The Tea List

Privacy Policy

Last updated · May 2026

The Tea List ("we", "us", "our") is a small, independent editorial blog. This Privacy Policy explains what information we collect when you use thetealist.com and our APIs, why we collect it, how we use it, and the choices you have. We've tried to write it the way we'd want one written to us — plainly and without tricks.

1. Who runs the site

The Tea List is operated by Sameera, a small family in Melbourne, Australia. You can reach us any time at sameera@thetealist.com.

2. What we collect

We collect only the information needed to run the site:

  • Newsletter signups. If you subscribe to our dispatch, we store your email address. Nothing else.
  • Comments. If you leave a comment on a post, we store the name, email and comment text you submit. Your name and comment are public; your email is not displayed.
  • Admin login. The site's editor logs in with an email and password. Passwords are stored only as bcrypt hashes; we never see or store your plaintext password.
  • Affiliate-link click tracking. When you click an affiliate or sponsored link, we record the destination URL, the post you clicked from, the referrer header, your browser's user-agent, and a one-way salted hash of your IP address (we never store the IP itself). This lets us see which articles drive interest, without identifying you personally.
  • Server logs. Like every web server, ours records standard request information (path, status, timestamp, IP) for short-term debugging and abuse prevention.

We use Google Analytics 4 — and only if you click "Accept" on our cookie banner. It helps us see which posts resonate (pageviews, referrers, broad location) without identifying individual readers. IP addresses are anonymised and no advertising cookies are set. If you click "Reject", no analytics scripts load and nothing is sent to Google. Opt out any time by clearing your site data in the browser, or by enabling "Do Not Track".

3. Cookies

We set a single cookie of our own, access_token, for the site editor's login session. It is HttpOnly, Secure, and SameSite=Lax. If you accept analytics on the cookie banner, Google Analytics 4 will also set its own first-party cookies (typically _ga and _ga_*) to measure aggregate site usage. We set no advertising, remarketing or cross-site tracking cookies.

4. How we use your information

  • To send you the newsletter you asked for.
  • To display the comment you submitted.
  • To authenticate the editor and run the back office.
  • To understand which posts and links resonate with readers, in aggregate.
  • To detect and prevent abuse (e.g., brute-force login attempts).

5. We don't sell your data

We do not sell, rent, or trade your personal information to anyone, ever. If that ever changes, we will update this policy and give you advance notice through the newsletter.

6. Service providers

To run the site we rely on a small number of standard infrastructure providers (cloud hosting, database, email delivery, image generation). They process information on our instructions and only as needed to provide the service. We do not give them permission to use your information for their own purposes.

7. International users and the GDPR / Australian Privacy Act

We're based in Australia and our practices are aligned with the Australian Privacy Principles. If you are in the UK, EU, or EEA, you also have rights under the GDPR — including the right to access, correct, or delete the personal information we hold about you, and to object to or restrict its processing. To exercise any of these rights, email sameera@thetealist.com and we will respond within 30 days.

8. Retention

We keep newsletter emails until you unsubscribe (a one-click link is in every email). Comments stay published unless you ask us to remove them. Affiliate-click records are kept for up to 24 months, then anonymised or deleted. Server logs are kept for 30 days.

9. Children

The Tea List is not directed at children under 16 and we do not knowingly collect information from them. If you believe we have, email us and we will delete it.

10. Security

Connections to the site are encrypted with TLS. Login cookies are HttpOnly and Secure. Passwords are bcrypt-hashed. We employ defence-in-depth measures including security response headers and brute-force protection. No system is perfectly secure, but we take reasonable precautions and treat the small amount of data we hold with care.

11. External links

Articles on this site link to third-party websites — tea estates, retailers, research papers, news pieces. Their privacy practices are their own, not ours. We encourage you to read their policies before sharing personal information with them.

12. Changes to this policy

If we change this policy in any meaningful way, we will update the "Last updated" date above and announce the change in the newsletter. Material changes affecting how we use existing personal information will not be applied retroactively without your consent.

13. Contact

Questions, concerns, removal requests, or just a hello — sameera@thetealist.com.
