The Archival Club
Privacy Policy
Last updated · 30 May 2026
In plain English
- We collect the minimum data needed to run the Club.
- We do not sell, rent, or trade your personal data. Ever.
- We hide your data from everyone we can, including ourselves where possible.
- You can ask us to show, correct, or delete what we hold, any time.
1. Who we are
The Archival Club ("we", "us", "the Club") operates the website at thearchival.club and the associated members' area. We are the data controller for the personal data described in this policy under Article 4(7) of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Contact for privacy matters: privacy@archival.club.
2. What we collect and why
We process the smallest amount of data we can get away with:
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | To create your account, send waitlist confirmations, order updates, and giveaway notifications. | Art. 6(1)(b) GDPR — contract |
| Name & shipping address | Only when you place an order or claim a bag, to ship the item. | Art. 6(1)(b) GDPR — contract |
| Payment metadata | Stripe handles card data on its own infrastructure. We only store the Stripe customer ID and order status. | Art. 6(1)(b) GDPR — contract |
| Authentication logs | IP, timestamp and user-agent of sign-in events, to detect suspicious activity. | Art. 6(1)(f) GDPR — legitimate interest in security |
| Aggregate analytics | Anonymous page views, no third-party ad trackers. | Art. 6(1)(f) GDPR — legitimate interest |
We do not knowingly collect data from anyone under 16. If you believe a minor has registered, email us and we will delete the account.
3. What we will never do
- Sell your personal data to advertisers, data brokers or marketplaces.
- Rent, lease, or "exchange" your email with affiliate partners.
- Build advertising profiles or sync identifiers with ad networks.
- Place tracking cookies from Meta, Google Ads, TikTok or similar.
- Disclose what you have bought, requested, or browsed to anyone outside the strict service providers listed below.
It is in our commercial interest to be the discreet place — not the leaky one.
4. Who has access
Your data is shared only with processors strictly necessary to run the service, each bound by a Data Processing Agreement under Art. 28 GDPR:
- Supabase — database & authentication (EU region).
- Stripe — payments (PCI-DSS Level 1).
- Hostinger — transactional email delivery.
- Cloudflare — DDoS protection and CDN.
We do not transfer data outside the EU/UK except via Standard Contractual Clauses (Art. 46 GDPR) where a provider operates globally.
5. How long we keep it
- Account data — for as long as your account exists, plus 30 days after deletion.
- Order & invoicing data — 10 years, as required by EU tax law (Art. 5(1)(e) GDPR; statutory obligation).
- Authentication / security logs — 90 days.
- Waitlist emails — until launch or until you unsubscribe.
6. Your rights
Under Articles 15–22 of the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data — the "right to be forgotten" (Art. 17).
- Restrict or object to processing (Arts. 18, 21).
- Receive your data in a portable format (Art. 20).
- Lodge a complaint with your local supervisory authority (Art. 77).
To exercise any right, email privacy@archival.club. We respond within 30 days as required by Art. 12(3) GDPR.
7. How we protect your data
In line with Article 32 GDPR ("Security of processing") we apply technical and organisational measures appropriate to the risk:
- TLS 1.3 in transit, AES-256 at rest.
- Row-Level Security on every database table — by default you can only see your own rows.
- Passwords hashed with bcrypt; we never see them in plain text.
- Two-factor authentication on every administrative account.
- Least-privilege access: most of our team cannot read member data at all.
- Quarterly review of access logs and dependencies.
8. Changes to this policy
If we update this policy in a way that materially affects your rights, we will email you at least 14 days before the change takes effect. The latest version always lives at this URL with a "Last updated" date at the top.
Questions? Write to privacy@archival.club. We read every message.