bluenhs.org collects aggregate visit statistics through Google Analytics 4 — pageviews, referring source, device type, and approximate country — and nothing else. Advertising features, remarketing, and Google Signals are disabled. IP addresses are processed transiently by Google to derive country and are not stored against any identifier under the controller's account. No mailing list, no comments, no logged-in features. This page explains what is collected, why, the legal basis under UK GDPR and PECR (as updated by the Data (Use and Access) Act), how long it is retained, and how to exercise your rights.
Who is responsible
This site is operated by Dr Rafal Bergman, acting in a personal capacity as author of the Blueprint. The site is hosted on Netlify and uses Google Analytics 4 for aggregate visit statistics. For any privacy enquiry, write to rafal@ctozen.com.
What is collected
Two categories of data are processed when you visit bluenhs.org.
Server logs (Netlify, the hosting provider). Every request to the site generates a standard web-server log entry: the URL requested, the timestamp, the HTTP status, the user agent string, and the requesting IP address. Netlify retains these for operational and security purposes (rate-limiting, abuse detection, debugging). They are not exported to the site operator and are not used for analytics.
Google Analytics 4 (first-party, basic statistics). A small piece of JavaScript on every page sends Google a record of the pageview, the referring page, the device and browser type, the approximate country (derived from your IP address and then discarded), and a randomly generated client identifier stored in the _ga and _ga_* cookies on your device. This identifier lets Google count distinct visitors and distinguish a returning visitor from a new one. It is not linked to any personal account.
The site does not collect:
- Email addresses, names, or any form submission (no contact form, no mailing list, no comments)
- Logged-in accounts (the site has no login)
- Payment information
- Precise location (only approximate country, derived from IP)
- Any data passed to advertising networks or used for remarketing
What Google Analytics is and is not doing on this site
The Google Analytics installation on this site is deliberately configured for basic first-party site statistics only:
- Google Signals is disabled. This means GA does not combine your visit with signed-in Google account data, does not enable cross-device tracking, and does not contribute to Google’s advertising audiences.
- Ads personalisation is disabled (`ads_data_redaction` is on; `allow_ad_personalization_signals` is off). No data from this site flows to Google Ads, DV360, or any other Google advertising product.
- No remarketing audiences are built from visitors to this site.
- No data is shared with third parties other than Google as the analytics processor.
- IP addresses are not stored in Google Analytics 4 (GA4 does not log full IP addresses; it uses them transiently to derive country, then discards them).
This is the configuration the UK Information Commissioner’s Office describes as “low-risk first-party analytics” in its updated guidance on Storage and Access Technologies following the Data (Use and Access) Act 2025.
Cookies set on your device
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique visitors | 2 years |
| _ga_3T5KK6W7TN | Google Analytics | Maintains session state for property G-3T5KK6W7TN | 2 years (refreshed each visit) |
No other cookies are set by the site. The site uses no advertising trackers, no social-network share pixels, and no consent-management vendor.
Legal basis
Under the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) as updated by the Data (Use and Access) Act 2025, low-risk first-party analytics cookies used solely to measure site performance are exempt from the prior-consent requirement, provided no data is shared with third parties for advertising or other purposes. The configuration above satisfies that exemption.
The legal basis for processing the resulting aggregate statistics is legitimate interest (UK GDPR Article 6(1)(f)): the operator’s interest in understanding which parts of the Blueprint are read, where readers arrive from, and whether the site is reaching its intended audience. This interest is balanced against minimal impact on the visitor: no profile is built, no contact attempted, no data sold.
Retention
- Google Analytics aggregate data: retained for 14 months (the shortest retention period GA4 offers), after which it is deleted automatically.
- Cookies on your device: as listed above. You can delete them at any time through your browser’s privacy settings.
- Netlify access logs: governed by Netlify’s own retention policy (typically 30 days for raw logs).
Your rights
You have the following rights under UK GDPR in relation to any personal data this site processes about you:
- The right to be informed (this page).
- The right of access — to ask what data is held about you.
- The right of rectification — to correct inaccurate data.
- The right of erasure — to ask for your data to be deleted.
- The right to object to processing based on legitimate interest.
- The right to opt out of analytics. The simplest way is to install the Google Analytics Opt-out Browser Add-on or block the cookies in your browser’s privacy settings.
- The right to complain to the Information Commissioner’s Office at ico.org.uk.
To exercise any of these rights, write to rafal@ctozen.com.
External links
Pages on this site link to external resources — including carenhs.org, Welsh Government and DHCW board pages, news outlets, and academic sources. Once you follow an external link, the privacy policy of that site applies, not this one.
Changes to this policy
If the analytics configuration changes — for example if a mailing list, comment system, or any advertising integration is added — this page will be updated and the “last reviewed” date below will change.
Last reviewed: 2026-05-18.