This site should force HTTPS. If it doesn't let me know, because something's wrong (dorian(at)btrmt.org). This protects the usage of your IP address and other identifiable data in the logging in my webserver from third parties.
Webserver access logs are stored for the default time (about 15 days) before being purged. This is unfortunately essential---all websites need to do some logging to serve you content and protect against malicious actors. This logging is GDPR compliant, not least because in the timeframe between when you ask me to remove your data and when I have to have it removed, your data will have already been purged.
There are only two other instances on this website where I process your data, but in neither case do they go to a third party:
The newsletter is run on Sendy. I track opens so I can clean my list and thus avoid a huge number of regulatory issues. I do not track clicks. I host the instance, so your data doesn't go to any third party. However, I do use Google reCaptcha to protect signups from bots. I have no idea what information that collects about you but the script is only injected when you click on the email form input and doesn't stick around after you're redirected to the confirmation page, so you're google-tracked from when you start typing your email to when you click subscribe. Worth noting.