Privacy Policy
ColorPageLab — colorpagelab.com
Operated by: Miartmedia LTD
Contact: Contact page
Effective Date: February 28, 2026
Last Updated: March 17, 2026
1. Who We Are
ColorPageLab is operated by Miartmedia LTD, the data controller for personal data processed through this Service. For any privacy questions, contact us via our contact page.
2. What This Policy Covers
This Privacy Policy explains what data is collected when you use colorpagelab.com (the "Service"), why it is collected, who it is shared with, how long it is retained, and what rights you have. It reflects what the Service actually does at the Last Updated date above.
3. What We Collect and Why
3.1 Browsing the Site — Google Analytics 4
Every public page on the Service loads Google Analytics 4 (GA4) in production. GA4 automatically collects:
- Pages visited and navigation path
- Browser type and version
- Operating system and device type
- Country and region (derived from IP address, which is then discarded by Google before storage)
- Session duration and pages per session
- Referring URL (where you came from)
We have configured GA4 so that full IP addresses are not stored by Google. We use this data solely to understand how the Service is used so we can improve it.
We track the following custom GA4 events specifically:
| Event name | What triggers it |
|---|---|
| visit | Home page loaded |
| gallery_view | Gallery page viewed (includes category and search query if present) |
| product_view | A coloring page detail page viewed |
| category_view | A category landing page viewed |
| blog_view | A blog post page viewed |
| download_pdf | A PDF downloaded (includes paper size: A4 or US Letter) |
| download_image | A PNG downloaded |
| print | Direct browser print triggered |
| support_click | The support payment button clicked |
| pin_click | Pinterest "Pin It" clicked on a product page |
| collection_add | A coloring page added to a collection |
| collection_remove | A coloring page removed from a collection |
| collection_export_pdf | A collection exported as PDF |
| collection_export_png | A collection exported as PNG |
| collection_print | A collection printed |
| collection_share | A collection shared |
| contact_page_view | Contact page viewed |
| contact_submit_success | Contact form submitted successfully |
| contact_submit_error | Contact form submission failed |
None of these GA4 events include your name, email address, or any identifier that can be linked to you personally.
GA4 is not loaded on localhost, in admin routes, or in non-production environments.
3.2 Downloading a Coloring Page
When you download a PDF or PNG, an aggregate download count is incremented on the coloring page record in our database to show which pages are popular. This count is not linked to any individual visitor identity. No per-download event records are stored in our database.
3.3 Making a Voluntary Support Payment — Stripe
If you click "Support" and complete a payment, Stripe, Inc. handles all payment processing. We never see or store your card number, CVV, expiry date, or billing address.
What Miartmedia LTD receives from Stripe after a completed payment:
- The Stripe checkout session ID (a reference code)
- The payment amount
- A confirmation that payment succeeded
We store these items for financial record-keeping. We do not create a user profile from your payment or use it for marketing. Stripe may email you a receipt directly. We do not receive your email address from this transaction flow.
By making a payment you also agree to Stripe's Privacy Policy.
3.4 Social Sharing — Pinterest, Facebook, X, WhatsApp
The Service includes sharing buttons for Pinterest, Facebook, X (Twitter), and WhatsApp. These are outbound links that open the relevant platform in a new tab. We do not send any data to these platforms on your behalf merely from loading the page (except as described for Pinterest's script below).
Pinterest script: The Service loads Pinterest's pinit.js script on all public pages to enable the "Pin It" button. This script may set a Pinterest cookie or record your visit to the page if you are logged into Pinterest in the same browser. We do not control this behaviour. See Pinterest's Privacy Policy.
3.5 Affiliate Links — Amazon Associates
Some blog posts on the Service contain affiliate links to products on Amazon. ColorPageLab participates in the Amazon Associates Program, an affiliate advertising programme designed to provide a means for sites to earn fees by linking to Amazon.
When you click an affiliate link:
- You are redirected to the Amazon website (amazon.com or the relevant regional Amazon site)
- Amazon may set cookies on your device to track the referral
- If you make a purchase on Amazon within the applicable attribution window, we may receive a small commission at no additional cost to you
- We do not receive your name, email address, payment details, or any personal information from Amazon as a result of this referral
Amazon's collection and use of data when you visit their site is governed entirely by Amazon's Privacy Notice. We have no control over Amazon's data practices.
Affiliate links are clearly identified within blog content. Our participation in the Amazon Associates Program does not influence our editorial content or product recommendations — we only recommend products we consider genuinely useful to our audience.
