simcreatio / 심크리티오 (the “Site”) is a website where JaeKyeong Sim / 심재경 publishes projects and blog posts under the brand name "simcreatio" / "심크리티오". This Privacy Policy describes the limited categories of personal data that are processed in connection with the Site, in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the U.S. Children's Online Privacy Protection Act (COPPA), and other applicable laws.
1. Identity of the Data Controller
The data controller responsible for the processing of your personal data is:
- Operator: simcreatio / 심크리티오 (JaeKyeong Sim / 심재경)
- Email: [email protected]
The Site is operated by a single individual; no separate Data Protection Officer (DPO) is appointed. The controller above directly handles all data subject requests.
2. Categories of Personal Data Processed
The Site processes only the limited categories of personal data necessary to provide engagement features. The Site does not offer user registration, does not operate its own email server, does not display advertising, does not use Google Analytics or any other behavioral analytics tool, and does not collect payment information.
| Category | Description |
|---|---|
| Comment content | Free-form text voluntarily entered by visitors. Comments are always posted anonymously; no name, email, or contact information is collected as part of the comment feature. |
| Anonymous identifier | A one-way cryptographic value derived from a random per-visitor token combined with connection metadata. By itself, this value cannot be used to identify a natural person. |
| Connection data | IP address and browser information used solely to compute the anonymous identifier and to enforce rate limiting. The raw IP and browser values are discarded immediately and are not stored on the Site's servers. |
| On-device storage | Two values stored in the visitor's browser: a random per-visitor token and the selected interface language. These values are stored on the visitor's device only and are not transmitted to the Site's servers as identifiers. |
The Site does not knowingly process special categories of personal data under GDPR Art. 9 (e.g., race, religion, political opinions, health, biometric, genetic data, sexual orientation).
3. Purposes of Processing
The Site processes personal data for the following purposes:
- Operation of engagement features — likes, comments, follows.
- Prevention of abuse — blocking automated bots and limiting flooding by the same visitor.
- Persistence of language preference — remembering the visitor's selected interface language.
The Site does not engage in profiling or automated decision-making with legal or similarly significant effects under GDPR Art. 22.
4. Legal Basis for Processing (GDPR)
For visitors located in the European Economic Area, the United Kingdom, or Switzerland, the Site relies on the following lawful bases under GDPR Art. 6:
- Legitimate interests (Art. 6(1)(f)) for operating engagement features and preventing abuse, balanced against fundamental rights through immediate hashing of raw connection data and storage of only an anonymous identifier.
- Consent (Art. 6(1)(a)) for the voluntary submission of comment content. Consent may be withdrawn at any time by deleting the comment.
5. Recipients of Personal Data
Personal data is shared only with the following recipients, acting as processors under contractual safeguards:
| Recipient | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Bot mitigation (Turnstile), CDN delivery, IP-based abuse prevention | United States |
| Supabase, Inc. | Hosting of comment, like, and follow records (Postgres database and storage) | United States |
| Google LLC | External "Subscribe to updates" form (Google Forms), reachable from project and blog detail pages | United States |
Personal data is not sold, rented, or shared with third parties for marketing purposes. Under the CCPA/CPRA, the Site does not "sell" or "share" personal information as those terms are defined; the Global Privacy Control (GPC) signal is treated accordingly.
6. International Transfers
The processors listed above are located in the United States. When personal data is transferred from the EEA, the United Kingdom, or Switzerland to the United States, the Site relies on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by encryption in transit (TLS 1.3 or higher) and minimization through anonymization (only an anonymous, one-way transformed identifier is persisted).
The Site loads typefaces from Google Fonts, which may transmit the visitor's IP address to Google as part of the font request.
7. Retention
| Data | Retention period |
|---|---|
| Comment content | Until the service ends or the visitor deletes the comment |
| Likes and follow records | Until the service ends or the visitor reverses the action |
| Anonymous identifier | Until the service ends |
| Rate-limit counters | Refreshed automatically on a 60–300 second sliding window depending on the action |
| On-device storage | Until cleared by the visitor through browser settings |
The Site does not operate a separate automatic deletion mechanism beyond the rate-limit window. Other retention is governed by the platform-log policies of the processors.
8. Your Rights
Subject to applicable law, you have the following rights with respect to your personal data:
- Access (GDPR Art. 15) — to obtain confirmation of whether personal data is processed and to receive a copy.
- Rectification (GDPR Art. 16) — to have inaccurate personal data corrected.
- Erasure (GDPR Art. 17) — to have personal data erased, subject to legal limits.
- Restriction (GDPR Art. 18) — to limit processing in certain circumstances.
- Portability (GDPR Art. 20) — to receive personal data in a structured, machine-readable format.
- Objection (GDPR Art. 21) — to object to processing based on legitimate interests.
- Withdraw consent (GDPR Art. 7) at any time without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority (e.g., your local data protection authority in the EEA/UK; the Personal Information Protection Commission in Korea — privacy.go.kr · 1833-6972; the California Attorney General — oag.ca.gov/privacy/ccpa).
California residents may additionally exercise the rights to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information under the CCPA/CPRA without discrimination. Requests may be sent to the contact in Section 11.
9. Children's Privacy
The Site is not directed to children under 13 (or under 16 in the EEA, where applicable) and does not knowingly process personal data of children. The Site does not require account creation, and the comment feature collects no name, email, or age. If you believe that personal data of a child has been provided to the Site, please contact the controller in Section 11 for prompt removal.
10. Security Measures
The Site implements the following technical and organisational measures to protect personal data:
- Operational minimisation: a single individual operates the Site; access to personal data is limited to that individual.
- Encryption in transit: all communications use HTTPS (TLS 1.3 or higher).
- Anonymisation at ingestion: where visitor identification is required for engagement features, only an anonymous, one-way transformed identifier is stored; raw IP and browser values are discarded immediately.
- Access control: database access is governed by Postgres Row Level Security (RLS) with a default-deny policy; service-role keys are never exposed to client environments.
- Bot mitigation: Cloudflare Turnstile blocks automated abuse before requests reach the Site's backend.
- Reliance on processors' physical security: the Site does not operate its own data centre and depends on Cloudflare (ISO/IEC 27001 and SOC 2 certified) and Supabase (SOC 2 certified) for physical and platform-level security.
11. Contact and Complaints
Requests under this Privacy Policy and inquiries about data processing may be sent to:
- Operator: simcreatio / 심크리티오 (JaeKyeong Sim / 심재경)
- Email: [email protected]
You may also lodge a complaint with the supervisory authority of your habitual residence (in the EEA), the Information Commissioner's Office (in the United Kingdom), the Personal Information Protection Commission (in Korea — privacy.go.kr · 1833-6972), or the California Attorney General (in California — oag.ca.gov/privacy/ccpa).
12. Changes to This Privacy Policy
This Privacy Policy may be updated to reflect changes in legal requirements or in the operation of the Site. Material changes will be announced on the Site at least 7 days before they take effect, and 30 days before for changes that materially affect data subject rights. The "Last Updated" date at the top of this document will be revised accordingly.
References
- General Data Protection Regulation (Regulation (EU) 2016/679) — Articles 12, 13, 14, 15–22, 28
- California Consumer Privacy Act / California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.)
- Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506)
- Korean Personal Information Protection Act