Deskrune Privacy · Issue 01

What we don't collect.

Most privacy policies are written for the company. This one is written for the buyer. The shape of it: the catalog collects almost nothing, runs no third-party trackers, and treats the email address you give at checkout as the only piece of personal data on the site. Below is what that means in practice, the GDPR and CCPA rights you have, and the single inbox that handles requests within two working days.

Last updated9 May 2026 Reading time5 minutes ComplianceGDPR · CCPA Contact[email protected]
  • No tracking pixels
  • No Google Analytics
  • No Facebook SDK
  • No third-party ad cookies
  • No data sold or shared
  • One inbox for all requests
Sections
  1. What we collect
  2. What we don't collect
  3. How long we keep things
  4. Your rights
  5. Third-party relationships
  6. How to contact us

01/ 06What we collect

The short list.

The catalog collects two things at most: the email address you provide at checkout (so the kit can be delivered, and so any later revision lands in the same downloads folder), and whatever payment data Stripe needs to clear the charge. That's it. No demographic profile is built. No browsing history is logged for advertising. No cross-site identifier is dropped on your browser.

  • Email address Stored by Deskrune. Used to deliver the kit, send receipt confirmation, and (if you opt in) the newsletter. Never sold, rented, or shared with another company. Held in our list provider until you ask for deletion.
  • Payment data Held by Stripe. Card number, expiry, and billing details are sent directly to Stripe's PCI-compliant servers. The team never sees a card number. A redacted record (last four digits, brand, country) is visible to the team for refund and dispute handling.
  • Order metadata Held by Deskrune and Stripe. Date of purchase, kit purchased, refund status. Used to honour refund requests, deliver revisions, and answer support emails. Retained for the period required by tax law (typically 6–7 years depending on jurisdiction).
  • Email replies Stored in the inbox. Anything you send to [email protected] sits in a regular email account a single human reads. Deleted on request.
  • Server access logs Held by Cloudflare. Standard web server logs (IP address, timestamp, requested URL, user-agent) for security and abuse prevention. Cloudflare retains these per their own privacy policy; the team uses them only for incident response.
The catalog collects almost nothing because almost nothing is what it needs to do its job.

— The minimal-data rule

02/ 06What we don't collect

What's not on this site.

This list is longer than the previous one and that's the point. The default for a commerce site is to load tracking scripts from a dozen vendors so the marketing dashboard can produce a number. Deskrune does not run that stack.

  • No Google Analytics No GA4, no Universal Analytics, no Tag Manager. The team does not see which page you read, how long you stayed, or where you scrolled. There is no "session recording" tool.
  • No Facebook Pixel No Meta Pixel, Conversions API, or any other Facebook / Instagram tracking. Nothing you do on Deskrune is reported back to a social ad network.
  • No tracking cookies No third-party advertising cookies. The site sets only the strictly-necessary cookies it needs to remember theme preference (light or dark) and to persist a session through checkout. None of these cookies follow you off the site.
  • No behavioral profiles The team does not build a profile of your interests, your reading habits, or your purchase history beyond what's required to deliver the kits you bought. There is no "lookalike audience" being built from your data.
  • No data sale Personal data is never sold, rented, or licensed to a third party. This is the CCPA "Do Not Sell" baseline applied to every visitor by default — there is no opt-out switch because there is no opt-in to begin with.
  • No fingerprinting No browser fingerprinting, no canvas fingerprinting, no IP-to-identity stitching. The site doesn't try to recognize you across sessions if you clear your cookies.

03/ 06How long we keep things

The retention calendar.

Different pieces of data have different lives. Some are needed for tax law for years; some are deleted as soon as the kit lands in your inbox. Below is the calendar.

Email address (newsletter list). Held until you unsubscribe, or until you ask for deletion via [email protected]. Unsubscribe links are at the bottom of every email and they work without any "are you sure?" gauntlet.

Order records. Date of purchase, kit purchased, redacted payment details, and refund status are retained for the minimum period required by tax law in the jurisdiction the order was placed (typically 6–7 years in the US and EU). After that period, records are deleted.

Stripe payment data. Stripe retains payment data per their own privacy policy. The team does not retain anything past the redacted receipt — the full card number was never visible in the first place.

