Effective date: 5th November 2025

Controller: Vincent Coraldean

1. What we collect

A. Information you provide

• Email address, name, user reviews, comments, ratings, profile preferences.

• Payment info: we do not collect or store payment details unless you purchase a product/service on a third-party checkout — we may collect invoicing details if we sell products directly.

B. Automatically collected information

• IP address, browser user agent, device and usage analytics, pages viewed, referral URL, click events, and region derived from IP.

• Cookies and local storage data (see Cookie Policy).

C. Third-party data

• We may receive book metadata from Google Books, Open Library, Hardcover, BooksData, and ratings from other services.

• If you authenticate with third-party services (e.g., social login), we receive profile info as permitted.

2. How we use data

• Provide and operate the Site and features (accounts, preferences).

• Personalise content (recommendations) and measure performance.

• Send marketing emails (newsletter) — you can opt out anytime.

• Fraud detection, legal compliance, and security.

3. Legal bases for processing (GDPR)

If you are in the EU/EEA:

• Performance of contract: account creation and delivery of services.

• Legitimate interests: analytics, fraud prevention, improving services.

• Consent: marketing communications & non-essential cookies.

4. Cookies & tracking

We use cookies and third-party analytics using Google Analytics, marketing pixels, and A/B testing tools. See our full Cookie Policy for more information.

5. Sharing & third-party processors

We may share personal data with service providers acting as processors:

• Hosting & CDN: Vercel

• Database: Supabase

• CMS: Sanity

• AI & summarization: OpenAI (or other AI vendors)

• Affiliate platforms: Amazon Associates and Bookshop.org,

We sign data processing agreements with providers as required.

6. International transfers

Some processors (like OpenAI, Vercel) may process data outside your country. We ensure transfers are lawful (standard contractual clauses, adequate protections).

7. Data retention

We retain data for as long as necessary to provide services, comply with legal obligations, and for legitimate business purposes (e.g., analytics). This will usually be for a period of 5 years after your last interaction.

8. Your rights (EU/EEA & applicable regions)

• Access, rectification, deletion (right to be forgotten), object to processing, data portability, and withdraw consent.

• To exercise rights, contact us via our contact page. We will respond within 15 working days of your request.

9. Children

The Site is not for children under 13 (or local age). We do not knowingly collect data from children; if you believe we have, contact us via our contact page to request deletion.

10. Security

We implement reasonable technical and organisational measures to protect data (encryption at rest/in transit, access controls), but no system is perfectly secure.

11. Changes

We'll update this Policy when necessary and indicate the effective date.

12. Contact

Contact us via our contact page for any questions about your privacy on this website.