You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.
Privacy Notice
Last updated: 2026-04-28
How I Process Data & Data I Collect
Legally, I am acting as a controller of your personal data for the following processing activities.
Subscriber information
If you subscribe to the newsletter, I process your name and email address, as well as your profile ID, profile picture, and other details you make available on your public Substack account.
Substack also provides a star ranking, which shows whether or not you read a lot of my posts.
Paid subscriptions
If you become a paid subscriber, I process evidence that you paid.
Email correspondence
If you email me, I will collect and process your email address and any other personal information you include in the email (such as your name or contact number).
My email provider (proton.com) will also process email header information.
If you like, restack, or comment on a post, Substack Note, or leave a message in the chat
I will have access to whatever information you include in your Substack profile, including your name, profile ID, profile picture, other newsletters you subscribe to, and whatever else you choose to share in any comments.
Note: If you send a Direct Message, this is not end-to-end encrypted. Substack can see it all. If you want it to be secure, send it to my email instead.
External referrer links
If you find my posts from another site (LinkedIn, Bluesky, Twitter, etc.), I can see details about referrer traffic, though it isn’t tied to you directly. Substack (and the various social networks) will likely collect more detailed information though, and this likely includes your IP address, machine identifier(s), and other more granular data.
Ditto for links you click on if you’re subscribed via the Substack App or email.
I can’t disable this, even though I don’t really want this information. Blame the socials.
If you read a post
I don’t collect anything, but my CDN provider Cloudflare will collect and process your IP address and machine identifiers.
Cloudflare collects this information to protect and secure this site from attackers and bots, though I do not have access to this information. All I can see is aggregate country information.
Substack will also process your IP address and browser information.
Cookies
I hate them. Whenever possible, I drop any cookies/UTM links when sharing posts or content. I do not have any additional trackers or cookies enabled.
However, Substack still insists on using cookies. Substack lists various Strictly Necessary, Performance, and Functionality cookies (even though the latter two aren’t actually recognized as different things under the ePrivacy Directive).
Information on Substack’s cookies is available here, though if you just want to reject them, a browser like Brave will do it automatically.
Legal Basis for Processing
If you send me an email, leave a comment, or otherwise engage, I will be processing that information based on your consent.
If you sign up as a subscriber, I process your data in order to fulfill a contract with you.
Other personal data being processed is based on legitimate interests — the interest being that I use Substack, Stripe, and Cloudflare to host and manage this newsletter.
Data Retention
I do not have a specific storage retention period for emails.
Substack retains “information about you only for as long as reasonably necessary to fulfill the purposes for which it was collected”. Cloudflare stores information “for a period of time that is consistent with the business purposes.” Stripe has a detailed retention schedule here.
Sub-Processors
I use the following sub-processors to manage this website and its security, and to receive emails.
Substack: I use Substack to host this newsletter, to engage with my readership, and to host the Chance Conversations podcast. Substack is based in the US and abides by the EU-US Data Privacy Framework (DPF), for what it’s worth. (Substack Privacy Policy)
Stripe: I use Stripe to process payments from subscribers. Stripe is based in the US and abides by the DPF. (Stripe Privacy Policy)
Cloudflare: Cloudflare is used to secure this website and prevent DDoS and other nastiness (as well as blocking bots). Cloudflare is based in the US and relies on the DPF. (Cloudflare’s Privacy Policy)
Proton Mail: I use Proton Mail, which is based in Switzerland, as my primary email provider. I rely on legitimate interests for this processing. (Proton Privacy Policy)
Substack, Stripe, and Cloudflare also act as controllers in their own right for certain processing activities.
Your Rights
You have the following rights regarding your information:
Access: You may request access to any information you have provided to me. Note, if you have a Substack account, you may also access, edit, or delete much of the Personal Information Substack has collected about you through your account settings. “What Personal Information can I access?” has more details.
Sale or Sharing: Since I do not ‘sell or share’ personal information as defined under laws like the CCPA, this isn’t really applicable. This information may be provided to the service providers which I have disclosed above.
Non-Discrimination: You have the right not to receive discriminatory treatment for the exercise of your rights under the CCPA.
Deletion: You can request that I delete your emails or other information you have provided, or that I unsubscribe you/remove your subscription information.
Correction/Rectification: You can request to change the email address associated with your Privacat Insights subscription, though it’s probably going to be easier to just do that within Substack.
Objection & Restriction of Processing: If applicable, you can object to the processing of your data, or you can ask that I restrict that processing.
Complain to a Supervisory authority: You have the right to lodge a complaint with a supervisory authority.
Contact Me
If you have questions about this notice or want to exercise your rights, please email me at privacy@priva.cat.
