Privacy Policy.
Plain language, not boilerplate. Here is exactly what happens to your data when you use this site.
Last updated: 8 July 2026. I may update this policy as the site evolves; the date above reflects the version in force, and material changes will be reflected here.
Who I am
I am Nijat Hummatović, an AWS Cloud & DevOps Engineer based in Italy, and I run this site as a personal and professional portfolio. Under the EU General Data Protection Regulation (GDPR) and the Italian Codice Privacy (d.lgs. 196/2003, as amended by d.lgs. 101/2018), I am the data controller for any personal data processed through this site.
Although this is a personal site, the GDPR applies because the site is publicly accessible, processes personal data from third parties (contact form submissions and CV requests), and serves a professional purpose. The obligations described here are proportionate to the minimal data the site actually handles.
You can reach me at any time at mail@hummatovic.com. Because I am an individual and not a company, I do not publish a physical address. My supervisory authority is the Garante per la protezione dei dati personali, the Italian data protection authority.
What this site does and does not do
This is a portfolio site with no backend database. It has no analytics, no advertising, no newsletter, no profiling, and no tracking of any kind. Form submissions are delivered to me by email only. Your theme preference (light or dark) and blog reading mode are saved in your own browser using local storage and are never transmitted to me. A small timestamp is also saved in your browser only to keep a reading-time note from appearing too often — it is not personal data and is never sent to me.
The site's own code does not set any cookies. Cloudflare, which hosts and serves the site, may set one or more strictly necessary cookies for security and performance. These include __cf_bm(bot detection, 30 minutes) and, when Cloudflare's challenge platform is triggered, cf_clearance. Cloudflare classifies all of these as strictly necessary for service delivery. Because there are no tracking or analytics cookies, no consent banner is required and none is shown.
A practical note: please do not include sensitive information in the contact form or the CV request form. Passwords, credentials, identity documents, payment details and similar data are never needed to reach me or to receive my CV. Including them creates an unnecessary risk for you and serves no purpose here.
Processing activities
Every way personal data passes through this site is listed below, with the purpose, the data involved, the legal basis, how long I keep it, and who receives it.
1. Contact form
When you use the contact form on /connect, you send me your name, email address, a subject, and a message.
Purpose: to let you reach me and to let me reply.
Data involved: whatever you type into the form (typically your name, email, subject, and message).
Legal basis: legitimate interest under Article 6(1)(f) GDPR. I have a legitimate interest in responding to people who contact me, and you set that process in motion by writing to me.
Retention: I keep the email in my inbox for up to 12 months after our exchange ends, then I delete it. I will delete it sooner if you ask.
Recipients:the email is sent via Amazon Web Services (SES) from the Frankfurt region (eu-central-1) and is routed through a Cloudflare Worker. For more detail on how each provider handles data, including processing they perform independently of my instructions, see the "Who else touches this data" section below.
2. CV request
When you request my CV through the /whoami page, you provide your name, work email address, company name, and optionally your phone number and a short note about the role. Only business email addresses are accepted (personal addresses like Gmail or Outlook are rejected), because the CV is intended for professional hiring contacts.
Purpose: to send you my CV and to keep a record of who I have shared it with. This form is for requesting my CV only: I never ask you to upload or send me your own CV through this site.
Data involved: your name, work email, company, and any phone number or role note you choose to include.
Legal basis: legitimate interest under Article 6(1)(f) GDPR. I have a legitimate interest in knowing who holds my CV, both to protect my personal data and to protect the CV as my own copyrighted work.
Retention: I keep the lead notification email for up to 24 months, then I delete it. I will delete it sooner if you ask.
Recipients:the CV is emailed to you via Amazon Web Services (SES) from the Frankfurt region. A copy of your details is also emailed to me so I know who requested it. A Cloudflare Worker handles the validation and routing, and Cloudflare Turnstile may run a bot check (see the next section). For more detail on how each provider handles data, see the "Who else touches this data" section below.
3. Spam and bot protection
Both the contact form and the CV request form include protections against spam and automated abuse.
Purpose: to stop bots from flooding the forms or using them to send spam.
Data involved: your IP address, cached very briefly for rate limiting. The contact form uses an invisible spam trap (a hidden field that bots fill in but humans never see) and a minimum fill time check. The CV form adds Cloudflare Turnstile, which processes your browser and interaction data to tell humans from bots.
Legal basis: legitimate interest under Article 6(1)(f) GDPR. Security of the site and protection against abuse.
Retention: where rate limiting is active, IP addresses are cached for up to 15 minutes and then automatically expire. No IP address is stored long term or placed in a database. Turnstile data is handled by Cloudflare under its own retention policies, described in the Cloudflare Privacy Policy. The minimum fill time check does not record any personal data; it only compares a client-measured timestamp, which is not stored.
4. Serving and securing the site
The site is hosted and served through Cloudflare.
