Privacy Policy
General Principles
Our Privacy Policy is designed to protect you and your personal data. At Royal Palace Media, privacy is not merely a matter of compliance; we view it as a fundamental right that must be safeguarded—even in the absence of a mandatory legal framework.
Privacy as a Fundamental Right
In addition to complying with all applicable privacy protection legislation, including the GDPR, revFADP, and CCPA, we provide the same level of data protection to all of our users, regardless of their location or residence.
Many services purport to care about your privacy, but do they extend the same level of protection to all of their users? If not, this may be a sign they see privacy as an obstacle to their business-model, rather than a fundamental right.
Responsible Data Storage
Our web server and associated infrastructure are hosted in Switzerland, a country that we believe offers a robust legal framework for protecting personal data.
The Court of Justice of the European Union (CJEU) has twice found that United States does not afford the level of personal data protection required to permit data-transfer between the EU and the US. Although the 2022 Trans-Atlantic Data Privacy Framework is the European Commission's latest attempt to allow this type of data transfer, it is likely that the CJUE will once again invalidate the framework for absence of sufficient guarantees on the part of the United States.
Rigorous Data Minimization
Our strict interpretation of the GDPR holds that if there is an option to avoid collecting personal data, that route must always be taken. After all, the best way to protect personal data is to never collect it in the first place.
Accordingly, we see no reason to collect your personal information unless it is required by law or is absolutely necessary for a specific purpose.
If you wish to receive the Royal Palace Media newsletter by email, you must provide a valid email address. However, we do not require users provide any additional information, since to do so would not be strictly necessary for this purpose. Furthermore, we do not track how users interact with our emails.
Services like Apple's Hide My Email or SimpleLogin's Open-Source Anonymous Email, allow you to create random unique email address aliases when signing up for newsletters and online accounts. This hides any personal information you may have in your email address and makes identifying you across different websites more difficult.
True Consent
The GDPR requires that users provide explicit consent before their data may be collected and processed for a specific purpose.
Our interpretation of this principle also supports users' rights to use content blockers, such as uBlock Origin, to protect themselves from tracking, surveillance, unwanted scripts, and advertising. Accordingly, we believe it is unacceptable to condition access to content or services on the disabling of content blockers—as many websites have chosen to do.
Content blockers, like uBlock Origin, are not just about blocking ads. In fact, their main purpose is to prevent websites from executing malicious or otherwise undesirable code from executing in your browser without your knowledge or consent.
Minimal Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The criteria we use to determine retention periods include:
- Legal and Regulatory Requirements: We retain personal data to comply with applicable laws, including tax, legal reporting, and regulatory obligations.
- Contractual Necessity: We keep personal data for the duration of any contract we have with you and for a reasonable period thereafter to address any follow-up requests or obligations.
- Business Purposes: Personal data that is used for legitimate business purposes, such as improving our services or for privacy-preserving analytics, is kept only as long as necessary for those purposes and as permitted by applicable laws.
Data Processing Applicable in All Cases
In this section, we explore the specifics of how your data is collected and processed when accessing any of our websites or services. Additional data may be collected and processed in specific cases, which are addressed in the next section.
Connecting to Our Website
When you, as a user, attempt to reach our website your device will query a so-called Domain Name Server (DNS Server) in order to know where the required IP address to connect to. DNS servers are like the internet's yellow-pages which associate a name (e.g royalpalacemedia.com) with an IP address. Your choice of DNS server is entirely yours (or the organization that manages your endpoint and/or network).
Which DNS server you use and by which protocol you query it, can have an impact on your privacy! When possible, favor using DNS-over-HTTPS and select a trusted DNS server with a robust privacy record.
Our Use of Cloudflare
To protect our services against bots, AI scrapers, DDoS attacks, and other malicious actors, as well as to provide users with faster load times, we rely on Cloudflare to proxy your connection to our servers. As a result, Cloudflare may collect your IP address, user-agent and other device-specific data.
