walking on custard


I'm Neil Hughes, and I barely understand privacy notices at the best of times so I'll try my hardest to keep this simple.

I am essentially just a person with a couple of simple websites, so perhaps having a full-blown Privacy Policy is overkill. Nevertheless, I believe I ought to do my reasonable best to be open and transparent when it comes to your data.

This page applies to my main websites—enhughesiasm.com and walkingoncustard.com—to my mailing list, and also to any little projects I create at enhughesiasm.github.io.

The Short Version

Fundamentally, I'm not very interested in your data. Beyond simple statistics—like anonymously counting website visitors—I don't store much data.

However, if you:

  • Comment on my website(s)
  • Email me
  • Sign up to my email mailing list
  • Submit contributions to interactive parts of the websites
  • Contact me by other means

... then of course I will have whatever data you provided (such as your email address, or the words of your comment, or the name you submit), and I may use that data to reply. Or to send you the mailing list you signed up for, or similar.

If at any point you want to know what personal data I have of yours, you may contact me, and assuming your request is reasonable I'll do my best to send you whatever I have. I will also amend or even delete it on request, if I am legally and practically able to do so.

That's about it! The rest of the page just restates this in waaaaaaay more detail. Read on, if you're interested...

The Long Version

While I have done some reading around this, I can't promise I understand everything about good data practices—I suspect that it takes many years to become an expert in this sort of thing—but at the time of writing this document represents my best understanding of how your data is collected and used.

If I learn anything new about how this all works (for example, if I discover that some website feature is silently collecting more data than I am currently aware of), or if anything substantially changes, then I will update this policy accordingly, and take further action if appropriate.

And if you, the reader, know more about this sort of thing than me and believe there's something I could do better, then please let me know. I value your privacy highly and will never intentionally breach the rules.

As a little-known author/speaker/website-builder, this document is my attempt to be as transparent as possible about my attempts to keep up with a complex, changing set of rules about data and privacy.

🎢 Strap yourself in for an extremely tedious—but important—Rollercoaster Ride of Privacy Policy!

What personal data is collected and why

Submitted Data

If you send data to any of my websites—e.g. to leave a comment, or to participate in an online collaborative story, or similar—then that data will be stored indefinitely, perhaps alongside your IP address and browser data string. This data is collected so the website can function: for example, the collaborative story only works if the website can tell who sent each word. The IP address is used for this purpose.

Comments on posts

When visitors leave comments, the data shown in the comments form is collected, along with the visitor's IP address and browser user agent string. The IP address and browser data are used to help detect spam.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here. After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.


If you leave a comment you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. I haven't adjusted the settings for these cookies, so they will last for the default amount of time, which I believe is one year.

If you have an account and you log in, a temporary cookie is set to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, several cookies are set up to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Currently, only I edit or publish articles. However, if someone else were to edit or publish an article, an additional cookie will be saved in their browser. This cookie includes no personal data and simply indicates the post ID of the article which was just edited. It expires after 1 day.

Embedded content from other websites

My sites may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.


Like many other sites, I use Google Analytics to count visitors to the site and to see which pages are the most popular, so I can improve the site for future visitors. I haven't enabled any of the advertising features, and I've set the configuration to automatically anonymise all IP addresses, so—to the best of my knowledge—no individually-identifiable data is involved. More information is available in Google's own Privacy Policy

Data Backups

Currently, blog posts and comments are automatically backed up, and these backups are stored in the cloud over the secure Dropbox service. Short of a data breach at Dropbox, I believe nobody but me has access to these backups. For more, see the Dropbox privacy policy. The only user data stored in these backups are as discussed above: comment data submitted by users.

Mailing Lists

I have an irregular email newsletter. I hate being sent too many emails, so I try not to send very many myself. This newsletter—the Neil Hughes Occasional Email Experience—goes out at a very variable rate, from "once a month, ish" to "after a gap of a year or two".

