You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.

Privacy Notice

Last updated: 2024-12-14

How I Process Data & Data I Collect

Unless I state otherwise, legally I am acting as a controller of your personal data for the following processing activities.

All subscriptions:

  • If you subscribe to the newsletter, I process your name and email address, as well as your profile ID, profile picture, and other details you make available on your public Substack account.

  • Substack also provides a star-ranking which shows if you read a lot of my posts or not.

  • Substack processes this information on my behalf, and as a controller in their own right.

Paid subscriptions (On Hiatus)

  • If you become a paid or founding member, I process all of that + evidence you paid.

  • Stripe, and Substack process this information on my behalf. Stripe and Substack will also be collecting other information in their own capacities as controllers.

Email correspondence:

  • If you email me I will collect and process your email address and any other personal information you include in the email (such as your name or contact number).

  • My email provider (proton.com) will also process email header information.

If you like, restack, or comment on a post, Substack Note, or leave a message in the chat:

  • I will have access to whatever information you include in your Substack profile, including your name, profile ID, profile picture, other newsletters you subscribe to, and whatever else you choose to share in any comments.

  • Substack processes this information on my behalf. But they are also acting as controllers in their own right.

  • Note: If you send a Direct Message, this is not end-to-end encrypted. Substack can see it all.

External referrer links:

  • If you find my posts from another site (LinkedIn, Bluesky, Twitter, etc.), I can see details about referrer traffic, though it isn’t tied to you directly. Substack (and the various social networks) will likely collect more detailed information though, and this likely includes your IP address, machine identifier(s), and other more granular data.

  • Ditto for links you click on if you’re subscribed via the Substack App or email.

  • I can’t disable this, even though I don’t really care. Blame the socials.

  • These services are acting as controllers here, but despite my lack of access, I am also a controller.

If you read a post:

  • I don’t collect anything, but my CDN provider Cloudflare will collect and process your IP address and machine identifiers.

  • Cloudflare collects this information to protect and secure this site from attackers and bots, though I do not have access to this information. All I can see is aggregate country information.

  • Substack will also process your IP address and browser information.

  • Cloudflare and Substack are processing this information directly as controllers.

Cookies:

  • I hate them. Whenever possible, I drop any cookies/UTM links when sharing posts or content. I do not have any additional trackers or cookies enabled.

  • However, Substack still insists on using cookies. Substack lists various Strictly Necessary, Performance, and Functionality cookies (even though the latter two aren’t actually recognized different things under the ePrivacy Directive).

  • Information on Substack’s cookies is available here, though if you want to just automatically reject them, using a browser like Brave will do it automatically.

Legal Basis for Processing

If you send me an email, leave a comment, or otherwise engage, I will be processing that information based on your consent.

If you sign up as a subscriber, I process your data in order to fulfill a contract with you.

Other personal data being processed is based on legitimate interests — the interest being that I use Substack, Stripe, and Cloudflare to host and manage this newsletter

Data Retention

I do not have a specific storage retention period for emails.

Substack retains “information about you only for as long as reasonably necessary to fulfill the purposes for which it was collected”. Cloudflare stores information “for a period of time that is consistent with the business purposes.” Stripe has a detailed retention schedule here.

Sub-Processors

I use the following sub-processors to manage this website, security, and receive emails.

  • Substack: I use Substack to host this newsletter, to engage with my readership, and to host the Chance Conversations podcast. Substack is based in the US and abides by the EU-US Data Privacy Framework (DPF), for what it’s worth. (Substack Privacy Policy)

  • Stripe: I use Stripe to process payments from subscribers. Stripe is based in the US and abides by the DPF. (Stripe Privacy Policy)

  • Cloudflare: Cloudflare is used to secure this website and prevent DDoS and other nastiness (as well as blocking bots). Cloudflare is based in the US and relies on the DPF. (Cloudflare’s Privacy Policy)

  • Proton Mail: Based in Switzerland, I use Proton Mail as my primary email provider. I rely on legitimate interests for this processing. (Proton Privacy Policy)

Your Rights

You have the following rights regarding your information:

  • Access: You may request access to any information you have provided to me. Note, if you have a Substack account, you may also access, edit, or delete much of the Personal Information Substack has collected about you through your account settings. “What Personal Information can I access?,” has more details.

  • Sale or Sharing: Since I do not ‘sell or share’ personal information as defined under laws like the CCPA, this isn’t really applicable. This information may be provided to the service providers which I have disclosed above.

  • Non-Discrimination: You have the right not to receive discriminatory treatment for the exercise of your rights under the CCPA.

  • Deletion: You can request that I delete your emails or other information you have provided, or to unsubscribe you/remove subscription information.

  • Correction/Rectification: You can request to change the email address associated with your Privacat Insights subscription, though it’s probably going to be easier to just do that within Substack.

  • Objection & Restriction of Processing: If applicable, you can object to the processing of your data, or you can ask that I restrict that processing.

  • Complain to a Supervisory authority: You have the right to lodge a complaint with a supervisory authority.

Contact Me

If you have questions about this notice or want to exercise your rights, please email me at privacy@priva.cat.