Firstly, it’s not a privacy policy. It’s a privacy notice. But such is the way of Substack. Anyway.

Privacy Notice

Last updated: 2024-12-14

Congrats, if you're here, you actually read privacy notices, and that brings me joy.

I try to keep these short, sweet, and compliant. Since I am based in the Republic of Ireland, I mostly abide by the GDPR. However, for you exotic California/US types, I have thrown some specific bits in for you too.

How I Process Data & Data I Collect

Unless I state otherwise, legally I am acting as a controller of your personal data for the following processing activities.

All subscriptions:

• If you subscribe to the newsletter, I will see your name and email address, as well as your profile ID, profile picture, and other details you make available on your public Substack account.

• Substack also provides a star-ranking which shows if you read a lot of my posts or not.

• Substack processes this information on my behalf, and as a controller in their own right.

Paid subscriptions:

• If you become a paid or founding member, I see all of that + evidence you paid.

• If you subscribe to the special Privacat Cat Lounge Slack channel, I will see information you provide, including your email address, profile name/ID, profile photo, and any comments you leave/share.

• Stripe, Slack, and Substack process this information on my behalf. Stripe and Substack will also be collecting other information in their own capacities as controllers.

Email correspondence:

• If you email me (e.g., to give me kudos, tell me I’m wrong, or report a privacy disaster), I will obviously collect and process your email address and any other personal information you include in the email (such as your name or contact number).

• My email provider (proton.com) will also see email header information.

If you like, restack, or comment on a post, Substack Note, or leave a message in the chat:

• I will see whatever information you include in your Substack profile, including your name, profile ID, profile picture, other newsletters you subscribe to, and whatever else you choose to share in any comments.

• I will see that you specifically liked / restacked my posts. Thanks!

• Substack processes this information on my behalf. But they are also acting as controllers in their own right.

• Note: If you send a Direct Message, this is not end-to-end encrypted. Substack can see it all. Use Signal or email instead.

External referrer links:

• If you find my posts from another site (LinkedIn, Bluesky, Twitter, etc.), I will see details about referrer traffic, though it isn’t tied to you directly. Substack (and the various social networks) will see this information though, and probably collect IP address, machine identifier, and other more granular data.

• Ditto for links you click on if you’re subscribed via the Substack App or email.

• I can’t disable this, even though I don’t really care. Blame the socials.

• These services are acting as controllers here, but despite my lack of access, I am also a controller. *sigh*

If you read a post:

• I don’t collect anything, but my CDN provider Cloudflare will see your IP address and machine identifiers.

• Cloudflare collects this information to protect and secure this site from attackers and bots, though I do not have access to this information. All I can see is aggregate country information.

• Substack will also see your IP address and browser information.

• Cloudflare and Substack are processing this information directly as controllers.

Cookies:

• I hate them. Whenever possible, I drop any cookies/UTM links when sharing posts or content. I do not have any additional trackers or cookies enabled.

• However, Substack still insists on using cookies. Substack lists various Strictly Necessary, Performance, and Functionality cookies (even though the latter two aren’t actually recognized different things under the ePrivacy Directive).

• Information on Substack’s cookies is available here, though if you want to just automatically reject them, using a browser like Brave will do it automatically.

Legal Basis for Processing

If you send me an email, leave a comment, subscribe to the super-secret Slack channel, or otherwise engage, I will be processing that information based on your consent.

If you sign up as a subscriber, I am processing your data in order to fulfill a contract with you.

For other personal data being processed, I am doing so based on legitimate interests — the interest being that I use Substack, Slack, Stripe, and Cloudflare to host and manage this newsletter, and they collect a load of things I don’t need, but cannot meaningfully disable. They need this information allegedly in order to run their businesses, and I use these platforms because I want to write, not play privacy absolutist gotcha games.

Data Retention

I do not have a specific storage retention period for emails.

Substack retains “information about you only for as long as reasonably necessary to fulfill the purposes for which it was collected”. Cloudflare stores information “for a period of time that is consistent with the business purposes.” Slack stores chat conversations for 90 days, and profile/account information for as long as you have an account. Stripe has a detailed retention schedule here.

Sub-Processors

I use the following sub-processors to manage this website, security, and receive emails.

• Substack: I use Substack to host this newsletter, to engage with my adoring readership, and to host the Chance Conversations podcast. Substack is based in the US and abides by the EU-US Data Privacy Framework (DPF), for what it’s worth. (Substack Privacy Policy)

• Stripe: I use Stripe to process payments from subscribers. Stripe is based in the US and abides by the DPF. (Stripe Privacy Policy)

• Slack: I use Slack to maintain the Privacat Cat Cafe Slack channel. Slack is based in the US. Slack relies on Standard Contractual Clauses. (Slack Privacy Policy)

• Cloudflare: Cloudflare is used to secure this website and prevent DDoS and other nastiness (as well as blocking bots). Cloudflare is based in the US and relies on the DPF. (Cloudflare’s Privacy Policy)

• Proton Mail: Based in Switzerland, I use Proton Mail as my primary email provider. I rely on legitimate interests for this processing. (Proton Privacy Policy)

Your Rights

You have the following rights regarding your information:

• Access: You may request access to any information you have provided to me. Note, if you have a Substack account, you may also access, edit, or delete much of the Personal Information Substack has collected about you through your account settings. “What Personal Information can I access?,” has more details.

• Sale or Sharing: Since I do not ‘sell or share’ personal information as defined under laws like the CCPA, this isn’t really applicable. This information may be provided to the service providers which I have disclosed above.

• Non-Discrimination: You have the right not to receive discriminatory treatment for the exercise of your rights under the CCPA.

• Deletion: You can request that I delete your emails or other information you have provided, or to unsubscribe you/remove subscription information.

• Correction/Rectification: You can request to change the email address associated with your Privacat Insights subscription, though it’s probably going to be easier to just do that within Substack.

• Objection & Restriction of Processing: If applicable, you can object to the processing of your data, or you can ask that I restrict that processing.

• Complain to a Supervisory authority: You have the right to lodge a complaint with the Irish Data Protection Commission (DPC), since I’m based in Ireland. The DPC has a very helpful ‘Contact the DPC’ questionnaire you can use, or you can take the more conventional route by contacting them via email, phone, or mail.

Contact Me

If you have questions about this notice or want to exercise your rights, please email me at [email protected].