Oavo — Wirral Community Stories, Guides & Church Hub

What this is: Independent Wirral community storytelling.

Not official: Not an official body • Not endorsed unless stated.

Privacy Policy

Privacy Policy — oavo.co.uk

For the Wirral community (and anyone who visits from further afield)
Last updated: 5 February 2026

oavo.co.uk is a community storytelling website created and run by Karl M Loftus. This Privacy Policy explains, in clear everyday language:

  • what personal data may be involved when you use the site
  • why it’s used and the lawful basis for using it
  • who it may be shared with (service providers)
  • how long it’s kept
  • how cookies/embeds work (UK PECR)
  • your rights under UK data protection law and how to use them

This policy is written for oavo.co.uk only.

1) Who we are (the Data Controller)

Data Controller: Karl M Loftus (owner/operator of oavo.co.uk)

What the site does:
oavo.co.uk publishes community stories, photos, and local reflections with a “face-to-face matters” spirit and a calm, respectful tone.

Privacy contact (email): karloavopp@gmail.com

2) Privacy contact (data protection lead)

oavo.co.uk is a one-person community site. A formal Data Protection Officer (DPO) is not normally required.

Data protection lead: Karl M Loftus
Email: karloavopp@gmail.com

3) What personal data we may process (categories)

oavo.co.uk is designed to be simple: no public accounts, no memberships, no checkout, no contact forms, and no public comments.

Personal data may be involved in four main areas:

A) Automatic browsing / technical data (when you visit)
This can include: IP address (or shortened/anonymised form depending on settings), approximate location derived from IP (country/city level), device/browser/OS, user-agent string, pages requested, date/time, referral info, and security/error logs.

B) Identifiable content in stories, reviews, and photos (published content)
Personal data can exist within content if someone is identifiable by name, image/likeness, voice, or distinctive context.

C) Information you choose to send us (email)
If you email us, your message may include your name, email address, what you write, attachments, and any information you choose to include.

D) Future features (if added later)
If we add features (e.g., submissions, newsletters, interactive tools), we will update this policy before or at launch so it stays accurate.

4) Where personal data comes from (including “not collected from you” situations)

Personal data may come from: you directly (email), automatic technical systems (logs), first-hand community context (observations in public/community settings), and rarely publicly available sources (typically historical/public facts).

UK GDPR “not collected directly” (Article 14 reality)

Sometimes content may include or refer to an identifiable person even though we did not collect the information directly from them. Where Article 14 applies, we provide privacy information within one month unless an exception applies.

Article 14 exceptions we may rely on (rare, and handled carefully)

In limited cases, Article 14 does not require us to provide individual privacy information (or allows modified handling). Examples include where:

  • providing the information is impossible (e.g., no reasonable way to identify/contact the person), or
  • it would involve disproportionate effort (for example, older/archived community storytelling where contacting every potentially identifiable person would be unrealistic), or
  • the data must remain confidential due to legal professional privilege or a specific legal restriction, or
  • another UK GDPR exemption clearly applies.

If we rely on an exception, we aim to do it fairly, keep a brief record of why, and we still provide this public policy and a fast route for concerns, corrections, and removals.

5) How personal data is collected

  • Automatically when you browse (server/security logging and technical systems)
  • Directly from you (if you email us)
  • Via published community context (if someone is identifiable in a story/photo/review)

6) Why we use personal data (purposes)

A) Keeping the website safe and running properly
B) Basic site reliability and improvement (not advertising)
C) Responding to messages and requests
D) Publishing community storytelling and reviews
E) Meeting legal obligations (rare for this site)

7) Lawful bases (and a clear “purpose → lawful basis” map)

  • Security, anti-abuse, and technical operation → Legitimate Interests
  • Basic reliability and improvement → Legitimate Interests
  • Responding to emails and rights requests → Legitimate Interests (and rarely Contract if we agree to provide something specific at your request)
  • Publishing community stories/reviews/photos → Legitimate Interests, and sometimes Consent (especially close-ups, children, or sensitive situations)
  • Legal compliance → Legal obligation (only where required)

