Privacy Policy

Last updated: April 2026

This is the privacy policy for debbiejenkins.com and the Book Question diagnostic at question.debbiejenkins.com. It explains what data I collect, why, what I do with it, and what rights you have over it. Plain English. No legalese where it can be avoided.

I take privacy seriously. Not in a fluffy “we value your trust” way, in a “I deliberately keep data collection minimal and tell you exactly what happens to what I do collect” way. If anything here is unclear, email me at debs@debbiejenkins.com.

Who I am

I’m Debbie Jenkins, the controller of any personal data collected through this website and the diagnostic. For the purposes of GDPR and UK GDPR, my contact details are:

Debbie Jenkins

Apartado de Correo, 178

30320 Fuente Alamo

Murcia, Spain

Phone: +34 630 775 854

Email for privacy queries: debs@debbiejenkins.com

Email for admin/system matters: debsjenkins.spain@gmail.com

What data I collect, and why

I collect data in three different contexts. Each one has a different reason and a different processor.

1. If you sign up to my newsletter

What I collect: your email address, your first name (if you give it), the date you signed up, and the IP address you signed up from (for fraud prevention only).

Why: to send you the newsletter you asked for.

Legal basis: your consent (Article 6(1)(a) GDPR).

Where it’s stored: SwipeOne, my CRM. SwipeOne is a third-party processor based in Singapore. Their privacy policy is at https://www.swipeone.com/privacy.

How long: until you unsubscribe, or until the data is no longer needed for the purpose you gave it for.

How to leave: every newsletter has an unsubscribe link at the bottom. One click. Done.

2. If you take the Book Question diagnostic

The Book Question is a free diagnostic at question.debbiejenkins.com. It works in two stages, and they collect different data.

Stage 1: Taking the quiz (anonymous).

While you’re answering questions, I track what you do anonymously so I can understand how the tool is being used. Specifically:

  • A randomly generated session ID stored in your browser (so I can connect “this person started the quiz” with “this person finished it” without knowing who you are)
  • Which questions you answered and which answers you picked
  • Which verdict you received
  • Whether you clicked any of the buttons on the verdict page
  • Your browser type, the page that referred you, and the date/time
  • A hashed version of your IP address (the IP itself is not stored, only an irreversible cryptographic hash, used to detect bots)

Why: to understand whether the diagnostic works, where people drop off, and how to improve it.

Legal basis: legitimate interest in product improvement (Article 6(1)(f) GDPR), with no impact on your rights since the data is anonymous.

Where it’s stored: a Supabase database (Supabase is a cloud platform owned by Supabase Inc., based in the US, with EU data residency available). The diagnostic itself is built on Lovable, a development platform.

How long: indefinitely as anonymous data, since it cannot be linked back to you.

Stage 2: Submitting your email for the verdict report (identified).

At the end of the diagnostic, you can choose to submit your email address to receive a written copy of your verdict and a few short follow-up emails. If you do:

  • I collect your first name, your email, your verdict, and a record of which consent boxes you ticked
  • You explicitly tick a required consent box agreeing to receive the report and the two follow-up emails
  • You can also tick an optional second consent box to subscribe to my weekly newsletter
  • Both consent statements, plus the timestamp of when you ticked them, are stored as an audit trail

Why: to send you the report and follow-up emails you asked for, and only those.

Legal basis: your explicit consent (Article 6(1)(a) GDPR), recorded with timestamp and exact wording.

Where it’s stored: SwipeOne (the same CRM as the newsletter). The diagnostic’s submission is sent via a Supabase edge function which forwards the data to SwipeOne.

How long: until you unsubscribe or ask me to delete your data.

How to leave: every email has an unsubscribe link. You can also email debs@debbiejenkins.com to have your data deleted entirely.

3. If you book a call with me

What I collect: whatever you provide on Calendly when booking (typically name, email, and answers to a few short questions).

Why: to schedule the call and prepare for it.

Legal basis: consent (Article 6(1)(a) GDPR) and pre-contractual measures (Article 6(1)(b) GDPR).

Where it’s stored: Calendly (a third-party booking service based in the US). Their privacy policy is at https://calendly.com/privacy.

How long: Calendly retains booking data per their own retention policy. After the call, I keep notes only as long as necessary to follow up.

Analytics on debbiejenkins.com

I use Google Analytics 4 to understand who visits debbiejenkins.com and how they use the site. Google Analytics is configured with IP anonymisation enabled, which means your IP address is truncated before any geographic lookup happens. I don’t use the data for ad targeting or anything beyond improving the site.

Legal basis: legitimate interest in understanding website usage (Article 6(1)(f) GDPR), balanced against the minimal impact on you due to IP anonymisation.

How to opt out: install the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout, or use any browser’s “do not track” / private browsing mode.

