last_updated: 2026-05-03
VeganStove (“we,” “our,” “the site”) is operated by Sage Bendly from Portland, Oregon, USA. This page explains what data we collect, why we collect it, and the rights you have over it. Plain language version up top, formal sections below.
Effective date: 2026-05-03. Last updated: 2026-05-03. This policy applies to veganstove.com and all subdomains.
The short version
- We collect the email you give us when you subscribe to the newsletter, and the data your browser sends when you load a page (IP, user agent, page URL, referrer).
- We do not sell your data. We do not share it with brokers. We never have.
- We use cookies for the essentials (login, comment authorship, consent state) and for anonymized analytics so we know which recipes are loading slowly.
- You can unsubscribe in one click, ask us to delete your data, or export what we hold on you. Send a message through the contact page.
Who is the data controller
For the purposes of GDPR (EU/UK), CCPA/CPRA (California), and similar laws: the data controller is Sage Bendly, operating VeganStove from Portland, Oregon, USA. To reach the data controller, use our contact page.
What we collect
Information you provide
- Newsletter signup: email address, plus your consent timestamp. Optional first name if you choose to share it.
- Comments: name, email, comment content, optional website URL. Your email is never published. Your name and the comment are.
- Contact form / direct email: whatever you put in the message, including your email address.
- Recipe ratings: the star value you click, no personal data attached.
Information your browser sends automatically
- IP address (truncated for analytics, full for security logs).
- Browser type and version, operating system, screen size.
- Page URL, referring page, time on page, exit page.
- Country-level location inferred from IP. Not your street address.
What we do not collect
- Health, dietary restriction, or medical information beyond what you choose to put in a comment or email.
- Payment information. The site does not sell anything directly.
- Children under 13 are not the audience and we do not knowingly collect their data.
Why we collect it
| What | Why | Legal basis (GDPR) |
|---|---|---|
| Email for newsletter | Send the Friday memo you signed up for | Consent |
| Comment data | Display your comment, prevent spam | Consent + legitimate interest |
| Server logs (IP, user agent) | Security, abuse prevention, debugging | Legitimate interest |
| Analytics (anonymized) | Know which pages load slow or break | Consent (where required) |
| Cookie consent state | Respect your choice on the next page | Legitimate interest |
Cookies and similar technologies
Cookies are small text files stored by your browser. We use:
- Essential cookies. WordPress login, comment authorship, consent banner state. The site does not function correctly without these.
- Third-party cookies from embedded content. If a page embeds a YouTube video, an Instagram post, or a Pinterest pin, those platforms may set their own cookies once the embed loads. Their privacy policies apply to that data.
The site does not currently load analytics or advertising cookies. If we add any in the future, the consent banner will surface them as an opt-in choice before they are set.
Your choice on the cookie banner
The first time you visit, a cookie banner gives you a choice. “Refuse” is presented as a one-click action with the same visual weight as “Accept.” Refusing non-essential cookies will not break any feature you can see on the site. You can change your choice at any time by clearing the consent cookie or using the “Cookie settings” link in the footer.
You can also clear cookies in your browser settings or block them site-wide. Blocking essential cookies may break the comment form.
Global Privacy Control (GPC) and Do Not Track (DNT)
We honor the Global Privacy Control (GPC) signal as a valid opt-out request, as required under California law (CCPA/CPRA, effective 2023). When your browser sends a GPC signal, we treat it as a request to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising. As stated above, we do not sell or share information for that purpose, but the signal is logged and respected.
We also honor the older Do Not Track (DNT) browser signal. While DNT has no single legal definition, when received we do not load any non-essential third-party trackers for that visit, in addition to the protections already provided by our cookie consent banner.
Who we share data with
The short answer: only the vendors we need to operate the site. The current list:
- Hosting provider: stores the site files and database, sees server-log data.
- Mailchimp (Intuit Inc., USA): stores your email address and sends the newsletter on our behalf. Mailchimp privacy policy.
- Akismet (Automattic Inc., USA): scans comment metadata to flag spam. Automattic privacy policy.
We do not currently run third-party web analytics. If we add a privacy-respecting analytics tool in the future (such as Plausible or Fathom), this list and the cookie section will be updated before it goes live.
We do not sell, rent, or trade your personal information. We do not share it with data brokers. If a vendor changes, this list is updated.
We may disclose data if legally required (court order, subpoena, criminal investigation). We will resist overbroad requests where we can.
How long we keep it
- Newsletter email: until you unsubscribe, then we delete it within 30 days from the active list. We keep a suppression record (your email plus the unsubscribe date) so we do not accidentally re-add you.
- Comments: as long as the post exists, unless you request deletion.
- Server logs: 90 days, then rotated.
- Analytics: 14 months at the analytics provider, anonymized.
- Direct emails to us: as long as is reasonable to maintain a thread, typically 24 months.
Your rights
Everyone
- Unsubscribe from the newsletter (one-click link in every email).
- Email us to delete your account, comments, and any stored data.
- Email us to request a copy of the data we hold on you.
If you are in the EU, UK, or EEA (GDPR / UK GDPR)
You have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase your data (“right to be forgotten”).
- Restrict or object to processing.
- Data portability (a machine-readable copy of what we hold).
- Withdraw consent at any time, without affecting the lawfulness of past processing.
- Lodge a complaint with your national data protection authority.
To exercise any of these, send a message through the contact page with the subject line “GDPR request.” We respond within 30 days.
If you are in California (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we collect, the sources, and the purposes.
- Know what we have collected about you specifically (a copy).
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right exists if our practices ever change.
- Non-discrimination for exercising any of the above.
To exercise: send a message through the contact page with the subject line “CCPA request.” We verify identity by replying through the same channel before processing.
How we secure data
- The site is served over HTTPS only.
- Admin access requires two-factor authentication.
- Backups are encrypted and stored off-site.
- The newsletter list is exported only when needed and is not stored on local devices.
No system is perfectly secure. If we ever experience a breach affecting your data, we will notify affected users within 72 hours of confirming the breach, as required by GDPR and applicable state laws.
International transfers and EU/UK residents
VeganStove is a US-based publication targeted at a US audience. Our hosting, newsletter, and spam-filter vendors are based in the United States. If your data reaches us, it is transferred to and processed in the US.
Newsletter signup is intended for residents of the United States. The newsletter form is configured to discourage signups from EU/UK/EEA residents, and we do not target marketing at those jurisdictions. If you are an EU/UK/EEA resident and you nevertheless subscribe, we will rely on standard contractual clauses (SCCs) for the cross-border transfer of your email address, and you retain all rights described in the “Your rights” section above.
Because our processing of EU personal data is incidental and not directed at the EU market, we do not currently designate an Article 27 representative in the EU. If our targeting changes, this policy will be updated and a representative appointed before any directed marketing begins.
Browsing the public site (reading recipes, calculator pages, etc.) is open to anyone in the world and does not require submission of personal information.
California Online Privacy Protection Act (CalOPPA)
This document is titled “Privacy Policy” as required, is linked from the site footer of every page, and addresses the categories of information collected, the third parties with whom information is shared, and how a user can review and request changes to their information. The “Global Privacy Control and Do Not Track” subsection above describes how we respond to DNT signals.
Children
VeganStove is not directed at children under 13 (or 16 in some jurisdictions). We do not knowingly collect personal information from children. If you believe a child has submitted data here, email us and we will delete it.
Changes to this policy
If we change anything material, we will update the “last updated” date at the top of this page and, for substantial changes, post a notice on the homepage for 30 days. Continued use of the site after a change means you accept the new policy.
Contact
Questions, requests, complaints: send a message through the contact page.