Privacy Policy

How we collect, use, share, and protect your personal information.

This Privacy Policy describes how The Digital Weekly (“we,” “us,” “our”) collects, uses, shares, and protects information about you when you visit thedigitalweekly.com or interact with our services, products, newsletters, and other digital properties (collectively, the “Services”).

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data-protection laws. By using our Services, you agree to the practices described in this policy.

Effective date: January 1, 2024. Most recent update shown at the top of this page.

Who we are (data controller)

The Digital Weekly is the data controller for personal information collected through the Services. For data-protection inquiries, our contact is:

Privacy Office, The Digital Weekly
Email: privacy@thedigitalweekly.com
Postal contact via legal@thedigitalweekly.com

EU and UK readers may also contact their local supervisory authority — see “Lodging a complaint” below.

Information we collect

Information you provide directly

  • Newsletter signup: email address, optionally a first name, optionally interests/preferences you select.
  • Contact forms and email: name, email address, message content, any attachments you send.
  • Account creation (if/when account features launch): email address, password (stored as a salted hash, never readable to us), display name, optional profile information.
  • Comments (if/when commenting launches): name, email (not displayed publicly), website (optional), comment content.
  • Tips and sources: any information you choose to share via tip channels. For sensitive tips, we honor source-protection agreements documented in our editorial guidelines.
  • Career applications: resume, work history, references, and any other information you submit.
  • Advertising and partnership inquiries: business contact details and the content of your inquiry.

Information collected automatically

  • Server logs: IP address (anonymised to /24 within 24 hours for non-EU traffic, immediately for EU traffic), browser user agent, requested URL, referrer URL, response code, and timestamp. Retained for 30 days for security and diagnostics.
  • Cookies and similar technologies: See our Cookie Policy for the full list. Categories: strictly necessary, preferences, analytics, advertising (only if you consent).
  • Analytics data: aggregate site usage via Google Analytics 4 (with anonymised IP and respect for “Do Not Track” / Global Privacy Control signals).
  • Newsletter analytics: opens, clicks, and unsubscribe events linked to your subscriber record (via pixel tracking that you can disable in your email client).
  • Performance data: page load times, error reports, and similar diagnostic information.

Information from third parties

  • Social-sign-in providers (if you sign in via Google, Apple, etc., when account features launch): the information that provider shares with us, typically your name, email, and avatar.
  • Payment processors (if/when subscriptions launch): we receive transaction confirmations but do not store card numbers ourselves.
  • Advertising attribution platforms: aggregate reports on ad-campaign performance, no individual-level personal data.

How we use information

We use the information described above for these purposes:

  • Provide the Services: deliver requested content, send the newsletter you signed up for, respond to your inquiries.
  • Improve the Services: analyze aggregate usage to identify which content and features readers value.
  • Protect the Services: detect and prevent fraud, abuse, spam, automated scraping, and security threats.
  • Communicate with you: send the newsletter, respond to your messages, send administrative notices about your account.
  • Comply with legal obligations: respond to lawful requests from authorities, retain records required by law, defend our legal interests.
  • Develop new services: in aggregate and de-identified form, use your interaction data to inform product decisions.

What we do NOT do with your information

  • We do not sell personal information to third parties.
  • We do not share newsletter subscriber lists with advertisers.
  • We do not train AI models on identifiable user data.
  • We do not create individual-level advertising profiles.
  • We do not use sensitive personal information (health, race, sexual orientation, political views) for any commercial purpose.

If you are in the European Economic Area, UK, or Switzerland, our legal basis for processing your personal information depends on the purpose:

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Newsletter signup and delivery | Consent (6(1)(a)) |
| Account services (if applicable) | Contract performance (6(1)(b)) |
| Site security and fraud prevention | Legitimate interests (6(1)(f)) |
| Aggregate analytics and product improvement | Legitimate interests (6(1)(f)) |
| Responding to your inquiries | Legitimate interests / Contract performance |
| Compliance with legal obligations | Legal obligation (6(1)(c)) |
| Marketing communications other than newsletter | Consent (6(1)(a)), revocable any time |

Sharing your information

We share information only with the following categories of recipients, under written contracts requiring confidentiality and use restrictions:

Service providers acting on our behalf

  • Hosting and infrastructure: our web hosting provider, CDN, and backup storage. Limited to operational data needed to deliver the Services.
  • Email delivery: our email service provider for newsletter delivery (information: your email address and engagement data).
  • Analytics: Google Analytics 4 (with IP anonymisation and respect for GPC signals). We do not provide them with PII.
  • Security: our DDoS-protection and WAF provider, processing request metadata to detect attacks.
  • Customer support tools (if any): processing email communications you send us.

Each service provider is bound by data-processing agreements (Article 28 DPAs for EU data) limiting their use of the data to providing services to us.

Legal disclosures

We may disclose personal information when required by valid legal process (subpoena, court order, lawful regulatory request). We evaluate every request for legitimacy, scope, and necessity. We will challenge overbroad or improper requests through every available legal channel. Where legally permitted, we notify affected users before disclosure.

Source protection

Personal information of confidential sources is protected with elevated care. We do not store source-identifying information in cloud systems where it could be subpoenaed. We resist legal demands for source identification through every available legal channel.

