Privacy Policy
ColorPageLab — colorpagelab.com
Operated by: Miartmedia LTD
Contact: [email protected]
Effective Date: February 28, 2026
Last Updated: March 6, 2026
1. Who We Are
ColorPageLab is operated by Miartmedia LTD, the data controller for personal data processed through this Service. For any privacy questions, contact us at [email protected].
2. What This Policy Covers
This Privacy Policy explains what data is collected when you use colorpagelab.com (the "Service"), why it is collected, who it is shared with, how long it is retained, and what rights you have. It reflects what the Service actually does at the Last Updated date above.
3. What We Collect and Why
3.1 Browsing the Site — Google Analytics 4
Every public page on the Service loads Google Analytics 4 (GA4) in production. GA4 automatically collects:
- Pages visited and navigation path
- Browser type and version
- Operating system and device type
- Country and region (derived from IP address, which is then discarded by Google before storage)
- Session duration and pages per session
- Referring URL (where you came from)
We have configured GA4 so that full IP addresses are not stored by Google. We use this data solely to understand how the Service is used so we can improve it.
We track the following custom GA4 events specifically:
| Event name | What triggers it |
|---|---|
| visit | Home page loaded |
| gallery_view | Gallery page viewed |
| product_view | A coloring page detail page viewed |
| category_view | A category landing page viewed |
| blog_view | A blog post page viewed |
| download_pdf | A PDF downloaded (includes paper size: A4 or US Letter) |
| download_image | A PNG downloaded |
| print | Direct browser print triggered |
| support_click | The support payment button clicked |
| pin_click | Pinterest "Pin It" clicked on a product page |
None of these GA4 events include your name, email address, or any identifier that can be linked to you personally.
GA4 is not loaded on localhost, in admin routes, or in non-production environments.
3.2 First-Party Analytics — Server-Side Event Collection
In addition to GA4, the Service collects its own server-side analytics events and stores them in our database. This first-party telemetry is used to power the admin reporting dashboard and to understand which content is most used.
What is stored per event:
| Field | Description |
|---|---|
| event_id | A randomly generated identifier for the event record |
| event_name | The type of event (see table above) |
| session_id | A randomly generated identifier assigned to your browser session |
| page_path | The URL path of the page where the event occurred |
| referrer | The URL you arrived from, if available |
| ip_address | Your IP address at the time of the event |
| user_agent | Your browser and device string |
| metadata | Additional event context (e.g., format downloaded, paper size) |
| occurred_at | The timestamp of the event |
How session IDs are used: Session IDs allow us to distinguish new visitors from returning visitors within the admin reporting dashboard (e.g., "total sessions this week", "new vs. returning sessions"). This is pseudonymous analytics — we do not attempt to link session IDs to real-world identities, names, or email addresses, and we do not build individual user profiles.
IP address use: IP addresses are stored for the purposes of security monitoring, abuse prevention, and rate limiting. We do not use IP addresses to build visitor profiles or for marketing purposes. IP address fields are nulled after 90 days (see Section 8).
This first-party analytics data is processed and stored on infrastructure operated by Neon, Inc. (database) and DigitalOcean, LLC (application hosting). See Sections 7 and 9 for details on processors and international data transfers.
3.3 Downloading a Coloring Page
When you download a PDF or PNG, the system records:
- Which coloring page was downloaded (its internal ID and slug)
- The format (PDF or PNG) and paper size selected (A4 or US Letter)
- A timestamp
An aggregate download count is incremented on the coloring page record in our database to show which pages are popular. This aggregate count is not linked to any individual visitor identity.
A corresponding first-party analytics event is also recorded as described in Section 3.2.
3.4 Making a Voluntary Support Payment — Stripe
If you click "Support" and complete a payment, Stripe, Inc. handles all payment processing. We never see or store your card number, CVV, expiry date, or billing address.
What Miartmedia LTD receives from Stripe after a completed payment:
- The Stripe checkout session ID (a reference code)
- The payment amount
- A confirmation that payment succeeded
We store these items for financial record-keeping. We do not create a user profile from your payment or use it for marketing. Stripe may email you a receipt directly. We do not receive your email address from this transaction flow.
By making a payment you also agree to Stripe's Privacy Policy.
3.5 Social Sharing — Pinterest, Facebook, X, WhatsApp
The Service includes sharing buttons for Pinterest, Facebook, X (Twitter), and WhatsApp. These are outbound links that open the relevant platform in a new tab. We do not send any data to these platforms on your behalf merely from loading the page (except as described for Pinterest's script below).
Pinterest script: The Service loads Pinterest's pinit.js script on all public pages to enable the "Pin It" button. This script may set a Pinterest cookie or record your visit to the page if you are logged into Pinterest in the same browser. We do not control this behaviour. See Pinterest's Privacy Policy.
3.6 Affiliate Links — Amazon Associates
Some blog posts on the Service contain affiliate links to products on Amazon. ColorPageLab participates in the Amazon Associates Program, an affiliate advertising programme designed to provide a means for sites to earn fees by linking to Amazon.
