Effective date: 2026-01-29
This Privacy Notice explains how Tombert’s Blog (“the Site”) handles personal data. It applies to visitors and to anyone who posts comments.
1) Who is responsible for your data
Controller: Tombert (operator of “Tombert’s Blog”)
Contact: Contact
2) What data the Site stores for comments
When you submit a comment, the Site stores only:
- Display name (may be a pseudonym)
- Comment text
- Timestamp (date/time the comment was published)
- Tripcode (a derived pseudonymous identifier, if you choose to use it)
If you provide a trip secret, the Site generates a tripcode from it. The trip secret itself is not stored.
Do not use a real password as a trip secret.
Tripcodes are pseudonymous identifiers and are not verified identity.
No email address is required for commenting, and the comment system does not store email addresses.
3) How and why comment data is used
Comment data is used to:
- Publish and display comments on the Site
- Maintain discussions (thread context, archives)
- Moderate comments and prevent spam/abuse
- Operate and troubleshoot the comment feature (e.g., backups, migrations, bug fixes)
- Provide a consistent pseudonymous identifier for commenters who choose to use tripcodes
4) Legal basis (GDPR/UK GDPR, where applicable)
Where GDPR/UK GDPR applies, comment data is processed on the basis of legitimate interests: running a comment feature and keeping the Site safe and usable.
Legitimate interests pursued: operating a public comment feature, preserving discussion context, and protecting the Site from spam and abuse.
5) Where data is stored and processed
The Site is hosted using Cloudflare Pages and Cloudflare Workers, and comment data is stored in Cloudflare D1 (SQLite).
Cloudflare is a US-based provider, and Cloudflare may process data in the United States and other countries as part of providing these services.
International transfers: Where GDPR/UK GDPR applies, Cloudflare provides a Customer Data Processing Addendum (DPA) and Standard Contractual Clauses (SCCs) intended to provide appropriate safeguards for international transfers where required. See:
6) Retention
Comments are retained indefinitely (potentially forever) to preserve the continuity and integrity of public discussions, unless:
- a comment is removed through moderation, or
- a valid removal request is processed as described below.
7) Sharing and disclosure
- Comments are public by design: anything you post may be visible to visitors.
- Comment data is shared with service providers only as needed to run the Site (for example, Cloudflare for hosting/infrastructure and anti-abuse services).
- The Site does not sell comment data.
8) Your choices
- Use a pseudonym if you prefer not to post under your real name.
- Do not include sensitive or identifying personal information in a comment unless you want it to be public.
- Do not post someone else’s personal data without their permission.
9) Your rights (GDPR/UK GDPR, where applicable)
Depending on your location and the circumstances, you may have rights to:
- Access the personal data the Site holds about you
- Correction
- Deletion (erasure) in certain cases
- Restriction of processing in certain cases
- Objection to processing based on legitimate interests
- Complaint to your local data protection authority
Some rights are not absolute, and requests may be limited by legal exceptions and competing rights/interests (including preserving discussion context).
10) How to request deletion or access (best-effort identification)
Because the comment system does not require accounts or email addresses and stores only a display name, comment text, and timestamp, the Site may not be able to verify with certainty that a requester is the original commenter in every case.
If you want a comment removed or want to exercise data rights, contact Contact and include:
- the URL of the post.
- the display name used.
- the exact comment text (or a short excerpt) so the comment can be located reliably.
- the tripcode (if applicable).
Verification approach: Tombert will take reasonable steps to confirm the request is legitimate and to avoid deleting or disclosing someone else’s information. If there are reasonable doubts about identity or which comment is being referenced, Tombert may request additional details necessary to locate the correct comment, or may be unable to act on the request.
How deletion is handled: Where possible, deletion may be performed by removing the comment entirely or by anonymising it (for example, replacing the display name with “[deleted]” while removing the text), depending on what best preserves discussion integrity and safety.
11) Cloudflare Turnstile (anti-spam / abuse prevention)
The Site uses Cloudflare Turnstile on the comment form to reduce spam and automated abuse.
When you interact with the Turnstile-protected form, Cloudflare processes certain client-side signals to distinguish humans from bots. Cloudflare states these signals may include items such as client IP address, TLS fingerprint, User-Agent header, and the sitekey/origin associated with the widget.
Cloudflare explains that Turnstile’s signals are processed to detect and block bots, and (separately) may be processed to improve Turnstile’s bot detection. Cloudflare also describes different roles depending on purpose (e.g., acting as a processor for bot-protection on behalf of the site operator, and as a controller for improvement of Turnstile).
For Cloudflare’s own disclosures about Turnstile (including any cookie-related details) and how Cloudflare handles this processing, review:
Tombert’s Blog does not store Turnstile signal data (such as IP address) as part of the comment record; Turnstile processing is performed by Cloudflare as part of providing the anti-abuse service.
12) Children
The Site’s comment feature is not intended for anyone under 18. If you believe someone under 18 has posted personal data, please contact Contact.
13) Changes to this notice
This notice may be updated from time to time. The effective date at the top reflects the latest version.