Business transfers

If The Digital Weekly is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. The receiving entity will be bound by terms at least as protective as those in this Policy. We will notify subscribers via email before any such transfer.

International data transfers

The Digital Weekly’s operations include data processing in the United States and other jurisdictions. When we transfer personal information from the EEA, UK, or Switzerland to countries that don’t have an EU adequacy decision, we rely on:

  • Standard Contractual Clauses (EU 2021 SCCs and UK IDTA)
  • EU-US Data Privacy Framework certification with eligible US recipients
  • Other lawful transfer mechanisms as available

You can request a copy of the safeguards we use for international transfers by emailing privacy@thedigitalweekly.com.

Your rights

Depending on where you live, you have some or all of these rights regarding your personal information:

  • Right of access — request a copy of the personal information we hold about you
  • Right to rectification — request correction of inaccurate or incomplete information
  • Right to erasure (“right to be forgotten”) — request deletion of your information, subject to limitations (legal retention obligations, journalistic exemptions)
  • Right to restriction — request that we limit how we process your information
  • Right to object — object to certain processing, including direct marketing and processing based on legitimate interests
  • Right to data portability — receive your data in a structured, commonly-used, machine-readable format
  • Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal
  • Right against automated decision-making — we do not make decisions about you based solely on automated processing
  • Right to lodge a complaint with a supervisory authority

How to exercise your rights

Email privacy@thedigitalweekly.com with:

  1. Which right you’re exercising
  2. The email address or other identifier connected to the data
  3. Enough information for us to verify your identity (we may follow up to confirm)

We respond within 30 days (extendable to 60 days for complex requests, with notice).

California privacy rights (CCPA / CPRA)

California residents have additional rights:

  • Right to know what personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share it
  • Right to delete personal information we have collected (subject to permitted exceptions)
  • Right to correct inaccurate personal information
  • Right to opt out of any “sale” or “sharing” of personal information — we do not sell, and we honor the Global Privacy Control signal as an opt-out of sharing
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that require this right to be exercised
  • Right to non-discrimination for exercising your rights — we will not deny services or charge different prices for exercising your privacy rights

To exercise California rights, email privacy@thedigitalweekly.com with “California Privacy Request” in the subject line.

Data retention

| Data type | Retention period | Reason |
| --- | --- | --- |
| Newsletter subscription | Until unsubscribe + 6 months | Operational, then permanent deletion |
| Newsletter analytics (opens, clicks) | 2 years | Editorial planning |
| Account data | Until account deletion + 30 days | Operational, deletion grace period |
| Comments | Until removal request or post deletion | Public record |
| Server logs | 30 days | Security, diagnostics |
| Analytics aggregates | 14 months (GA4 default) | Trend analysis |
| Contact form messages | 2 years | Reference, follow-up |
| Career applications (not hired) | 1 year | Future opportunities consideration |
| Legal/compliance records | As required by law | Legal obligation |

Security

We use industry-standard measures to protect your information:

  • Encryption in transit: TLS 1.2+ for all connections
  • Encryption at rest: database and backup encryption
  • Access controls: least-privilege access for staff, MFA required for administrative accounts
  • Network security: DDoS protection, WAF, regular vulnerability scanning
  • Hashed credentials: passwords stored with bcrypt or argon2id, never plaintext
  • Audit logging: administrative access is logged and reviewed
  • Incident response: documented procedure for security incidents

No method of transmission or storage is 100% secure. While we use reasonable measures, we cannot guarantee absolute security.

Data breach notification

In the event of a security breach affecting personal data, we will notify affected users without undue delay (within 72 hours of becoming aware of the breach where required by law), and notify relevant supervisory authorities. The notification will include: the nature of the breach, the categories and approximate number of affected individuals, likely consequences, measures we’ve taken, and steps you can take to protect yourself.

Children’s privacy

The Digital Weekly is not directed to children under 13 (US) or 16 (EU). We do not knowingly collect personal information from children under those ages. If we learn we have collected information from a child under those ages without verifiable parental consent, we delete it. If you believe we have such information about a child in your care, contact privacy@thedigitalweekly.com.

Cookies and tracking

See our Cookie Policy for the full list of cookies we use, why, and how to control them.

Newsletter unsubscribe

You can unsubscribe from any newsletter at any time via the “unsubscribe” link at the bottom of every email. The unsubscribe is processed immediately. You will not receive further newsletters at that address. Your subscription record is retained for 6 months for analytics and then permanently deleted.

Lodging a complaint

If you believe we are processing your personal information unlawfully, you have the right to lodge a complaint with a supervisory authority:

  • EU: the data-protection authority of your member state
  • UK: the Information Commissioner’s Office (ico.org.uk)
  • California: the California Privacy Protection Agency (cppa.ca.gov)

We encourage you to contact us first at privacy@thedigitalweekly.com — most issues can be resolved more quickly that way.

Changes to this policy

We update this policy as our practices evolve, as new privacy laws come into effect, or when we add new services. Material changes are:

  • Announced in The Weekly Brief at least two weeks before they take effect
  • Posted in a notice banner on the site
  • Communicated by email to registered users

Non-material changes (typo fixes, clarifications) are made silently with the “Last updated” date at the top reflecting the change.

Contact

Privacy questions, data-subject requests, complaints: privacy@thedigitalweekly.com