8) Legitimate Interests “fairness promise” (our safeguards)

When we rely on Legitimate Interests, our legitimate interests are:

  • keeping the site secure and working properly
  • maintaining a calm community storytelling record with minimal privacy impact
  • responding to genuine requests and keeping a sensible record of outcomes

We aim to:

  • minimise personal data and avoid unnecessary identifying detail
  • focus on place/community experience rather than “calling out” individuals
  • respond promptly to removal/correction concerns
  • use extra care in sensitive settings (see Section 11)

Legitimate Interests mini-summary (LIA “at a glance”)
Purpose test: We have a real purpose (secure website + community storytelling that helps locals feel confident face-to-face).
Necessity test: We use the least data we can (no accounts, no comments, minimal logging, minimal identifying detail in stories where possible).
Balancing test: We reduce privacy impact (avoid naming private individuals, minimise/crop/blur where needed, quick removal route, right to object respected).
We can provide a fuller summary of our Legitimate Interests Assessment approach on request.

9) RIGHT TO OBJECT (important)

Where we rely on Legitimate Interests (e.g., security logs and some storytelling content), you have the right to object at any time.

Email: karloavopp@gmail.com

If you object, we will stop processing unless we have a compelling lawful reason to continue.

10) Storytelling “fairness test” (how we decide what’s OK to publish)

We check: identifiability, sensitivity, potential harm/distress, and whether the story works without identifying details. If concerns exist, we aim to minimise first (anonymise/crop/blur/remove details) and, where appropriate, remove.

11) Sensitive settings and special category data

We do not set out to collect or publish special category personal data (e.g., health data, religious beliefs). However, storytelling can sometimes unintentionally reveal sensitive information (for example, linking an identifiable person to a faith setting, care/support environment, health situation, or safeguarding context).

Practical rule (firm default)
If content would reveal special category data about an identifiable person, then we will not publish it unless:

  • we have explicit consent from the person (or parent/guardian where appropriate), or
  • the content is edited so the person is no longer identifiable (e.g., anonymise, crop, blur, remove names/unique context), or
  • a rare legal exception clearly applies (unlikely for this kind of community website).

Photos priority:
If an identifiable person objects to being shown in a photo on oavo.co.uk, we will normally prioritise removing or minimising it (crop/blur/remove), unless there is a strong and fair reason to keep it (rare).

12) Community reviews of face-to-face places (how we handle people in reviews)

We focus on the place/service and visitor experience, avoid naming private individuals or publishing private contact details, avoid personal accusations, and will consider minimising/correcting/removing content if someone is identifiable by mistake and raises a reasonable concern.

13) Who we share data with (service providers / processors)

We do not sell personal data. Limited data may be processed by providers needed to run and protect oavo.co.uk. We share only what is necessary.

Typical categories of service provider (processors) may include:

  • Website hosting provider (servers, storage, access logs, uptime)
  • Managed website platform services (core site operation, updates, performance features)
  • Security services at hosting or website level (firewall, bot/rate-limiting, attack detection, malware scanning)
  • Backup services (site backups for recovery and resilience)
  • Email provider (Gmail / Google) for messages you send to us and our replies

If a provider is used, it may process technical data (like IP/logs) as part of delivering the service. We aim to use reputable providers and appropriate settings suitable for a one-person community site.

14) Embedded content and third-party features (“just-in-time” transparency)

If we use embeds (e.g., videos/external media), the third party may receive your IP address and may set cookies under its own policies. Where we use embeds, we aim to place a short note near the embed to warn visitors.

15) International access and transfers

The site can be viewed worldwide. Some services may process data outside the UK. Where relevant, we rely on appropriate safeguards recognised under UK data protection law (e.g., adequacy and/or contractual safeguards such as UK IDTA plus organisational measures).

16) Data retention (how long we keep data)

A) Logs: generally up to 90 days (longer only if investigating a genuine incident)
B) Emails/requests: generally up to 12 months after closure (longer if a dispute/legal reason exists)
C) Published stories/photos: remain while relevant; we will consider correction/minimising/removal for genuine privacy concerns.

