Privacy Policy

Preamble

In this document, I describe how and why I collect, store and use personal data for the daily operation of ChrisRosser.net. In an ideal world, I wouldn't collect a single shred of data, however running a website with a membership, comments, and newsletter component requires that I collect and use some personal information.

Privacy is important to me. Yes, that's easy to say, and harder to prove, but it is my hope this document alleviates any concerns you might have.

Guiding principles

In collecting, storing, and using data, I adhere to the following principles:

  1. Your data is yours, not mine, nor does it belong to big tech and media companies.
  2. I collect and use only the information I need to run my website and membership business.
  3. I put privacy before profit.
  4. I never sell personal information.
  5. When I delete data, it's gone for good.
  6. I take security seriously.

Your rights

Regardless of where you live, and what jurisdiction governs your life, I believe privacy is a universal human right.

  • You have the right to know what information I collect, and how I use it.
  • You have the right to ask for and receive a copy of the information I hold.
  • You have the right to withdraw consent to use your personal data.
  • You have the right to have your information deleted upon your request.
  • You have the right to be forgotten.

Why I collect data

  1. Allow people to join my website with a free or premium membership account.
  2. Send newsletters and updates to members.
  3. Allow members to comment on articles.
  4. Analyse aggregated visitor data.
  5. Automate aspects of member management.
  6. Protect my website and server from malicious actors.

Binding legislation

As a resident of Australia, I am bound to act under Commonwealth and Victorian Government privacy legislation.

As my site allows access to, and collects data from, citizens of the United Kingdom and European Union, I am also bound by the requirements of the GDPR.

Children's Privacy

My website is not intended to be viewed by anyone under the age of 18. I do not knowingly collect data from children, and should I learn if this has happened, I will take immediate steps to remove their data from my services and terminate their account.

What I collect

Casual visitors

If you are a casual reader of my site, I ask for and collect nothing. Your time on my site is logged by my analytics software (more on that below), but this data is anonymised before it is stored in my database.

Members

Should you choose to become a member of my site, I ask for your email address and name. The name is optional, and you are free to omit it entirely, or use an alias, should you wish. Additionally, my website's membership system will attempt to record and store your general location and country, for example, Melbourne, Australia. Logging into my website also records your IP address, and the time you logged in.

I use your email address to send out login links, my fortnightly newsletter, and important notices such as changes to this policy.

Premium members

For premium subscribers, those who pay a subscription to support my writing and access all my site's content, I use payment gateway Stripe to collect billing details. Your email and credit card details are sent encrypted to Stripe using Stripe's API. This is done on my behalf, and I cannot access your credit card details at all. You can read Stripe's Privacy Policy here, and their security measures here.

Analytics

I collect visitor reading habits data using analytics software. I do so only to gauge what articles are popular, note where my readers originate, and how readers are referred to my website from sources such as Google search, social media, or direct.

This information includes:

  • browser type and version
  • device type (i.e. mobile or desktop)
  • time zone and country
  • operating system and platform

To collect analytics, I use an open-source, self-hosted installation of Umami. Umami is privacy-focused. Umami does not collect identifiable information, and all data is and anonymised before it is stored in my website's database, and presented to me in aggregate.

Data storage, security, and retention

Data I collect is stored in a MySQL database hosted on a DigitalOcean Virtual Private Server (VPS) located in the United States. This database only permits connections from Ghost and Umami, which run locally on the same machine. Root access to the VPS and database is disabled. As Ghost uses magic links, no member passwords are stored in the database.

I retain data only for as long as necessary to fulfill the functions of my website. If I don't need it, I delete it.

Cookies

A Cookie is a small piece of data stored on your device by my website.

My website uses Cookies to store a member's session information, allowing them to log in and access member-only content.

Additionally, my payment provider, Stripe may store cookies on your device to facilitate payment.

While I limit the presence of third-party cookies, some pages may contain them as a result of embedding widgets such as Twitter posts, and Amazon Kindle reading previews.

Integration with third-parties

Pipeline and Slack

I use Pipeline to send notifications to Slack when a member unsubscribes from my newsletter. Upon which, I delete that member's account from my website.

Additionally, Premium subscribers have the option to join my private Slack channel, however, this is not mandated and members are invited only on request. You can read Slack's privacy policy here.

Cove.chat

I use Cove.chat to provide a comments feature on my articles. This feature is only available and visible to members. Cove integrates tightly with Ghost's membership feature, and some member data is transmitted to Cove when a member writes a comment. For more information, refer to Cove's privacy policy here.

Transaction and direct mail

Bulk mail service, Mailgun, handles all transactional emails I send to my website's members as newsletters, updates, and notices.

My website emails login links directly to individual members using Fastmail.

Stripe (payments)

I provide premium subscriptions using a third-party payment processor, Stripe.

I do not store or collect your payment details. Billing data is provided directly to Stripe via their API whose use of your personal information is governed by their Privacy Policy. Stripe adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

Changes

I reserve the right to update this privacy policy at any time. I will notify you about any change using your registered email within 24 hours of the change.

Questions

You can direct any question about this privacy policy to support@chrisrosser.net.

Update log

  • 2021-09-07 Minor corrections
  • 2021-08-08 Initial release