From a technical standpoint, Cloudflare's extensive global network, impressive cybersecurity record, and unprecedented capacity to absorb DDoS attacks are compelling reasons to rely on their services, as do thousands of other websites you visit every day (e.g., Medium, OpenAI, Shopify).
However, we acknowledge that Cloudflare is an American company in a unique position of controlling a large part of the internet's infrastructure. Traffic from your device to Cloudflare is encrypted in transit and then re-encrypted from Cloudflare to our servers. As a result, this connection scheme does not constitute end-to-end encryption, and we make no such claim.
We would like to offer users true end-to-end encryption without sacrificing the security provided by Cloudflare. To this end, we will continue to investigate alternative solutions, but in the meantime, we believe our users are best served under the current system.
If you are interested in our contractual relationship to Cloudflare, you may review their standard Data Processing Agreement.
For more general information about how Cloudflare complies with GDPR, please visit their "Trust Hub".
During Your Visit
By default, our website does not use cookies, hence why we do not bother our users with the infamous Cookie Banner!
However, user-connections which are flagged by Cloudflare may be presented with a "challenge" requiring you to prove you are a human and not a bot. Once you have completed the challenge, in order to remember you are in fact a human, Cloudflare will store a cookie called "cf_clearance".
In order to avoid this challenge, you might want to consider connecting from trusted IP address ranges which have not been marked as a source of abuse. Connections run over commercial VPN providers are often flagged for this very reason.
You may be interested to learn more about how Cloudflare uses cookies, please see their documentation on the subject.
If our website becomes the target of a DDoS attack, the webmaster and/or Cloudflare's mitigation service may increase the level of scrutiny on user connections. In this case, a larger percentage of traffic will be subject to a Cloudflare challenge until the attack subsides.
Specific Cases
In this section, you will learn about the specifics of what data we collect and process in a given usage scenario, in addition to the minimal data collected in all cases (discussed in the previous section).
Authenticated Users
A user becomes authenticated once they have explicitly completed a login flow by providing valid credentials. Upon completion, a session cookie is stored in your browser, allowing you to remain logged in for the duration of your visit. This cookie is not used for any purpose beyond maintaining your authenticated session.
Payment Flows
We rely on Stripe for all payment processing. Stripe will process, on our behalf, all personal data necessary to complete a transaction. Additionally, they may collect device information as part of their fraud-detection system.
While we believe that Stripe is the most secure way to process your payments, we continuously monitor innovations in privacy-respecting technologies. However, as it stands, we do not view processing payments with cryptocurrency as a viable option from a legal or practical standpoint.
Whether it is our newsletter or an email strictly necessary for facilitating user login, we do not use "magic-pixels" or other invasive techniques to track whether or not you open our emails, click the link inside them, etc. This of course comes at the cost of engagement analytics, a trade-off we are happy to make for our user's privacy.
Most emails from organizations embed "magic pixels" to track whether or not you opened their email, as well as when and from where. They may also track your engagement with the email, collecting data on whether you clicked a link and even monitoring your actions after navigating to that link. You can avoid most of this tracking by disabling automatic image loading in your email client and avoiding clicking directly on links enclosed in an email.
Invoking Your Rights
Residents of a European Union Member State are legally entitled to invoke any of their rights under the GDPR. As a matter of principle, we voluntarily choose to treat requests from non-European residents with the same consideration as those from European residents.
As a reminder, these rights include:
- Right to Access: You have the right to request access to the personal data we hold about you and to receive a copy of that data.
- Right to Rectification: If any of the information we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.
- Right to Erasure: Also known as the “right to be forgotten,” this allows you to request that we delete or remove your personal data when there is no compelling reason for us to continue processing it.
- Right to Restriction of Processing: You can request that we limit the processing of your personal data in specific cases, such as if you dispute the accuracy of your data or if you have objected to processing based on legitimate interests.
- Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and you may request that we transfer this data to another organization.
- Right to Object: You can object to the processing of your personal data based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes.
- Right to Withdraw Consent: Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
Simply send an email to [email protected] to exercise any of these rights.
Data Controller Information
Royal Palace Media LLC
30 N Gould St N Sheridan, WY 82801
[email protected]