Privacy Policy
Effective date: May 1, 2026 · Last updated: May 2026
This policy explains what personal data is processed when you visit tiredkoala.com, why, on what legal basis, and what rights you have — whether you are in the EU, UK, USA, Canada, Brazil, or anywhere else. Written in plain language. No important information buried in boilerplate.
1. Controller
The controller responsible for data processing on this website within the meaning of the GDPR and applicable data protection laws is:
We do not have a designated Data Protection Officer (DPO) as we do not meet the thresholds requiring mandatory DPO appointment under Art. 37 GDPR. For all data protection enquiries, contact us at privacy@tiredkoala.com.
2. What data we process and why
2.1 Server and access logs
When you access this website, our hosting provider automatically records technical access data in server logs. This includes your IP address, the page requested, date and time, browser type and version, operating system, and referring URL.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring the security, stability, and correct operation of this website.
Retention: Automatically deleted by our hosting provider within 7–30 days, unless a security incident requires longer retention.
2.2 Direct email contact
If you contact us by emailing hello@tiredkoala.com, we process your name (if provided), email address, and the content of your message solely for the purpose of responding to your enquiry. We do not use a contact form — all communication is via direct email.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in responding to communications directed at us. Where the enquiry relates to a potential business relationship, Art. 6(1)(b) GDPR may also apply.
Retention: Retained for as long as necessary to resolve the enquiry, and up to 3 years thereafter for documentation purposes, unless a longer statutory retention period applies.
2.3 Browser localStorage (display preference)
This website stores two items in your browser's localStorage:
- ›theme — your chosen display mode (light or dark). Set only when you actively toggle the theme button.
- ›tk_consent_v1 — your cookie consent choice (granted or denied). Set when you interact with the consent banner.
Both items are stored entirely on your device and are never transmitted to our servers. They contain no personal data. They can be deleted at any time by clearing your browser's site data.
Legal basis: These do not constitute processing of personal data under the GDPR as the data never leaves your device. Both are strictly necessary for the functionality you have actively used and are exempt from consent requirements under the ePrivacy Directive.
3. Cookies and similar technologies
A complete inventory of all cookies and browser storage used on this website:
| Name | Type | Purpose | Duration | Consent |
|---|---|---|---|---|
| theme | localStorage | Display preference (light/dark mode) | Persistent (until cleared) | Not required |
| tk_consent_v1 | localStorage | Stores your cookie consent choice | Persistent (until cleared) | Not required |
| _ga | Cookie | Google Analytics — distinguishes users | 2 years | Required |
| _ga_* | Cookie | Google Analytics — session persistence | 2 years | Required |
| _gid | Cookie | Google Analytics — distinguishes users | 24 hours | Required |
| _gat | Cookie | Google Analytics — throttle request rate | 1 minute | Required |
Google Analytics cookies are only set if you accept analytics in the consent banner. They are not present on this site by default.
4. What we do not do
- ✓We do not sell, rent, or trade your personal data to any third party.
- ✓We do not use advertising cookies, tracking pixels, Meta Pixel, Hotjar, or any advertising analytics.
- ✓We do not share your data with data brokers or advertising networks.
- ✓We do not load fonts from external CDNs. All fonts are self-hosted — no data is transmitted to Google Fonts or any third-party font provider.
- ✓We do not create user profiles or track your behaviour across other websites.
- ✓We do not use automated decision-making or profiling as defined in Art. 22 GDPR.
- ✓We use Google Analytics only with your explicit consent (see Section 5).
5. Google Analytics
We use Google Analytics 4 (provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to understand how visitors interact with this website. Google Analytics is loaded only after you explicitly accept analytics cookies in the consent banner.
For performance reasons, Google Analytics runs inside a Partytown web worker — a browser technology that executes the script off the main thread. This does not change what data Google Analytics collects; it only changes where in your browser it runs.
What Google Analytics collects (when consent is given):
- ›Pages visited and time spent on each page
- ›General geographic location (country/city level — never precise location)
- ›Browser type, device type, and operating system
- ›Traffic source (search, direct, referral, social)
Google Consent Mode v2 and cookieless signals:
We implement Google Consent Mode v2. When you decline analytics, no cookies are set and no identifying data is collected. Google may, however, receive limited aggregated and cookieless signals (such as page view counts with no user identifiers) solely to model conversion statistics. This modelled data contains no personal information and cannot be traced back to any individual. You can prevent even this by installing the Google Analytics Opt-out Browser Add-on.
Privacy safeguards we apply:
- ✓IP anonymisation — the last octet of your IP address is masked before any data is stored.
- ✓Advertising features disabled — no remarketing, interest-based advertising, or demographic reporting.
- ✓Data sharing with Google for advertising purposes is disabled.
- ✓Data retention set to 14 months, after which data is automatically deleted.
Legal basis: Art. 6(1)(a) GDPR — your explicit consent. You may withdraw consent at any time via the "Cookie Settings" link in the footer.
