Home  ›  Privacy Policy

Privacy Policy

Effective Date: July 10, 2026
Operated by: Evander Blackwood, doing business as Blackwood’s Spellbook (“we,” “us,” “our”), Canada
Site: arcanistguidebook.com
This document is a working draft prepared for launch. It has not been reviewed by a lawyer. Please have it reviewed by a Canadian lawyer familiar with PIPEDA and, if you expect EU/UK visitors, GDPR before relying on it for real transactions.

1. Introduction

This Privacy Policy explains what personal information Arcanist’s Guidebook collects, how we use it, and what rights you have over it. We are based in Canada and this policy is written with the Personal Information Protection and Electronic Documents Act (PIPEDA) as its baseline, with additional notes for visitors covered by the EU/UK General Data Protection Regulation (GDPR) and Canada’s Anti-Spam Legislation (CASL).

2. Information We Collect

Account information (via Supabase Authentication): your email address, a securely hashed password (or your OAuth provider identity if you sign in that way), and your account creation date.

Usage and progress data (via Supabase database): your Journal entries, Athenaeum (“Great Work”) stage and Insight progress, discipline selections, and exam history — this is the data that lets your progress follow you across devices when logged in.

Payment and subscription information: payment processing is handled entirely by Lemon Squeezy, acting as Merchant of Record. We do not receive or store your full card number or billing details. We do receive, from Lemon Squeezy, your subscription status (active/canceled, monthly/yearly, renewal date) so we can grant or remove premium access.

Local device storage: some preferences (citation display toggle, Bran dismissal state, local session cache) are stored in your browser’s localStorage and stay on your device — they are not transmitted to us except where noted above as synced progress data.

Technical/server data: Cloudflare, our hosting and content-delivery provider, processes standard web request data (IP address, browser/device type, request timestamps) as part of operating the Service, consistent with Cloudflare’s own privacy practices.

We do not use third-party advertising trackers or sell any data to advertisers.

3. How We Use Your Information

We use the information above to: create and maintain your account; save and sync your Journal and Athenaeum progress; determine and grant premium access based on your subscription status; respond to support requests you send us; maintain the security and integrity of the Service; and comply with legal obligations.

4. Legal Basis for Processing

Under PIPEDA, we collect and use your information based on the consent you provide when creating an account and agreeing to these terms, and as reasonably necessary to provide the Service you’ve requested. For visitors covered by GDPR, our legal bases are: consent (account creation, optional communications) and contract necessity (processing required to deliver the subscription you’ve purchased).

5. Cookies and Local Storage

The Service uses localStorage (not third-party tracking cookies) to remember preferences such as your citation display setting and whether you’ve dismissed Bran. Supabase’s authentication layer sets a session token needed to keep you logged in. We do not use behavioral advertising cookies.

6. Third-Party Processors

We rely on the following processors, each of which may process your information under their own privacy policies:

  • Supabase — authentication and database hosting
  • Cloudflare — website hosting, content delivery, and the Worker that gates premium content
  • Lemon Squeezy — payment processing and billing (Merchant of Record)

We choose processors that are reputable and widely used, but we encourage you to review their respective privacy policies for details on their own data handling.

7. Data Sharing

We do not sell your personal information. We share it only with the third-party processors listed above, to the extent necessary for them to perform their function, or where required by law (for example, in response to a valid legal request).

8. International Data Transfers

Because Supabase, Cloudflare, and Lemon Squeezy operate infrastructure that may be located outside Canada, your information may be processed in other countries, including the United States. Where this occurs, we rely on our processors’ own safeguards for cross-border data transfer.

9. Data Retention

We retain your account and progress data for as long as your account remains active. If you delete your account or request deletion, we will delete your personal data within a reasonable period, except where we are required to retain limited records (such as transaction records) for legal, tax, or accounting purposes.

10. Your Rights

Canadian users (PIPEDA): you have the right to access the personal information we hold about you, request correction of inaccurate information, and withdraw consent (which may mean closing your account, since some data is necessary to operate it). Contact us to exercise these rights; we aim to respond within 30 days.

EU/UK users (GDPR): in addition to the above, you have the right to erasure (“right to be forgotten”), data portability, and the right to object to certain processing. Contact us to exercise these rights.

Email/marketing (CASL): we will not send you marketing or promotional email without your consent, and every such email will include a working unsubscribe mechanism. Transactional emails (password resets, receipts, service notices) are not affected by an unsubscribe from marketing email.

11. Children’s Privacy

The Service is intended for users 13 and older; users under 18 require parental or guardian involvement (see our Terms of Service). We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us.

12. Data Security

We rely on our processors’ security practices (Supabase and Cloudflare both maintain industry-standard security programs) and take reasonable measures to protect your information. No system is completely secure, and we cannot guarantee absolute security of information transmitted to or stored by the Service.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice (via email or an in-app notice) before they take effect.

14. Contact

Questions, access requests, correction requests, or deletion requests: [email protected]. We aim to respond to any rights request within 30 days.

Citations & Trust · About · Terms of Service