1) Who we are
Controller: Spoken Past (Australia). Contact: [email protected].
This policy explains what we collect, why we collect it, and your choices.
2) What we collect
We keep data collection minimal and do not run accounts or comments.
- Contact form: name, email, and your message. Used to read and reply. Delivered to our email inbox (Gmail). Protected by Google reCAPTCHA (for anti-abuse).
- Donations (Stripe Checkout): amount, currency (EUR), payment status, and the email used for the receipt. Card data never touches our servers (handled by Stripe).
- Logs & performance: standard hosting/edge logs (IP, user agent, page path, timestamps) for security and diagnostics.
- Analytics: Vercel Analytics & Speed Insights, plus Google Analytics, to understand aggregate usage and improve the site. No advertising profiles.
We do not intentionally collect special category data.
3) Cookies & consent
We present a cookie/consent banner. In the EEA/UK, optional cookies (e.g., Google Analytics) run only after consent. You can withdraw or change consent via the banner at any time. reCAPTCHA may set cookies when you submit the contact form to prevent abuse.
4) Why we use data (legal bases)
- Contact & replies: Legitimate interests (to answer you).
- Donations via Stripe: Contract (to process your donation) and legal obligation (records/tax).
- Security & anti-abuse: Legitimate interests.
- Analytics: Legitimate interests; consent in the EEA/UK for Google Analytics.
5) Who processes data for us
- Vercel (hosting/CDN; also Vercel Analytics & Speed Insights) — logs and performance metrics.
- Stripe (Checkout & receipts) — processes donations; we can see donor email and amounts in Stripe.
- Google — Gmail (receives contact messages), Google Analytics (optional, consent-based in EEA/UK), and reCAPTCHA (spam/fraud prevention on the contact form).
Data may be processed in the EU, US, and other locations. Where required, transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses).
6) Retention
- Contact form messages: kept only as long as needed to handle your request; deleted afterwards.
- Donation records (Stripe): retained 7 years for tax and record-keeping.
- Server/edge logs: typically ~30 days (hosting defaults).
- Analytics: retained per provider defaults; we use aggregate reporting.
7) Your rights
Where applicable (e.g., under GDPR/UK GDPR), you may request access, rectification, erasure, restriction, portability, or objection. Contact [email protected].
You may lodge a complaint with your local authority (e.g., OAIC in Australia, an EU Data Protection Authority, or the UK ICO).
California (CCPA/CPRA)
We do not sell or share personal information as defined by CPRA. California residents have rights to know, delete, and correct personal information, and to non-discrimination for exercising those rights. Contact us to make a request.
8) Security
We use HTTPS, least-privilege access, and provider-level protections. Payment card data never touches our servers (Stripe handles it). No method is perfect, but we work to keep your data safe.
9) Children
The site (including donations) is intended for users aged 16+.
10) Changes
We may update this policy. The effective date above will change, and we will provide a notice on the site if the changes are material.
11) Contact
Email: [email protected]