The mailing list is optional, and opt-in. In other words, to join you must enter your email address and click a link in your email to confirm. Every single email provides an opportunity to unsubscribe, in the (unlikely?!) event that my infrequent ramblings are no longer welcome.

This mailing list is managed by a third-party provider, MailChimp, to deliver this newsletter. MailChimp gather statistics around email opening and clicks using industry standard technologies which helps me monitor and improve the newsletter. (Usually, I just use this to find out which puns in the subject line were SO bad that more people unsubscribed than usual.)

For more information on all of this, please see MailChimp's privacy notice . You can unsubscribe to these mailouts by clicking the unsubscribe link at the bottom of any of our emails. Or if you email neil@walkingoncustard.com I will unsubscribe you manually as soon as I get the chance.

As part of the optional registration process for this newsletter, personal information is collected. This includes your email address (of course!), but also your IP address, data provided by your browser (including location), and (optionally) your name. Your email address and name is used to keep you updated about things you've asked to be updated about; i.e. being sent an irregular newsletter of silly stories and occasional marketing information.

Currently I don't use your location data for any purpose. However, I believe Mailchimp collects such data automatically to provide me with the facility to send mailouts to people in particular locations: for example, on a hypothetical future book tour this provides me the facility to inform mailing list subscribers in a particular location that I am visiting their city and they might wish to come along to the event.

(I have no plans to use this sort of location data at the moment. As with all personal data I hold, if you have subscribed and wish to see/amend/delete your data, you can contact me at neil@walkingoncustard.com and I will do my best to help you out. From my limited experience, Mailchimp seem to be very good at providing me with the ability to assist with such requests.)


I'm not sure if this needs saying, but obviously, if you email me then I will have your email address, along with your name and any data you send via that email.

(This is just… how email works, and presumably most people are aware of the necessity of sending the actual email in order to have sent an email. But for thoroughness I thought I ought to mention it.)

I use Gmail (by Google) to manage email, so this provided email data will be stored on Google's servers and managed according to their privacy policy .

I keep most of my emails, but I do delete some to free up space.

I don't know where the boundary lies between private email communications and data processing obligations, but I would like to err on the side of greater transparency unless there is a good reason not to. So if you have emailed me and want to know if I retain any of your data then feel free to, um, email me* and I'll do my best to help you with any reasonable requests. Assuming I don't need to keep your email address or email data for some legal, administrative or security reason, I expect I would be happy to delete them.

* this seems silly but I can't think of a way around it!

Who I share your data with

Visitor comments may be checked through an automated spam detection service, specifically AntiSpam Bee, a common spam detection service. (Since easily 99% of the 'comments' on this site are caught in the anti-spam net, this is a very good thing, in my opinion. Without services like this the entire internet would be an unreadable mess… more so than usual!)

Other than the services already mentioned in this privacy policy — Dropbox (for backups) and (optionally for mailing list subscribers) Mailchimp and Google — I don't share any data with anyone. As big technology companies, I expect these services have the resources to do a far better job than I could to secure this data — that's why why I don't manage my mailing list personally in the first place.

Currently I don't share my websites nor my mailing list with anybody else, and I have no plans to do so. In the unlikely event that this changes (say, hiring an assistant, which at the time of writing is a hilariously unlikely prospect) I will update this policy.

How long I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so follow-up comments can be approved automatically instead of holding them in a moderation queue.

For users that register on the website, the personal information provided is stored in your user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on either site, or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I erase any personal data I hold about you by emailing neil@walkingoncustard.com and explaining your request. This does not include any data I am obliged to keep for administrative, legal, or security purposes.

Lawful basis for processing data

To my limited understanding, the EU GDPR regulations require a lawful basis for any data processing (which appears to be a fairly broad term covering even simple things like 'saving an email address to a mailing list when someone asks to join').

I don't really do much data processing, but where you send me data (like signing up for a mailing list, or commenting, for example), I ask for your consent to process this data (by, say, adding you to the mailing list, or displaying your comment!)

