Privacy Policy
Last updated: 2 June 2026. This template requires review by the operator and, ideally, a lawyer before reliance.
This Privacy Policy explains how Your European Roots (“we”, “us”, “our”) collects, uses, shares and protects personal information when you visit youreuropeanroots.com (the “Website”), create an account, sign up for our email list, or purchase our digital products. We sell digital-only products (an eBook and printable PDF genealogy cheat sheets) worldwide, with a primary audience in the United States, Canada and Australia. Because we operate from the European Union, the EU General Data Protection Regulation (GDPR) and Polish data-protection law apply to our processing. We have also added specific sections for California (CCPA/CPRA), Canada (PIPEDA), Australia (Privacy Act / APPs) and the UK (UK GDPR).
1. Who We Are (Data Controller)
- Controller: [PLACEHOLDER: legal entity name]
- Registered address: [PLACEHOLDER: registered address]
- Business / registration number: [PLACEHOLDER: NIP / REGON or company number]
- VAT ID: [PLACEHOLDER: VAT ID]
- Contact email: hello@youreuropeanroots.com
We have not appointed a Data Protection Officer, as we are not required to. For all privacy matters, please use the contact email above.
2. What Personal Data We Collect
We collect only the data we need to run our shop, deliver your purchases and communicate with you.
- Account data: name (or display name), email address, hashed password, and your order history. You need an account to access and re-download your digital products.
- Order data: the products you buy, the price paid, the date/time of purchase, billing details (including country, needed for tax purposes), and invoices.
- Email opt-in data: if you request our free “Getting Started” cheat sheet or subscribe to our newsletter, we collect your email address (and, where given, your first name) together with a record of your consent (double opt-in confirmation, date, time and IP address).
- Payment data: card payments are handled directly by Stripe. We do not see or store your full card number, expiry date or security code. We receive only limited confirmation data from Stripe (for example, a payment token, the last four digits, card brand, and whether the payment succeeded).
- Support / correspondence data: the content of any email you send us and our replies.
- Server logs & technical data: our hosting provider automatically records technical information such as IP address, browser/user-agent, requested pages, timestamps and error logs. This is used for security, fraud prevention, debugging and to keep the Website running.
- Cookies & similar technologies: see our Cookie Policy for details. Non-essential cookies (e.g. analytics or marketing, if enabled) are only set with your consent.
We do not intentionally collect special-category (sensitive) personal data. Please do not send us such data unless strictly necessary.
3. Legal Bases for Processing (GDPR)
Under the GDPR we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to create and manage your account, process your order, deliver the digital product, and provide download access and support.
- Consent (Art. 6(1)(a)): to send you marketing emails after double opt-in, and to set non-essential cookies. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)): to secure and maintain the Website, prevent fraud and abuse, keep basic records, and (where permitted) tell existing customers about similar products. We balance these interests against your rights.
- Legal obligation (Art. 6(1)(c)): to keep accounting, tax and VAT records (including VAT on digital services supplied to EU consumers) and to respond to lawful requests.
4. Purposes of Processing
- Operating our shop and fulfilling your orders (delivery of digital downloads).
- Managing your customer account and giving you ongoing access to your purchases.
- Taking payment and issuing receipts/invoices.
- Sending transactional emails (order confirmations, download links, account notices).
- Sending marketing emails where you have opted in.
- Providing customer support and handling refund/help requests.
- Maintaining security, preventing fraud and complying with our legal and tax obligations.
- Improving the Website and, if analytics are enabled, understanding aggregate usage.
5. Recipients & Data Processors
We do not sell your personal data. We share data only with trusted service providers (“processors”) who act on our instructions, and where required by law. Our main processors are:
- Stripe (payment processing). Stripe processes your payment details as an independent controller/processor for the transaction. See Stripe’s privacy policy for details.
- Hosting provider — our Website and database are hosted on a virtual private server with Hetzner Online GmbH, Germany (EU).
- Email / SMTP provider — [PLACEHOLDER: SMTP / email service provider name] delivers our transactional and marketing emails.
- Analytics provider (if/when enabled) — [PLACEHOLDER: analytics provider, if used], only with your consent.
- Professional advisers and authorities — e.g. our accountant, or tax/legal authorities where we are legally required to disclose.
6. International Transfers
Our hosting is located in Germany (EU). However, some of our processors (for example Stripe, and possibly our email or analytics providers) may process data in the United States or other countries outside the European Economic Area. Where that happens, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework (DPF) and equivalent UK/Swiss mechanisms. You may request a copy of the relevant safeguards by emailing us.
7. How Long We Keep Data (Retention)
- Account & order data: for as long as your account is active, and afterwards as needed to provide re-download access and to handle disputes.
- Accounting / tax / invoice records: for the period required by Polish and EU law (generally several years).
- Marketing data: until you unsubscribe or withdraw consent, after which we keep a minimal suppression record so we do not email you again.
- Server logs: for a short period for security and debugging, then deleted or anonymised.
When data is no longer needed, we delete or anonymise it.
8. Your Rights Under the GDPR
If you are in the EU/EEA (or UK), you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure (“right to be forgotten”) where applicable;
- restrict or object to certain processing, including direct marketing;
- data portability (receive your data in a structured, machine-readable format);
- withdraw consent at any time, without affecting prior lawful processing;
- not be subject to solely automated decisions with legal effects (we do not carry out such decision-making).
To exercise any of these rights, email hello@youreuropeanroots.com. We will respond within the timeframes required by law. We may need to verify your identity first.
9. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know / access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it;
- Delete personal information we hold about you, subject to legal exceptions;
- Correct inaccurate personal information;
- Opt out of the “sale” or “sharing” of personal information and of cross-context behavioral advertising;
- Limit the use of sensitive personal information;
- Non-discrimination for exercising your rights.
We do not sell your personal information and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CPRA. To make a request, email hello@youreuropeanroots.com. You may use an authorized agent. We will not discriminate against you for exercising these rights.
10. Canadian Residents (PIPEDA)
If you are in Canada, we handle your personal information in line with the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect, use and disclose personal information only for the purposes described above, obtain consent where required (for example for marketing), and keep information only as long as necessary. You may request access to, or correction of, your personal information by emailing us. You may also contact the Office of the Privacy Commissioner of Canada with a complaint.
11. Australian Residents (Privacy Act / APPs)
If you are in Australia, we handle your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This includes being transparent about our practices, collecting only what we need, allowing you to access and correct your information, and taking reasonable steps to keep it secure. Because we use overseas service providers, your information may be disclosed outside Australia (see “International Transfers” above). You may contact us, or the Office of the Australian Information Commissioner (OAIC), with any concern.
12. Children
The Website and our products are intended for adults and are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit (HTTPS), restricted access, hashed passwords, and a reputable EU host. No system is completely secure, but we work to keep your information safe.
14. How to Complain
If you have a concern, please contact us first at hello@youreuropeanroots.com so we can try to resolve it. You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Polish data-protection authority:
- Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl
UK residents may complain to the Information Commissioner’s Office (ICO); residents of other EU/EEA states may complain to their local authority.
15. Cookies
For details of the cookies and similar technologies we use, and how to manage your consent, please see our Cookie Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when it was last revised. Material changes will be highlighted on the Website where appropriate.
17. Contact Us
For any privacy question or to exercise your rights, contact: [PLACEHOLDER: legal entity name], [PLACEHOLDER: registered address], hello@youreuropeanroots.com.