This Privacy Policy explains what personal information Arcanist’s Guidebook collects, how we use it, and what rights you have over it. We are based in Canada and this policy is written with the Personal Information Protection and Electronic Documents Act (PIPEDA) as its baseline, with additional notes for visitors covered by the EU/UK General Data Protection Regulation (GDPR) and Canada’s Anti-Spam Legislation (CASL).
Account information (via Supabase Authentication): your email address, a securely hashed password (or your OAuth provider identity if you sign in that way), and your account creation date.
Usage and progress data (via Supabase database): your Journal entries, Athenaeum (“Great Work”) stage and Insight progress, discipline selections, and exam history — this is the data that lets your progress follow you across devices when logged in.
Payment and subscription information: payment processing is handled entirely by Lemon Squeezy, acting as Merchant of Record. We do not receive or store your full card number or billing details. We do receive, from Lemon Squeezy, your subscription status (active/canceled, monthly/yearly, renewal date) so we can grant or remove premium access.
Local device storage: some preferences (citation display toggle, Bran dismissal state, local session cache) are stored in your browser’s localStorage and stay on your device — they are not transmitted to us except where noted above as synced progress data.
Technical/server data: Cloudflare, our hosting and content-delivery provider, processes standard web request data (IP address, browser/device type, request timestamps) as part of operating the Service, consistent with Cloudflare’s own privacy practices.
We do not use third-party advertising trackers or sell any data to advertisers.
We use the information above to: create and maintain your account; save and sync your Journal and Athenaeum progress; determine and grant premium access based on your subscription status; respond to support requests you send us; maintain the security and integrity of the Service; and comply with legal obligations.
Under PIPEDA, we collect and use your information based on the consent you provide when creating an account and agreeing to these terms, and as reasonably necessary to provide the Service you’ve requested. For visitors covered by GDPR, our legal bases are: consent (account creation, optional communications) and contract necessity (processing required to deliver the subscription you’ve purchased).
The Service uses localStorage (not third-party tracking cookies) to remember preferences such as your citation display setting and whether you’ve dismissed Bran. Supabase’s authentication layer sets a session token needed to keep you logged in. We do not use behavioral advertising cookies.
We rely on the following processors, each of which may process your information under their own privacy policies:
We choose processors that are reputable and widely used, but we encourage you to review their respective privacy policies for details on their own data handling.
We do not sell your personal information. We share it only with the third-party processors listed above, to the extent necessary for them to perform their function, or where required by law (for example, in response to a valid legal request).
Because Supabase, Cloudflare, and Lemon Squeezy operate infrastructure that may be located outside Canada, your information may be processed in other countries, including the United States. Where this occurs, we rely on our processors’ own safeguards for cross-border data transfer.
We retain your account and progress data for as long as your account remains active. If you delete your account or request deletion, we will delete your personal data within a reasonable period, except where we are required to retain limited records (such as transaction records) for legal, tax, or accounting purposes.
Canadian users (PIPEDA): you have the right to access the personal information we hold about you, request correction of inaccurate information, and withdraw consent (which may mean closing your account, since some data is necessary to operate it). Contact us to exercise these rights; we aim to respond within 30 days.
EU/UK users (GDPR): in addition to the above, you have the right to erasure (“right to be forgotten”), data portability, and the right to object to certain processing. Contact us to exercise these rights.
Email/marketing (CASL): we will not send you marketing or promotional email without your consent, and every such email will include a working unsubscribe mechanism. Transactional emails (password resets, receipts, service notices) are not affected by an unsubscribe from marketing email.
The Service is intended for users 13 and older; users under 18 require parental or guardian involvement (see our Terms of Service). We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us.
We rely on our processors’ security practices (Supabase and Cloudflare both maintain industry-standard security programs) and take reasonable measures to protect your information. No system is completely secure, and we cannot guarantee absolute security of information transmitted to or stored by the Service.
We may update this Privacy Policy from time to time. If changes are material, we will provide notice (via email or an in-app notice) before they take effect.
Questions, access requests, correction requests, or deletion requests: [email protected]. We aim to respond to any rights request within 30 days.