Last updated / Última actualización: 19/05/2026
1. Identity of the Data Controller / Identidad del Responsable
Daniel Millán (operating from British Columbia, Canada and Mexico City, Mexico) (“we,” “us,” “our,” or “the Controller”), with contact email daniel@dbmillan.com, is the data controller responsible for the processing of personal data collected through dbmillan.com (the “Site”).
Daniel Millán, con domicilio de contacto en el correo daniel@dbmillan.com, es el responsable del tratamiento de los datos personales recabados a través del sitio dbmillan.com.
2. What Personal Data We Collect
Depending on how you use the Site, we may collect:
Collected automatically when you visit the Site:
- IP address and approximate geographic location (city/country level);
- Browser type, operating system, and device information;
- Pages visited, time of visit, and referring website;
- Cookies and similar technologies (see Section 8).
Collected only when you actively provide it:
- Newsletter: name (optional) and email address;
- Contact form: name, email address, and the contents of your message;
- Purchases (when available): name, shipping and billing address, email, phone number, and order details. Payment card information is processed directly by our third-party payment processor and is not stored on our servers.
We do not knowingly collect data from minors under 13 years of age (or the equivalent age of consent in your jurisdiction).
3. Purposes of Processing / Finalidades del Tratamiento
We process personal data for the following primary purposes (necessary for the relationship with you):
- To operate and maintain the Site;
- To respond to your inquiries submitted through the contact form;
- To send newsletter emails you have subscribed to;
- To process and fulfill orders for books, prints, or other products;
- To comply with legal, tax, and accounting obligations.
We may also process data for the following secondary purposes (not necessary, requiring separate consent under Mexican law):
- To analyze Site traffic and improve content;
- To send occasional marketing communications about new projects or products (separate from newsletter content).
If you do not wish your data to be used for secondary purposes, you may indicate this when subscribing or by emailing daniel@dbmillan.com. Refusing consent for secondary purposes will not affect the primary services we provide to you.
4. Legal Basis for Processing (GDPR / UK GDPR)
For users in the European Union and the United Kingdom, we rely on the following legal bases:
- Consent for newsletter subscriptions, marketing emails, and non-essential cookies (Article 6(1)(a) GDPR);
- Contract performance for processing purchases and contact-form responses (Article 6(1)(b));
- Legal obligation for tax and accounting records (Article 6(1)(c));
- Legitimate interests for basic Site security, fraud prevention, and aggregate analytics (Article 6(1)(f)).
5. Data Sharing and Transfers / Transferencias
We do not sell your personal data. We share data only with the following categories of third parties, and only as needed to provide the services:
- Hosting provider [insert name, e.g., SiteGround / Kinsta / etc.] — for storing the Site and its data;
- Email service provider [insert name when applicable, e.g., Mailchimp / Buttondown / etc.] — for sending newsletters;
- Payment processor [insert name when applicable, e.g., Stripe / PayPal / etc.] — for processing purchases;
- Analytics provider [insert name if used, e.g., Plausible / Google Analytics / etc.] — for Site traffic analysis;
- Government authorities when required by law.
International data transfers: some providers are located in the United States, Canada, or the European Union. Where required by law, we ensure appropriate safeguards (Standard Contractual Clauses for EU transfers; PIPEDA-compliant agreements for Canadian data; contractual safeguards for LFPDPPP compliance).
6. Data Retention / Conservación
We retain personal data only as long as needed for the purposes described above:
- Newsletter subscribers: until you unsubscribe;
- Contact form messages: up to 2 years after the last communication;
- Order records: as required by Mexican, Canadian, or U.S. tax law (typically 5–7 years);
- Server logs and analytics: up to 14 months.
After these periods, data is securely deleted or anonymized.
7. Your Rights / Sus Derechos
Under Mexican law (LFPDPPP) — Derechos ARCO
You have the right to:
- Acceso (Access) — know what data we hold about you;
- Rectificación (Rectification) — correct inaccurate data;
- Cancelación (Deletion) — request deletion of your data;
- Oposición (Objection) — object to certain processing.
You may also revoke your consent at any time and limit the use or disclosure of your data.
To exercise these rights, send a request to daniel@dbmillan.com including: your full name, contact information, a copy of an official ID (passport, INE, or equivalent) to verify identity, a clear description of the right you wish to exercise, and any document supporting your request. We will respond within 20 business days as required by Article 32 of the LFPDPPP.
If you believe your rights have not been respected, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) at inai.org.mx.
Under Canadian law (PIPEDA / Quebec Law 25)
You have the right to access, correct, and withdraw consent for the processing of your personal information. Requests can be sent to daniel@dbmillan.com. Complaints may be filed with the Office of the Privacy Commissioner of Canada (priv.gc.ca), or, if you are a Quebec resident, with the Commission d’accès à l’information du Québec (cai.gouv.qc.ca), or, as applicable, with the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).
Under EU/UK law (GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection. You also have the right to lodge a complaint with your national data protection authority.
Under U.S. law (CCPA/CPRA and similar)
California residents (and residents of other U.S. states with similar laws — Virginia, Colorado, Connecticut, Utah, etc.) have the right to know what personal information is collected, to delete it, to correct it, and to opt out of any sale or sharing. We do not sell personal data.
8. Cookies and Tracking Technologies
The Site uses cookies and similar technologies for:
- Strictly necessary functions (e.g., session management) — these cannot be disabled;
- Analytics (if enabled) — to understand how visitors use the Site;
- Functional preferences — such as remembering settings.
You can control cookies through your browser settings. Disabling cookies may affect Site functionality.
We do not currently use cookies for advertising or cross-site tracking.
9. Data Security
We implement reasonable technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction. No method of transmission over the internet is 100% secure, however, and we cannot guarantee absolute security.
In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.
10. Children’s Privacy
The Site is not directed to children under 13 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us so we can delete it.
11. Changes to This Policy / Cambios
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated through a notice on the Site or, where applicable, by email to subscribers.
Podemos actualizar este Aviso de Privacidad. Cualquier cambio será publicado en esta misma página y, cuando sea aplicable, comunicado por correo electrónico.
12. Contact / Contacto
For any questions about this Privacy Policy or to exercise your rights, contact:
daniel@dbmillan.com