Privacy Policy
The L663 · l663.guide
Operated by YNOT Creative LLC · Washington State, USA
Contact: hello@l663.guide
Effective date: March 23, 2026
Last updated: March 23, 2026
Version: 1.0
1. Who We Are
The L663 ("we," "us," "our") is an independent editorial platform for Land Rover Defender L663 owners and prospective buyers. We are operated by YNOT Creative LLC, a Washington State limited liability company. We are not affiliated with, endorsed by, or connected to Land Rover, Jaguar Land Rover Limited, or any of its subsidiaries or dealers.
If you have questions about this Privacy Policy or your personal data, contact us at hello@l663.guide.
Mailing address:
720 Seneca St Ste 107, #908, Seattle, WA 98101
2. What Data We Collect
2.1 Data You Provide Directly
When you subscribe to our newsletter or create an account, we collect:
- Email address (required)
- Content interest selections — which topics you are interested in (reliability and known issues, modification guides, Pivi Pro updates, buying guidance)
- GDPR consent confirmation — whether you have explicitly consented to receive marketing communications, along with the timestamp, IP address, and privacy policy version at the time of consent
2.2 Poll Response Data (Members Only)
If you are a paid member and participate in polls on content pages (e.g., reporting your experience with a known issue or voting on a Pivi update), we collect:
- Poll response value — your selected option (e.g., "experiencing this now," "fixed now")
- Content reference — which content entry the response relates to
- User ID — your authenticated account identifier, used to enforce one response per member per poll
Poll responses are used to aggregate community feedback and inform editorial decisions (e.g., gauging severity of a known issue based on how many owners report experiencing it). Individual responses are not published — only aggregate counts are displayed.
GDPR erasure and poll data: If you request erasure of your personal data, your user ID will be nullified on all poll responses. The response values themselves are retained as anonymous aggregate data, as they no longer identify you once the user ID is removed. This ensures community signal is preserved while your personal data is deleted.
2.2a Data Collected Automatically
When you visit l663.guide, the following data is collected automatically:
- Traffic analytics — page views, referral source, browser type, device type, and country. This data is collected by Plausible Analytics, which is cookieless and does not track individual visitors. No personal data is collected or stored by our analytics provider. Plausible is hosted in the EU and is fully GDPR compliant without requiring consent.
- UTM source parameter — if you arrive via a campaign link, the source parameter (e.g., "google_ads," "organic") is stored alongside your subscriber record to help us understand how readers find us.
- IP address — processed temporarily by Cloudflare as part of standard web infrastructure (CDN, security, DDoS protection). We do not log or store IP addresses for analytics purposes. Your IP address is recorded at the time of consent as part of our GDPR audit trail.
- Error data — if a technical error occurs, Sentry may capture technical context (browser, URL, error stack trace) to help us diagnose and fix issues. This data may include general session context but is used solely for error resolution.
2.2b Payment Data
When you purchase a membership, payment is processed entirely by Stripe (stripe.com/privacy). We do not collect, store, or have access to your full card number, CVV, or complete billing address.
We do store:
- Stripe Customer ID — a reference identifier linking your account to your Stripe payment record
- Membership tier — whether your account is free or member
- Member since date — the date your membership was activated
- Subscription status — active, cancelled, or expired (synced via Stripe webhooks)
All payment processing, card storage, and PCI compliance is handled by Stripe. Your billing address is collected on Stripe's hosted checkout page and is stored by Stripe, not by us.
2.2c Build Submission Data
When you submit your build for a feature on the platform, we collect:
- Vehicle details — variant (90, 110, 130), model year, powertrain
- Modification list — part name, brand, and cost for each modification
- Editorial responses — favorite modification, what you would do differently
- Total spend range — a predefined range (e.g., "Under $5,000," "$5,000–$10,000")
- Photographs (3–5 images) — GPS coordinates, device information, and timestamps are automatically removed from photographs (EXIF stripping) before storage to protect your privacy
- Permission confirmation — your explicit grant of permission to publish (see Terms of Service §9.3)
Submitted photographs are stored in our database provider's secure storage (Supabase Storage). Build submissions may be published on the platform with editorial framing per the license granted in the Terms of Service.
2.3 Data We Do Not Collect
- We do not collect or store your full card number, CVV, or complete billing address. Payment processing is handled entirely by Stripe.
