PRIVACY NOTICE · LAST UPDATED 20 MAY 2026
Privacy notice
The short version: we collect very little, and we tell you what we do. VeganArchive is a public archive of company replies, not an advertising product. There is no tracker, no ad network, no third-party analytics watching you read.
Who runs this
VeganArchive is operated by an individual (the "archivist") based in the United Kingdom. The site has no employees and no investors. The archivist is the data controller for the purposes of UK GDPR and the Data Protection Act 2018.
For any data request — access, deletion, correction, complaint — write to archivist@veganarchive.com. A real person reads that inbox.
What we collect
Three small streams, all listed in plain language below.
The newsletter
If you subscribe to The Acquisitions List, we store your email address and your first name (when you give one). We also note which page of the site you signed up on, so we can see which entry points are useful. You receive a confirmation email; until you click the link, the signup is "pending" and you receive no further mail. You can unsubscribe from any issue we send — the link is at the bottom of every one — and that is the end of the relationship: we delete your row.
The request form
If you file a missing product via /submit, we store the email address you give us, the brand and product you named, and any note you added. We also store a one-way hash of your IP address — not the IP itself — so we can flag obvious spam floods without keeping anything that identifies you on a network.
We use your email address only to write back when there is news on that case file. We do not add request submitters to the newsletter, and we do not use the email for anything else.
The "interested" nudge buttons
Some case files have an "I'm interested" button. Clicking it stores the case file ID and a one-way hash of your IP. Nothing else. The nudge counts shape which cases we re-contact first; nothing on the public page identifies you.
What we do not collect
- No tracking cookies. No analytics scripts. No advertising pixels.
- No third-party social embeds (no Facebook, no Twitter, no TikTok loaders).
- No browser fingerprinting.
- No account system, so no passwords or session data.
- No location data beyond what Cloudflare needs to route a request.
Who else sees the data
We use three operational services. Each sees a small slice of the archive, listed below. We do not sell or share data with anyone else.
Cloudflare
Hosts the site and routes our email. Sees the standard HTTP request metadata any host sees (IP, user agent, time). Cloudflare may also set a minimal session cookie for security purposes (DDoS protection). Their own privacy policy covers this in detail.
Resend
Delivers our outbound email — the outreach to companies, the newsletter, and the confirmation/notification mails. Resend sees the recipient address and the message body, the same as any email provider. Their policy is here.
Anthropic
Reads the body of company replies for the parser that extracts a suggested verdict (we then read it ourselves before publishing). Anthropic never sees newsletter subscribers, request submitters, or any reader of the public site — only the contents of email replies from companies, plus the brand name when we use the research tool. Their policy is here.
Cookies
We set no cookies of our own. We use no analytics that set cookies.
Cloudflare may set a brief technical cookie for security (__cf_bm and similar) — it expires quickly and contains nothing about you personally. There is no consent banner because there is nothing to consent to.
How long we keep things
- Newsletter rows. Until you unsubscribe. Unsubscribing deletes the row.
- Request submissions. While the case file is in the archive. If the case is closed we keep the request linked to it for continuity (we may need to write back), but the request can be deleted on demand.
- IP hashes (nudges + request spam protection). Kept indefinitely because they are one-way hashes and contain no original IP. They cannot be reversed back to you.
- Email threads with companies. Kept indefinitely — these are the receipts, and the receipts are the point of the archive. Personal names in company replies are redacted on public pages by default.
Your rights under UK GDPR
You have the following rights with respect to any personal data we hold about you:
- Access. Ask what we hold and we will send you a copy.
- Rectification. Ask us to correct something that is wrong.
- Erasure. Ask us to delete what we hold. We will, unless we are legally required to keep it (we are usually not).
- Restriction. Ask us to keep but stop processing something while a question is resolved.
- Portability. Ask for an export of your data in a machine-readable format. For an email subscriber this is one CSV row; for a request submitter it is the same.
- Objection. Object to a particular use. If we cannot continue without your consent, we will stop.
- Withdraw consent. Where we rely on your consent (newsletter), you can withdraw it at any time by unsubscribing or writing to us.
Write to archivist@veganarchive.com and we will respond within one calendar month. We do not charge for any of these requests.
If you are not happy with how we handled a request, you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint. We would always prefer the chance to put it right ourselves first, but the route is there.
Lawful basis
For the curious: we rely on three lawful bases under UK GDPR Article 6.
- Consent for the newsletter (you confirm a double-opt-in before we send anything).
- Legitimate interest for the request form (we need your email to write back about the case you filed).
- Legitimate interest for the IP-hash spam protection on nudges and requests (we keep the archive working without processing identifying data).
If this changes
We will update the "last updated" date at the top of this page and link to the previous version. If a change is material — new category of data, new processor — we will say so in the next newsletter issue.
Questions: archivist@veganarchive.com.