Purpose: to deliver the site to you and keep it secure.
Data involved: your connection data and IP address, processed by Cloudflare as the host and content delivery network. Cloudflare may set one or more strictly necessary cookies (such as __cf_bm for bot detection) to protect the site from malicious traffic. These cookies are classified by Cloudflare as strictly necessary; none are used to track you across sites.
Legal basis: legitimate interest under Article 6(1)(f) GDPR.
Retention: transient and handled by Cloudflare under its own retention policies. For how Cloudflare processes data at the CDN level, refer to Cloudflare's privacy policy.
Who else touches this data
Two infrastructure providers are involved in delivering this site and its forms. Where they act as processors under my instructions (for example, sending an email I initiated, or running code I deployed), data processing agreements are in place. Where they operate their own infrastructure independently (CDN security, DDoS protection, service logging), their own privacy documentation applies:
- Amazon Web Services (AWS SES), Frankfurt region (eu-central-1): sends the contact form email to my inbox and sends the CV email to the address you provide. AWS processes email metadata for service operation and billing per its own retention policies. See AWS's GDPR compliance page.
- Cloudflare:hosts and serves the site (Cloudflare Workers, CDN, and DNS), runs the bot check on the CV form (Cloudflare Turnstile), and routes the form submissions. Because Cloudflare serves the whole site, it processes every visitor's IP address and connection data as the host. Cloudflare also processes cookie data in its US data centers by default. See Cloudflare's privacy policy and Cloudflare's DPA.
The destination inbox for form submissions is at my domain (mail@hummatovic.com). For security reasons the MX provider that hosts this inbox is not published here. If you need this information to exercise your data protection rights, email me and I will provide it.
International data transfers
Email content is sent through AWS SES from a Frankfurt, Germany region. However, form submissions first pass through a Cloudflare Worker, which may process data at Cloudflare data centers globally before reaching AWS SES. Cloudflare also operates a global CDN network and processes cookie data in the United States by default. AWS may access data for support purposes outside the EU.
Where that happens, the transfer is protected under the EU-U.S. Data Privacy Framework, to which both AWS and Cloudflare are certified, together with the EU Standard Contractual Clauses included in each provider's data processing agreement. These tools together mean your data receives GDPR-equivalent protection regardless of where it is routed. You can verify the current certification status of both providers on the Data Privacy Framework list. For the detailed terms, see AWS's GDPR compliance page and Cloudflare's Data Processing Addendum.
If I send you my CV
The CV I email you is both my personal data and my own copyrighted work, shared with you for a single purpose: to consider me for a role or opportunity. I ask that you keep it confidential, use it only for that purpose, do not publish it or pass it outside your own hiring process without my consent, and delete it once it is no longer needed. Its wording and layout are protected by copyright, so redistributing them is not yours to do. Once you hold my details, data protection law generally makes you their controller, responsible for handling them lawfully and not keeping them longer than needed.
Your rights
Under the GDPR you have the following rights:
- Right of access (Article 15): you can ask me whether I hold any of your data and, if so, get a copy of it.
- Right to rectification (Article 16): you can ask me to correct any inaccurate data I hold about you.
- Right to erasure (Article 17): you can ask me to delete your data.
- Right to restriction of processing (Article 18): you can ask me to limit how your data is used while a concern is looked into.
- Right to object (Article 21): because all processing on this site is based on legitimate interest, you have the right to object at any time. If you object, I will stop processing your data unless I can show compelling legitimate grounds that override your request.
The right to data portability (Article 20) does not apply here, because it covers only processing based on consent or a contract, and my legal basis is legitimate interest.
To exercise any of these rights, just email me at mail@hummatovic.com. I will respond within one month.
Providing your data is voluntary. If you choose not to provide it, the only consequence is that I cannot reply to your message or cannot send you my CV. There is no automated decision making and no profiling on this site.
If you believe I have not handled your data properly, you have the right to complain to the Garante per la protezione dei dati personali, the Italian data protection authority. You may also contact your local EU supervisory authority.
Photos on this site
The gallery on /whoami is personal: conferences, travel, colleagues, moments from my career. If you appear in a photo here and would rather it were not public, tell me and I will take it down or crop it, no questions asked. Reach me at mail@hummatovic.com.
No ads, no sponsorships, no paid mentions
Nothing on this site is sponsored. I do not run ads, use affiliate or referral links, or get paid to mention a tool, company, or person. Any external link or reference in a post is here because I found it useful or relevant, never because of a payment or partnership.
The design, code, and writing here
© 2026 Nijat Hummatović. All rights reserved. The visual design, source code, and blog writing on this site are my own work and are not open source or licensed for reuse. You are welcome to read, share a link, or quote a short passage with credit. Copying the design, code, or full posts elsewhere is not permitted without asking first. These terms are governed by the laws of Italy.