Data Controller
Under the General Data Protection Regulation (EU) 2016/679 (βGDPRβ), the data controller for MRVA.com is:
Morteza Riahi
Full-Stack Developer & Senior SEO/SEM Strategist
Website: mrva.com
Email: [email protected]
As data controller, we determine why and how personal data is processed. If you have questions or wish to exercise your rights, contact us directly at the address above.
Lawful Basis for Processing
The GDPR requires a valid lawful basis for every processing activity. MRVA.com relies on the following bases:
| Processing Activity | Lawful Basis | Article |
|---|---|---|
| Serving web pages and delivering content | Legitimate interests (Article 6(1)(f)) β essential to operate the site | Art. 6(1)(f) |
| Server log data & security monitoring | Legitimate interests β prevent fraud, diagnose errors | Art. 6(1)(f) |
| Analytics cookies (Google Analytics) | Consent β obtained via cookie banner | Art. 6(1)(a) |
| Google Fonts delivery | Legitimate interests β visual presentation of the site | Art. 6(1)(f) |
| Responding to contact or privacy enquiries | Legitimate interests / legal obligation | Art. 6(1)(c)/(f) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You have the right to object to legitimate-interest processing at any time (see Your Rights).
Personal Data We Collect
MRVA.com is a personal portfolio and blog. We collect the minimum data necessary to operate the site. Categories of personal data processed include:
- Technical identifiers: IP address, browser fingerprint components (browser type, OS, screen resolution), device type.
- Usage data: Pages visited, time on page, entry/exit pages, referral URLs, click events (via analytics).
- Location data: Approximate geographic location derived from IP address (country/region level only β we never store precise location).
- Communication data: Name and email address if you contact us directly via email.
We do not collect: payment information, national ID numbers, biometric data, special category data (health, race, religion, etc.), or children's data. We do not build individual profiles for advertising purposes.
IP Address Processing
Your IP address is processed by MRVA.com and its infrastructure providers in several ways:
- Web server logs: Every HTTP request to our server records the source IP, timestamp, URL requested, HTTP status code, and user-agent string. This is standard infrastructure behaviour and cannot be disabled.
- Security: IP addresses are used to detect and block malicious requests, brute-force attempts, and bot traffic. This processing is based on legitimate interests (site security).
- Analytics: When analytics is active and you have given consent, your IP address is sent to Google Analytics. Google anonymises IP addresses by truncating the last octet (IPv4) or the last 80 bits (IPv6) before the data is stored. We do not retain full IP addresses in analytics.
- Geolocation: IP-derived location is used at country/city level only for understanding where our audience is located. Raw IP addresses are not stored beyond server log retention (90 days).
Retention: Server log IP data is automatically purged after 90 days. Anonymised analytics data (without full IP) may be retained for up to 26 months.
Cookie Table
The following cookies may be set when you visit MRVA.com. You can manage them via the cookie banner or your browser settings.
| Cookie Name | Category | Purpose | Duration | Provider |
|---|---|---|---|---|
mrva_cookie_consent | Stores your cookie consent choice so the banner does not reappear | 1 year | MRVA.com | |
mrva_admin | Admin session authentication (only set on the /admin route β invisible to visitors) | 7 days | MRVA.com | |
_ga | Distinguishes users for Google Analytics reporting | 2 years | Google LLC | |
_ga_XXXXXXXX | Persists Google Analytics session state | 2 years | Google LLC | |
_gid | Distinguishes users for Google Analytics (short-lived) | 24 hours | Google LLC | |
_gat | Throttles request rate to Google Analytics | 1 minute | Google LLC |
Analytics cookies (_ga, _gid, _gat) are only set if you accept cookies via the banner. Essential cookies may be set regardless of your preference as they are strictly necessary for the site to function.
Google Analytics
We use Google Analytics 4 (GA4), operated by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), to collect anonymised statistics about how visitors interact with this site.
What Google Analytics collects (on your behalf, after consent):
- Anonymised IP address (last octet masked before storage)
- Pages visited and time spent on each page
- Device, browser, and OS information
- Traffic source (organic search, direct, referral)
- Approximate geographic location (country/city, from IP)
- User interactions (scroll depth, link clicks) if event tracking is configured
Data transfer: Google Analytics data is transferred to and stored on Google's servers, which may be located in the United States. This transfer is governed by the EU Standard Contractual Clauses (SCCs) as adopted by Google in its Data Processing Amendment.