When you click an affiliate link:
- You are redirected to the Amazon website (amazon.com or the relevant regional Amazon site)
- Amazon may set cookies on your device to track the referral
- If you make a purchase on Amazon within the applicable attribution window, we may receive a small commission at no additional cost to you
- We do not receive your name, email address, payment details, or any personal information from Amazon as a result of this referral
Amazon's collection and use of data when you visit their site is governed entirely by Amazon's Privacy Notice. We have no control over Amazon's data practices.
Affiliate links are clearly identified within blog content. Our participation in the Amazon Associates Program does not influence our editorial content or product recommendations — we only recommend products we consider genuinely useful to our audience.
3.7 Error Monitoring
The Service includes infrastructure for error monitoring. When errors occur, error details (including the error message, stack trace, and request context) may be captured and stored server-side or transmitted to a connected monitoring service (e.g., Sentry). Error data is used solely for diagnosing and fixing technical issues. We do not include payment card data, passwords, or sensitive PII in error logs.
3.8 Operational Telemetry and Security Logging
The Service logs inbound requests and service interactions for the purposes of security monitoring, abuse prevention, rate-limit enforcement, and operational performance. This may include IP addresses, request paths, HTTP status codes, and timing data. These logs are retained for a limited period (see Section 8) and are not used for marketing or user profiling.
3.9 What Is Stored in Our Database
Our database (hosted by Neon, Inc.) stores:
- Coloring page content: titles, slugs, category names, image URLs, download counts
- Admin account credentials: a single bcrypt-hashed password and admin email address — never in plaintext
- Stripe session IDs and payment amounts for financial records
- First-party analytics events as described in Section 3.2
The database does not store visitor accounts, email addresses of visitors (unless voluntarily provided via a future email signup feature, which will be separately disclosed), or payment card data.
4. Data We Do Not Collect
To be explicit:
- We do not collect your name or email address through normal use of the Service (browsing or downloading).
- We do not build identity-based user profiles or track named individuals across sessions.
- We do not sell, rent, or trade personal data to third parties.
- We do not currently run display advertising on the Service. If advertising is added in the future, this policy will be updated before it goes live.
- We do not share data with anyone except the service providers listed in Section 7, and only to the extent needed to operate the Service.
5. Cookies
Admin session cookies
An httpOnly, secure, SameSite=Strict session cookie is set only after a successful admin login. Regular visitors never receive this cookie.
Analytics cookies (Google Analytics 4)
GA4 sets the following cookies for public visitors in production:
| Cookie | Duration | Purpose |
|---|---|---|
| _ga | 2 years | Distinguishes unique visitors |
| _ga_<ID> | 2 years | Session state |
| _gid | 24 hours | Differentiates sessions |
First-party analytics
The Service's server-side first-party analytics do not set or rely on browser cookies. Session identification is handled server-side and is not exposed to third parties via cookies.
The Pinterest pinit.js script may set its own cookies if you are logged into Pinterest. These are outside our control and governed by Pinterest's own privacy policy.
Amazon Associates
When you click an affiliate link and visit Amazon, Amazon may set cookies on your device to track the referral for commission attribution purposes. These cookies are set by Amazon, not by us, and are governed by Amazon's Privacy Notice and Cookie Policy.
Cookie consent (EU/UK visitors)
If you are visiting from the EU or UK, GA4 analytics cookies require consent under the ePrivacy Directive and UK PECR. We are implementing a compliant cookie consent mechanism. Until it is live, you can opt out at any time using the Google Analytics Opt-Out Browser Add-on. Server-side first-party analytics are collected on the basis of legitimate interests (see Section 10) and do not rely on cookie consent.
6. How We Use Your Data
| Purpose | Data used | Legal basis (EU/UK) |
|---|---|---|
| Delivering the Service (gallery, download, print) | Page path, session data, download events | Legitimate interests / contract performance |
| Understanding usage and improving the Service | GA4 analytics, first-party analytics events | Legitimate interests |
| Security monitoring and abuse prevention | IP addresses, request logs, rate-limit data | Legitimate interests |
| New vs. returning visitor reporting | Session IDs and first-seen timestamps (pseudonymous) | Legitimate interests |
| Financial record-keeping | Stripe session ID, payment amount | Legal obligation |
| Technical error resolution | Error logs, request context | Legitimate interests |
| Affiliate programme operation | Outbound click referral to Amazon via affiliate link | Legitimate interests |
7. Third-Party Services and Processors
| Service | Role | Privacy Policy |
|---|---|---|
| Google Analytics 4 (Google LLC) | Usage analytics | policies.google.com/privacy |
| Stripe, Inc. | Voluntary support payment processing | stripe.com/privacy |
| ImageKit.io | Hosting and delivering coloring page images via CDN | imagekit.io/docs/legal |
| OpenAI, LLC | AI image generation (admin-only; no visitor data is ever sent to OpenAI) | openai.com/privacy |
| Neon, Inc. | PostgreSQL database hosting (stores first-party analytics events, download records, payment records) | neon.tech/privacy |
| DigitalOcean, LLC | Cloud application hosting (processes all inbound web requests) | digitalocean.com/legal/privacy-policy |
| Pinterest, Inc. | pinit.js script for share button | policy.pinterest.com |
| Amazon.com Services LLC | Affiliate programme (Amazon Associates); processes data when you click affiliate links and visit Amazon | amazon.com/privacy |
OpenAI is used exclusively as a backend admin tool to generate coloring page artwork. No visitor data is ever sent to OpenAI.