- We do not collect data from minors. You must be at least 16 years old to use this platform. See Section 9.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Delivering our newsletter — sending you the weekly editorial newsletter and any transactional emails (signup confirmation, welcome email)
- Personalising content — using your interest selections to improve the relevance of content we produce and to personalise newsletter content delivery
- Processing payments — managing your membership subscription, processing payments via Stripe, and maintaining your membership status
- Understanding our audience — using anonymised, aggregate analytics to understand how readers find and use l663.guide, which content resonates, and how to improve the platform
- Maintaining platform integrity — using Cloudflare Turnstile to protect our signup form from automated abuse, and Sentry to detect and resolve technical errors
- Affiliate attribution — tracking which content drives affiliate link clicks (using cookieless Plausible custom events, not personal data) to inform editorial decisions
- Google Ads conversion tracking — if you arrived via a Google advertisement and have granted marketing consent, a conversion event is recorded to help us evaluate the effectiveness of paid campaigns. This tag fires only after you have granted consent. For visitors in the EU, the default is deny — no tracking occurs without explicit opt-in.
4. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where GDPR applies, we process your data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Marketing email (newsletter) | Consent — you actively opt in at signup |
| Transactional email (confirmation, welcome) | Contractual necessity — required to fulfill the service you requested |
| Analytics (Plausible) | Legitimate interest — cookieless, no personal data processed |
| Error monitoring (Sentry) | Legitimate interest — maintaining platform stability |
| Payment processing (Stripe) | Contractual necessity — required to fulfill your membership purchase |
| Fraud prevention (Cloudflare Turnstile) | Legitimate interest — preventing automated abuse |
| Google Ads conversion tracking | Consent — tag fires only after explicit marketing consent |
You may withdraw your consent at any time by unsubscribing from our newsletter (link in every email) or contacting us at hello@l663.guide. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
5. Data Processors and Third Parties
We share your data with the following third-party processors, solely for the purposes described above. We do not sell, rent, or trade your personal data to anyone.
| Processor | Function | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Email, interest selections, consent data, UTM source, membership tier, build submission data, photographs (Supabase Storage) | supabase.com/privacy |
| Stripe | Payment processing | Email, billing address (on Stripe's hosted checkout), Stripe Customer ID, subscription status | stripe.com/privacy |
| Loops | Email delivery — newsletter and transactional | Email, interest selections, membership tier | loops.so/privacy |
| Cloudflare | Infrastructure — CDN, Workers, Turnstile (CAPTCHA), KV caching | IP address (processed, not stored by us), request metadata | cloudflare.com/privacypolicy |
| Plausible Analytics | Traffic analytics — cookieless, EU-hosted | No personal data — aggregate pageview and referral data only | plausible.io/privacy |
| Sentry | Error monitoring | Technical error context (browser, URL, stack trace) | sentry.io/privacy |
| Sanity | Content management system | User reference ID for attributed build features (no email or PII) | sanity.io/legal/privacy |
| ProtonMail | Inbound email correspondence | Email address and message content (when you email us) | proton.me/legal/privacy |
| Ads and conversion tracking | Conversion event (only after consent granted) | policies.google.com/privacy |
We require all processors to handle your data in accordance with applicable data protection laws. Where required, we execute Data Processing Agreements (DPAs) with our processors.
6. Cookies and Tracking Technologies
The L663 is designed to minimise the use of cookies and tracking technologies.
- Plausible Analytics — cookieless. No cookies are set. No personal data is collected.
- Cloudflare Turnstile — may set a cookie classified as "strictly necessary" for fraud prevention on the signup form. This does not require consent under GDPR.
- Google Ads — sets cookies only if you have granted marketing consent. For EU visitors, the default is deny (Google Consent Mode v2). No cookies are set without your explicit opt-in.
- Affiliate links — when you click an affiliate link that takes you to a third-party retailer, that retailer may set their own cookies subject to their own privacy policies. We do not control those cookies.
