Privacy Policy
This policy explains what personal information The Bourbon Road LLC ("we", "us", "The Bourbon Road") collects about you when you use thebourbonroad.com, what we do with it, who we share it with, and the rights you have over it. We try to collect as little as we can and explain it in plain English.
Who we are
The Bourbon Road is a podcast and related website produced by The Bourbon Road LLC, a Kentucky limited liability company. The "data controller" for the information described in this policy is The Bourbon Road LLC. You can reach us at privacy@thebourbonroad.com for any privacy question or request.
What we collect
If you only browse the site
We don't require an account to listen to episodes, read tasting notes, or read the blog. When you visit, our content delivery network (Amazon CloudFront) and web logs temporarily record your IP address, browser user-agent, and the pages you requested. These logs are kept for a short period for security and abuse-prevention purposes and are not linked to an identity.
If you create an account
- Email address — so we can identify you at login and send you account-related messages (confirmation codes, password reset codes).
- Password — stored only in hashed form in Amazon Cognito. We cannot see or retrieve your password.
- Display name — the name shown next to comments and on your member card.
- Facebook display name (optional) — only if you choose to provide it, used to match your account to our Facebook group member list so we can set your "member since" date correctly.
- Login session records — we store short-lived session tokens in your browser's local storage so you don't have to log in on every page.
If you become a paid supporter
- Stripe customer ID — a reference to the payment record Stripe holds on your behalf. We do not see, store, or process your payment card details — those live only with Stripe.
- Subscription tier and status — so we can show the right perks on the site.
- Shipping address and shirt size — only for supporters at the $10+ tiers who are eligible for a branded t-shirt. Collected through Stripe's checkout and forwarded to our print-on-demand fulfillment partner.
Why we collect it (legal bases)
Under GDPR and similar laws, we collect your information on one of these legal bases:
- Contract. To give you the account and membership you signed up for.
- Legitimate interest. To keep the service working, prevent abuse, and protect the site (e.g. web logs, rate limiting, bot prevention).
- Legal obligation. To keep transaction records required by tax and financial regulations (via Stripe).
- Consent. For anything optional — for example, if you provide your Facebook name to match your account to our group's member list.
Who we share it with
We share your data only with the service providers we need to operate the site. Each of these is a data processor under our instructions:
- Amazon Web Services — hosting, database, authentication (Cognito), email delivery. All data stored in US regions.
- Cloudflare — signup bot prevention (Turnstile). Cloudflare receives your IP address and browser fingerprint at the moment of the challenge.
- Stripe — payment processing for paid supporter subscriptions. Stripe is the sole handler of payment card data.
- Print-on-demand partner (Printful or Printify) — shipping your t-shirt if you're eligible. Receives your name, shipping address, and shirt size.
We do not sell your data, rent it, or use it for cross-site advertising. We do not share your email with marketing networks.
How long we keep it
- Account data is kept as long as your account is open.
- If you delete your account, we remove your personal data from our systems within 30 days, except where we're required to keep it longer — specifically, Stripe retains transaction records for seven (7) years to meet US tax and financial regulations, and our print-on-demand partner retains shipping records under their own policy. These retained records are not used for marketing.
- Web logs are rotated and deleted on a short cycle (typically under 30 days).
- Backups may contain residual personal data for up to 30 additional days after a deletion request; backup data is never restored for normal operations.
Your rights
Regardless of where you live, you have the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Correction — update inaccurate or incomplete data.
- Deletion ("right to be forgotten") — request that we delete your account and personal data. We'll act within 30 days.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to pause processing in specific circumstances.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for anything you provided optionally (e.g. your Facebook name).
- Complain — if you're in the EU/UK, to your local data protection authority.
To exercise any of these rights, email privacy@thebourbonroad.com from the address associated with your account. We may ask you to confirm your identity.
Cookies and local storage
We use a small number of first-party cookies and browser local storage items for essential site functions only — keeping you logged in, remembering your search/filter preferences, and preventing bots at signup. We do not use third-party tracking cookies, advertising pixels, or cross-site analytics tools.
International transfers
Our systems are hosted in the United States. If you access the site from outside the US, your data will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses with our processors (AWS, Cloudflare, Stripe) for transfers from the EEA and UK.
Children
The Bourbon Road is a site about whiskey and is not directed to anyone under the age of 21. We do not knowingly collect personal data from anyone under 21. If you believe a minor has created an account, please contact us and we will delete it.
Security
We use HTTPS everywhere, store passwords only in hashed form, keep production credentials in AWS Secrets Manager, and restrict access to personal data to the small number of people who need it to operate the site. No system is perfectly secure, but we take reasonable measures to protect your information.
Changes to this policy
When we change this policy, we update the date at the top and, for material changes, we'll notify account holders by email at least 14 days before the change takes effect.
Contact
The Bourbon Road LLC
privacy@thebourbonroad.com