Privacy Policy
Last updated: 1 January 2025
1. Who We Are (Controller Identity)
GRCBlueprints.com operates as the data controller for personal data collected through this website. For privacy enquiries or to exercise your rights, contact: privacy@grcblueprints.com.
2. Data We Collect
We collect only the minimum personal data necessary to provide our services:
| Data Type | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Email address (newsletter) | Sending compliance update newsletters | Art. 6(1)(a) — Consent | Until unsubscribe + 30 days |
| Order data (name, email, billing country) | Processing purchases via Lemon Squeezy | Art. 6(1)(b) — Contract performance | 7 years (tax/accounting obligations) |
| Consent records (timestamp, choices) | Demonstrating GDPR Art. 7(1) compliance | Art. 6(1)(c) — Legal obligation | 3 years from consent date |
| Analytics data (if consented) | Understanding site usage (Plausible — cookieless) | Art. 6(1)(a) — Consent | 24 months (Plausible default) |
3. Sub-Processors
We use the following sub-processors to deliver our services:
| Sub-processor | Role | Data Transferred | Location |
|---|---|---|---|
| Lemon Squeezy | Merchant of Record / payment processing | Order data, billing details | USA (SCC basis) |
| Netlify / Vercel | Website hosting | IP address (server logs, ephemeral) | EU / USA (adequacy/SCC) |
| Brevo (newsletter) | Email delivery | Email address, consent timestamp | EU (Paris data centres) |
| Plausible Analytics (if consented) | Privacy-preserving analytics | No personal data — aggregate only | EU (Germany) |
4. International Transfers
Where data is transferred outside the EEA (e.g., to Lemon Squeezy in the USA), such transfers are made on the basis of Standard Contractual Clauses (SCCs) adopted under Commission Decision 2021/914, or an applicable adequacy decision.
5. Your Rights (GDPR)
Under GDPR, EU/EEA residents have the following rights:
- Access (Art. 15) — request a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion ("right to be forgotten")
- Portability (Art. 20) — receive data in machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)) — at any time, without detriment
To exercise any right, email privacy@grcblueprints.com. We respond within 30 days (extendable to 90 days for complex requests). You also have the right to lodge a complaint with your national supervisory authority.
6. CCPA/CPRA Rights (California Residents)
California residents have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — categories and specific pieces of personal information collected
- Right to Delete — request deletion of personal information
- Right to Correct — correct inaccurate personal information
- Right to Opt-Out — opt out of the sale or sharing of personal information
- Right to Non-Discrimination — we will not discriminate for exercising CCPA rights
Do Not Sell or Share My Personal Information: GRCBlueprints does not sell personal information to third parties. We share order data only with Lemon Squeezy as Merchant of Record for transaction processing, which is necessary to fulfil your purchase. To exercise CCPA rights, email privacy@grcblueprints.com with "CCPA Request" in the subject line.
7. PIPEDA Rights (Canadian Residents)
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access personal information held about them and to withdraw consent for non-essential processing. We collect information only with your knowledge and consent. To withdraw consent or access your data, contact privacy@grcblueprints.com.
8. Cookies
We use only essential cookies (consent management) by default. Analytics and marketing cookies are only loaded with your explicit consent. See our Cookie Policy for full details.
9. Security
We implement appropriate technical and organisational measures including HTTPS/HSTS, Content Security Policy headers, and minimised data collection. We do not store payment card data — all payment processing is handled by Lemon Squeezy.
10. Changes to This Policy
We will notify newsletter subscribers of material changes to this policy and update the "Last updated" date above. Continued use of the site following notification constitutes acceptance of the updated policy.
11. Contact
For any privacy queries: privacy@grcblueprints.com