Privacy and Cookie Policy
geographyalltheway.com
This policy explains how geographyalltheway.com ("GATW", "we", "us", "our") collects, uses, stores and protects your personal data. It applies to all visitors and subscribers of geographyalltheway.com.
We are committed to protecting your privacy and handling your data transparently, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and French data protection law (Loi Informatique et Libertes).
Data Controller
| Legal entity | geographyalltheway SASU |
| Privacy contact | Richard Allaway |
| Address | 102 allee Victor Hugo, 01210 Ferney-Voltaire, FRANCE |
| EU VAT Number | FR 82 531073633 |
| SIRET | 531 073 633 00046 |
| richard@geographyalltheway.com |
What We Do
GATW provides online IB Diploma Programme Geography educational resources on a subscription basis. We offer Individual subscriptions and Whole School subscriptions. Access to subscriber content requires a user account and login.
Personal Data We Collect and How We Use It
The table below sets out each purpose for which we process personal data, the data involved, the legal basis under GDPR, the retention period and any third-party recipients.
| Purpose | Data collected | Legal basis | Retention | Recipients / Processors |
|---|---|---|---|---|
| Subscription management | Name, email address, login credentials, school name (for institutional subscriptions), country | Performance of contract (Art. 6(1)(b)) | Duration of subscription plus 3 years after last subscription expiry | aMember (self-hosted on the same server; no third-party transfer) |
| Payment processing | Payment details (card number, billing information) | Performance of contract (Art. 6(1)(b)) | Transaction records retained for 10 years (French tax law) | Stripe, Inc. (US, EU-US Data Privacy Framework certified); PayPal (US/Luxembourg, EU-US DPF certified). GATW does not store card numbers — payment details are processed directly by Stripe and PayPal. |
| Transactional emails | Name, email address | Performance of contract (Art. 6(1)(b)) | Duration of subscription | Gmail SMTP (Google LLC, US, EU-US DPF certified). Emails include account confirmations, subscription reminders and payment receipts. |
| Credential sharing detection | IP address, approximate geolocation, login timestamps | Legitimate interest (Art. 6(1)(f)) — protecting the service and detecting unauthorised account sharing | 12 months | Processed internally only; no third-party sharing. Human review is carried out before any account action is taken. |
| Website analytics | Anonymised usage data (pages visited, session duration, device type) | Consent (Art. 6(1)(a)) | 14 months (Google Analytics 4 default) | Google LLC (US, EU-US DPF certified). IP anonymisation is enabled. |
| Accounting records | Invoices, payment history, VAT records | Legal obligation (Art. 6(1)(c)) — French tax law (Code General des Impots) | 10 years | Internal use; shared with tax authorities if required by law. |
Cookies
What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They are used to make the site work, to remember your preferences and to understand how the site is used.
Strictly Necessary Cookies (No Consent Required)
These cookies are essential for the site to function. They cannot be switched off.
| Cookie | Purpose |
|---|---|
| WordPress session cookies | Login and authentication |
aMember session cookies (amember_ru and related) | Subscription access and authentication |
| Cookie consent preference cookie | Remembers your cookie consent choice |
| Breeze/caching cookies | Page caching for site performance |
| CSRF/security tokens | Protection against cross-site request forgery |
Analytics Cookies (Consent Required)
These cookies are only set if you give your consent via the cookie banner.
| Cookie | Purpose | Expiry |
|---|---|---|
_ga | Google Analytics — identifies unique visitors | 2 years |
_ga_* | Google Analytics — maintains session state | 2 years |
Managing Your Cookie Preferences
- Cookie banner: When you first visit the site, a cookie banner allows you to accept or refuse non-essential cookies. You can change your preference at any time by using the cookie settings link on the site.
- Browser settings: You can also delete or block cookies through your browser settings. Instructions are available in your browser's help documentation.
- No impact on functionality: Refusing analytics cookies does not affect your ability to use the site or access subscriber content.
- Re-consent: In accordance with CNIL guidelines, your cookie consent expires after 13 months, at which point you will be asked again.
Server and Hosting
The GATW website is hosted on Cloudways (DigitalOcean) with the server located in Amsterdam, Netherlands (EU). Core website data, including all subscription and membership data managed by aMember, remains within the European Union.
International Data Transfers
Certain data is processed by US-based service providers. All are certified under the EU-US Data Privacy Framework (DPF), which provides an adequate level of data protection as recognised by the European Commission:
- Google LLC — Analytics (GA4), email delivery (Gmail SMTP), Search Console
- Stripe, Inc. — Payment processing
- PayPal — Payment processing
If the EU-US Data Privacy Framework adequacy decision is invalidated in the future, we will rely upon Standard Contractual Clauses (SCCs) as an alternative safeguard for international data transfers.
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — You can request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — You can ask us to correct any inaccurate or incomplete data.
- Right to erasure (Article 17) — You can ask us to delete your personal data. Please note that we may need to retain certain data to comply with legal obligations (for example, tax records must be kept for 10 years under French law).
- Right to restriction of processing (Article 18) — You can ask us to restrict how we use your data in certain circumstances.
- Right to data portability (Article 20) — You can request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — You can object to processing based on legitimate interests, including credential sharing detection.
- Right not to be subject to solely automated decision-making (Article 22) — No decisions affecting you are made by purely automated means.
- Right to withdraw consent — Where processing is based on your consent (such as analytics cookies), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to define post-mortem directives — Under French law (Loi Informatique et Libertes, Article 85), you have the right to define directives regarding the storage, deletion and communication of your personal data after your death.
How to Exercise Your Rights
Contact us at richard@geographyalltheway.com. We will respond within one month of receiving your request. If your request is particularly complex, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for it within the first month.
Right to Lodge a Complaint
If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the French supervisory authority:
CNIL (Commission Nationale de l'Informatique et des Libertes)
3 Place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07, FRANCE
Website: https://www.cnil.fr
Children's Data
- The minimum age for creating an individual GATW subscription account is 15 years, in line with French data protection law.
- Users under 15 must have the consent of a parent or guardian to create an account.
- For institutional (school) subscriptions, the subscribing school is responsible for obtaining any necessary parental or guardian consent for students under 15 who will access the service.
- GATW does not knowingly collect personal data from children under 13 without institutional oversight. If we become aware that data has been collected from a child under 13 without appropriate consent, we will take steps to delete that data promptly.
Information Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:
- Secure, managed hosting infrastructure (Cloudways, Amsterdam, EU)
- HTTPS encryption for all data transmitted between your browser and our servers
- Login credentials stored as securely hashed passwords
- Payment data handled exclusively by PCI-DSS compliant processors (Stripe and PayPal) — we never store your card details
- Web application firewall and regular security monitoring (Imunify360)
While we take all reasonable precautions, no method of data transmission or storage can be guaranteed 100% secure.
Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, as required by GDPR Article 34. We will also notify CNIL within 72 hours of becoming aware of any qualifying breach, in accordance with GDPR Article 33.
Third-Party Links
The GATW website contains links to external websites that are not operated by us. We are not responsible for the content or privacy practices of those external sites. We encourage you to read the privacy policy of any website you visit.
Changes to This Policy
We may update this Privacy and Cookie Policy from time to time to reflect changes in our practices, technology or legal requirements. Where changes are material, we will communicate them via a notice on the website. We encourage you to review this policy periodically.
Last updated: March 2026