Scope and Controller

This Data Protection Notice describes how Alexandria Apothecary Archive (the “Service”) collects, uses, discloses, and safeguards personal information in accordance with applicable laws of the United States of America, and, where relevant, the European Union General Data Protection Regulation (GDPR) and the UK GDPR.

Controller: Alexandria Apothecary Archive, owned and operated by Dorian Salkett, 450 10th St, San Francisco, CA 94103, United States. Email: [email protected].

Effective date of this Notice: 05 September 2025.

Categories of Personal Information We Collect

We collect the following categories of information, which may be considered personal information or personal data under applicable law:

• Identifiers and contact information: name, email address, mailing address, telephone number (when you contact us or subscribe to communications).
• Internet or device information: IP address, device and browser type, operating system, referral URLs, pages viewed, timestamps, and general location derived from IP address.
• Usage data: interaction with pages, features, and content; search queries; preferences.
• Communications content: messages or inquiries you send to us and associated metadata.
• Marketing preferences and consent records: opt-ins/opt-outs, cookie consent choices.
• Professional information: if you voluntarily provide your role or affiliation.
• Sensitive information: we do not intentionally collect sensitive personal information; do not submit health, financial, or government ID numbers through this Service.

Sources of Personal Information

We collect information directly from you (e.g., when you contact us), automatically through cookies and similar technologies, and from service providers assisting us with hosting, analytics, email delivery, security, and error monitoring.

Purposes of Processing

We process personal information for the following purposes:

• To operate, maintain, and secure the Service, including troubleshooting, analytics, and performance monitoring.
• To communicate with you, respond to inquiries, and provide requested information.
• To personalize content, remember preferences, and improve usability.
• To measure and improve the quality, relevance, and safety of our content and features.
• To comply with legal obligations and enforce our terms, or to establish, exercise, or defend legal claims.
• With your consent, to send newsletters or promotional communications, where applicable.

Legal Bases for Processing (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Consent: for optional communications and certain cookies or similar technologies.
• Legitimate interests: to secure and improve the Service; to understand usage; to prevent fraud and abuse; balanced against your rights and freedoms.
• Legal obligation: to comply with applicable laws and regulations.
• Contract: where processing is necessary to provide requested services or information.

Disclosures to Processors and Third Parties

We disclose personal information to service providers that act on our behalf and under our instructions (“processors”), including hosting providers, analytics services, security and anti-abuse tools, email delivery platforms, and error monitoring services. We require these processors to implement appropriate security measures and to process personal information only as instructed.

We may also disclose information to: (a) competent authorities when legally required; (b) professional advisers under confidentiality; (c) parties to a business transaction (e.g., merger or reorganization), subject to appropriate safeguards.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law. If our practices change, we will update this Notice and provide applicable rights and opt-out mechanisms.

Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve the Service, for security, and to understand aggregate usage. Categories include:

• Strictly necessary cookies: essential for core functions and security.
• Performance and analytics cookies: help measure traffic and usage.
• Preference cookies: remember your settings and choices.

You can control cookies through browser settings, including blocking and deleting cookies. Disabling certain cookies may affect site functionality.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Notice, including compliance with legal, accounting, or reporting obligations, dispute resolution, and security. Typical retention periods are:

• Contact and communications records: up to 3 years after last interaction, unless a longer period is needed for legal purposes.
• Analytics and log data: 12–24 months, unless aggregated or anonymized sooner.
• Consent and preference records: for the duration of the consent and up to 5 years thereafter to demonstrate compliance.

Data Security

We implement appropriate technical and organizational measures designed to protect personal information, including encryption in transit, access controls, least-privilege principles, monitoring, secure development practices, and regular backups. No security measure is absolute; we maintain and improve safeguards on an ongoing basis.

Children’s Data

The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children. If you believe a child has provided personal information, please contact us at [email protected] so we may take appropriate steps.

International Data Transfers

We are based in the United States and your information may be processed in the United States and other jurisdictions that may have different data protection laws than your home country. Where required by the GDPR/UK GDPR for transfers from the EEA/UK/Switzerland, we rely on appropriate safeguards, such as European Commission-approved Standard Contractual Clauses, and implement supplementary measures where necessary.

Your Rights Under US State Laws

California Residents (CCPA/CPRA)

Subject to exceptions, California residents have rights to:

• Know/access: request disclosure of the categories and specific pieces of personal information collected, the sources, purposes, and categories of third parties to whom information was disclosed.
• Delete: request deletion of personal information.
• Correct: request correction of inaccurate personal information.
• Opt-out of sale/share: we do not sell personal information or share it for cross-context behavioral advertising. If this changes, we will provide a method to opt out.
• Limit use of sensitive personal information: we do not use or disclose sensitive personal information for purposes requiring a right to limit.
• Non-discrimination: we will not discriminate against you for exercising your rights.

Virginia, Colorado, Connecticut, and Utah Residents

Depending on your state, you may have rights to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or engage in profiling that produces such effects. If we engage in targeted advertising in the future, we will provide an opt-out mechanism.

Exercising Your Rights and Verification

To exercise your rights, contact us at [email protected] or by mail at 450 10th St, San Francisco, CA 94103, United States. Please provide sufficient information for us to reasonably verify you are the consumer about whom we collected personal information (e.g., email address used with the Service) and describe your request with sufficient detail.

We will respond within the time required by applicable law (generally 45 days, extendable once by an additional 45 days where reasonably necessary). If we cannot verify your identity, we may request additional information or deny the request as permitted by law.

Appeals of Rights Decisions

Residents of Virginia, Colorado, and Connecticut may appeal a denial of a rights request by replying to our decision email or by sending an email with the subject line “Appeal of Privacy Request” to [email protected]. We will respond within the timeframe required by applicable law with an explanation of our decision.

Your Rights Under the GDPR/UK GDPR

If you are located in the EEA, UK, or Switzerland, and subject to legal limitations, you have the right to request access, rectification, erasure, restriction, portability, and to object to processing based on our legitimate interests, as well as the right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You also have the right to lodge a complaint with your supervisory authority.

Do Not Track and Global Privacy Control

Some browsers transmit “Do Not Track” or Global Privacy Control signals. There is no consensus on how to interpret these signals for all contexts. Where legally required and technically feasible, we will treat qualifying signals as requests to opt out of sale/share or targeted advertising, as applicable to our practices.

Third-Party Links and Content

The Service may reference external content. If you navigate to third-party resources, their privacy practices govern your use. We are not responsible for third-party privacy practices.

Changes to This Notice

We may update this Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The “Effective date” above indicates when this Notice was last revised. Material changes will be communicated as required by law.

Contact Information

For questions, requests, or complaints regarding this Notice or our data practices, contact: Alexandria Apothecary Archive, c/o Dorian Salkett, 450 10th St, San Francisco, CA 94103, United States. Email: [email protected].