Opt-out options:
1. Click βDeclineβ on our cookie banner when you first visit.
2. Install the Google Analytics Opt-out Browser Add-on.
3. Use a browser in private/incognito mode or with an ad/tracker blocker.
4. Clear your cookies β your consent preference will be re-requested on next visit.
Google's privacy policy is available at policies.google.com/privacy. Google Analytics terms of service are at marketingplatform.google.com.
Google Fonts
This site uses Google Fonts to load the Playfair Display and Inter typefaces. When your browser renders a page, it may send a request to fonts.googleapis.com and fonts.gstatic.com.
This request transmits your IP address and browser information to Google's servers. The lawful basis for this is legitimate interests β the font loading is integral to the visual design of the site and has minimal privacy impact.
Google states that font request logs are retained for less than 24 hours and are not used for advertising. See Google Fonts privacy FAQ.
Note: If you wish to prevent Google Fonts from loading, you can use a browser extension that blocks third-party resource loading. This may affect the visual appearance of the site.
International Data Transfers
Some of our service providers are based outside the European Economic Area (EEA). Where personal data is transferred internationally, we rely on one or more of the following safeguards:
- Adequacy decision: Transfer to a country deemed to provide adequate protection by the European Commission.
- Standard Contractual Clauses (SCCs): EU Commission-approved model contracts, used for transfers to Google LLC (USA) for Google Analytics and Google Fonts.
- Supplementary measures: Including IP anonymisation and data minimisation where applicable.
You may request a copy of the applicable safeguards by contacting us at [email protected].
Data Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Server access logs (incl. full IP) | 90 days, then deleted | Security / legitimate interests |
| Analytics data (anonymised, no full IP) | Up to 26 months (GA4 default) | Consent |
| Cookie consent preference | 1 year (browser localStorage) | Essential / consent record-keeping |
| Admin session cookie | 7 days (or until logged out) | Essential |
| Email correspondence | Duration of communication + 12 months | Legitimate interests / legal obligation |
| Google Fonts request logs | <24 hours (Google-side) | Legitimate interests |
You may request deletion of your data at any time by emailing [email protected]. We will process your request within 30 days.
Your 8 GDPR Rights
Under the GDPR, you have the following rights regarding your personal data. These rights are not absolute β exceptions may apply β but we take all requests seriously and respond within 30 days (extendable to 90 days for complex requests).
Request confirmation of whether we process your data, and a copy of it (Art. 15 GDPR).
Request correction of inaccurate or incomplete personal data without undue delay (Art. 16).
Request deletion of your data (βright to be forgottenβ) where there is no compelling reason to continue processing (Art. 17).
Request that processing of your data be paused while a dispute about accuracy or lawful basis is resolved (Art. 18).
Receive personal data you provided to us in a structured, machine-readable format and transmit it to another controller (Art. 20).
Object to processing based on legitimate interests (including analytics and profiling). We must stop unless we demonstrate compelling grounds (Art. 21).
Where processing is based on consent (e.g. analytics cookies), you may withdraw consent at any time via the cookie banner or browser settings. Withdrawal does not affect prior processing (Art. 7(3)).
Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22). We do not carry out such processing.
To exercise any of these rights, email [email protected] with the subject line βGDPR Requestβ. We may need to verify your identity before fulfilling the request.
Supervisory Authority & Right to Complain
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a data protection supervisory authority.
You may contact the supervisory authority in your country of residence, your place of work, or the location of the alleged infringement. You are not required to exhaust other remedies before doing so.
Before lodging a complaint, we encourage you to contact us first at [email protected] so we have the opportunity to resolve the issue directly. We aim to respond within 30 days.
A list of EU data protection authorities is available at: edpb.europa.eu β Member DPAs.
GDPR & Privacy Enquiries
For any GDPR-related requests, data subject rights exercises, or privacy questions, contact the data controller directly. We respond to all requests within 30 days.
Email: [email protected]