Privacy Policy
Last updated: April 28, 2026
Introduction
Andrew Garden ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit andrewgarden.com and use our services — including our blog, CENSOREDx podcast content, music and theatre project pages, and online shop.
We are based in Cyprus and operate in compliance with the General Data Protection Regulation (GDPR) and applicable Cypriot data protection law. By using this website, you agree to the practices described in this policy.
Information We Collect
We collect information in the following ways:
Information you provide directly
- Account registration: name, email address, and password when you create an account.
- Shop orders: shipping address, billing details, and order history when you purchase merchandise (e.g. branded T-shirts, accessories).
- Newsletter sign-up: email address if you opt in to receive updates about new blog posts, podcast episodes, or project releases.
- Contact forms: name and message content if you reach out to us directly.
Information collected automatically
- Usage data: IP address, browser type, operating system, referring URLs, pages visited, and time spent — collected via server logs and, with your consent, analytics tools.
- Cookies and local storage: session tokens, preferences, and cart state. See our Cookies section below.
Payment data
Payments are processed exclusively by Stripe, Inc. We do not store your full card number, CVV, or bank details on our servers. Stripe provides us with a payment token and limited transaction metadata. Stripe's privacy policy is available at stripe.com/privacy.
How We Use Your Information
We use your data only for the following purposes:
- To create and manage your account.
- To process and fulfil shop orders, including shipping of physical merchandise.
- To send order confirmations, shipping updates, and receipts.
- To send newsletters and content updates — only if you have explicitly opted in.
- To improve the website, our podcast content, blog, and shop experience.
- To detect and prevent fraud or abuse.
- To comply with legal obligations (e.g. tax records for EU VAT purposes).
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.
Legal Bases for Processing (GDPR)
Where GDPR applies, we process your data under the following legal bases:
| Purpose | Legal basis |
|---|---|
| Account management | Contract performance |
| Order processing & fulfilment | Contract performance |
| Newsletter / marketing emails | Consent (opt-in) |
| Analytics cookies | Consent (opt-in via cookie banner) |
| Fraud prevention | Legitimate interests |
| Tax & legal compliance | Legal obligation |
Who We Share Your Data With
We share data only with trusted service providers who process it on our behalf:
- Stripe — payment processing and fraud prevention.
- Cloudinary — media file hosting (images used on the site; no personal user data is shared).
- Hosting provider — our server/cloud infrastructure provider for website hosting and database storage.
- Email delivery service — for transactional emails (order confirmations, password resets) and, with your consent, newsletters.
All processors are bound by data processing agreements. We do not share your data with advertisers or social media platforms without your explicit consent.
Your Rights Under GDPR
If you are based in the EEA or UK, you have the following rights:
- Access: request a copy of all personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Restriction: ask us to pause processing of your data while a dispute is resolved.
- Portability: receive your data in a machine-readable format to transfer to another service.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: withdraw any previously given consent at any time without affecting prior processing.
- Complaint: lodge a complaint with the Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy) or your local supervisory authority.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
Cookies
- Essential cookies: required for login sessions, cart state, and site security. Always active.
- Analytics cookies: help us understand how visitors use the site (e.g. which blog posts or podcast episodes are most popular). Only set with your consent.
- Marketing cookies: used to personalise content recommendations. Only set with your consent.
You can manage your preferences at any time via the cookie banner or by adjusting your browser settings.
Data Retention
- Account data: retained for as long as your account is active, plus 2 years after deletion to resolve disputes.
- Order records: retained for 7 years to comply with EU VAT and tax obligations.
- Newsletter subscribers: until you unsubscribe.
- Analytics data: anonymised within 14 months.
Security
We implement industry-standard security measures: HTTPS/TLS encryption for all data in transit, bcrypt password hashing, HTTP-only session cookies, rate limiting, and regular dependency audits. Payment data is handled entirely by Stripe's PCI-DSS certified infrastructure.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data with reasonable and appropriate measures.
To protect our forms from automated abuse, we use Cloudflare Turnstile. This service analyses browser signals to distinguish humans from bots without tracking cookies or intrusive challenges. For details, see the Cloudflare Turnstile Privacy Addendum.
Children's Privacy
Our services are not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the site or, where appropriate, by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the site after changes constitutes acceptance of the updated policy.
Contact Us
For any privacy-related questions, data subject requests, or concerns:
Email: [email protected]
Controller: Andrew Garden
Address: Nicosia, Cyprus
Supervisory Authority: Commissioner for Personal Data Protection, Cyprus