Ybl8eUITOqKW67SpVUrN6LmqK
bvKb4mcE6tNE9iWXm7dVNzmmKRm5dgWRYXrtcfLz5h2BpqyxQ08ZQTCyBvOmXDG7
JS7BSCo+GNMEjxf4zYg/dkdJI3IXWtRLW3Ul1kLo/pennKe99D6arYQJyMQp/pUF
O6WfWCCUxuYnTbafJVhUpxxvgr5ss+dEfxKUTicHWN310h5QK3Si1R6fcvyawxh1
0Rtxz5Ng4I/pohlXtAUw7rB2NnPqlLADcsyPFrkMslhQ+FLyp1BvCXeRSXef8Mj3
eiu1joS5AQ0EaODMSgEIAMmGeDOV+psOf1XakNqDZackakFn9n3braG0GemtMsSK
qBaN86wRVJ4Wm+OkxkDnX6WdH7FZvwAA0qDylRdgXwyLlaHTPtMkvSYDMBLd/Ejb
0kOAng3s0WXMgHmM2IPAg9WA6/jBANFAtJT5a5qxQnFtVPhh3yi/y6KSPdbW3PyY
KpPA030kGFULX6N/4M+TZx09rONJsTtqGPOUl7kpYjLydy1yGT1PIvnDcvq8h3Gm
ONlBp3X89g7MGefkozqNSc+hwKXLw3Chn2sOWi8KDf4E4+m0E2p9eF6tylew9tjV
ZYM1rPb+QPgll3ifY2mhMMzeQP0AOcNN1y2vllzPz0cAEQEAAYkBNgQYAQgAIBYh
BMwbkJWq1QzDjLZ8QrbuO4b5qZmJBQJo4MxKAhsMAAoJELbuO4b5qZmJRBcH/ji8
ynCJVBxFAzMUc96krzlfbLo8oJmImmy19oUWvqDHW626kgveZPfjvtQc+iGqhQd9
iJG2IB2yRic2jqvQvqiGccxaKHKND6oTlyW4q9dwZaaTUvtshulICBeIpknyeFB0
sXaUEwcm/XcjtnB+IH6+kZemAWPLrT9gofw/puUnLbmbPv57cu42ocEsw9tJl4gG
Pg9BuLPTkDIjBKHD9UK+rCf8/CrP457cFH0XmojoepPNn/YA6V+cvqaz31IwK+bO
qXw+ZNmwYqEHxo9jqzsA2HrkzBvPtlZdGzzUGzWyH75kQAPI9MNL89xqqb6XoqVu
oDIDOw3/+G60wWUgwHE=
=u8MU
-----END PGP PUBLIC KEY BLOCK-----

If you have questions or concerns, please get in touch. You deserve to know exactly how your information is handled and that it is treated responsibly.

Comments are closed.