In this document, I describe how and why I collect, store and use personal data for the daily operation of ChrisRosser.net and Scriptorium. In an ideal world, I wouldn't collect a single shred of data. However, running a website with a membership and newsletter component requires that I collect and use personal information.
Privacy is important to me. Yes, that's easy to say and harder to prove, but I hope this document alleviates any concerns you might have.
In collecting, storing, and using data, I adhere to the following principles:
- Your data is yours, not mine, nor does it belong to big tech and media companies.
- I collect and use only the information I need to run my website and membership business.
- I put privacy before profit.
- I never sell personal information.
- When I delete data, it's gone for good.
- I take security seriously.
I believe privacy is a universal human right regardless of where you live and what jurisdiction governs your life.
- You have the right to know what information I collect and how I use it.
- You have the right to ask for and receive a copy of the information I hold.
- You have the right to withdraw consent to use your information.
- You have the right to have your information deleted upon your request.
- You have the right to be forgotten.
Why I collect data
- Allow people to join my website with a free or premium membership account.
- Send newsletters and updates to members.
- Analyse aggregated visitor data.
- Automate aspects of member management.
- Protect my website and server from malicious actors.
When I delete data
- When a member asks me to.
- When a member unsubscribes from my newsletter.
As my site allows access to and collects data from citizens of the United Kingdom and the European Union, I am also bound by the requirements of the GDPR.
My website is not intended to be viewed by anyone under 18. I do not knowingly collect data from children, and should I learn if this has happened, I will immediately remove their data from my services and terminate their account.
What I collect
If you are a casual visitor, I ask for and collect nothing. My analytics software logs your time on my site (more on that below), but this data is anonymised before being stored in my database.
Should you join my site, I ask for your email address and name. The name is optional, and you are free to omit it entirely or use an alias, should you wish. My website's membership system also attempts to record and store your general location and country, for example, Melbourne, Australia. Logging into my website logs your IP address, and the time you logged in.
I use your email address to send out login links, my newsletter, and important notices, such as changes to this policy.
I collect visitor reading habits data using analytics software. I do so only to gauge what articles are popular, where my readers originate, and how readers are referred to my website from sources such as Google search, social media, or direct.
This information includes:
- browser type and version
- device type (i.e. mobile or desktop)
- time zone and country
- operating system and platform
To collect analytics, I use an open-source, self-hosted installation of Umami. Umami is privacy-focused. Umami does not collect identifiable information; all data is anonymised before it is stored in my website's database and presented to me in aggregate.
Data storage, security, and retention
The data I collect is stored in a MySQL database hosted on Virtual Private Server (VPS) in Australia. This database only permits connections from Ghost and Umami, which run locally on the same machine. Root access to the VPS and database is disabled. As Ghost uses magic links, no member passwords are stored in the database.
I retain data only for as long as necessary to fulfil the functions of my website. If I don't need it, I delete it.
A cookie is a small piece of data stored on your device by the websites you visit.
My website stores a member's session information using cookies, allowing them to log in and access member-only content.
My payment provider, Stripe, may store cookies on your device to facilitate payment.
While I limit the presence of third-party cookies, some pages may contain them as a result of embedding widgets such as Twitter posts and Amazon Kindle reading previews.
Integration with third-parties
Pipedream and Slack
I use Pipedream to send notifications to Slack when a member unsubscribes from my newsletter. Upon which, I delete that member's account from my website.
Transaction and direct mail
Mail service, Mailgun, handles all transactional and marketing emails I send to my website's members as login links, newsletters, serialised stories, news updates, and general notices.
I provide premium subscriptions using a third-party payment processor, Stripe.
- 2023-06-07 Server moved from DigitalOcean to an Australian-based host.
- 2022-02-15 Cove.chat removed as a third-party service.
- 2022-01-04 Fastmail is no longer used to send login links.
- 2021-10-17 Unsubscribed accounts are now deleted automatically.
- 2021-09-07 Minor corrections.
- 2021-08-08 Initial release.