3.6 Error Monitoring
The Service includes infrastructure for error monitoring. When errors occur, error details (including the error message, stack trace, and request context) may be captured and stored server-side or transmitted to a connected monitoring service (e.g., Sentry). Error data is used solely for diagnosing and fixing technical issues. We do not include payment card data, passwords, or sensitive PII in error logs.
3.7 Operational Telemetry and Security Logging
The Service logs inbound requests and service interactions for the purposes of security monitoring, abuse prevention, rate-limit enforcement, and operational performance. This may include IP addresses, request paths, HTTP status codes, and timing data. These logs are retained for a limited period (see Section 8) and are not used for marketing or user profiling.
3.8 What Is Stored in Our Database
Our database (hosted by Neon, Inc.) stores:
- Coloring page content: titles, slugs, category names, image URLs, download counts
- Admin account credentials: a single bcrypt-hashed password and admin email address — never in plaintext
- Stripe session IDs and payment amounts for financial records
- Product metadata and aggregate operational counters needed to run the Service
The database does not store visitor accounts, email addresses of visitors from normal browsing or downloading, or payment card data. If you voluntarily submit the contact form, the details you provide (such as your name, email address, subject, and message) are transmitted through our email provider to our inbox so we can respond, but they are not stored in the application database.
4. Data We Do Not Collect
To be explicit:
- We do not collect your name or email address through normal use of the Service (browsing or downloading). We only receive that information if you choose to send it to us through the contact form.
- We do not build identity-based user profiles or track named individuals across sessions.
- We do not sell, rent, or trade personal data to third parties.
- We do not currently run display advertising on the Service. If advertising is added in the future, this policy will be updated before it goes live.
- We do not share data with anyone except the service providers listed in Section 7, and only to the extent needed to operate the Service.
5. Cookies
Admin session cookies
An httpOnly, secure, SameSite=Strict session cookie is set only after a successful admin login. Regular visitors never receive this cookie.
Analytics cookies (Google Analytics 4)
GA4 sets the following cookies for public visitors in production:
| Cookie | Duration | Purpose |
|---|---|---|
| _ga | 2 years | Distinguishes unique visitors |
| _ga_<ID> | 2 years | Session state |
| _gid | 24 hours | Differentiates sessions |
The Pinterest pinit.js script may set its own cookies if you are logged into Pinterest. These are outside our control and governed by Pinterest's own privacy policy.
Amazon Associates
When you click an affiliate link and visit Amazon, Amazon may set cookies on your device to track the referral for commission attribution purposes. These cookies are set by Amazon, not by us, and are governed by Amazon's Privacy Notice and Cookie Policy.
Cookie consent (EU/UK visitors)
If you are visiting from the EU or UK, GA4 analytics cookies require consent under the ePrivacy Directive and UK PECR. We are implementing a compliant cookie consent mechanism. Until it is live, you can opt out at any time using the Google Analytics Opt-Out Browser Add-on.
6. How We Use Your Data
| Purpose | Data used | Legal basis (EU/UK) |
|---|---|---|
| Delivering the Service (gallery, download, print) | Page path, download events | Legitimate interests / contract performance |
| Understanding usage and improving the Service | GA4 analytics | Legitimate interests |
| Security monitoring and abuse prevention | IP addresses, request logs, rate-limit data | Legitimate interests |
| New vs. returning visitor reporting | GA4 visitor metrics and aggregated event reporting | Legitimate interests |
| Financial record-keeping | Stripe session ID, payment amount | Legal obligation |
| Technical error resolution | Error logs, request context | Legitimate interests |
| Affiliate programme operation | Outbound click referral to Amazon via affiliate link | Legitimate interests |
7. Third-Party Services and Processors
| Service | Role | Privacy Policy |
|---|---|---|
| Google Analytics 4 (Google LLC) | Usage analytics | policies.google.com/privacy |
| Stripe, Inc. | Voluntary support payment processing | stripe.com/privacy |
| ImageKit.io | Hosting and delivering coloring page images via CDN | imagekit.io/privacy-policy-new |
| OpenAI, LLC | AI image generation (admin-only; no visitor data is ever sent to OpenAI) | openai.com/privacy |
| Neon, Inc. | PostgreSQL database hosting (stores content, aggregate download counts, payment records) | neon.com/privacy-policy |
| DigitalOcean, LLC | Cloud application hosting (processes all inbound web requests) | digitalocean.com/legal/privacy-policy |
| Pinterest, Inc. | pinit.js script for share button | policy.pinterest.com |
| Amazon.com Services LLC | Affiliate programme (Amazon Associates); processes data when you click affiliate links and visit Amazon | amazon.com/privacy |
OpenAI is used exclusively as a backend admin tool to generate coloring page artwork. No visitor data is ever sent to OpenAI.