Email correspondence. Anything sent to [email protected] is held in a regular inbox until it's archived, typically within a year. Deleted on request.

Cloudflare access logs. Held by Cloudflare per their retention policy (typically 30–90 days) for security and abuse prevention.

04/ 06Your rights

What you can ask for, and how.

Under the GDPR (if you're in the EU, EEA, or UK) and the CCPA (if you're in California), you have specific rights over data the team holds about you. The team honours all of them, regardless of which jurisdiction you're writing from. Send the request to [email protected] from the email address you used to buy or subscribe — that's the only verification step. A reply lands within two working days; the action lands within 30 days, which is the GDPR maximum.

  • Right to access.

    You can ask for a copy of the personal data the team holds about you. The team will reply with a plain-text export — email address, order history, newsletter status, and any open support correspondence. No PDF gauntlet.

  • Right to deletion.

    You can ask for your data to be erased. The team will delete your email from the newsletter list, anonymize your record in the order log (preserving only the legally-required tax data with no personally identifying information), and confirm by email when it's done.

  • Right to portability.

    You can ask for your data in a machine-readable format. The team will send a JSON or CSV export. Because the data set is small (a few rows at most), this typically takes one working day.

  • Right to correction.

    If something the team holds about you is wrong, ask for it to be corrected. Email is the channel; the change lands the same day in most cases.

  • Right to object.

    You can object to the processing of your data — for example, by unsubscribing from the newsletter, opting out of any direct marketing, or withdrawing consent for any optional processing. The unsubscribe link at the bottom of every email is the fastest path; email works for everything else.

  • Right to lodge a complaint.

    If you believe the team has mishandled your data, you have the right to complain to your local data protection authority. In the EU, that's your country's data protection regulator; in the UK, the ICO; in California, the California Privacy Protection Agency. The team will cooperate fully with any such inquiry.

05/ 06Third-party relationships

Three vendors, one reason each.

The catalog runs on a small set of third-party services. Each one has access to a specific slice of data, and each one is named here with the reason it exists. There is no fourth one quietly added later — if the list changes, this page changes, and the change shows up in the public revision log.

  • Stripe — payments.

    Card processing for every direct checkout on Deskrune. Stripe sees the card number; the team does not. Stripe is a PCI-DSS Level 1 service provider and is subject to its own privacy policy at stripe.com/privacy. A few legacy product pages still use Gumroad, Payhip, or LemonSqueezy as alternative checkout options; each of those has its own privacy policy linked from the relevant product page.

  • Cloudflare — hosting and security.

    The site is served through Cloudflare's CDN. Cloudflare sees the IP address and user-agent of every request, and uses that to filter abusive traffic. Cloudflare's privacy policy is at cloudflare.com/privacypolicy. The team uses Cloudflare logs only for incident response — no analytics, no behavioural profiling.

  • Resend — transactional email.

    Receipts, kit-delivery emails, and (if you opt in) the newsletter are sent through Resend. Resend sees the recipient email address and the content of each message. Resend's privacy policy is at resend.com/legal/privacy-policy.

06/ 06How to contact us

One inbox, one human.

Every privacy request — access, deletion, portability, correction, objection, complaint — lands in the same inbox. The single channel is [email protected]. There is no support form, no chat widget, and no phone number, because adding any of those would mean passing your data to a fourth vendor and the team isn't doing that.

A subject line of "privacy request" is enough. Send the email from the address the team holds, and that's the verification step. A reply lands within two working days; the action lands within 30 days at the absolute latest, which is the GDPR maximum.

For any other privacy question — what we collect, why we collect it, who runs the catalog, whether the team holds any data about you at all — the same inbox works. A real human reads it.

Children under 13 should not use this site. The team does not knowingly collect personal information from anyone under 13, and any account discovered to belong to a child is deleted on discovery. If a parent or guardian believes a child has provided personal information, write to [email protected] and the team will erase the record.

This page is reviewed every quarter against the same audit cycle the kits go through. If the policy changes, the change lands here, the date at the top updates, and a notice goes to the newsletter list.

Your data is yours.

Email a privacy request

Deskrune. For when you come back.