Legal
Privacy policy
Last updated: 22 April 2026
1. Who we are
The Reading Room (thereadingroom.app) is operated by Shane Dunne, a sole trader based in Ireland. When this policy says —we,— —us,— or —our,— it means Shane Dunne trading as The Reading Room.
If you have any questions about how we handle your data, you can reach us at hello@thereadingroom.app.
2. What data we collect
We only collect what we need to give you good recommendations and keep the service running. Here is exactly what that means:
Account information
- Email address (to sign in and contact you)
- Display name (optional, shown on your profile)
- Password (stored as a salted hash — we never see or store your plaintext password)
Reading data
- Books you add to your shelves, ratings, and favourites
- Onboarding preferences: genres, mood sliders, content boundaries, format preferences
- Imported reading history (if you choose to import)
Usage data
- Interactions with recommendations and search (which books you view, shelf, or skip) — used to improve your recommendations, not for advertising
- Error and performance logs (via Sentry) to keep the service reliable
Payment data
- If you subscribe to Premium, Stripe processes your payment. We never see or store your full card number. We receive your Stripe customer ID, subscription status, and the last four digits of your card for display purposes only.
What we do not collect
- We do not track you across other websites
- We do not build advertising profiles
- We do not sell, rent, or trade your data to anyone
3. Why we process your data and on what legal basis
Under the General Data Protection Regulation (GDPR), we need a lawful basis for every type of processing. Here is how each one maps:
| Purpose | Legal basis |
|---|---|
| Providing the service (account, shelves, recommendations, search) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (welcome, password reset, receipts) | Performance of contract (Art. 6(1)(b)) |
| Improving recommendations using your reading behaviour | Legitimate interest (Art. 6(1)(f)) — providing a better service |
| Error monitoring and performance (Sentry) | Legitimate interest (Art. 6(1)(f)) — maintaining service reliability |
| Sending marketing emails or recommendation digests | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| Cookies beyond essential functionality | Consent (Art. 6(1)(a) + ePrivacy Directive) |
4. Who we share your data with
We do not sell your data. We share it only with the services we need to run The Reading Room:
- Anthropic (San Francisco, USA) — powers our recommendation explanations, natural-language search, and Reading DNA. When we send data to Anthropic’s API, we send only your reading preferences and shelf data — never your email, name, or payment information. Anthropic does not use your data to train its models.
- Stripe (USA) — processes Premium subscription payments. Stripe is a PCI DSS Level 1 certified payment processor. See Stripe’s privacy policy.
- SendGrid (USA, Twilio) — delivers transactional and marketing emails on our behalf.
- Sentry (USA) — receives error reports to help us fix bugs. These may include technical metadata but never include your reading data or personal details by design.
- Vercel (USA) — hosts our website.
- Railway (USA) — hosts our backend services and database.
5. International data transfers
Several of our service providers are based in the United States. We rely on the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives an adequate level of protection when transferred outside the EEA.
6. Cookies
We use a small number of cookies:
- Essential cookies — keep you signed in and remember your preferences. These are strictly necessary and do not require consent.
- Analytics cookies — if we add analytics in the future, we will ask for your explicit consent first via a cookie banner. We do not currently use any third-party analytics.
We do not use advertising cookies or tracking pixels. We never will.
7. How long we keep your data
- Account data and reading history — kept for as long as your account is active.
- After account deletion — all personal data is permanently removed within 30 days of your deletion request. Anonymised, aggregated statistics (e.g. total books rated across all users) may be retained, but these cannot be linked back to you.
- Payment records — Stripe retains transaction records as required by financial regulation. We retain subscription status and Stripe customer IDs for the duration of your account.
- Error logs — Sentry retains error data for 90 days.
8. Your rights
Under GDPR, you have the following rights. We will respond to any request within 30 days.
- Access — request a copy of all personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and all associated data. You can do this directly from your profile settings, or by emailing us.
- Data portability — export your reading data in a machine-readable format (JSON or CSV) at any time from your profile settings.
- Restriction — ask us to temporarily stop processing your data while we resolve a concern.
- Object — object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds.
- Withdraw consent — where we process data based on consent (e.g. marketing emails), you can withdraw at any time by clicking —unsubscribe— in any email or by updating your preferences in your profile.
To exercise any of these rights, email hello@thereadingroom.app. We may ask you to verify your identity before processing your request.
9. Automated decision-making
Our recommendation engine uses automated processing to suggest books based on your reading history and preferences. This processing does not produce legal effects or similarly significant effects on you — it simply helps you find books you might enjoy. You can always browse, search, and choose books independently of our recommendations.
10. Children and age requirements
The Reading Room is not intended for anyone under the age of 16, in accordance with the Irish Digital Age of Consent (Section 31 of the Data Protection Act 2018). We do not knowingly collect data from anyone under 16. If you believe a child under 16 has created an account, please contact us and we will delete it promptly.
11. How we protect your data
We take reasonable technical and organisational measures to protect your personal data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encrypted database storage at rest
- Salted and hashed passwords (bcrypt)
- Rate limiting on authentication and public endpoints
- Regular dependency auditing
No system is perfectly secure. If we ever become aware of a data breach affecting your personal data, we will notify you and the Data Protection Commission without undue delay, and in any event within 72 hours where feasible, as required by GDPR Article 33.
12. Complaints
If you are unhappy with how we handle your data, please contact us first at hello@thereadingroom.app and we will do our best to resolve it.
You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
- Website: www.dataprotection.ie
- Phone: +353 (0)1 765 0100 / 1800 437 737
- Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on the site before the changes take effect. The —last updated— date at the top of this page will always reflect the most recent revision.
–If you have any questions at all, we’re at hello@thereadingroom.app.