1. Who We Are
Grande Web Network ("GWN," "we," "us," or "our") is a network of educational, entertainment, and utility websites operated by Scott Gilley, an individual operator based in the United States.
Data Controller:
Scott Gilley
Grande Web Network
Email: [email protected]
Our network includes, but is not limited to, the following properties: grandewebnetwork.com, a2zwordfinder.com, a2zwords.com, ifindwines.com, a2zarcade.com, a2zlessons.com, a2ztrivia.com, a2znews.com, a2zmemes.com, a2zmahjong.com, a2zpuzzles.com, puzzledepot.com, wordlewonk.com, crossbingo.com, wordunscrambler.ai, frame-games.com, wunzzles.com, iwordfinder.com, lettersintowords.com, and affiliated satellite domains.
2. Data We Collect
We collect information in the following categories:
2.1 Information You Provide Directly
- Email address — when you subscribe to our newsletter via Kit (ConvertKit) or create an account on any GWN property
- Account credentials — username and password (hashed) for member areas powered by aMember Pro
- Payment information — processed by Stripe; we do not store full card numbers. Stripe retains billing details under its own privacy policy.
- Communications — email, feedback forms, or support requests you send us
2.2 Information Collected Automatically
- Usage data — pages visited, time on site, referrer URL, search queries entered in our tools
- Device & browser data — browser type and version, operating system, screen resolution, language preferences
- IP address — used for geolocation (country/region level), fraud prevention, and security (processed by Cloudflare and our analytics providers)
- Log data — server access logs including timestamps, URLs requested, HTTP status codes, and bytes transferred (retained for security purposes)
2.3 Information from Third Parties
- Advertising signals — ad networks may share aggregated audience and performance data with us
- Analytics enrichment — Google Analytics 4 may associate your sessions with demographic or interest data based on your Google account (if applicable)
3. How We Use Your Data
Service Delivery
Providing access to word games, wine pairing tools, trivia, educational content, and other GWN services.
Analytics & Improvement
Understanding how visitors use our sites so we can improve features, fix bugs, and prioritize development.
Advertising
Serving relevant display advertisements to support free access to our services. We share data with ad partners as described in Section 6.
Email Communications
Sending newsletters, product updates, and promotional messages to subscribers (with your explicit consent).
Security & Fraud Prevention
Detecting and preventing abuse, scraping, bot traffic, unauthorized access, and fraudulent activity.
Legal Compliance
Fulfilling legal obligations including responding to lawful data access requests and enforcing our Terms of Use.
Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Service delivery, account management | Contractual necessity (Art. 6(1)(b)) |
| Analytics (GA4) | Legitimate interests (Art. 6(1)(f)) |
| Advertising cookies & profiling | Consent (Art. 6(1)(a)) |
| Newsletter & email marketing | Consent (Art. 6(1)(a)) |
| Security logs, fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal obligations | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Services
We share data with the following third-party service providers who assist us in operating our network:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google LLC (Analytics) | Google Analytics 4 — usage analytics | IP (anonymized), browser, session data, events | Link |
| Google LLC (Ads) | Google Ad Manager, AdSense — ad serving | IP, device, cookie IDs, page context | Link |
| Amazon Web Services (APS) | Amazon Publisher Services — header bidding | IP, cookie IDs, bid request data | Link |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, security | IP, request headers, page URLs | Link |
| Kit (ConvertKit) | Email list management, newsletter delivery | Email address, subscription preferences | Link |
| Stripe, Inc. | Payment processing for member subscriptions | Name, email, billing address, payment method | Link |
| Linode / Akamai | Web server hosting (node1, node2, node3) | Log data, server-processed requests | Link |
| UDM Serve | Display advertising | IP, device, cookie IDs | Available on request |
| PixFuture Media | Display advertising | IP, device, cookie IDs | Link |
We do not sell your personal data to these providers. They act as data processors or independent data controllers under their own privacy policies, as applicable.
6. Advertising Partners
Our websites are supported by advertising. To serve relevant ads and measure their performance, our advertising partners may use cookies, device identifiers, and similar tracking technologies to collect data about your interactions with our sites and across the web.
Interest-Based Advertising
Some of our partners may build a profile of your interests based on browsing behaviour to deliver personalized ads. You can opt out of interest-based advertising by visiting the Digital Advertising Alliance opt-out page or the European Interactive Digital Advertising Alliance (EDAA) for EU residents.