For full details, see our Cookie Policy.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active subscriber records | Retained while you remain subscribed |
| User account data | Retained while your account is active |
| Unsubscribed records | Soft deleted immediately upon unsubscribe. PII nullified upon erasure request. Non-PII fields (created date, interest selections, source) retained as anonymised aggregate data. Hard deleted after 12 months. |
| Membership and payment records | Stripe Customer ID and subscription status retained while account active. Stripe maintains its own transaction records per its retention policy. |
| Build submission records | Retained per the content license granted in Terms of Service §9.3. Deleted upon erasure request. |
| Build submission photographs | Retained in Supabase Storage while submission exists. Deleted upon erasure request. |
| Poll responses | Retained indefinitely as anonymous aggregate data. User ID nullified upon erasure request; response values preserved. |
| Database backups (Supabase) | 90-day rolling cycle — overwritten on next export |
| Erasure request log | Retained indefinitely as GDPR compliance evidence |
| Loops contact data | Deleted within 30 days of actioning an unsubscribe or erasure request |
| Google Ads data | Per Google's own data retention policies |
8. Your Rights
8.1 Rights Under GDPR (EEA and UK Residents)
If you are located in the EEA or UK, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure ("right to be forgotten") — request deletion of your personal data
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time without affecting prior processing
Erasure procedure: Upon receiving an erasure request, we will nullify your email address and all personally identifiable fields in our database within 30 days. Your contact record in Loops will be deleted. Poll response user IDs will be nullified (response values retained as anonymous aggregate data). Build submission records will be deleted, including photographs in storage. Non-PII fields (created date, interest selections, source attribution) will be retained as anonymised aggregate data. Database backup exports may retain data until the next overwrite cycle (up to 90 days). An erasure request log entry will be maintained as compliance evidence.
Data portability: Upon request, we will provide your personal data in CSV or JSON format within 30 days.
To exercise any of these rights, contact us at hello@l663.guide. We will respond within 30 days. For data protection inquiries from the EU, contact hello@l663.guide.
You also have the right to lodge a complaint with your local data protection authority.
8.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know — what personal information we collect, use, and share
- Right to correct — request correction of inaccurate personal information
- Right to delete — request deletion of your personal information
- Right to opt out of sale — we do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at hello@l663.guide.
8.3 Rights Under Other US State Privacy Laws
If you reside in Colorado, Connecticut, Virginia, Utah, Montana, Delaware, or another US state with an applicable consumer privacy law, you may have rights similar to those described above, including the right to access, correct, delete, and port your personal data, and the right to opt out of targeted advertising or the sale of personal data.
We do not sell your personal information. We do not use your personal information for targeted advertising beyond our own platforms.
To exercise these rights, contact us at hello@l663.guide. We will respond to verifiable requests within 45 days.
8.4 Rights for All Users
Regardless of your location, you can:
- Unsubscribe from our newsletter at any time using the unsubscribe link in every email
- Request a copy of your data by emailing hello@l663.guide
- Request deletion of your data by emailing hello@l663.guide
9. Children's Privacy
The L663 is not directed at children. You must be at least 16 years old to subscribe to our newsletter or use our platform.
In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from anyone under 13. If we learn that we have collected data from a person under 13, we will delete it immediately. For users aged 13–15, parental consent may be required in some jurisdictions.
If you believe a child under 16 has provided us with personal data, please contact us at hello@l663.guide.
10. International Data Transfers
Our primary infrastructure is hosted in the United States (Supabase, Cloudflare). Our analytics provider (Plausible) is hosted in the EU. If you are accessing l663.guide from outside the United States, your data may be transferred to and processed in the United States. We rely on the data protection safeguards provided by our processors, including Standard Contractual Clauses where applicable.
11. Do Not Sell My Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. If you would like to submit a "Do Not Sell" request for your records, contact us at hello@l663.guide.
12. Security
We take reasonable measures to protect your personal data, including:
- Row-level security policies on our database (Supabase)
- Encrypted data transmission (HTTPS enforced via Cloudflare)
- Rate limiting on form submission endpoints
- CAPTCHA protection (Cloudflare Turnstile) on signup forms
- Access to subscriber data limited to the platform operator
No method of transmission or storage is 100% secure. If you have reason to believe your data has been compromised, contact us immediately at hello@l663.guide.
12.1 Data Breach Notification
In the event of a confirmed data breach involving your personal data, we will notify affected users without undue delay and, where required by law, within 72 hours of confirming the breach. Notification will be sent via email to the address on file and will include: what data was affected, the likely consequences, the measures we have taken in response, and how to contact us with questions.
13. Artificial Intelligence
The L663 may use AI-powered tools to assist in content drafting, editing, and research. We do not use your personal data (email, name, interest selections, poll responses) to train AI models. Aggregate, anonymised usage data may inform editorial decisions but is not shared with third-party AI providers for model training purposes.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify subscribers via email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Your continued use of l663.guide after changes are posted constitutes acceptance of the updated policy.
15. Contact
For privacy-related inquiries, data requests, or complaints:
Email: hello@l663.guide
Mailing address: 720 Seneca St Ste 107, #908, Seattle, WA 98101