Privacy Policy

Effective date:

1) Who we are

Controller: Spoken Past (Australia). Contact: [email protected].

This policy explains what we collect, why we collect it, and your choices.

2) What we collect

We keep data collection limited to what is needed to run the site, provide accounts and purchases, respond to messages, measure performance, and show advertising. We allow user accounts, but we do not provide public comment features.

  • Account registration and login: name, email address, username, password credentials handled by our WordPress account system, email verification status, authentication cookies, and account settings.
  • Contact form: name, email, subject, and your message. Used to read and reply. Submissions are processed through our WordPress form system and may be delivered to our email inbox.
  • Purchases and donations (Stripe Checkout): amount, currency, payment status, purchased items, Stripe customer/payment identifiers, and the email used for the receipt. Card data never touches our servers (handled by Stripe).
  • Logs & performance: standard hosting/edge logs (IP, user agent, page path, timestamps) for security and diagnostics.
  • Analytics: Vercel Analytics & Speed Insights, plus Google Analytics, to understand aggregate usage and improve the site.
  • Advertising: Google AdSense and its partners may use cookies, device identifiers, IP address, page views, and interaction data to serve, limit, measure, and personalize ads where permitted.

We do not intentionally collect special category data.

5) Who processes data for us

  • WordPress / Spoken Past CMS — account records, purchased guide access, contact form entries, and content management.
  • Vercel (hosting/CDN; also Vercel Analytics & Speed Insights) — logs and performance metrics.
  • Stripe (Checkout & receipts) — processes purchases and donations; we can see customer email, payment status, item, and amounts in Stripe.
  • Google — Google Analytics, Google AdSense, and related advertising technologies.
  • Resend — sends account verification and password-related emails when needed.
  • Cloudflare Turnstile — helps prevent abusive registration attempts.

Data may be processed in the EU, US, and other locations. Where required, transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses).

6) Retention

  • Account records: kept while your account remains active, unless deletion is requested or retention is legally required.
  • Contact form messages: kept only as long as needed to handle your request; deleted afterwards.
  • Purchase and donation records (Stripe): retained 7 years for tax and record-keeping.
  • Server/edge logs: typically ~30 days (hosting defaults).
  • Analytics: retained per provider defaults; we use aggregate reporting.
  • Advertising data: retained according to Google AdSense and advertising partner settings and policies.

7) Your rights

Where applicable (e.g., under GDPR/UK GDPR), you may request access, rectification, erasure, restriction, portability, or objection. Contact [email protected].

You may lodge a complaint with your local authority (e.g., OAIC in Australia, an EU Data Protection Authority, or the UK ICO).

California (CCPA/CPRA)

We do not sell personal information for money. Some advertising activity may be considered "sharing" for cross-context behavioral advertising under CPRA. California residents have rights to know, delete, correct, opt out of sale/share where applicable, and to non-discrimination for exercising those rights. Contact us to make a request.

8) Security

We use HTTPS, least-privilege access, and provider-level protections. Payment card data never touches our servers (Stripe handles it). No method is perfect, but we work to keep your data safe.

9) Children

The site (including accounts, purchases, and donations) is intended for users aged 16+.

10) Changes

We may update this policy. The effective date above will change, and we will provide a notice on the site if the changes are material.

11) Contact

Email: [email protected]