Rick Pollick

Privacy Policy

Version 2026-06-04

1. What we collect

  • Account data. When you create an account we store your email address, an optional display name, the date and version of the Site policies you accepted, and — if you subscribe — your Stripe customer and subscription identifiers, billing status, and current period end.
  • Security data. If you turn on two-factor authentication, we store the encrypted TOTP factor metadata (no plaintext secret after enrollment) and SHA-256 hashes of your single-use backup codes. To prevent password reuse, we keep bcrypt-style hashes of your three most recent passwords (never the passwords themselves). A short-lived “sudo” grant is recorded when you re-confirm your password to access account or billing settings; it expires automatically.
  • Member features. If you create private RSS feed URLs, we store the token, label, and most-recent-use timestamp so we can revoke or display them in your account.
  • Newsletter subscribers. If you submit the blog/podcast alert form (no account required), we store the email address you provide, the page you submitted from, your IP, and user agent at signup. One-click unsubscribe is in every email and in our records.
  • Usage data. Standard server logs (IP address, user agent, requested path) are kept briefly for reliability, error diagnosis, and abuse prevention.
  • Payments. Credit-card numbers are handled directly by Stripe. We never see or store raw card data.
  • Reports and surveys. When you submit the abuse / DMCA report form or the optional cancellation survey, the contents (including the contact email you provide) are emailed to the site owner. Surveys are not retained in the database.

2. What we don't do

  • We don't sell, rent, or trade your personal data.
  • We don't run advertising trackers, remarketing pixels, or session-replay tools.
  • We don't profile you across unrelated sites.
  • We don't use your reading or browsing history for ad targeting.

3. How we use your data

Your information is used to:

  • Authenticate you, verify your second factor when enabled, and protect your account from unauthorized access.
  • Deliver members-only content and, if applicable, process billing.
  • Send transactional and relationship email — confirmations, receipts, sign-in links, security notices, and (if you opted in) new-post alerts.
  • Operate basic security controls: password-reuse prevention, captcha, rate limiting, session timebox, and abuse triage.
  • Understand, in aggregate, how the Site is used — only when you grant analytics consent.
  • Respond to questions, reports, and rights requests you send us.

4. Processors we use

We rely on a small set of trusted providers. Their own privacy policies govern how they handle the data we pass to them:

  • Vercel — hosting, edge delivery, and basic site analytics (cookieless visit counts).
  • Supabase — authentication and Postgres database.
  • Stripe — payments and subscription management.
  • Resend — transactional and notification email delivery.
  • Cloudflare — bot/captcha verification on unauthenticated forms (sees the captcha token and your IP for that check).
  • Sentry — automated error and performance reporting from the running app. Tracebacks may incidentally include the path you were on; we don't intentionally send personal data.
  • Google Analytics — aggregate usage analytics (IP-masked, no remarketing). Loaded only after you grant consent in the cookie banner; if consent is declined or unset, or a GPC signal is honored, it is not loaded.

5. Cookies

The Site uses a small number of first-party cookies strictly necessary for sign-in and for remembering your theme preference; these are always on. With your consent, we also load Google Analytics, which sets analytics cookies to help us understand how the Site is used. We ask before loading it — decline and no analytics cookies are set — and you can change or withdraw your choice anytime via Cookie preferences in the footer. There are no advertising cookies.

If your browser sends a Global Privacy Control (GPC) signal — Brave, DuckDuckGo, the Firefox extension, and several other browsers do — we honor it as an opt-out and analytics cookies are not loaded unless you explicitly grant consent via the banner.

If you're signed in, we also keep a small pseudonymous record of each consent choice — your account ID (not your IP), the choice, the policy version, and the time — so we can demonstrate when and how consent was given. It is deleted automatically when you delete your account. Signed-out visitors' choices are stored only in your browser.

6. Data retention and deletion

We keep account data for as long as your account is active. Most of it you can manage or remove yourself from your account page: edit your profile, cancel your membership, revoke private feed tokens, or delete your account entirely. Deleting the account removes your profile and, where legally permitted, associated records.

Newsletter subscribers (no account required) can unsubscribe at any time via the one-click link in every email we send.

Backup-code hashes are removed when you disable two-factor or regenerate codes. Password-history hashes are trimmed to the three most recent automatically. Server logs are retained briefly for reliability and abuse prevention.

7. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete personal data we hold about you, and to lodge a complaint with your local regulator. The fastest path for most requests is the self-service controls on the account page. For anything else, write to rick@rickpollick.com and we'll respond within a reasonable time.

8. Children

The Site is not directed at children under 13. We do not knowingly collect personal information from children.

9. Changes

This policy may evolve with the Site. See our Terms of Service for how updates are communicated.

10. Contact

Privacy questions? Write to rick@rickpollick.com.
