docs: add comprehensive privacy policy and analytics documentation

New documentation:
- PRIVACY.md: Complete privacy policy covering Matomo analytics, cookies, and data handling
- Clear opt-out instructions and developer guidelines

README.md updates:
- Add Privacy & Analytics section with clear disclosure
- List what's tracked vs. what's NOT tracked
- Add "Privacy-Friendly Analytics" to features list
- Add critical configuration requirements for template users
- Crystal clear instructions: MUST change Matomo Site ID and server URL
- OR remove analytics entirely if not needed

CUSTOMIZATION.md updates:
- Add comprehensive "Analytics Configuration" section (120+ lines)
- Option 1: Configure your own Matomo instance (step-by-step)
- Option 2: Remove Matomo completely (clean removal steps)
- Option 3: Use alternative analytics providers (Google Analytics, Plausible, etc.)
- Include exact file locations and line numbers for changes
- Privacy compliance checklist (GDPR, CCPA, cookie banners)
- Testing instructions to verify analytics configuration

Key highlights for template users:
- MUST change: Site ID (line 644), Server URL (line 642), CSP headers
- MUST update: PRIVACY.md with own contact info
- Complete removal guide if analytics not wanted
- Legal compliance reminders

All documentation is crystal clear with exact locations, code examples, and warnings.

CUSTOMIZATION.md

@@ -16,6 +16,10 @@
   - [Layout Changes](#layout-changes)
   - [Branding](#branding)
 - [Template Customization](#template-customization)
+- [Analytics Configuration](#analytics-configuration)
+  - [Option 1: Use Your Own Matomo](#option-1-use-your-own-matomo-instance)
+  - [Option 2: Remove Matomo](#option-2-remove-matomo-entirely)
+  - [Option 3: Use Alternative Analytics](#option-3-use-google-analytics-or-other-service)
 - [Advanced Customization](#advanced-customization)
 - [Testing Your Changes](#testing-your-changes)
 - [Examples](#examples)
@@ -89,6 +93,7 @@ open http://localhost:1999
 4. Replace `education` section
 5. Update `skills` section
 6. Replace profile photo
+7. **Update Matomo analytics** (see [Analytics Configuration](#analytics-configuration) below)
 
 ---
 
@@ -1012,6 +1017,135 @@ tmpl := template.New("").Funcs(funcMap)
 
