Last updated · 2026-04-23

Privacy

I keep this site small and your data handling simple. This page tells you exactly what is collected, why, how long it sticks around, and how to make it stop. If anything here is unclear, write to me at the address in the box below — I read that mailbox personally.

1. Who runs this site

Operated by
Tomislav Ivanović
Based in
Serbia
Contact
privacy@cloud-lord.com

I am the data controller for everything on cloud-lord.com. There is no company behind this site, no co-controllers, and no third-party processors beyond the hosting provider described in Section 10.

2. What data is collected

When you visit with analytics consent enabled, a self-hosted Matomo instance records:

  • Pageviews — which pages you opened and in what order
  • Referrers — the link or search result that sent you here (if any)
  • Country — derived from an anonymized IP (the last two bytes are stripped before storage)
  • Device basics — screen size, browser name, operating system family
  • Session duration — how long the visit lasted

That is the entire list.

3. What is NOT collected

To be explicit about what this site does not do:

  • No names, email addresses, or user accounts — there are no logins on cloud-lord.com
  • No advertising trackers, pixels, or fingerprinting
  • No cross-site tracking — analytics cookies are first-party only and scoped to this domain
  • No data sold, shared, or handed to any third party — not advertisers, not data brokers, not “analytics partners”
  • No heatmaps, session replay, or form analytics — these plugins are disabled on the Matomo server
  • No tracking before you consent — nothing loads, no cookies are set, and no requests go to the analytics server until you accept the banner

4. Cookies used

Only three cookies are set, all first-party, all from the analytics tool. They are set only after you click Accept on the consent banner.

NamePurposeLifetime
_pk_idPersistent visitor ID — groups your visits so repeat visits don't count as new visitors13 months
_pk_sesActive session marker — tells Matomo the current visit is still ongoing30 minutes
_pk_refRemembers which referrer brought you to the site originally6 months

No other cookies are set by this site. If you clear these three in your browser, you are fully detached from any existing analytics record.

5. Legal basis

This site has visitors from both Serbia and the EU/EEA, so both legal frameworks apply. In both jurisdictions the basis is the same: your explicit consent, given through the banner.

Visitors in Serbia
Processing is based on your unambiguous consent under the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti). You can withdraw that consent at any time using the controls in Section 7 below, and withdrawal is as easy as giving it.
Art. 12 ZZPL — consent
Visitors in the EU / EEA
Processing is based on your freely given, specific, informed, and unambiguous consent under the General Data Protection Regulation. The same withdrawal controls in Section 7 apply, and withdrawing consent does not affect the lawfulness of processing before the withdrawal.
Art. 6(1)(a) GDPR — consent

6. Your rights

Under both the GDPR and the Serbian ZZPL you have the right to:

  • Access — ask what data, if any, is tied to your visitor ID
  • Rectification — correct inaccurate data (unlikely to apply given how little is held)
  • Deletion — ask that records tied to your visitor ID be removed
  • Restriction — ask that processing of your records be paused
  • Objection — object to the processing described on this page
  • Data portability — receive your records in a machine-readable JSON export
  • Withdrawal of consent — revoke your consent at any time

To exercise any of these, email privacy@cloud-lord.com. Because the data is pseudonymous — tied to a cookie-held visitor ID rather than a name or email — I will ask you to include the value of your _pk_id cookie in your request so the right records can be located. If you cannot provide it, GDPR Art. 11 and the equivalent provision in ZZPL apply: I am not required to collect extra identifying data just to answer the request, but clearing the _pk_* cookies from your browser detaches you from any future session regardless.

7. Your choices

Enable or disable analytics at any time, and erase any data already collected about this browser.

// Analytics

Analytics disabled (no tracking)

No cookies are being set.

Saved

Your consent choice is recorded with a timestamp and can be changed or withdrawn at any time using the control above.

// Erase my data

Remove any analytics data associated with this browser from our server. This is immediate and permanent.

Your consent choice is recorded with a timestamp and can be changed at any time.

8. Right to complain

If you believe your data has been handled improperly, you can complain to the supervisory authority for your jurisdiction.

If you are in Serbia
File with the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik).
poverenik.rs →
If you are in the EU / EEA
File with your national Data Protection Authority. The full list of EU/EEA DPAs is maintained by the European Data Protection Board.
edpb.europa.eu →

Under GDPR Art. 77 and the ZZPL equivalent, the right to complain to a supervisory authority is unconditional and does not prejudice any other legal remedy available to you.

9. Retention periods

  • Raw analytics logs — deleted after 12 months (365 days). The Matomo server has an automatic deletion job that removes raw visit rows once they reach this age.
  • Aggregated reports — retained for 24 months. These are anonymous traffic summaries (e.g., “monthly pageviews per country”) with no record-level detail.
  • Consent records — retained for the duration of your consent plus 2 years, so that a regulator asking “did you actually have consent on date X” can be answered.

After retention expires, records are permanently deleted from the analytics database.

10. Where the data lives

  • Stored in Germany (EU/EEA) on self-operated infrastructure at Hetzner Online GmbH
  • Single dedicated server, managed by me — no managed-analytics SaaS, no data-warehouse export
  • Encrypted backups to AWS S3 in the Frankfurt region (also EU/EEA), using local GPG encryption before upload so the storage provider never sees plaintext
  • No transfer to third parties, no transfer outside the EU/EEA, no processors beyond the infrastructure provider

11. Last updated

Last updated · 2026-04-23

Material changes to this page will be noted here with a new date. Trivial copy edits (typos, clarifications) do not bump the date.