Last updated: May 6, 2026
This Privacy Policy explains how we collect, use and protect your personal data when you use the TeaTime Chinese website, podcast platform and related services (the "Service"). It is to be read together with our Terms of Service.
1. Data controller
- [COMPANY LEGAL NAME] — [LEGAL FORM, e.g. SARL / Association loi 1901]
- Registered office: [STREET, POSTAL CODE, CITY, COUNTRY]
- Registration: RCS [CITY] [NUMBER] / SIRET [NUMBER] (where applicable)
- Contact: hello@teatimechinese.com
We have not appointed a Data Protection Officer; processing volumes do not trigger the obligation under Article 37 GDPR. You may contact us at the address above for any data-protection question.
2. Personal data we process
- Account data — email, display name, hashed password.
- OAuth data — when you sign in with Google: profile picture, Google account ID, the email returned by Google.
- Community content — letters, comments and replies you publish.
- Donation data — amount, currency, donor name, email, Stripe payment reference. Card numbers are processed by Stripe directly and never reach our servers.
- Newsletter data — email address, opt-in timestamp.
- Server logs — IP address, browser user-agent, requested URL, response code, timestamp.
Browser-side preferences (theme, language, audio settings) are stored locally on your device and are not personal data we process.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Operating the Service and your account | Performance of a contract — Art. 6(1)(b) |
| Processing donations and issuing receipts | Performance of a contract — Art. 6(1)(b) |
| Sending the newsletter | Consent — Art. 6(1)(a) |
| Security, fraud prevention, server logs | Legitimate interest — Art. 6(1)(f) |
| Tax, accounting and legal record-keeping | Legal obligation — Art. 6(1)(c) |
| Responding to user inquiries | Legitimate interest — Art. 6(1)(f) |
4. Recipients and processors
We share personal data only with the processors below, each bound by a written agreement:
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Brevo SAS (France) — newsletter delivery.
- Google Ireland Ltd. — OAuth sign-in (only if you choose this method).
- [HOSTING PROVIDER] ([COUNTRY]) — application and database hosting.
We do not sell, rent or trade your personal data.
5. International transfers
Most processing takes place within the European Economic Area. Where a processor transfers data outside the EEA (for example, Stripe to the United States), the transfer is covered by the European Commission's Standard Contractual Clauses or an equivalent adequacy mechanism. A copy of those safeguards is available on request.
6. Retention periods
| Category | Retention |
|---|---|
| Account data | While the account is active; deleted within 30 days after closure. |
| Community content | Until you delete it or close your account; anonymized thereafter. |
| Donation records | 10 years from the donation, as required by accounting and tax law. |
| Newsletter data | Until you unsubscribe; address kept on suppression list to honour your opt-out. |
| Server logs | 30 days, except where extended for security investigation. |
7. Cookies and similar technologies
We use only strictly necessary cookies, which do not require prior consent under Article 82 of the French Data Protection Act:
- an HttpOnly, Secure session token to keep you signed in;
- a CSRF protection token.
Theme, language and audio preferences are stored in your browser's local storage. We do not use advertising, analytics or third-party tracking cookies.
8. Security
We apply technical and organisational measures appropriate to the risk: encrypted transport (HTTPS/TLS), password hashing, HttpOnly cookies, role-based access control, regular backups and software updates. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform you where required (GDPR Art. 33–34).
9. Your rights
Subject to applicable law, you have the right to:
- access your personal data and obtain a copy (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (Art. 17);
- restrict or object to certain processing (Art. 18, 21);
- receive your data in a portable format (Art. 20);
- withdraw your consent at any time, without affecting the lawfulness of prior processing (Art. 7);
- define directives for the fate of your data after death (Loi 78-17 art. 85).
To exercise these rights, write to hello@teatimechinese.com. We respond within one month. If you are not satisfied, you may lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL), 3 place de Fontenoy, 75007 Paris, www.cnil.fr, or with the supervisory authority of your habitual residence.
10. Children
The Service is not intended for users under 15 in France, 16 in EEA member states where local law so provides, or 13 elsewhere. We do not knowingly collect personal data from children below the applicable threshold. If you become aware that a child has provided us with personal data, contact us so we can delete it.
11. Automated decisions and profiling
We do not engage in automated decision-making producing legal or similarly significant effects, nor in profiling within the meaning of Article 22 GDPR.
12. Changes to this policy
We may update this Privacy Policy. The "Last updated" date at the top reflects the latest version. Material changes are announced on the Service at least 15 days before they take effect.
13. Contact
For any privacy question, write to hello@teatimechinese.com.