8. Data Retention
| Data | Retention |
|---|---|
| GA4 analytics events | 14 months (configured in our GA4 property) |
| First-party analytics events (analytics_events table) | 24 months from the date of collection, after which records are permanently deleted |
| IP addresses in analytics events | 90 days, after which the ip_address field is overwritten with null |
| Stripe payment session records | 7 years (UK financial record-keeping requirement) |
| Coloring page download counts (aggregate, no PII) | Indefinite |
| Admin session cookies | 30 days from login |
| Server and application error logs | 30 days |
| Security and request logs | 90 days |
9. International Data Transfers
Miartmedia LTD is based in the United Kingdom. Our service providers are based in the United States and process data on servers that may be located outside the UK and EEA.
Transfers of personal data from the UK or EEA to the United States are made on the basis of Standard Contractual Clauses (SCCs) incorporated into our agreements with Google LLC, Stripe Inc., Neon Inc., DigitalOcean LLC, Amazon.com Services LLC, and other US-based processors, or other appropriate safeguards as applicable.
First-party analytics event data (including IP addresses and session data) is stored and processed by Neon, Inc. and DigitalOcean, LLC, both US-based. By using the Service, you acknowledge that your data may be transferred to and processed in the United States subject to these safeguards.
10. Legal Bases (GDPR and UK GDPR)
For visitors in the European Economic Area and United Kingdom, the legal bases we rely on are:
| Processing activity | Legal basis |
|---|---|
| GA4 analytics | Legitimate interests — understanding Service usage; configured to avoid individual profiling |
| First-party analytics events (page views, downloads, session tracking) | Legitimate interests — service improvement, content optimisation, new/returning visitor reporting; data is pseudonymous and not used for identity-based profiling |
| IP address retention for security/abuse prevention | Legitimate interests — protecting the Service and its users from abuse, DDoS, and fraudulent activity |
| Support payment records | Legal obligation (financial record-keeping) |
| Pinterest pinit.js loading | Legitimate interests — enabling share functionality |
| Error and operational logs | Legitimate interests — maintaining service reliability and security |
| Affiliate link referrals (Amazon Associates) | Legitimate interests — generating revenue to fund the free Service; no personal data is transferred to Amazon by us |
You have the right to object to processing based on legitimate interests. To do so, contact us at [email protected].
You have the right to lodge a complaint with your supervisory authority:
- UK: Information Commissioner's Office — ico.org.uk
- EU: Your national authority — edpb.europa.eu
We ask that you contact us first so we can try to resolve your concern directly.
11. Your Rights
Depending on where you are located, you may have the right to:
- Access personal data we hold about you
- Correct inaccurate personal data
- Delete personal data we hold about you ("right to erasure")
- Restrict processing of your personal data
- Object to processing based on legitimate interests
- Portability — receive a copy of your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent (e.g., GA4 analytics cookies)
Because the Service does not require accounts and collects primarily pseudonymous analytics data, there is limited personal data we can identify as belonging to any specific individual. Contact us at [email protected] (subject: "Privacy Request") and we will respond within 30 days.
To opt out of GA4 analytics specifically, use the Google Analytics Opt-Out Browser Add-on.
12. California Users (CCPA / CPRA)
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising.
The personal information we collect is limited to pseudonymous analytics data (session IDs, IP addresses, page paths, event data) used for service improvement and security, and — if you make a voluntary payment — a Stripe session ID and payment amount.
California residents may submit requests to know, delete, or correct their personal information by contacting [email protected] (subject: "California Privacy Request"). We will respond within 45 days. We will not discriminate against you for exercising your CCPA/CPRA rights.
13. Children
The Service provides content suitable for children but does not target children under 13 as a primary audience and does not knowingly collect personal data from children under 13. The Service does not require account creation.
If you believe a child under 13 has submitted personal data to us, contact [email protected] and we will delete it promptly.
14. Security
Technical security measures currently in place include:
- HTTPS/TLS for all data in transit
- Rate limiting on the admin login endpoint and public API endpoints
- httpOnly, secure, SameSite=Strict session cookies for admin authentication
- bcrypt password hashing — no plaintext credentials stored
- Environment variable validation at application startup
- SSL-enforced database connections in production
- Request body size limits on all upload endpoints
- Security headers: X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, CSP
No security measure is perfect. If you discover a security vulnerability, please report it responsibly to [email protected].
15. Changes to This Policy
We will update the "Last Updated" date at the top of this page when material changes are made. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.
16. Contact
Miartmedia LTD
Email: [email protected]
Website: colorpagelab.com
ColorPageLab is a trading name of Miartmedia LTD.
