PRIVACY POLICY

Drawn From Publishing is an imprint of Imaginarii, operating at drawnfrom.com ("the Site", "we", "us", or "our"). We publish illustrated comics, soundtracks, and digital media. Contact us at drawnfrom@imagi-narii.com.

We collect the following categories of information:

• Account information: Name and email address when you register or sign in with Google. If you sign in with Google, we receive your basic profile (name, email, profile image) but never your Google password.
• Purchase information: When you buy a digital product, your payment is processed by Stripe. We do not store your credit card number. We receive your email address, the item purchased, and the transaction amount from Stripe.
• Newsletter subscription: If you subscribe to our newsletter, we store your email address (and optional name) in our own database. All newsletter data lives only on our infrastructure.
• Newsletter delivery analytics: When we send you a newsletter, we measure whether the message was opened (via a 1×1 tracking pixel) and which links you clicked (via a redirect through our server). These events are stored as hashed email + event timestamp + (for clicks) the destination URL. We never store the raw email address alongside an event, and IP addresses are truncated to a network prefix before storage. Tracking pixels are well-known to be undercounted (image blocking, mail privacy protection); we treat the resulting numbers as directional.
• Usage data: Anonymous, cookieless analytics (page views, referrer) collected via Vercel Analytics and Ahrefs Web Analytics. No personally identifiable information is included.
• Communications: If you contact us by email, we retain that correspondence so we can answer it.

• To authenticate your account and grant access to purchased content.
• To fulfill digital purchases and maintain your library.
• To send transactional emails (purchase receipts, account notices, gift deliveries).
• To send our newsletter — only if you have opted in. Every newsletter includes a one-click unsubscribe link in the footer.
• To measure (in aggregate) which newsletter content readers engage with, so we can write better dispatches.
• To improve the Site and detect abuse.

We do not sell your personal data, share it with advertisers, or use it for cross-context behavioral advertising.

If you are in the European Economic Area or the United Kingdom, we process your information on the following legal bases:

• Contract: to deliver the digital products you purchase and operate your account.
• Consent: for newsletter subscription and any associated open/click measurement. You may withdraw consent at any time using the unsubscribe link in any newsletter or by emailing us.
• Legitimate interests: for fraud prevention, security, and improving the Site, balanced against your privacy.
• Legal obligation: for tax and accounting record-keeping.

We use the following third-party services, each governed by their own privacy policies:

• Stripe — payment processing. See stripe.com/privacy.
• Google OAuth — optional sign-in via Google.
• Google Workspace (Gmail SMTP) — outbound email delivery for transactional and newsletter messages.
• MongoDB Atlas — primary database for accounts, orders, and newsletter subscribers.
• Vercel — hosting and anonymous analytics.
• Vercel Blob — storage for purchased PDF files, delivered over HTTPS.
• Ahrefs Web Analytics — cookieless aggregate site analytics.

We retain your account data for as long as your account exists. Order records are retained for at least seven years for tax and legal compliance. Newsletter subscription records are retained while you remain subscribed and for a short period after unsubscribe so we can honor suppression. Newsletter open/click events are retained for 18 months and then aggregated. You may request deletion of your account at any time by emailing us; orders may be retained in anonymized form for legal purposes.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Request a portable export of your data.
• Object to or restrict certain processing.
• Opt out of marketing communications at any time using the unsubscribe link in any newsletter or by writing to us.
• Lodge a complaint with your local supervisory authority (EEA/UK).

To exercise any of these rights, email us at drawnfrom@imagi-narii.com. We will respond within 30 days.

If you are a California resident, you have the rights described above (access, deletion, correction, portability) and the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information as those terms are defined under the CCPA. We do not have a "Do Not Sell or Share" toggle because there is nothing to toggle off.

We use a session cookie to keep you logged in. We do not use advertising or behavioral-tracking cookies. Vercel Analytics and Ahrefs Web Analytics are cookieless. Newsletter open/click instrumentation does not use cookies.

The Site is not directed to children under the age of 13, and we do not target our content, marketing, or services to children. We do not knowingly collect, use, or disclose personal information from anyone under 13. If you are under 13, please do not register an account, subscribe to the newsletter, or send us any personal information. If you are a parent or guardian and believe your child has provided us with personal information, contact us at drawnfrom@imagi-narii.com and we will delete it promptly. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule (16 CFR Part 312).

All marketing emails we send comply with the U.S. CAN-SPAM Act and Canada's CASL. Every newsletter:

• Identifies the sender (Imaginarii Publishing) honestly.
• Includes our physical mailing address (available on request).
• Includes a one-click unsubscribe link that takes effect immediately.
• Contains no deceptive subject lines or "From" headers.

Our servers are operated by Vercel and MongoDB Atlas, which may store and process data in the United States and other regions. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers of EEA / UK personal data outside those regions.

We use HTTPS for all traffic, hashed passwords (bcrypt), token-bound unsubscribe links, and access controls on administrative tooling. No system is perfectly secure, but we treat your data as we'd treat our own.

We may update this policy from time to time. The effective date at the top of this page will reflect the date of the most recent revision. For material changes affecting how we use your data, we will notify subscribers by email before the change takes effect.

Questions about this policy? drawnfrom@imagi-narii.com