 ---
 
+## Analytics Configuration
+
+**CRITICAL:** If you use this template, you **MUST** update or remove the Matomo analytics configuration.
+
+### Option 1: Use Your Own Matomo Instance
+
+**Step 1:** Set up your own Matomo server
+- Install Matomo on your server or use a hosted service
+- Create a new website in Matomo dashboard
+- Note your Site ID and server URL
+
+**Step 2:** Update tracking code in `templates/index.html` (around line 635-649)
+
+Find this section:
+```javascript
+<!-- Matomo -->
+<script>
+    var _paq = window._paq = window._paq || [];
+    _paq.push(['trackPageView']);
+    _paq.push(['enableLinkTracking']);
+    (function() {
+        var u="https://matomo.drolo.club/";  // ← CHANGE THIS
+        _paq.push(['setTrackerUrl', u+'matomo.php']);
+        _paq.push(['setSiteId', '4']);      // ← CHANGE THIS
+        var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
+        g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
+    })();
+</script>
+<!-- End Matomo Code -->
+```
+
+**Change:**
+1. **Line 642:** Replace `https://matomo.drolo.club/` with your Matomo server URL
+2. **Line 644:** Replace `'4'` with your Site ID from Matomo dashboard
+
+**Step 3:** Update Content Security Policy in `internal/middleware/security.go` (lines 33, 37)
+
+Find and update these lines:
+```go
+// Line 33: Allow your Matomo domain for scripts
+"script-src 'self' 'unsafe-inline' https://unpkg.com https://code.iconify.design https://YOUR-MATOMO-DOMAIN.com; " +
+
+// Line 37: Allow your Matomo domain for API calls
+"connect-src 'self' https://api.iconify.design https://YOUR-MATOMO-DOMAIN.com; " +
+```
+
+Replace `https://matomo.drolo.club` with your Matomo domain.
+
+**Step 4:** Create your own privacy policy
+- Copy `PRIVACY.md` and update with your contact information
+- Update cookie disclosure with your Matomo server details
+- Ensure compliance with GDPR/privacy laws in your jurisdiction
+
+### Option 2: Remove Matomo Entirely
+
+If you don't want analytics:
+
+**Step 1:** Remove tracking code from `templates/index.html`
+
+Delete lines 623-649 (the entire Matomo section):
+```javascript
+// Delete this entire block:
+// Track HTMX navigation events with Matomo
+document.body.addEventListener('htmx:afterSwap', function(evt) { ... });
+
+<!-- Matomo -->
+<script> ... </script>
+<!-- End Matomo Code -->
+```
+
+**Step 2:** Remove Matomo from CSP headers in `internal/middleware/security.go`
+
+Remove `https://matomo.drolo.club` from lines 33 and 37:
+```go
+// Before:
+"script-src 'self' 'unsafe-inline' https://unpkg.com https://code.iconify.design https://matomo.drolo.club; " +
+
+// After:
+"script-src 'self' 'unsafe-inline' https://unpkg.com https://code.iconify.design; " +
+```
+
+**Step 3:** Update or remove `PRIVACY.md`
+- Remove analytics section
+- Keep only essential privacy information
+
+### Option 3: Use Google Analytics or Other Service
+
+If you prefer Google Analytics, Plausible, or another service:
+
+1. **Remove Matomo code** (see Option 2 above)
+2. **Add your analytics provider's code** in the same location
+3. **Update CSP headers** to allow your analytics domain
+4. **Update PRIVACY.md** with your analytics provider's details
+5. **Ensure compliance** with privacy regulations (GDPR, CCPA, etc.)
+
+### Testing Analytics
+
+After configuration:
+
+```bash
+# 1. Build and run
+go build -o cv-server . && ./cv-server
+
+# 2. Open browser with developer tools
+open http://localhost:1999
+
+# 3. Check Console for errors
+# - Should see Matomo requests if configured
+# - Should see no errors about blocked scripts
+
+# 4. Verify in your analytics dashboard
+# - Real-time visitors should show your session
+# - Language switches should track as pageviews
+```
+
+### Privacy Compliance
+
+**Important legal considerations:**
+
+- ✅ Add cookie banner if required in your jurisdiction (EU requires consent)
+- ✅ Create privacy policy explaining data collection
+- ✅ Provide opt-out mechanism
+- ✅ Comply with GDPR, CCPA, or local privacy laws
+- ✅ Update privacy policy when changing analytics providers
+
+**See [PRIVACY.md](PRIVACY.md) for template privacy policy.**
+
+---
+
 ## Advanced Customization
 
 ### Adding New Languages (Beyond en/es)

PRIVACY.md

@@ -0,0 +1,99 @@
+# Privacy & Cookies Policy
+
+**Last Updated:** November 9, 2025
+
+This website is a personal CV/portfolio site for Juan Andrés Moreno Rubio. This privacy notice explains what data is collected and how it's used.
+
+---
+
+## Analytics & Tracking
+
+### Matomo Analytics
+
+This website uses **Matomo**, a self-hosted, privacy-friendly analytics platform to understand visitor behavior.
+
+**What is collected:**
+- Pages you visit
+- Language preference (EN/ES)
+- Approximate location (country/city level)
+- Browser type and operating system
+- Referring website (if any)
+- Time spent on site
+- Clicks on external links
+
+**What is NOT collected:**
+- Personal identifying information (name, email, phone)
+- Precise geolocation
+- Cross-site tracking data
+
+**Cookies used:**
+- `_pk_id`: Visitor identifier (13 months)
+- `_pk_ses`: Session identifier (30 minutes)
+- `_pk_ref`: Attribution information (6 months)
+
+**Data storage:**
+- All analytics data is stored on my own server (`matomo.drolo.club`)
+- Data is NOT shared with third parties
+- Data is NOT sold or used for advertising
+
+**Opt-out:**
+- Matomo respects "Do Not Track" browser settings
+- You can block cookies in your browser settings
+- You can use browser extensions to block analytics scripts
+
+---
+
+## Other Data Collection
+
+### Language Preference
+
+The site stores your language preference (English/Spanish) in **localStorage** to remember your choice across visits. This is stored only in your browser and is never sent to the server.
+
+### No Account System
+
+This website does NOT require accounts, logins, or user registration. No personal data is collected through forms.
+
+---
+
+## Contact
+
+If you have questions about this privacy policy or data handling:
+
+**Email:** Contact information available on the CV itself
+**GitHub:** [https://github.com/juanatsap/cv-site](https://github.com/juanatsap/cv-site)
+
+---
+
+## For Developers Using This Code
+
+If you fork or use this code as a template:
+
+1. **Update Matomo Site ID** in `templates/index.html`:
+   ```javascript
+   _paq.push(['setSiteId', '4']); // Change to your Matomo site ID
+   ```
+
+2. **Update Matomo Server URL**:
+   ```javascript
+   var u="https://matomo.drolo.club/"; // Change to your Matomo instance
+   ```
+
+3. **Update this privacy policy** with your own contact information and data handling practices.
+
+4. **Configure CSP headers** in `internal/middleware/security.go` to allow your Matomo domain:
+   ```go
+   "script-src 'self' 'unsafe-inline' ... https://your-matomo-domain.com; "
+   "connect-src 'self' ... https://your-matomo-domain.com; "
+   ```
+
+5. **Remove Matomo entirely** if you don't want analytics - just delete the Matomo `<script>` block from `templates/index.html` and remove the matomo.drolo.club entries from CSP headers.
+
+---
+
+## Changes to This Policy
+
+This privacy policy may be updated occasionally. Changes will be reflected with a new "Last Updated" date at the top of this document.
+
+---
+
+**Bottom line:** This site uses self-hosted analytics to understand visitor behavior. No personal data is collected, sold, or shared. You can disable tracking via browser settings or Do Not Track.

