Privacy

What this site collects and why

axilog.io is a small documentation site for the Axioma framework. Its data handling reflects that scope: server access logs for operations and security, cookieless analytics for understanding how the documentation is used, nothing else. This page records what's collected, on what legal basis, how long it's kept, and what rights you have.

Last reviewed:

Spey Systems Ltd is the data controller for personal data processed through axilog.io. Operator details are on the Legal Notice; the registered company number is SC889983 and the Information Commissioner's Office registration number is ICO[TBC] (both pending confirmation at the time of writing).

For data-handling enquiries, including any of the rights described below, the contact route is security@speytech.com.

Two categories of data are processed when you visit axilog.io:

Server access logs. The web server (nginx) records each request to the site. Each log line captures: your IP address, the date and time of the request, the URL requested, the HTTP status code returned, the response size in bytes, the referring URL (if any), and your browser's user-agent string. This is the standard nginx combined log format. A second log captures the same data in a different layout for analysing search-engine and crawler traffic; the underlying fields are the same.

Cookieless analytics. The site uses a self-hosted Umami analytics instance at umami.speytech.com. Umami counts page views, referring sources, and user-agent categories without setting cookies and without forwarding personally identifying data. Unique-visitor counts are derived from a daily-rotated hash that cannot be linked back to an individual visitor.

That is the complete inventory. The site sets no cookies (see Cookies), uses no third-party analytics, uses no advertising trackers, runs no fingerprinting scripts, and operates no contact forms or accounts that would collect additional data.

Server access logs are processed under the legitimate interest basis (UK GDPR Article 6(1)(f)): the legitimate interest is operating the site securely, diagnosing technical issues, and maintaining audit-trail evidence of how published material has been accessed. The processing is limited to what's necessary for those purposes, the retention is short, and the data is not combined with other sources to build profiles of visitors.

Cookieless analytics are similarly processed under legitimate interest, on the basis that understanding which documentation pages are useful informs ongoing maintenance of the framework specifications. Because no cookies are set and no personally identifying data is captured, PECR consent requirements do not apply.

Server access logs are retained for 90 days and then automatically deleted by the system's log-rotation mechanism. No archive of older log data is kept.

Analytics data retained by the Umami server follows the retention policy configured on that server. The retention window is finite and aligned with the legitimate-interest purpose; Umami stores aggregated statistics, not per-visitor records that could be tied to an individual.

Access to server logs and the Umami analytics instance is limited to the operator (Spey Systems Ltd) and the hosting infrastructure on which the site runs. Logs are not shared with third parties, not sold, not used for marketing purposes, and not transferred outside the United Kingdom or the European Economic Area.

The site does not embed third-party services that would themselves receive visitor data — no Google Analytics, no social-media widgets, no advertising networks, no embedded video players. Outbound links to other sites are plain hyperlinks; clicking one is governed by that site's own privacy practices.

Under UK GDPR, visitors have rights to:

  • Access — request a copy of any personal data held about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of personal data where there is no overriding legitimate interest in keeping it.
  • Restriction — request that processing be limited in specific circumstances.
  • Objection — object to processing carried out under the legitimate-interest basis.
  • Portability — receive personal data in a structured, commonly used, machine-readable format.

In practice, because the site's data handling is limited to time-bounded server logs without any account or login context, the only data that could be identified as relating to a specific visitor would be log lines matching a known IP address within the 90-day retention window. Requests should be made to security@speytech.com with enough detail to locate the relevant records (typically the IP address used and an approximate date range).

If you have a concern about how Spey Systems Ltd handles your personal data, the first step is to contact us at security@speytech.com so the issue can be addressed directly. If the response is unsatisfactory, you have the right to lodge a complaint with the Information Commissioner's Office, the UK's independent data-protection regulator:

ico.org.uk/concerns — online complaint route.
ICO helpline: 0303 123 1113.

This notice is reviewed at least annually, and amended whenever the underlying data handling changes materially. The "Last reviewed" date at the top of the page records the most recent revision. Earlier versions of this notice can be requested by contacting Spey Systems Ltd at security@speytech.com.