Arts of Bodhi East Asian Buddhist art

Privacy

Published 9 May 2026

Arts of Bodhi is a static reading site. It carries no advertising, runs no client-side analytics, and sets no cookies. This page documents what is collected, by whom, on what legal basis, and how to exercise your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Dutch Uitvoeringswet AVG.

Data controller

Sam Shephard, independent editor, the Netherlands. The editor is the data controller for the purposes of GDPR Article 4(7). Contact details are on the contact page.

What is collected

Server access logs. Each HTTP request to the site is recorded by the hosting infrastructure for security, debugging, and aggregate traffic analysis. The recorded fields are: the requested path, the HTTP referrer, a user-agent class (browser family, not a unique fingerprint), the response status code, and the request timestamp. IP addresses are not retained beyond the rolling buffer the hosting provider uses for abuse mitigation — typically 24 to 72 hours, after which the IP field is truncated or discarded.

No analytics. No Google Analytics, Plausible, Umami, Matomo, or equivalent. No gtag, no Segment, no Mixpanel, no Hotjar, no Sentry, no session-replay or heatmap tooling.

No cookies. The site sets no cookies. The only persistent client-side storage is a single browser-local preference for the dark or light theme (localStorage["bodhi-theme"]). This is a reader-set preference, not transmitted to any server, and can be cleared from browser settings.

No third-party embeds. No YouTube, no Twitter, no social-media widgets, no live chat, no fonts loaded from a CDN. Typography is bundled and served from the site’s own origin.

No tracking pixels in the RSS feed.

Lawful basis

The minimal server access logging described above is processed under the legitimate-interest basis of GDPR Article 6(1)(f) — the legitimate interest being to operate, secure, and maintain a public reading site. The processing is necessary, proportionate, and balanced against reader expectations (no profiling, no commercial use, no third-party transfer).

Reader-initiated correspondence (emails to the editor, GitHub issues, takedown requests) is processed under Article 6(1)(b) — necessary to respond to the reader’s request — and where applicable, Article 6(1)(c) where a legal obligation applies (rights-holder takedown notices).

Retention

  • Server access logs: retained for up to 30 days, then aggregated or discarded. IP addresses truncated or discarded within 72 hours.
  • Reader correspondence: retained for as long as the matter is open, plus a reasonable archival period (typically two years) for editorial audit purposes. On request, sooner.
  • Theme preference (localStorage): persists until you clear it; never leaves your browser.

Third parties

The site is served from a static-hosting provider. The provider has access to server access logs as described above; their own data-processing practices are governed by their published terms. Outbound links to museum collections, Wikidata, GitHub, and primary-text repositories are explicit and labelled — visiting those linked pages is governed by their privacy practices, not bodhi’s.

The site does not transfer reader data to any party for marketing, advertising, profiling, or commercial purposes.

International transfers

Static site content is delivered through a content-delivery network with edge nodes in multiple jurisdictions. Cached HTML and image assets are the only data on those edges; no personal data is transferred for storage or processing outside the EEA.

Your rights

Under GDPR Articles 15–22, every reader resident in the EEA has the right to:

  • Access any personal data being processed (Article 15).
  • Rectification of inaccurate personal data (Article 16).
  • Erasure (“right to be forgotten”) (Article 17).
  • Restriction of processing (Article 18).
  • Data portability (Article 20).
  • Object to processing on legitimate-interest grounds (Article 21).

To exercise any of these rights, write to the editor via the contact page. The standard response time is 30 days, as required by Article 12(3); shorter in practice. Identity verification may be requested where the request is non-trivial.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) if you believe the processing of your data infringes the GDPR.

Children

The site is a public reference resource and does not knowingly process the personal data of children under 16. No registration, account, comment system, or upload mechanism is offered.

Changes to this notice

Material changes are noted by updating the last updated date at the top of this page. Substantive revisions are also logged in the colophon acknowledgments section.

Contact

Editorial, rights-holder, or privacy correspondence: see the contact page for routing of GDPR data-subject requests, image-rights takedowns, and editorial corrections.