RdR Toolkit — Privacy Policy

Last updated: 6 June 2026

1. Who we are

This Privacy Policy explains how ABCwebsites, operated by Kyle Atkins (“we”, “us”, “ABCwebsites”), collects and uses personal data in connection with the RdR Library Network Toolkit (the “Service”), available at https://www.abcwebsites.online/rdr/. We are based in Malta and act in accordance with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act. For questions, contact kyle@abcwebsites.online.

2. Our two roles

Controller — For data about our direct customers and account holders (subscriber name, email, billing, access token), we decide why and how the data is used, so we are the controller.

Processor — When a subscribing library or organisation (“Customer”) uses the Service to collect data from their own audiences (poll responses, form submissions, questions, reading-project entries), the Customer is the controller and we process that data on their behalf as a processor, under our Data Processing Agreement. If you are an end participant, please refer to the relevant library’s own privacy notice.

3. What data we collect

Account & billing data (we are controller): name and email; subscription tier, status and access token; payment metadata (handled by Stripe — we do not store full card numbers); communications you send us.

Customer-content data (we are processor): responses, submissions, votes, questions, names/nicknames and any other information end users enter into a tool, as configured by the Customer.

Technical data: aggregated, cookieless usage analytics via Plausible (no cross-site tracking, no advertising cookies); standard server logs (IP, timestamp, page) for security and reliability.

4. Why we use it and our legal basis

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service | Contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Contract (Art. 6(1)(b)) |
| Send service emails (access codes, account notices) | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, reliability | Legitimate interests (Art. 6(1)(f)) |
| Aggregated, privacy-friendly analytics | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal/tax obligations | Legal obligation (Art. 6(1)(c)) |
| Optional marketing emails (if any) | Consent (Art. 6(1)(a)) — withdrawable anytime |

For Customer-content data, the lawful basis is determined by the Customer (controller).

5. Who we share data with (sub-processors)

| Provider | Purpose | Location / safeguard |
|---|---|---|
| Stripe | Payment processing | EU/US — SCCs / EU-US Data Privacy Framework |
| Brevo (Sendinblue) | Transactional email | EU (France) |
| Make (Make.com / Celonis) | Workflow automation & member data store | EU (eu1 servers) |
| DreamHost | Website & application hosting | United States — international transfer; see Section 7 |
| Plausible Analytics | Cookieless, aggregated analytics | EU |

We do not sell personal data, and we do not allow advertisers to pay to target you within the Service.

6. How long we keep it

  • Account and access-token data: for the life of your subscription and 24 months after, then deleted or anonymised.
  • Billing records: for the period required by Maltese tax law (generally at least 6 years).
  • Customer-content data: as configured by the Customer; deleted or returned at the end of the Customer’s contract per our DPA.
  • Server logs: 90 days.

7. International transfers

Some providers (notably DreamHost, our current host) are based in the United States, so some data may be transferred outside the EEA. Where this happens we rely on appropriate safeguards such as Standard Contractual Clauses and/or the EU-US Data Privacy Framework.

8. Your rights

Under the GDPR you have the right to access, correct or erase your data, to restrict or object to processing, to data portability, and to withdraw consent at any time. To exercise these, email kyle@abcwebsites.online. If your data is Customer-content, contact the relevant library/organisation (the controller). You may also complain to the Maltese supervisory authority, the Information and Data Protection Commissioner (IDPC) — https://idpc.org.mt.

9. Security

We apply reasonable technical and organisational measures, including encrypted connections (HTTPS), access controls, and data minimisation. No system is perfectly secure; please keep your access code private.

10. Children

The Service is intended for libraries and organisations, not for direct use by children. Where a Customer uses a tool with minors, the Customer is responsible for any required parental consent and an appropriate lawful basis.

11. Changes

We may update this policy. Material changes will be posted here with a new “Last updated” date and, where appropriate, notified by email.

12. Contact

ABCwebsites (Kyle Atkins) · Triq Censu Borg, Ħamrun, Malta · kyle@abcwebsites.online