Google’s privacy policy is at https://policies.google.com/privacy

Cookies

I use cookies (small text files stored in your browser) for two purposes:

  • Essential: to make the site work properly (e.g. remembering you’ve logged in if you’re an admin).
  • Analytics: to count visits and understand which pages people read. These come from Google Analytics and from anonymous session tracking on the Book Question diagnostic.

I don’t use cookies for advertising, retargeting, or selling data to third parties.

You can disable cookies in your browser settings at any time. If you do, parts of the site may not work as smoothly, but it won’t break.

Embedded content from other sites

Some pages on debbiejenkins.com may include embedded content like YouTube videos. Embedded content from other websites behaves exactly as if you visited that other website. Those websites may collect data about you, use cookies, embed third-party tracking, or monitor your interaction with the embedded content.

I don’t control what those third parties do. If you’re concerned, the simplest thing is to not click the embed.

Email tracking in newsletters

My newsletter and any emails sent through SwipeOne contain tracking pixels — small invisible images that load when you open the email. These tell me whether the email was opened and which links (if any) were clicked. The data is anonymised aggregate (e.g. “47% of recipients opened this email”). I don’t track individual subscribers obsessively, and I don’t link tracking data to any other system.

If you don’t want this, your email client (Gmail, Apple Mail, Outlook etc.) may have a “load images” toggle you can switch off. With images blocked, the tracking pixel doesn’t fire.

Automated emails to me

I receive a weekly automated email with anonymous statistics about how the Book Question diagnostic is being used. This email contains no personal data — just aggregate numbers (how many people took the diagnostic, what verdicts they got, where they dropped off). The email is sent through Resend, a transactional email service.

Where it’s stored: Resend (US). Their privacy policy is at https://resend.com/legal/privacy-policy.

Third-party processors I use

Here are all the third-party services that touch your data, and what they do:

Service What it does Privacy policy
SwipeOne CRM that stores newsletter and diagnostic email subscribers https://www.swipeone.com/privacy
Lovable Platform that hosts the Book Question diagnostic https://lovable.dev/privacy
Supabase Database holding anonymous diagnostic analytics https://supabase.com/privacy
Resend Sends the weekly internal analytics email to me https://resend.com/legal/privacy-policy
Calendly Handles call bookings https://calendly.com/privacy
Google Analytics Anonymous website analytics https://policies.google.com/privacy

All of these processors are bound by their own GDPR-compliant data processing agreements with me. None of them sell or share your data with anyone else for advertising or any other purpose unrelated to providing the service.

International data transfers

Some of my processors (Lovable, Supabase, Resend, Calendly, Google) are based in the United States. When your data is transferred outside the European Economic Area (EEA) or the UK, it’s protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, OR
  • Adequacy decisions where they exist (e.g. the EU-US Data Privacy Framework for participating US companies), OR
  • The processor’s certification under recognised privacy frameworks.

In practice this means your data has equivalent protection wherever it sits, and I’ve checked each processor’s safeguards before integrating them.

Your rights

Under GDPR (and UK GDPR if you’re in the UK), you have the following rights over your data:

Right to access. You can ask me what data I hold about you and get a copy.

Right to rectification. If anything is wrong, you can ask me to correct it.

Right to erasure. You can ask me to delete your data, and I will, unless I have a legal obligation to keep some of it (rare for what I do).

Right to restrict processing. You can ask me to pause processing of your data while we sort something out.

Right to data portability. You can ask me to send you your data in a machine-readable format, or to send it directly to another service.

Right to object. You can object to my processing of your data, particularly for direct marketing.

Right to withdraw consent. Where I rely on consent (e.g. newsletter, diagnostic submission), you can withdraw that consent at any time. Unsubscribe links work for newsletters, and you can email me for anything else.

Right to complain. You can complain to a supervisory authority. In Spain, that’s the Agencia Española de Protección de Datos (https://www.aepd.es). In the UK, the Information Commissioner’s Office (https://ico.org.uk).

To exercise any of these rights, email me at debs@debbiejenkins.com. I aim to respond within a few days, and I’m required to respond within one month under GDPR.

Automated decision-making

The Book Question diagnostic gives you a verdict (Ship It, Test It, Pivot It, or Park It) based on rules applied to your answers. This is a deterministic rule-based output, not AI or machine learning, and it has no legal or significant effect on you. The verdict is informational. You’re free to ignore it.

I don’t use automated profiling that produces legal or significant effects on anyone.

Data from children

My services are aimed at adults. I don’t knowingly collect data from anyone under 18. If you think I’ve collected data from a minor, email me and I’ll delete it.

Changes to this policy

I update this policy when something material changes about how I handle data. The “Last updated” date at the top tells you when. If a change is significant (new data collection, new processor handling sensitive data), I’ll email anyone affected.

Questions or concerns

Email me at debs@debbiejenkins.com. Real reply, not an autoresponder. I read all of them.

Get the books that will help you scale with your assets, not your time