8. Data Retention
| Data | Retention |
|---|---|
| GA4 analytics events | 14 months (configured in our GA4 property) |
| Stripe payment session records | 7 years (UK financial record-keeping requirement) |
| Coloring page download counts (aggregate, no PII) | Indefinite |
| Admin session cookies | 30 days from login |
| Server and application error logs | 30 days |
| Security and request logs | 90 days |
9. International Data Transfers
Miartmedia LTD is based in the United Kingdom. Our service providers are based in the United States and process data on servers that may be located outside the UK and EEA.
Transfers of personal data from the UK or EEA to the United States are made on the basis of Standard Contractual Clauses (SCCs) incorporated into our agreements with Google LLC, Stripe Inc., Neon Inc., DigitalOcean LLC, Amazon.com Services LLC, and other US-based processors, or other appropriate safeguards as applicable.
10. Legal Bases (GDPR and UK GDPR)
For visitors in the European Economic Area and United Kingdom, the legal bases we rely on are:
| Processing activity | Legal basis |
|---|---|
| GA4 analytics | Legitimate interests — understanding Service usage; configured to avoid individual profiling |
| IP address retention for security/abuse prevention | Legitimate interests — protecting the Service and its users from abuse, DDoS, and fraudulent activity |
| Support payment records | Legal obligation (financial record-keeping) |
| Pinterest pinit.js loading | Legitimate interests — enabling share functionality |
| Error and operational logs | Legitimate interests — maintaining service reliability and security |
| Affiliate link referrals (Amazon Associates) | Legitimate interests — generating revenue to fund the free Service; no personal data is transferred to Amazon by us |
You have the right to object to processing based on legitimate interests. To do so, contact us via our contact page.
You have the right to lodge a complaint with your supervisory authority:
- UK: Information Commissioner's Office — ico.org.uk
- EU: Your national authority — edpb.europa.eu
We ask that you contact us first so we can try to resolve your concern directly.
11. Your Rights
Depending on where you are located, you may have the right to:
- Access personal data we hold about you
- Correct inaccurate personal data
- Delete personal data we hold about you ("right to erasure")
- Restrict processing of your personal data
- Object to processing based on legitimate interests
- Portability — receive a copy of your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent (e.g., GA4 analytics cookies)
Because the Service does not require accounts and collects primarily pseudonymous analytics data, there is limited personal data we can identify as belonging to any specific individual. Contact us via our contact page with the subject line "Privacy Request" and we will respond within 30 days.
To opt out of GA4 analytics specifically, use the Google Analytics Opt-Out Browser Add-on.
12. California Users (CCPA / CPRA)
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising.
The personal information we collect is limited to GA4 analytics data, operational security logs, and — if you make a voluntary payment — a Stripe session ID and payment amount.
California residents may submit requests to know, delete, or correct their personal information by using our contact page with the subject line "California Privacy Request". We will respond within 45 days. We will not discriminate against you for exercising your CCPA/CPRA rights.
13. Children
The Service provides content suitable for children but does not target children under 13 as a primary audience and does not knowingly collect personal data from children under 13. The Service does not require account creation.
If you believe a child under 13 has submitted personal data to us, contact us via our contact page and we will delete it promptly.
14. Security
Technical security measures currently in place include:
- HTTPS/TLS for all data in transit
- Rate limiting on the admin login endpoint and public API endpoints
- httpOnly, secure, SameSite=Strict session cookies for admin authentication
- bcrypt password hashing — no plaintext credentials stored
- Environment variable validation at application startup
- SSL-enforced database connections in production
- Request body size limits on all upload endpoints
- Security headers: X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, CSP
No security measure is perfect. If you discover a security vulnerability, please report it responsibly via our contact page.
15. Changes to This Policy
We will update the "Last Updated" date at the top of this page when material changes are made. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.
16. Contact
Miartmedia LTD
Contact: Contact page
Website: colorpagelab.com
ColorPageLab is a trading name of Miartmedia LTD.