D) Backups (retention line)
Backups (if enabled by the hosting/backup system) may keep copies of site data for a limited period (often days or weeks). This means that even after a page is edited or removed, an older copy may temporarily exist in backup storage until it rotates out. If we restore from a backup, removed content could reappear — if that ever happens, contact us and we will correct it again.

17) How we keep data safe (security)

Reasonable measures suitable for a one-person site: limited admin access, strong protections, updates/patching, monitoring/security logging, backups where available, and minimisation.

Breach handling:
If a breach risks people’s rights and freedoms, we will assess promptly and notify the ICO and affected individuals where required.

18) Cookies and similar technologies (UK PECR) — “reality match”

Cookies and similar technologies include cookies, pixels, scripts/tags, device storage (local/session storage), and similar methods.

A) Visitor-facing cookies on oavo.co.uk
Our baseline is: no non-essential cookies for visitors.
That means we do not run: advertising cookies, marketing tags, cross-site tracking, or analytics cookies that require consent.

B) What may still exist even on a simple site (strictly necessary)
Some strictly necessary cookies/tech may still be used for basic operation or security, for example: essential security protection (rate-limiting / bot protection / attack detection) provided by the hosting/security layer. These are used only for essential operation/security, not for advertising profiling.

C) If we add any non-essential cookies later (CONSENT FIRST)
If we ever enable non-essential cookies/tech (for example analytics like Google Analytics, or third-party marketing tags), we will:

  • not run them until you have a genuine choice (Accept / Reject)
  • make Reject as easy as Accept
  • describe them clearly in this policy and/or a cookie notice
  • list key details (provider, purpose, duration, and cookie names where practical)

D) How you control cookies
You can control cookies using browser settings (block/delete). Blocking some cookies may affect basic site functionality.

19) Search performance information (Google Search Console)

We may use Google Search Console to understand how oavo.co.uk appears in Google Search. This is not a visitor analytics tracking script installed on the website.

20) Your rights under UK GDPR

You have rights including access, rectification, erasure, restriction, objection, portability (in certain situations), and rights relating to automated decision-making. We usually respond within one month (extensions possible in complex cases).

21) How to object, request removal, or ask for a correction

If you want to object (especially where we rely on Legitimate Interests) or you want something removed, blurred, cropped, anonymised, or corrected, use this simple route:

Email: karloavopp@gmail.com

Please include:

  • the page link (URL)
  • what you believe identifies you (name/photo/context)
  • what outcome you want (remove / blur / crop / anonymise / correct)
  • anything that helps us understand urgency (for example: “child image concern”)

What we do next (in plain terms):

  • We read the request and may ask one or two quick questions if something is unclear.
  • If identity is genuinely in doubt, we may request a proportionate check to prevent impersonation.
  • If the concern is reasonable, we will normally prioritise minimising (crop/blur/anonymise) or removing the content.
  • If you are making a right to object request, we will stop processing unless we have a compelling lawful reason to continue.

22) Complaints (including the ICO)

If you’re unhappy, contact us first and we’ll try to resolve it calmly and fairly. You also have the right to complain to the ICO at any time.

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

23) Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects about individuals.

24) Children and young people

We do not knowingly seek personal information from children. If we become aware a child has provided personal data, we will take steps to remove it where possible.

Children-in-photos safety line:
If a child is identifiable in a photo/story and a parent/guardian (or the young person where appropriate) raises a genuine concern, we will normally prioritise removing/blurring/cropping/minimising unless there is a strong and fair reason not to (rare).

Suggested email subject: “Child image/content removal request — oavo.co.uk”

25) Changes and review schedule

We review this policy at least every 3–6 months and whenever site data practices change. If changes are significant, we will try to make it obvious on the site.

26) Whether you must provide data (and consequences)

You can browse without directly providing personal data. Technical data is generated automatically for basic operation/security. If you email us, you must provide enough information for us to respond.

Privacy contact (repeat): karloavopp@gmail.com