International transfer: Google may process data on servers in the United States. This transfer is covered by Google's EU Standard Contractual Clauses (SCCs) approved under Art. 46(2)(c) GDPR and the EU–US Data Privacy Framework. See Google's Privacy Policy and Google Ads Data Processing Terms.
How to withdraw consent or opt out:
- ›Click "Cookie Settings" in the footer of any page and choose "Decline".
- ›Clear your browser's cookies and site data — the consent banner will reappear.
- ›Install the Google Analytics Opt-out Browser Add-on.
6. Fonts
All typefaces used on this website (Plus Jakarta Sans and Inter) are served directly from our own server via self-hosted font files. No request is made to Google Fonts, Adobe Fonts, or any external font service. No IP address or other personal data is transmitted to third parties as a result of loading this website's fonts.
7. Links to external platforms
This website contains links to external social media platforms including Instagram, TikTok, Twitter/X, YouTube, LinkedIn, Facebook, and Reddit. These links open in a new browser tab. We have no control over the data practices of these platforms. When you click a link and visit an external platform, that platform's own privacy policy applies. We recommend reviewing the relevant privacy policies before interacting with those platforms.
8. Hosting and infrastructure
This website is hosted on servers operated by a third-party hosting provider. The hosting provider processes access log data (including IP addresses) on our behalf as a data processor under Art. 28 GDPR. We have entered into, or will enter into, a Data Processing Agreement (DPA) with our hosting provider.
We aim to host within the European Economic Area (EEA). To the extent any hosting infrastructure is located outside the EEA, data transfers are covered by appropriate safeguards (Standard Contractual Clauses or adequacy decisions under Art. 46 GDPR). Note: Google Analytics data is processed by Google and may be transferred to the United States — this is addressed in Section 5.
9. Automated decision-making and profiling
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. No decisions with legal or similarly significant effects are made about you automatically based on your personal data.
10. Your rights
10.1 Rights under GDPR (EU / EEA)
Contact us at privacy@tiredkoala.com. We will respond within 30 days.
Obtain a copy of your personal data and information on how it is processed.
Request correction of inaccurate or completion of incomplete data.
Request deletion where data is no longer necessary, consent is withdrawn, or you have objected.
Request we restrict processing while accuracy is contested or objection is assessed.
Receive your data in a structured, machine-readable format where processing is consent- or contract-based.
Object to processing based on legitimate interests. We will cease unless compelling grounds override your interests.
Withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint with the supervisory authority in your EU/EEA member state of residence or where the alleged infringement occurred.
10.2 Rights under UK GDPR (United Kingdom)
UK residents have equivalent rights under the UK GDPR and Data Protection Act 2018. You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10.3 Rights under CCPA / CPRA (California, USA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Request disclosure of the categories and specific pieces of personal information we have collected about you.
Request deletion of personal information we have collected about you, subject to certain exceptions.
Request correction of inaccurate personal information we maintain about you.
We do not sell, share, or otherwise disclose your personal information to third parties for monetary or other valuable consideration. There is nothing to opt out of.
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
We do not sell or share personal information. To exercise your California rights, email privacy@tiredkoala.com. We will respond within 45 days as required by CCPA.
10.4 Rights under LGPD (Brazil)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights including access, correction, deletion, data portability, information on sharing, and the right to revoke consent. Contact us at privacy@tiredkoala.com. You may also contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
10.5 Rights under PIPEDA (Canada)
Canadian residents may request access to and correction of their personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA). Contact us at privacy@tiredkoala.com. You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
11. Supervisory authorities (EU / EEA)
EU and EEA residents have the right to lodge a complaint with the supervisory authority in their country of residence or the country where the alleged infringement occurred. Each EU member state has its own authority. A full list is available at edpb.europa.eu.
Examples include the BfDI (Germany), CNIL (France), Datatilsynet (Denmark/Norway), AP (Netherlands), and DPC (Ireland).
12. Children's privacy
This website is not directed at children. We do not knowingly collect personal data from children under the age of 13 (the threshold under the US Children's Online Privacy Protection Act, COPPA) or under the age of 16 (the default threshold under Art. 8 GDPR, subject to member state variation). If you believe a child has provided us with personal data, please contact us at privacy@tiredkoala.com and we will delete it promptly.
13. Data security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Art. 32 GDPR. This website is served exclusively over HTTPS (TLS encryption). Access to any personal data we hold is restricted to those with a legitimate operational need.
14. Changes to this policy
We may update this policy as our website evolves or as legal requirements change. The effective date at the top of this page reflects when the current version took effect. The last updated date reflects when it was most recently revised. Material changes will be communicated by updating both dates. We encourage you to review this policy periodically.
15. Contact
For any questions about this policy, to exercise your rights, or to raise a concern about how we handle your data:
Response time: within 30 days for GDPR requests; within 45 days for CCPA requests.