Skip to content

Privacy & Cookie Policy

Last updated June 2026. This policy explains what data this website collects, why, the legal basis, who processes it, and the rights you have over it.

This policy reflects the site’s actual data flows. It is provided in good faith but is not legal advice — review and adapt it for your jurisdiction (consider professional legal counsel) before relying on it.

Who we are & data-protection contact

This is the personal website of Shawn Tjai (“we”, “the site”), served at shawntjai.com. For any privacy question, request, or complaint, please use the contact form, or email the data-protection contact contact@shawntjai.com.

What we collect & why

  • Contact form

    When you use the contact form, we collect the name, email address, and message you enter, solely to read and reply to you. Your submission is sent to a Cloudflare Worker that verifies an anti-spam challenge (Cloudflare Turnstile) server-side and then relays the message to the owner’s inbox via an email provider. It is not stored in a database on this site — it exists only as the email delivered to the owner.

  • Analytics (only with your consent)

    We use Google Analytics 4 and Microsoft Clarity to understand how the site is used. These load only after you accept the analytics category in the consent banner; until then no analytics script runs and Google Consent Mode is set to denied by default. You can change your choice at any time via the Cookie settings control in the footer.

  • Cookieless web analytics (always on)

    Cloudflare Web Analytics measures aggregate page/visit counts. It sets no cookies, does not fingerprint you, and collects no personal data, so it runs without a consent prompt. It is disclosed here for transparency.

  • Security & delivery data

    As with any website, our host (Cloudflare) processes connection metadata such as your IP address to deliver pages, defend against abuse, and terminate TLS. This is the minimum necessary to operate the site securely.

Lawful basis

  • Contact form — your consent and/or our taking steps at your request to respond to you (GDPR Art. 6(1)(a)/(b)). You provide this data voluntarily to reach us.
  • Analytics (GA4 & Clarity) — your consent (GDPR Art. 6(1)(a)), captured via the consent banner. Withdrawable at any time.
  • Cookieless web analytics & security — our legitimate interest in operating and securing the site (GDPR Art. 6(1)(f)); no cookies are set and no personal profiles are built.

Retention

  • Contact-form messages are not stored by the site. The resulting email is kept in the owner’s mailbox only as long as needed to handle your enquiry, then deleted in the normal course.
  • GA4 / Clarity retain data per each provider’s configured retention (GA4 user-level data is set to the shortest practical window; Clarity recordings expire per Microsoft’s default, typically ~30 days).
  • Cloudflare Web Analytics holds only aggregate, cookieless metrics for a limited window; no per-visitor records.

Who processes your data

We rely on the following processors / sub-processors. We do not sell your data or use it for advertising profiling.

Processors and the data each handles
Processor Role Data handled Transfer
Cloudflare, Inc. Hosting (Cloudflare Pages), bot protection (Turnstile), cookieless Web Analytics, CDN/WAF/TLS. Page requests and IP (for security/CDN); Turnstile challenge signals; aggregate, cookieless analytics. Global edge network, including the United States.
Google LLC (Google Analytics 4) Aggregate, anonymised traffic measurement — loaded ONLY after you accept the analytics category. Pseudonymous usage events, approximate (IP-derived, then discarded) geo, device class, referrer. United States.
Microsoft Corporation (Clarity) Masked session replay & heatmaps — loaded ONLY after you accept the analytics category. Interaction patterns (clicks, scroll, layout) with ALL text and inputs masked — no typed content captured. United States.
Email delivery provider (e.g. Resend) Relays your contact-form message to the owner’s inbox. The message is not stored on this site. The name, email address, and message you submit, transmitted as an email to the owner. United States.
GitHub, Inc. (a Microsoft company) Source code hosting and CI/CD that builds and deploys the site. No visitor data flows here. None from visitors — repository content and build logs only. United States.

Session-recording disclosure

If — and only if — you accept analytics, Microsoft Clarity records anonymised session interactions (clicks, scrolling, mouse movement, and page layout) to produce heatmaps and replays that help improve the site. All text and all input fields are masked: Clarity is loaded with mask: true and maskAllInputs: true, so anything you type or read is never captured — only structural interaction. A short data-protection impact assessment for this processing is maintained in the project’s compliance docs.

International transfers

Some processors above are based in, or process data in, the United States. Where personal data is transferred outside your region, it is protected by appropriate safeguards — principally the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework — as set out in each provider’s data-processing terms.

Your rights

Subject to your local law (e.g. GDPR / UK GDPR), you have the right to:

  • Access — ask what personal data we hold about you.
  • Correction — ask us to fix inaccurate data.
  • Deletion — ask us to erase your data.
  • Restriction / objection — limit or object to certain processing.
  • Portability — receive your data in a portable form.
  • Withdraw consent — turn off analytics at any time via the Cookie settings control in the footer; withdrawal does not affect prior lawful processing.

To exercise any right, use the contact form or email contact@shawntjai.com. You also have the right to lodge a complaint with your local data-protection authority.

Cookies

The site is cookie-light by default. Only strictly-necessary state (e.g. your consent choice) is stored until you opt into analytics. For the full per-cookie breakdown — provider, purpose, and retention — and how to withdraw consent, see the cookie policy.

Changes to this policy

We may update this policy as the site evolves. Material changes are reflected in the “last updated” date above and, where they affect consent, by re-prompting via the consent banner.