README.md

@@ -27,6 +27,7 @@ A professional, bilingual CV site with server-side PDF generation, HTMX interact
 - [Documentation](#-documentation)
 - [Deployment](#-deployment)
 - [Customization](#-customization)
+- [Privacy & Analytics](#-privacy--analytics)
 - [Contributing](#-contributing)
 - [License](#-license)
 - [Support](#-support)
@@ -42,6 +43,7 @@ A professional, bilingual CV site with server-side PDF generation, HTMX interact
 - ✅ **JSON-Based Content** - Easy to update without touching code
 - ✅ **AI Development Section** - Showcases modern AI-assisted development skills
 - ✅ **Fast & Lightweight** - Go backend with chromedp for PDF generation
+- ✅ **Privacy-Friendly Analytics** - Self-hosted Matomo tracking (no third-party data sharing)
 - ✅ **Security Hardened** - CSP headers, XSS protection, origin validation, rate limiting
 - ✅ **Production Ready** - Systemd service, CI/CD workflows, deployment guides
 - ✅ **Developer Friendly** - Hot reload, clear code structure, comprehensive Makefile
@@ -202,16 +204,48 @@ The [CUSTOMIZATION.md](CUSTOMIZATION.md) guide includes:
 - Adding new languages
 - Advanced customization patterns
 
+## 🔒 Privacy & Analytics
+
+This site uses **self-hosted Matomo analytics** to understand visitor behavior while respecting privacy.
+
+**What's tracked:**
+- Page views and language changes (EN/ES)
+- Visitor country/city (approximate)
+- Browser type and referring site
+- Time on site and navigation patterns
+
+**What's NOT tracked:**
+- Personal identifying information
+- Precise geolocation
+- Cross-site behavior
+- Any data is NOT shared with third parties
+
+**Your privacy:**
+- All data stored on my own server (`matomo.drolo.club`)
+- Respects "Do Not Track" browser settings
+- You can disable cookies in browser settings
+
+See **[PRIVACY.md](PRIVACY.md)** for complete details and opt-out instructions.
+
+---
+
 ## 🤝 Using This Template
 
 **This project is open-source and available for you to use!**
 
-✅ **Fork it** and create your own CV
-✅ **Customize** following [CUSTOMIZATION.md](CUSTOMIZATION.md)
-✅ **Star it** ⭐ if you find it useful
-✅ **Share it** with others who might benefit
+**If you use this as a template, you MUST change:**
+1. **Matomo Site ID** in `templates/index.html` (line 644): Change `setSiteId` from `'4'` to your own
+2. **Matomo Server URL** in `templates/index.html` (line 642): Change `https://matomo.drolo.club/` to your instance
+3. **CSP Headers** in `internal/middleware/security.go`: Update allowed domains for your Matomo server
+4. **OR remove Matomo entirely** if you don't want analytics (see [PRIVACY.md](PRIVACY.md#for-developers-using-this-code))
 
-**Note:** This is a personal portfolio project. I'm not actively accepting contributions, but you're free to use it as a template for your own CV!
+**Other recommended changes:**
+- Update all personal information in `data/cv-en.json` and `data/cv-es.json`
+- Replace profile photo in `static/images/profile/`
+- Update `ALLOWED_ORIGINS` in `.env` for API protection
+- Customize colors and branding in `static/css/main.css`
+
+See **[CUSTOMIZATION.md](CUSTOMIZATION.md)** for the complete customization guide.
 
 ## 📄 License