Privacy Policy
Last Updated: March 22, 2026
Data Controller: Garnett Publishing Inc. Contact: review@garnett-ks.com Website: https://garnett-ks.com
1. Introduction
This privacy policy describes how Garnett Publishing Inc. (“we,” “us,” or “our”) collects, uses, stores, and protects personal data when you interact with our digital newspaper edition service powered by the Newspaper Digital Edition plugin. We are committed to protecting your privacy and handling your data transparently and in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Personal Data We Collect
2.1 Data You Provide Directly
| Data | When Collected | Purpose |
| Email address | When you request access to a digital edition via the access form | Deliver your unique access link, verify subscription or purchase status, and communicate edition availability |
| Name | When provided by an administrator or during account setup | Personalize email communications |
2.2 Data Collected Automatically
| Data | When Collected | Purpose |
| IP address | Each time you access a digital edition PDF | Abuse prevention (rate limiting), security auditing, and access logging |
| Browser information (user agent) | Each time you access a digital edition PDF | Debugging technical issues and security monitoring |
| Access timestamps | Each time you view a digital edition | Record when editions were first and last accessed |
| Access count | Each time you view a digital edition | Track how many times a specific link has been used |
2.3 Payment Data
| Data | When Collected | Purpose |
| Payment transaction ID | When you purchase a digital edition | Link your purchase to your account for access verification |
| Purchase amount and currency | When you purchase a digital edition | Maintain transaction records |
| Payment status | When you purchase a digital edition | Track whether payment was completed or refunded |
| Square customer ID | When you make a purchase through Square | Associate your contact record with the Square payment platform |
Important: We do not collect, store, or process credit card numbers, bank account details, or other direct financial instrument data. All payment processing is handled entirely by Square (Block, Inc.) through their hosted checkout page. Your payment details are entered directly on Square’s secure platform and never pass through our systems.
3. How We Use Your Data
We process your personal data for the following purposes:
- Edition delivery — Generate and send unique, secure access links to your email address so you can view digital editions you are entitled to.
- Access verification — Confirm that you hold a valid subscription or have purchased the requested edition before granting access.
- Rate limiting and abuse prevention — Use IP-based and email-based rate limiting to prevent automated abuse of our access system.
- Security and auditing — Maintain access logs to detect unauthorized access attempts and investigate security incidents.
- Payment processing — Record purchase transactions to verify your access rights and support refund requests.
- PDF watermarking — Embed your email address as a visible watermark in digital edition PDFs to deter unauthorized redistribution (see Section 8).
- Email communications — Send you access links for new editions you are subscribed to or have purchased.
Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
| Edition delivery and access verification | Performance of a contract (fulfilling your subscription or purchase) |
| Rate limiting and security | Legitimate interest (protecting the service and its users) |
| Payment processing | Performance of a contract |
| PDF watermarking | Legitimate interest (copyright protection) |
| Access logging | Legitimate interest (security and abuse prevention) |
| Email communications | Performance of a contract (delivering purchased content) |
4. Cookies and Similar Technologies
We use a single, essential cookie:
| Cookie Name | Purpose | Duration | Type |
| nde_pdf_session_* | Authenticates your browser session while viewing a PDF, allowing the PDF viewer to load the document in segments | 15 minutes | Strictly necessary (HttpOnly, Secure, SameSite=Lax) |
This cookie is required for the PDF viewer to function and cannot be disabled. It does not track you across websites, is not accessible to JavaScript (HttpOnly), and expires automatically after 15 minutes.
We do not use any advertising, analytics, or tracking cookies.
5. Third-Party Services
5.1 Square (Block, Inc.)
We use Square as our payment processor for digital edition purchases. When you initiate a purchase, the following data is transmitted to Square:
- Your email address (to pre-populate the checkout form)
- Edition metadata (title, price)
- Edition preview images (for catalog display)
Square processes your payment on their hosted checkout page. We receive a confirmation of the transaction from Square via a secure webhook but never receive your credit card or bank details.
Square’s Privacy Policy: https://squareup.com/legal/privacy
5.2 Cloudflare CDN
Our PDF viewer component (PDF.js) may be loaded from Cloudflare’s content delivery network (cdnjs.cloudflare.com). This is a standard library request that transmits your IP address and browser information to Cloudflare as part of normal web traffic. If the CDN is unavailable, a locally hosted copy is used instead.
Cloudflare’s Privacy Policy: https://www.cloudflare.com/privacypolicy/
We do not share your personal data with any advertising networks, analytics services, data brokers, or other third parties beyond those listed above.
6. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period | Deletion Method |
| Contact records (email, name, subscription info) | Retained until you request deletion or an administrator removes your record | Manual deletion by administrator; cascading deletion removes all associated data |
| Access links and tokens | Retained until the associated contact or edition is deleted | Automatically deleted when contact or edition is removed |
| Access logs (IP, user agent, timestamps) | 90 days, then automatically purged | Automatic daily cleanup |
| Email delivery records | 30 days, then automatically purged | Automatic daily cleanup |
| Purchase records | Retained indefinitely for transaction history and dispute resolution | Manual deletion by administrator |
| Superseded tokens (old access links) | Retained indefinitely to provide helpful error messages if you use an outdated link | Deleted when the associated contact is removed |
| Debug logs | Rolling file, maximum 5 MB; oldest entries overwritten automatically | Automatic rotation |
7. Data Security
We implement the following measures to protect your personal data:
- Cryptographic access tokens — Edition access links use cryptographically secure random tokens verified with HMAC-SHA256, preventing unauthorized access or link forgery.
- Prepared database statements — All database queries use parameterized statements to prevent SQL injection.
- CSRF protection — All form submissions and interactive requests are protected with WordPress nonce verification.
- Secure cookies — Session cookies are HttpOnly (not accessible to JavaScript), use the Secure flag (transmitted only over HTTPS), and enforce SameSite=Lax policy.
- Content Security Policy — PDF viewer pages include CSP headers to mitigate cross-site scripting attacks.
- Bot protection — Honeypot fields detect and reject automated form submissions.
- Log file protection — Debug log files are protected from direct web access via server configuration.
- Rate limiting — Automated per-IP and per-email rate limiting prevents brute-force access attempts.
- No stored payment credentials — Credit card and financial data are never stored on our servers; all payment processing occurs on Square’s PCI-compliant platform.
8. PDF Watermarking
When you access a digital edition, your email address is embedded as a visible watermark on each page of the PDF. This watermark includes:
- The text “Licensed to: [your email address]”
- The date and time of access
- A notice that redistribution is prohibited
This watermarking is applied to deter unauthorized sharing of digital editions and to protect the copyright of the publication’s content. The watermarked PDF is generated on-the-fly and is not permanently stored on our servers.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
9.1 For All Users
- Right to know — You may request information about what personal data we hold about you.
- Right to deletion — You may request that we delete your personal data. Upon deletion, all associated data (access links, access logs, purchase records, email records, and group memberships) will be permanently removed.
- Right to correction — You may request that inaccurate personal data be corrected.
9.2 Additional Rights Under GDPR (EU/EEA/UK)
- Right to access — Obtain a copy of your personal data.
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Right to lodge a complaint — File a complaint with your local data protection authority.
9.3 Additional Rights Under CCPA (California)
- Right to know — Request disclosure of the categories and specific pieces of personal information collected.
- Right to delete — Request deletion of personal information collected.
- Right to opt out of sale — We do not sell your personal information to third parties.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
How to Exercise Your Rights
To exercise any of these rights, please contact us at review@garnett-ks.com. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.
10. Data Transfers
If you are located outside the country where our servers are hosted, your personal data may be transferred to and processed in a different jurisdiction. We take appropriate safeguards to ensure that your data is protected in accordance with this privacy policy and applicable data protection laws.
Square (Block, Inc.) may process payment data in the United States. For details on Square’s data transfer practices, please refer to their privacy policy.
11. Children’s Privacy
Our digital edition service is not directed at children under the age of 16 (or 13 in jurisdictions where that threshold applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at review@garnett-ks.com and we will promptly delete the information.
12. Do Not Track
Our service does not respond to “Do Not Track” browser signals. However, we do not engage in cross-site tracking, behavioral advertising, or profiling. No analytics or advertising trackers are used.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the “Last Updated” date at the top of this policy. We encourage you to review this policy periodically.
14. Contact Us
If you have questions about this privacy policy or our data practices, please contact us:
- Email: review@garnett-ks.com
- Phone: (785) 448-3121
- Address: 112 W 6th Ave, Garnett, KS 66032
For data protection inquiries in the EU/EEA, you may also contact your local supervisory authority.
15. Summary of Data Processing Activities
| Activity | Data Involved | Legal Basis | Retention |
| Edition access delivery | Email, name | Contract | Until deletion requested |
| Access verification | Email, IP address | Contract | Until deletion requested |
| Rate limiting | IP address (hashed), email (hashed) | Legitimate interest | 1–15 minutes (transient) |
| Access logging | IP address, user agent, timestamps | Legitimate interest | 90 days |
| Payment processing | Email, transaction ID, amount | Contract | Indefinite |
| PDF watermarking | Email address | Legitimate interest | Duration of PDF viewing session |
| Email delivery | Email, name, edition details | Contract | 30 days (job records) |
| Debug logging | IP address, email, user agent | Legitimate interest | Rolling 5 MB file |