Privacy Policy

Published 7 June 2023 by Chris Rosser | 5 min read


In this document, I describe how and why I collect, store and use personal data for the daily operation of and Scriptorium. In an ideal world, I wouldn't collect a single shred of data. However, running a website with a membership and newsletter component requires that I collect and use personal information.

Privacy is important to me. Yes, that's easy to say and harder to prove, but I hope this document alleviates any concerns you might have.

Guiding principles

In collecting, storing, and using data, I adhere to the following principles:

  • Your data is yours, not mine, nor does it belong to big tech and media companies.
  • I collect and use only the information I need to run my website and membership business.
  • I put privacy before profit.
  • I never sell personal information.
  • When I delete data, it's gone for good.
  • I take security seriously.

Your rights

I believe privacy is a universal human right regardless of where you live and what jurisdiction governs your life.

  • You have the right to know what information I collect and how I use it.
  • You have the right to ask for and receive a copy of the information I hold.
  • You have the right to withdraw consent to use your information.
  • You have the right to have your information deleted upon your request.
  • You have the right to be forgotten.

Why I collect data

  • Allow people to join my website with a free or premium membership account.
  • Send newsletters and updates to members.
  • Analyse aggregated visitor data.
  • Automate aspects of member management.
  • Protect my website and server from malicious actors.
  • When I delete data
  • When a member asks me to.
  • When a member unsubscribes from my newsletter.

Binding legislation

As a resident of Australia, I am bound to act under Commonwealth and Victorian Government privacy legislation.

As my site allows access to and collects data from citizens of the United Kingdom and the European Union, I am also bound by the requirements of the GDPR.

Children's Privacy

My website is not intended to be viewed by anyone under 18. I do not knowingly collect data from children, and should I learn if this has happened, I will immediately remove their data from my services and terminate their account.

What I collect

Casual visitors

If you are a casual visitor, I ask for and collect nothing. My analytics software logs your time on my site (more on that below), but this data is anonymised before being stored in my database. Members

Should you join my site, I ask for your email address and name. The name is optional, and you are free to omit it entirely or use an alias, should you wish. My website's membership system also attempts to record and store your general location and country, for example, Melbourne, Australia. Logging into my website logs your IP address, and the time you logged in.

I use your email address to send out login links, my newsletter, and important notices, such as changes to this policy.

Premium members

I use the payment gateway Stripe to collect billing details for premium subscribers who pay a subscription to support my writing and access all my site's content. Your email and credit card details are encrypted using Stripe's API. This is done on my behalf, and I cannot access your credit card details. You can read Stripe's Privacy Policy and security measures.


I collect visitor reading habits data using analytics software. I do so only to gauge what articles are popular, where my readers originate, and how readers are referred to my website from sources such as Google search, social media, or direct.

This information includes:

  • Browser type and version
  • Device type (i.e. mobile or desktop)
  • Time zone and country
  • Operating system and platform

To collect analytics, I use an open-source, self-hosted installation of Umami. Umami is privacy-focused. Umami does not collect identifiable information; all data is anonymised before it is stored in my website's database and presented to me in aggregate.

Data storage, security, and retention

The data I collect is stored in a MySQL database hosted on Virtual Private Server (VPS) in Australia. This database only permits connections from Ghost and Umami, which run locally on the same machine. Root access to the VPS and database is disabled. As Ghost uses magic links, no member passwords are stored in the database.

I retain data only for as long as necessary to fulfil the functions of my website. If I don't need it, I delete it.


A cookie is a small piece of data stored on your device by the websites you visit.

My website stores a member's session information using cookies, allowing them to log in and access member-only content.

My payment provider, Stripe, may store cookies on your device to facilitate payment.

While I limit the presence of third-party cookies, some pages may contain them as a result of embedding widgets such as Twitter posts and Amazon Kindle reading previews.

Integration with third-parties

Pipedream and Slack

I use Pipedream to send notifications to Slack when a member unsubscribes from my newsletter. Upon which, I delete that member's account from my website.

Additionally, Premium subscribers have the option to join my private Slack channel; however, this is not mandated, and members are invited only on request. You can read Slack's privacy policy here.

Transaction and direct mail

Mail service, Mailgun, handles all transactional and marketing emails I send to my website's members as login links, newsletters, serialised stories, news updates, and general notices.

Stripe (payments)

I provide premium subscriptions using a third-party payment processor, Stripe.

I do not store or collect your payment details. Billing data is provided directly to Stripe via their API whose use of your personal information is governed by their Privacy Policy. Stripe adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council.


I reserve the right to update this privacy policy at any time. I will notify you about any change using your registered email within 24 hours.


You can direct any question about this privacy policy to [email protected].

Update log

  • 2023-06-07 Server moved from DigitalOcean to an Australian-based host.
  • 2022-02-15 removed as a third-party service.
  • 2022-01-04 Fastmail is no longer used to send login links.
  • 2021-10-17 Unsubscribed accounts are now deleted automatically.
  • 2021-09-07 Minor corrections.
  • 2021-08-08 Initial release.
© 2007 – 2024, Chris Rosser. All rights reserved.
Some affiliate links in use.