I worry that it might be annoying to be asked for consent in all these different places, but this transparency is (hopefully!) better than silent use of your data, and I have done my best to ensure consent is requested in an appropriate manner, and that I'm only asking for the smallest amount of data which is necessary (I can't very well send you newsletters unless you give me your email address!)

As for the mailing list, there is apparently some debate about whether or not 'legitimate interests' or 'consent' is the most appropriate lawful basis. Since lawyers seem to disagree on this, I can't imagine I have much chance of figuring it out. But whichever technical term is most relevant to describe the process, my process remains as simple as I can make it while ensuring you are in control: 1) you want to be on the mailing list 2) you add yourself 3) you confirm 4) I occasionally send you emails 5) you can stop receiving emails at any time.

I recognise that consent is not indefinite, and so I will endeavour to contact inactive members from time to time to request that they refresh their consent to remain on the mailing list.

Additional information

How your data is protected

All of the services I use are protected with strong passwords and two-factor authentication where available. I believe that the services which store personal data (Mailchimp, Google Analytics, etc) all store it appropriately using encryption and so on — though of course I have no way of verifying this beyond taking them at their word. Still, I have done my best to choose reputable organisations to provide these services, and if I discover otherwise then I will take appropriate action immediately.

What data breach procedures we have in place

If any of the organisations which store data — Mailchimp, Google, Dropbox etc — were compromised, I would follow their advice regarding appropriate actions to take.

(Honestly, if Google gets hacked then I can't imagine that Walking on Custard or Enhughesiasm will be high on anyone's worry list. Nevertheless, I will do my best to alert people to the possibility that their data has been accessed, if it is appropriate to do so!)

If my own website gets hacked, there's not a lot I can do: because I don't store data on visitors by default, I don't have a means of alerting them. (However, this means that there is very little (or no?) identifiable data for a theoretical attacker to gain access to, so this may be a good thing.)

In this (hopefully unlikely) event, I will do my reasonable best to alert anybody whose data I believe may have been compromised (in particular, people who have signed up to comment on the blog) in order to inform them that their data may have been accessed, what data is included, and, if appropriate, I will seek advice on the correct steps to take to prevent recurrences in future.

What third parties we receive data from

At the time of writing, I can't think of any third parties I receive data from.

What automated decision making and/or profiling we do with user data

At the time of writing, I don't do any automated decision making or profiling on the website. I don't collect much analytics data (see above), and I barely look at the data I do collect. If this changes, I will update this section accordingly.

As for the mailing list, the tracking of active/inactive subscribers is processed automatically by Mailchimp in accordance with their privacy policy.


My websites may link to external websites, which may perform their own collection and processing of your data.

I would never knowingly link to a nefarious website, and if I accidentally do so I will remove the link as fast as possible and take appropriate steps to alert anybody I can who may have been affected.


I don't know the ages of website visitors, or emailers, or subscribers to my mailing list, and I don't intend to ask. Of course I am happy to assist parents with any requests about data their children may have provided to me by visiting my websites.

Industry regulatory disclosure requirements

Um. I'm told this is a thing, but I don't believe I have any further disclosure requirements. However, if you know better, feel free to let me know and I will update this section accordingly. (Leaving this section in for maximum transparency, even of ignorance!)

Contact information

If you have questions about any of this, or if you'd like to view, amend or delete your personal data, then please feel free to email me via neil@walkingoncustard.com and I will do my best to help you with your request.

Changes to this Privacy Notice

This policy was last reviewed in March 2023. I have set a date to review it again in April 2024.

If anything major changes on my websites in the meantime then I will also endeavour to review this policy.

Wasn't That Fun?

Not going to lie, I am glad to have reached the end of writing this. In the unlikely event anyone has ever read this document, I hope you enjoyed it, and I am pleased that you are so easily entertained 🙂 Love!

© Neil Hughes 2019 — 2024
contact privacy