Our Advertising Partners Include:
- Google Ad Manager (GAM) — programmatic display advertising, network ID 2799772
- Google AdSense — publisher ID ca-pub-1346844459042569
- Amazon Publisher Services (APS) — header bidding with 48+ demand partners
- UDM Serve — display and sticky advertising units
- PixFuture — display advertising across approved GWN properties
- Prebid.js partners — Sovrn, Index Exchange, Criteo, and other supply-side platforms participating in header bidding auctions
When advertising is served, the following data may be transmitted to ad partners: your approximate geographic location (country/region), device type, browser, the URL of the page you are viewing, and a pseudonymous identifier. No name, email address, or payment information is shared with ad partners.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Server access logs | 90 days | Security monitoring and abuse prevention |
| Google Analytics 4 data | 14 months (GA4 default) | Trend analysis; configurable in GA4 admin |
| Email subscriber data | Until unsubscribe or deletion request | Newsletter delivery (Kit/ConvertKit) |
| Member account data | Duration of account + 2 years after closure | Subscription records, legal and tax obligations |
| Payment records | 7 years | Tax and accounting legal requirements |
| Cloudflare security logs | Up to 30 days | DDoS and threat analysis (Cloudflare retention) |
| Support communications | 3 years | Resolution records and quality assurance |
Upon receiving a verified deletion request (see Section 14), we will erase your personal data within 30 days, except where we are required to retain it by law.
8. International Data Transfers
Grande Web Network is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, your personal information will be transferred to and processed in the United States.
We rely on the following safeguards for international transfers:
- EU-US Data Privacy Framework — Google LLC and Amazon Web Services, Inc. are certified under the EU-US Data Privacy Framework, which the European Commission has recognized as providing adequate protection.
- Standard Contractual Clauses (SCCs) — Where we engage processors not covered by an adequacy decision, we rely on SCCs approved by the European Commission pursuant to Article 46(2)(c) of the GDPR.
- Consent — In limited cases, for services where you have been explicitly informed of the transfer, your consent under Article 49(1)(a) GDPR.
You may request a copy of the transfer safeguards applicable to any third-party processor by contacting us at [email protected].
9. EU & EEA Resident Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Right of Access (Art. 15)
Request a copy of the personal data we hold about you and information about how it is used.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restriction (Art. 18)
Request that we limit our processing of your data in certain circumstances.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, machine-readable format and transfer it to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including profiling for direct marketing purposes.
Right to Withdraw Consent
Where we process your data based on consent (e.g., email marketing, advertising cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
Response Timeline
We will respond to verified rights requests within 30 days. Complex requests may require up to 90 days with notice. We do not charge a fee for reasonable requests.
How to Exercise Your Rights
Submit requests by email to [email protected] with the subject line "GDPR Rights Request." We will verify your identity before processing any request.
10. California Resident Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.
Do We Sell Personal Information?
We do not sell personal information in the traditional sense. However, some of our advertising practices (behavioral advertising cookies shared with ad partners) may constitute a "sale" or "sharing" under the CCPA's broad definition. You have the right to opt out of this.
Your California Rights
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of collection, the business purpose for collection, and categories of third parties with whom we share information.
- Right to Delete — Request deletion of personal information we have collected about you, subject to certain exceptions (e.g., legal obligations, ongoing business relationships).
- Right to Correct — Request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale/Sharing — Direct us not to sell or share your personal information with third parties for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information — Request that we limit use of sensitive personal information to what is necessary to provide our services.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights. We will not deny services, charge different prices, or provide a different quality of service.
Categories of Personal Information Collected (Last 12 Months)
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | IP address, email, cookie IDs | Yes |
| Internet activity | Pages visited, search queries, interactions | Yes |
| Geolocation data | Country/region from IP (not precise location) | Yes |
| Commercial information | Purchase history for member subscriptions | Yes (members) |
| Inferences | Interests inferred by Google for ad targeting | Via Google |
| Financial information | Credit/debit card numbers | No (Stripe only) |
| Biometric data | Fingerprints, facial recognition | No |
| Sensitive personal information | SSN, health data, precise geolocation | No |
Exercising Your California Rights
Submit a verifiable consumer request by emailing [email protected] with the subject line "CCPA Rights Request." You may also designate an authorized agent to submit requests on your behalf. We respond within 45 days (extendable by 45 days with notice).
11. Children's Privacy
Our services are intended for users aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at [email protected] and we will delete the information promptly.
For users in the EU/EEA, consent to data processing is required from a parent or guardian for children under 16 years of age (or the applicable age in your member state).
12. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- TLS 1.2+ encryption for all data in transit (enforced via Cloudflare)
- HSTS (HTTP Strict Transport Security) on all domains
- PBKDF2 key derivation with 600,000 iterations for password hashing in member areas
- Cloudflare DDoS protection, Web Application Firewall (WAF), and rate limiting
- SSH key-only server access (password authentication disabled)
- Regular security audits and monitoring
- Access controls limiting data access to authorized personnel only
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify affected individuals and applicable supervisory authorities as required by law.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post a notice on our main website
- Send an email notification to subscribers (for material changes)
Your continued use of our services after the effective date of any changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
14. Contact & Data Requests
For any privacy-related questions, concerns, or to exercise your data rights, please contact:
Grande Web Network — Privacy Team
Name: Scott Gilley
Email: [email protected]
Subject line: "Privacy Request" or "GDPR Rights Request" or "CCPA Rights Request"
We aim to acknowledge all privacy inquiries within 3 business days and resolve them within 30 days. For complex requests, we may request additional time (up to 90 days total for GDPR, 90 days total for CCPA) with written notice.
For EU residents, if you are not satisfied with our response, you may escalate to your local data protection authority.