Last Updated: 2025
Effective Date: 2025
Introduction and Scope
Data Controller Information
What Personal Data We Collect
How We Collect Your Personal Data
Why We Collect Your Data (Legal Basis)
How We Use Your Personal Data
Third-Party Service Providers and Data Processors
International Data Transfers
Cookies and Tracking Technologies
Email Marketing and Communications
Your Privacy Rights
Data Retention and Deletion
Data Security Measures
Children's Privacy
Automated Decision-Making and Profiling
California Privacy Rights (CCPA/CPRA)
Australian Privacy Rights
Changes to This Privacy Policy
How to Contact Us
Supervisory Authority and Complaints
This Privacy Policy describes how GutSignals ("we," "us," or "our") collects, uses, discloses, and protects the personal information of:
Newsletter subscribers
Website visitors
Anyone who interacts with our content or services
We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains your privacy rights and how the law protects you.
This Privacy Policy is designed to comply with privacy laws in:
European Union (General Data Protection Regulation - GDPR)
Germany (Bundesdatenschutzgesetz - BDSG)
United States (including state-specific laws like CCPA/CPRA)
Australia (Privacy Act 1988, Australian Privacy Principles)
By subscribing to our newsletter, using our website, or interacting with our services, you acknowledge that you have read, understood, and agree to this Privacy Policy.
IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, DO NOT SUBSCRIBE TO OUR NEWSLETTER OR USE OUR SERVICES.
For the purposes of data protection law, the data controller is:
GutSignals
Berzan Keskin c/o MDC Management #4146, Welserstraße 3, 87463 Dietmannsried
Düsseldorf, North Rhine-Westphalia, Germany
Contact:
Email: [email protected]
Website: www.gutsignals.com
As the data controller, we determine the purposes and means of processing your personal data. We are responsible for ensuring your data is processed in accordance with applicable privacy laws.
Given the scale of our operations, we are not currently required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37. However, for all privacy-related inquiries, please contact us at: [email protected]
When you subscribe to our newsletter:
Email address (required)
First name (optional)
Last name (optional)
Subscription preferences (content types, frequency)
Communication preferences
When you contact us:
Name
Email address
Message content
Any other information you choose to provide
When you make a purchase (if applicable in future):
Billing information
Payment information (processed by third-party payment processors)
Shipping address (if applicable)
When you interact with our emails:
Email open data (whether you opened an email)
Click data (which links you clicked)
Time and date of opens and clicks
Device type used to open email
Email client used
Approximate geographic location (based on IP address)
When you visit our website:
IP address
Browser type and version
Operating system
Device information (type, model, manufacturer)
Pages visited and time spent
Referring website/source
Date and time of visit
Clickstream data (navigation patterns)
Cookies and similar technologies:
Session cookies (temporary)
Persistent cookies (long-term)
Analytics cookies
Preference cookies
See Section 9 for detailed cookie information
We may receive information about you from:
Social media platforms (if you interact with our social media content)
Analytics providers (aggregated demographic data)
Affiliate partners (if you click through affiliate links)
Public databases (for verification purposes only)
We do not purchase email lists or contact information from data brokers.
WE DO NOT INTENTIONALLY COLLECT SENSITIVE PERSONAL DATA including:
Health information or medical records
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Sexual orientation or sex life
Criminal convictions or offenses
Do not send us sensitive personal data. If you inadvertently provide such information, we will delete it immediately upon becoming aware of it.
While our newsletter discusses gut health topics, subscription to health-related content does not constitute processing of special category data under GDPR Article 9, as:
We do not collect information about your specific health conditions
Subscription indicates general interest, not health status
Content is educational, not medical service provision
Newsletter signup forms:
Website subscription forms
Landing page forms
Pop-up forms
Embedded forms on partner sites
Direct communications:
Email inquiries sent to [email protected]
Replies to our newsletter emails
Contact form submissions
Account creation (if applicable):
User registration for paid tiers
Preference center updates
Email tracking pixels:
Invisible images embedded in emails
Track email opens and engagement
Standard practice in email marketing
Website analytics:
Analytics scripts (e.g., Beehiiv analytics)
Server logs
Error tracking
Cookies and similar technologies:
Browser cookies
Local storage
Session storage
See Section 9 for details
Beehiiv (our email service provider):
Collects data on our behalf when you subscribe
Tracks email engagement automatically
Stores subscriber data on their servers
Payment processors (if applicable in future):
Collect payment information during checkout
We do not directly store full payment card details
Under GDPR Article 6, we must have a lawful basis for processing your personal data. Our legal bases are:
When you consent to:
Receive our newsletter
Receive marketing communications
Receive promotional content and affiliate offers
Cookie usage on our website (non-essential cookies)
Characteristics of valid consent:
Freely given (no negative consequences for refusing)
Specific (clear what you're consenting to)
Informed (you understand how data will be used)
Unambiguous (clear affirmative action required)
You can withdraw consent at any time by:
Clicking "unsubscribe" in any email
Updating preferences in our preference center
Emailing [email protected]
Withdrawal does not affect lawfulness of processing before withdrawal
When necessary to provide services you've requested:
Delivering newsletter content you subscribed to
Processing payments for paid subscriptions (if applicable)
Providing customer support
Fulfilling product purchases
When required by law:
Complying with tax and accounting requirements
Responding to lawful requests from authorities
Maintaining records required by law
Anti-fraud and security obligations
When necessary for our legitimate interests (and not overridden by your rights):
Our legitimate interests include:
Improving newsletter content based on engagement data
Detecting and preventing fraud or abuse
Network and information security
Internal administration and business operations
Analyzing website traffic and user behavior
Sending service-related communications (non-marketing)
Enforcing our terms and policies
Balancing test: We have assessed that these interests do not override your fundamental rights and freedoms.
You have the right to object to processing based on legitimate interests. See Section 11 for details.
To send you our newsletter:
Weekly Saturday newsletter
Mid-week Wednesday newsletter (when applicable)
Any other content you've subscribed to
To communicate with you:
Respond to your inquiries
Provide customer support
Send service announcements
Notify you of changes to our services or policies
To improve our content:
Analyze which topics receive highest engagement
Understand which content types resonate with subscribers
Identify optimal sending times
Test different subject lines and formats
To personalize your experience:
Segment subscribers by interests and engagement
Send targeted content based on preferences
Recommend relevant resources
Customize content delivery based on behavior
Note: See Section 15 for information about automated decision-making and profiling.
If you've consented to receive promotional content:
Product recommendations (including affiliate offers)
Information about paid tiers or courses
Special offers and discounts
Partner promotions (with your separate consent)
We clearly label promotional content and provide easy opt-out options in every communication.
To understand our audience:
Aggregate demographic data (location, device type)
Subscriber growth and churn analysis
Content performance metrics
Engagement patterns and trends
Note: Analytics are typically aggregated and anonymized. Individual behavior analysis (if any) is covered under legitimate interests or consent.
To protect our services:
Detect and prevent spam subscriptions
Identify suspicious activity or abuse
Prevent unauthorized access
Ensure system security and integrity
To meet legal obligations:
Maintain required records
Respond to legal processes (subpoenas, court orders)
Comply with tax and accounting requirements
Report to regulatory authorities when required
For internal business purposes:
Billing and payment processing (if applicable)
Record keeping and documentation
Quality assurance
Staff training
Business development and strategy
We share your personal data with the following types of service providers who process data on our behalf:
Beehiiv, Inc.
Location: United States
Service: Email newsletter platform and hosting
Data processed: Email address, name, subscription preferences, engagement data (opens, clicks), IP address, device information
Purpose: Newsletter delivery, list management, analytics
Data Processing Agreement: Beehiiv provides Standard Contractual Clauses (SCCs) for EU data transfers
Privacy Policy: https://www.beehiiv.com/privacy
International data transfer safeguards:
Standard Contractual Clauses (SCCs) approved by European Commission
Beehiiv's commitments under EU-US Data Privacy Framework (if applicable)
Technical and organizational security measures
Current providers may include:
Cloud hosting services
Content delivery networks (CDNs)
Domain registrars
SSL certificate providers
These providers may access technical data and server logs for service provision and security purposes.
We may use:
Beehiiv's built-in analytics
Google Analytics (if implemented)
Other web analytics tools
Data processed: Aggregate traffic data, user behavior patterns, device information
If we implement paid subscriptions or products:
Stripe, Inc. (United States)
PayPal Holdings, Inc. (United States)
Other payment gateways
We do not store complete payment card information. Payment processors handle card and other sensitive financial data under the Payment Card Industry Data Security Standard (PCI DSS).
As our business grows, we may engage additional service providers including:
Customer relationship management (CRM) systems
Marketing automation platforms
Survey and feedback tools
Customer support platforms
Affiliate management platforms
Course hosting platforms (if we create courses)
We will update this Privacy Policy when adding new processors that significantly change data processing practices.
All third-party processors are required to:
Process data only on our documented instructions
Maintain appropriate technical and organizational security measures
Assist us with data subject rights requests
Delete or return data upon termination of services
Allow audits and provide information about processing activities
Not engage sub-processors without our authorization
Data Processing Agreements (DPAs): We maintain written agreements with all processors as required by GDPR Article 28.
We do NOT:
Sell your personal data to third parties
Rent or lease email lists
Share your data with data brokers
Provide your information to advertisers for their own marketing (unless you specifically consent to partner promotions)
Share data with social media platforms for advertising purposes (unless you consent to cookies that enable this)
As GutSignals is based in Germany but uses service providers located outside the European Economic Area (EEA), particularly in the United States, your personal data may be transferred to and processed in countries outside your jurisdiction.
Primary transfer: Your data is transferred from the EU to the United States when processed by Beehiiv, Inc.
Safeguards in place:
Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with US-based processors
EU-US Data Privacy Framework: Service providers may participate in this framework (if applicable)
Supplementary measures: Encryption in transit and at rest, access controls, regular security audits
Contractual obligations: Processors must implement technical and organizational measures to protect EU data
For Australian subscribers, data may be transferred to:
United States (Beehiiv, payment processors)
European Union (if we use EU-based services)
Australian Privacy Principle (APP) 8 compliance:
We take reasonable steps to ensure overseas recipients comply with APPs
We use contractual clauses requiring data protection
We inform you of overseas transfers (via this Privacy Policy)
Under GDPR: You have the right to obtain information about safeguards in place for international transfers. Contact us for copies of relevant Standard Contractual Clauses.
Under Australian law: You can request information about overseas disclosure and how we ensure compliance with APPs.
Primary storage locations:
United States (Beehiiv servers)
May include backup locations in other countries
We do not guarantee data will remain within any specific geographic boundary. International transfers are necessary for service provision.
Cookies are small text files placed on your device when you visit websites or open emails. They help websites function properly and provide information about how the site is used.
Purpose: Essential for website functionality
Examples: Session management, security, load balancing
Legal basis: Legitimate interest (necessary for service provision)
Can you opt out? No - these are required for the site to function
Purpose: Understand how visitors use our website
Examples: Page views, navigation paths, time on site, bounce rates
Legal basis: Consent (obtained through cookie banner)
Can you opt out? Yes - through cookie preferences
Specific analytics tools:
Beehiiv analytics (first-party)
Google Analytics (if implemented - third-party)
Purpose: Remember your preferences and choices
Examples: Language preferences, content preferences, remembered settings
Legal basis: Consent or legitimate interest
Can you opt out? Yes - but this may affect functionality
Purpose: Deliver relevant advertisements and track campaign effectiveness
Examples: Retargeting cookies, conversion tracking
Legal basis: Consent (explicit opt-in required)
Can you opt out? Yes - through cookie preferences or browser settings
Currently: We do not use advertising cookies, but may implement them in the future with proper consent mechanisms.
What they are: Invisible 1x1 pixel images embedded in emails
What they track:
Whether you opened an email
What time you opened it
What device/email client you used
Approximate location (based on IP address)
Legal basis: Legitimate interest for engagement analytics, or consent depending on jurisdiction
How to block: Most email clients allow you to disable automatic image loading. This prevents tracking pixels from functioning.
Session cookies: Deleted when you close your browser
Persistent cookies: Remain for specified period (typically 30 days to 2 years)
Specific retention periods depend on the cookie type and purpose.
Through our cookie banner:
Accept all cookies
Reject non-essential cookies
Customize cookie preferences
Through your browser:
Most browsers allow you to block or delete cookies
Settings vary by browser (Chrome, Firefox, Safari, Edge, etc.)
Blocking all cookies may affect site functionality
Useful resources:
Your browser's help documentation
Through third-party opt-out tools:
Network Advertising Initiative opt-out: optout.networkadvertising.org
Digital Advertising Alliance opt-out: optout.aboutads.info
European Interactive Digital Advertising Alliance: youronlinechoices.eu
Some browsers transmit "Do Not Track" signals. Currently, there is no industry standard for how to respond to DNT signals. As such, we do not currently respond to DNT signals, but we honor your cookie preferences set through our cookie banner or browser settings.
Third-party services we use may set their own cookies on your device:
Social media embeds (if present)
Video players (if present)
Analytics tools
Payment processors (during checkout)
We do not control third-party cookies. Review third-party privacy policies for information about their cookies.
Purpose: Facilitate your use of our services
Legal basis: Contract performance or legal obligation
Examples:
Subscription confirmation (double opt-in)
Password reset emails (if accounts implemented)
Receipt or invoice emails (if purchases made)
Service announcements or changes
You cannot opt out of transactional emails as they are necessary for service provision.
Purpose: Deliver content you've subscribed to
Legal basis: Consent
Frequency: Weekly (Saturday), with occasional mid-week content
Content: Gut health insights, education, research summaries
You can unsubscribe anytime via the link in every email.
Purpose: Promotional content, product offers, affiliate recommendations
Legal basis: Consent (separate from newsletter consent in some cases)
Content:
Product recommendations
Affiliate offers
Information about paid tiers or courses
Special discounts or promotions
You can opt out of marketing emails while continuing to receive the newsletter.
Double opt-in process (the established way to evidence consent under German case law, and best practice elsewhere):
You enter email address in signup form
We send confirmation email with verification link
You click link to confirm subscription
Confirmation timestamp and IP address recorded
This provides strong evidence of informed, unambiguous consent.
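The four steps above, worked through as an added example that is not GutSignals' or Beehiiv's code. The verification link carries a signed, expiring token so that a link cannot be forged for someone else's address or replayed after it has been used, and the click handler writes the consent evidence the policy says is kept (timestamp, IP address, consent text, method). The secret key, the 48-hour lifetime, the sample subscriber and the consent-log shape are assumptions; only the standard library is used.

```python
"""Double opt-in confirmation flow (added illustration; standard library only).

Step 1: the subscriber enters an address.   Step 2: we mail a link carrying
issue_token().   Step 3: the click is checked by verify_token().   Step 4:
confirm_subscription() records the consent evidence and marks the link used.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this comes from a secret store, not source.
SECRET_KEY = b"replace-with-a-random-32-byte-key-from-your-secret-store"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_email(email: str) -> str:
    """Lower-case and trim so the same mailbox always maps to one record."""
    return email.strip().lower()


def issue_token(email: str, now: Optional[int] = None) -> str:
    """Build the value carried in the verification link (step 2).

    The payload (address, issue time, random nonce) is signed with HMAC-SHA256,
    so the link cannot be altered to another address or a later timestamp; the
    nonce lets the server treat each link as single-use."""
    issued_at = int(time.time() if now is None else now)
    payload = json.dumps(
        {"email": normalize_email(email), "iat": issued_at, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
        sort_keys=True,
    ).encode("utf-8")
    signature = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Validate a clicked link (step 3). Returns the payload, or None.

    The signature is checked with a constant-time compare before the payload
    is parsed, so unsigned input never reaches json.loads."""
    try:
        payload_part, signature_part = token.split(".", 1)
        payload = _b64decode(payload_part)
        signature = _b64decode(signature_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    data = json.loads(payload)
    current = int(time.time() if now is None else now)
    if current < data["iat"] or current - data["iat"] > TOKEN_TTL_SECONDS:
        return None  # expired (or clock moved backwards): the subscriber must request a new link
    return data


def confirm_subscription(token: str, client_ip: str, consent_text: str, method: str,
                         consent_log: list, used_nonces: set, now: Optional[int] = None) -> Optional[dict]:
    """On a valid click, append the consent evidence and burn the nonce (step 4).

    Returns the stored record, or None if the link is invalid, expired, or
    has already been used (a second click on the same link must not create
    a second consent record)."""
    data = verify_token(token, now)
    if data is None or data["nonce"] in used_nonces:
        return None
    used_nonces.add(data["nonce"])
    record = {
        "email": data["email"],
        "signup_requested_at": data["iat"],
        "confirmed_at": int(time.time() if now is None else now),
        "ip": client_ip,  # address that clicked the link, as the policy says is recorded
        "consent_text": consent_text,
        "method": method,
    }
    consent_log.append(record)
    return record


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock (sample subscriber is made up).
    log, used = [], set()
    t0 = 1_700_000_000
    link_token = issue_token("  Reader@Example.com ", now=t0)
    print(confirm_subscription(link_token, "203.0.113.7", "Yes, send me the weekly newsletter",
                               "website-form", log, used, now=t0 + 600))
    # Second click on the same link: None, and the log still has one record.
    print(confirm_subscription(link_token, "203.0.113.7", "Yes, send me the weekly newsletter",
                               "website-form", log, used, now=t0 + 700), len(log))
```

Keep `used_nonces` in durable storage in practice (the in-memory set is for illustration), and log the unconfirmed address only for as long as a link can still be clicked; a signup that is never confirmed should not be kept as a subscriber.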
Requirements we meet:
Freely given consent (no negative consequences for refusing)
Specific consent (clear what you're signing up for)
Informed consent (privacy policy and terms provided at signup)
Unambiguous consent (affirmative action required - no pre-checked boxes)
Easy withdrawal (unsubscribe link in every email)
Documented consent (records maintained with timestamp, IP, consent text)
Requirements we meet:
Accurate "From," "To," and "Reply-To" information
Truthful subject lines
Clear identification as advertisement (for promotional content)
Valid physical postal address in every email
Clear, conspicuous unsubscribe mechanism
Honor opt-out requests within 10 business days
No email transmission after opt-out (except transactional)
Requirements we meet (if Canadian subscribers present):
Express consent obtained through double opt-in
Clear identification of sender
Contact information provided
Unsubscribe mechanism in every email
Honor unsubscribes promptly
Maintain consent records
Note: We primarily serve EU, US, and Australian audiences, but CASL may apply if we knowingly send to Canadian addresses.
Requirements we meet:
Consent obtained before sending
Accurate sender information
Functional unsubscribe facility in every email
Unsubscribes honored within 5 business days
Standard frequency:
1 email per week (Saturday newsletter)
Occasional additional emails (Wednesday deep-dives)
Rare special announcements
Maximum frequency: Typically no more than 2-3 emails per week
You can adjust frequency preferences through our preference center.
How to unsubscribe:
Click "Unsubscribe" link in any email footer
Confirm unsubscribe (one-click process)
Processed immediately (removed within 10 business days for CAN-SPAM, faster in practice)
How to manage preferences:
Click "Manage Preferences" or "Update Preferences" in email footer
Choose which types of emails you want to receive
Adjust frequency settings
Update anytime
What happens after unsubscribe:
You'll receive a confirmation email
No more marketing or newsletter emails (except transactional if needed)
Your data is retained for compliance purposes (30 days minimum), then deleted
You're added to suppression list to prevent re-subscription
Under the General Data Protection Regulation, you have the following rights:
What it means: You can request a copy of the personal data we hold about you.
What we'll provide:
Confirmation of whether we process your data
Copy of your personal data
Information about processing purposes, categories, recipients
Retention period
Information about your rights
Source of data (if not collected directly from you)
How to exercise: Email [email protected] with subject "Data Access Request"
Response time: Within 30 days (one calendar month under GDPR Article 12; may be extended by up to two further months for complex or numerous requests, with notice)
Format: Electronic format (PDF or structured data file)
Fee: Free; a reasonable administrative fee may be charged only for manifestly unfounded or excessive requests, including repeated ones
What it means: You can request correction of inaccurate or incomplete personal data.
Examples:
Correcting misspelled name
Updating email address
Completing missing information
How to exercise:
Update directly in preference center
Email [email protected]
Reply to any newsletter with corrections
Response time: Within 30 days
Fee: Free
What it means: You can request deletion of your personal data in certain circumstances.
When this applies:
Data no longer necessary for original purpose
You withdraw consent (and no other legal basis exists)
You object to processing (and no overriding legitimate grounds exist)
Data processed unlawfully
Legal obligation requires erasure
Data collected from children without proper consent
Exceptions (when we may refuse):
Legal obligation requires retention
Exercise or defense of legal claims
Public interest or scientific research (with appropriate safeguards)
How to exercise: Email [email protected] with subject "Deletion Request", or click unsubscribe and request full deletion
Response time: Within 30 days
What we'll do:
Delete your data from active systems
Notify third-party processors to delete
Confirm deletion in writing
What may remain:
Backup copies (deleted in next backup cycle)
Anonymized data used for analytics
Minimal data for legal compliance (e.g., proof of consent withdrawal)
What it means: You can request we limit how we use your data in certain circumstances.
When this applies:
You contest accuracy of data (restriction during verification)
Processing is unlawful but you don't want erasure
We no longer need data but you need it for legal claims
You objected to processing (restriction while verifying legitimate grounds)
Effect: Data stored but not actively processed (except with your consent or for legal claims)
How to exercise: Email [email protected]
Response time: Within 30 days
What it means: You can receive your personal data in a structured, machine-readable format and transmit it to another controller.
Conditions:
Processing based on consent or contract
Processing carried out by automated means
What we'll provide:
Email address
Name
Subscription date
Preferences
Engagement data (if requested)
Format: CSV, JSON, or other structured format
How to exercise: Email [email protected] with subject "Data Portability Request"
Response time: Within 30 days
Fee: Free
Direct transmission: We'll make reasonable efforts to transmit directly to another controller if technically feasible
What it means: You can object to processing based on legitimate interests or for direct marketing.
Direct marketing objection:
Absolute right - we must stop immediately
No justification needed
Applies to all direct marketing
Legitimate interest objection:
Must provide grounds relating to your particular situation
We must cease unless we demonstrate compelling legitimate grounds that override your interests
Applies to processing under Article 6(1)(f) - legitimate interests
How to exercise:
Click unsubscribe for marketing objection
Email [email protected] for other objections
Response time: Immediate for marketing; within 30 days for other objections
What it means: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Our practices: We do not engage in automated decision-making that produces legal effects or similarly significant effects. See Section 15 for details on any profiling.
If applicable in future: You'll have the right to human intervention, an explanation, and the right to contest the decision.
What it means: Where processing is based on consent, you can withdraw it at any time.
Effect:
Withdrawal does not affect lawfulness of processing before withdrawal
We'll stop processing unless another legal basis applies
We'll inform you of consequences of withdrawal
How to exercise:
Unsubscribe link in emails
Preference center
Email [email protected]
Response time: Immediate
What it means: You can complain to a data protection supervisory authority about our processing.
German supervisory authorities: See Section 20 for contact information
Preferred approach: Contact us first so we can address your concerns directly
If you're a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act:
What information we collect about you:
Categories of personal information
Specific pieces of personal information
Sources of information
Purposes for collection
Categories of third parties with whom we share data
How to exercise: Email [email protected] with subject "California Right to Know Request"
Verification: We'll verify your identity before responding
Response time: Within 45 days (may extend to 90 days with notice)
Frequency: Up to twice per 12-month period
What it means: Request deletion of personal information we collected from you (subject to exceptions)
Exceptions (when we may retain):
Complete transaction or provide requested service
Detect security incidents or protect against fraud
Debug to identify and repair errors
Comply with legal obligations
Internal uses reasonably aligned with your expectations
How to exercise: Email [email protected] with subject "California Deletion Request"
Response time: Within 45 days
Our practice: We do NOT sell your personal information and do not share it for cross-context behavioral advertising.
If this changes: We'll provide a prominent "Do Not Sell or Share My Personal Information" link and honor opt-out requests.
What it means: Request correction of inaccurate personal information
How to exercise: Update via preference center or email [email protected]
Response time: Within 45 days
Our practice: We do not collect or use sensitive personal information as defined by CPRA.
Sensitive information includes: Social security numbers, financial account information, precise geolocation, genetic data, etc.
What it means: We cannot discriminate against you for exercising your CCPA/CPRA rights.
Prohibited actions:
Denying goods or services
Charging different prices or rates
Providing different quality of service
Suggesting you'll receive different service
Permitted actions:
Offering financial incentives for data collection (with explicit consent)
What it means: You can designate an authorized agent to make requests on your behalf.
Requirements:
Written authorization from you
Proof of agent's identity
Verification of your identity
How to use: Have your agent email [email protected] with proper documentation
If you're an Australian resident, you have rights under the Australian Privacy Principles (APPs):
What it means: Request access to personal information we hold about you
How to exercise: Email [email protected]
Response time: Within 30 days
Fee: We may charge a reasonable cost for providing access (we will inform you in advance)
Exceptions: We may refuse access in certain circumstances (legal requirements, unreasonable impact on others' privacy, etc.)
What it means: Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information
How to exercise: Update via preference center or email [email protected]
Response time: Within 30 days
If we refuse: We'll provide written reasons and information about complaint mechanisms
Associate a statement: If we don't correct the information, you can request that we associate a statement that you believe it is inaccurate
What it means: Complain to us or the Australian Information Commissioner about privacy concerns
How to complain to us: Email [email protected] with subject "Privacy Complaint"
Our response time: Within 30 days
If unsatisfied: You can complain to the Office of the Australian Information Commissioner (OAIC) - see Section 20
General process:
Submit request: Email [email protected] with:
Your name and email address
Specific right you're exercising
Details about your request
Proof of identity (if required)
Verification: We'll verify your identity to protect against fraudulent requests
Processing: We'll process your request within applicable timeframes
Response: We'll inform you of action taken or reasons for refusal
No fee for most requests unless excessive or manifestly unfounded (GDPR) or reasonable cost recovery (Australia)
Response format: Electronic communication (email) unless you request otherwise
We retain personal data only as long as necessary for the purposes for which it was collected, and to comply with legal, accounting, or reporting requirements.
Factors affecting retention periods:
Legal and regulatory requirements
Limitation periods for legal claims
Need to defend potential legal claims
Operational needs
User consent and preferences
While you remain subscribed:
Email address and name: Retained indefinitely while subscribed
Subscription preferences: Retained indefinitely while subscribed
Engagement data (opens, clicks): Retained for 2 years, then anonymized
Communication history: Retained for 2 years
Purpose: Deliver services, improve content, comply with legal obligations
Immediately after unsubscribe:
Added to suppression list (permanent - prevents re-subscription)
Active marketing ceases immediately
Access to data restricted
30 days after unsubscribe:
Personal data deleted from active systems
Suppression list entry remains (email address only, hashed)
Backup retention:
May remain in backups for up to 90 days
Not actively accessible
Deleted in normal backup rotation
Legal hold exceptions:
Data related to active legal claims retained until resolution
Data required by law retained for applicable period
Under GDPR and CASL: Must prove valid consent was obtained
Retention period:
Minimum: 3 years after relationship ends
Recommended: 7 years after relationship ends
Or: Indefinitely if no legal storage limitation period
What we retain:
Email address (hashed)
Timestamp of consent
Consent text shown at time of signup
IP address (if collected)
Method of consent (form, page, etc.)
Withdrawal timestamp (if applicable)
Purpose: Defend against spam complaints, regulatory inquiries, legal claims
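The "email address (hashed)" kept in the suppression list and in the consent records above, as an added example that is not GutSignals' or Beehiiv's code. The point it shows: an unkeyed SHA-256 of an address is recovered by simply hashing a list of candidate addresses, so the fingerprint used here is an HMAC under a secret key held by the controller. Matching an unsubscribe, a spam complaint or a re-subscription attempt against the stored fingerprint still works; recovering addresses from a leaked table does not. The key, the addresses and the candidate list are constructed assumptions.

```python
"""Keyed email fingerprints for the suppression list and consent records
(added illustration; standard library only)."""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional

# Assumption: a per-controller secret from a secret store. Rotating it means
# re-keying every stored fingerprint, so treat it as long-lived.
FINGERPRINT_KEY = b"replace-with-a-random-32-byte-key-from-your-secret-store"


def normalize_email(email: str) -> str:
    """Canonical form so 'Reader@Example.com ' and 'reader@example.com' match."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: what 'hashed' often means in practice, and what
    reverse_by_guessing() below recovers from a candidate list."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def fingerprint(email: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed SHA-256 (HMAC): equality matching still works, guessing needs the key."""
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class SuppressionList:
    """Stores fingerprints and the unsubscribe time only, never the addresses."""

    def __init__(self, key: bytes = FINGERPRINT_KEY):
        self._key = key
        self._entries: Dict[str, int] = {}  # fingerprint -> unsubscribe timestamp

    def add(self, email: str, unsubscribed_at: int) -> None:
        self._entries[fingerprint(email, self._key)] = unsubscribed_at

    def is_suppressed(self, email: str) -> bool:
        return fingerprint(email, self._key) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def may_send(email: str, suppression: SuppressionList, has_consent: bool,
             transactional: bool = False) -> bool:
    """Gate to run before every send and before accepting a re-subscription.

    Newsletter and marketing mail needs a consent record and no suppression
    entry; transactional mail (confirmations, receipts) is still permitted, as
    the policy's unsubscribe section states."""
    if transactional:
        return True
    return has_consent and not suppression.is_suppressed(email)


def reverse_by_guessing(target: str, candidates: Iterable[str],
                        hasher: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash each guess with `hasher` and compare to `target`.

    Succeeds against plain_hash(); fails against fingerprint() unless the
    attacker also holds FINGERPRINT_KEY."""
    for guess in candidates:
        if hmac.compare_digest(hasher(guess), target):
            return normalize_email(guess)
    return None


if __name__ == "__main__":
    # Constructed addresses; none of them are real subscribers.
    candidates = ["alice@example.com", "bob@example.org", "reader@example.com"]
    leaked_plain = plain_hash("Reader@Example.com")
    leaked_keyed = fingerprint("Reader@Example.com")
    print("plain hash recovered:", reverse_by_guessing(leaked_plain, candidates, plain_hash))
    print("keyed fingerprint recovered without key:",
          reverse_by_guessing(leaked_keyed, candidates, lambda e: fingerprint(e, b"attacker-guess")))
    suppressed = SuppressionList()
    suppressed.add("Reader@Example.com", 1_700_000_000)
    print("newsletter allowed:", may_send(" reader@example.com ", suppressed, has_consent=True))
    print("receipt allowed:", may_send("reader@example.com", suppressed, has_consent=True, transactional=True))
```

One caveat for the retention section this sits in: a keyed fingerprint is pseudonymisation, not anonymisation. The controller still holds the key and can match a fingerprint to an address presented to it, so the entry remains personal data under GDPR Article 4(5) and the retention periods above still apply to it.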
If you make purchases:
Transaction records: 7 years (tax and accounting requirements)
Invoice and payment data: 7 years
Payment card details: NOT stored (handled by payment processors)
Jurisdiction requirements:
Germany: Minimum 6-10 years for tax records (depending on type)
US: IRS recommends 3-7 years
Australia: ATO requires 5 years
Customer support emails:
Retained for 2 years after last interaction
Purpose: Improve service, train staff, resolve disputes
General inquiries:
Retained for 1 year after response
Purpose: Reference for follow-up questions
IP addresses and device information:
Anonymized after 14 months (if using Google Analytics)
Aggregated data retained indefinitely
Cookie data:
Retained according to cookie duration (typically 30 days to 2 years)
See Section 9 for specific cookie retention
When we delete data:
Active databases: Permanent deletion using secure deletion methods
Backups: Deleted in next backup rotation cycle
Archives: Securely destroyed or overwritten
Third-party processors: Instructed to delete (verified through DPAs)
Anonymization alternative:
Some data may be anonymized rather than deleted
Anonymized data cannot be re-identified and is not personal data
Used for statistical analysis and business intelligence
We may retain data longer if:
Required by law or regulation
Necessary for establishing, exercising, or defending legal claims
You've consented to longer retention
Anonymization is not technically feasible
You'll be informed if legal hold prevents deletion of your data upon request.
We implement appropriate technical and organizational measures to protect your personal data against:
Unauthorized or unlawful processing
Accidental loss, destruction, or damage
Unauthorized access or disclosure
However, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but use industry-standard practices.
Data in transit:
TLS/SSL encryption for all website connections (HTTPS)
Encrypted email transmission where supported
Secure API connections to third-party services
Data at rest:
Beehiiv employs encryption for stored data
Password hashing using industry-standard algorithms
Encrypted database backups
Administrative access:
Multi-factor authentication (MFA) required
Role-based access control (RBAC)
Principle of least privilege (minimum necessary access)
Regular access reviews and revocations
Data access logging:
All data access logged and monitored
Audit trails maintained
Anomaly detection for suspicious activity
Infrastructure protection:
Firewalls and intrusion detection systems
Regular security patches and updates
DDoS protection
Secure network architecture
Beehiiv security:
Relies on Beehiiv's enterprise-grade infrastructure
AWS-hosted with multi-layer security
Regular security audits and penetration testing
Secure coding practices:
Input validation and sanitization
Protection against common vulnerabilities (SQL injection, XSS, CSRF)
Regular security code reviews
Dependency vulnerability scanning
Access restrictions:
Limited personnel have access to personal data
Background checks where appropriate and legally permitted
Confidentiality agreements
Security awareness training
Current access:
Newsletter creator/operator (sole proprietor)
Future staff will be bound by same security requirements
Vendor management:
Due diligence before engaging processors
Review of security certifications and audits
Data Processing Agreements requiring security measures
Regular vendor security assessments
Beehiiv security standards:
SOC 2 Type II certified (or similar)
Regular third-party security audits
Contractually obligated to maintain security
Data breach procedures:
Immediate containment and assessment
Investigation to determine scope and impact
Notification to affected individuals (within 72 hours under GDPR if high risk)
Notification to supervisory authorities (within 72 hours under GDPR)
Remediation to prevent future breaches
Post-incident review and improvements
What we'll tell you:
Nature of the breach
Categories of data affected
Likely consequences
Measures taken to address breach
Recommendations to protect yourself
Backup and recovery:
Regular automated backups
Geographically distributed backup locations
Tested disaster recovery procedures
Business continuity planning
To protect your data:
Use strong, unique passwords (if accounts implemented)
Enable two-factor authentication (if available)
Keep your devices and software updated
Be cautious of phishing emails claiming to be from us
Verify email authenticity before clicking links
Report suspicious activity to [email protected]
We'll never:
Ask for passwords via email
Request sensitive personal information via unsolicited email
Send emails with suspicious attachments
If we discover a data breach affecting your personal data:
EU/GDPR:
Notify supervisory authority within 72 hours (if breach likely to result in risk)
Notify affected individuals without undue delay (if high risk to rights and freedoms)
Document all breaches (including those not reported)
US:
No federal general breach notification law
State-specific notification requirements (most states require notification)
Typically 30-90 days after discovery
Australia:
Notify OAIC and affected individuals as soon as practicable if serious data breach
Serious breach: likely to result in serious harm
Our commitment:
Prompt investigation
Transparent communication
Assistance to affected individuals
Steps to prevent recurrence
Our newsletter and services are not directed at children under 16 years of age (or under 13 in the US).
We do not knowingly:
Collect personal information from children
Market to children
Allow children to subscribe without parental consent
Under GDPR Article 8:
Children under 16 need parental consent for information society services (may be lower depending on member state law)
Germany: Age 16 applies
We make reasonable efforts to verify parental consent where necessary
Under Children's Online Privacy Protection Act:
Children under 13 require verifiable parental consent
We do not knowingly collect information from children under 13
Immediate action:
Delete all personal information collected from the child
Unsubscribe the email address
Not contact the child
Add to suppression list to prevent re-subscription
How we discover:
Self-disclosure by child or parent
Parental complaint
Unusual behavior patterns
If you believe your child has subscribed:
Email [email protected] immediately
Include child's email address
We'll delete all associated data promptly
We request parents:
Monitor children's internet usage
Supervise children's email subscriptions
Contact us immediately if concerned
Article 22 GDPR prohibits decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect individuals—unless explicitly authorized.
We do NOT engage in:
Fully automated decision-making with legal or similarly significant effects
Credit scoring or financial eligibility decisions
Employment or hiring decisions
Automated decisions affecting access to services
We DO engage in:
Limited profiling for marketing purposes (with consent or legitimate interest)
Content personalization based on engagement behavior
Audience segmentation for targeted content delivery
What we analyze:
Open rates (which emails you open)
Click rates (which links you click)
Content preferences (which topics engage you)
Timing preferences (when you're most likely to engage)
How we use it:
Send content more likely to interest you
Optimize sending times for better engagement
Segment subscribers by interest area
Identify inactive subscribers for re-engagement campaigns
Legal basis: Legitimate interest or consent (depending on jurisdiction)
Impact: Determines what content you receive and when
Your rights:
Object to profiling (email [email protected])
Request explanation of logic involved
Challenge decisions based on profiling
What we may do:
Group subscribers by behavior patterns (highly engaged vs. rarely engaged)
Segment by content preferences (recipe-focused vs. science-focused)
Identify likely purchasers for paid product offerings
Legal basis: Legitimate interest or consent
Your control:
Update preferences in preference center
Object to segmentation
Opt out of personalized content
What we may do in future:
Predict likelihood of purchase
Predict risk of unsubscribing
Recommend content based on similar users' behavior
If implemented:
Will be disclosed in updated privacy policy
Will not produce legal or similarly significant effects
Will allow opt-out
All significant decisions involve human review:
Unsubscribes (if questioned)
Complaints or disputes
Access to paid content
Account terminations (if applicable)
Automated systems support, not replace, human decision-making.
You can:
Request explanation of profiling logic and significance
Object to profiling based on legitimate interests
Opt out of marketing profiling (while remaining subscribed)
Request human intervention if you believe you're subject to harmful automated decisions
How to exercise: Email [email protected] with subject "Profiling Objection" or "Profiling Information Request"
We do NOT profile based on:
Health status or medical conditions (despite health-related content)
Race, ethnicity, political opinions, religious beliefs
Sexual orientation or sex life
Trade union membership
Criminal convictions
General interest in gut health ≠ health status data
This section provides additional disclosures required by California law.
In the past 12 months, we have collected the following categories:
Category | Examples | Collected? | Business Purpose
Identifiers | Name, email address, IP address, device ID | Yes | Newsletter delivery, communication, analytics
Commercial information | Purchase history, payment information | Future (when paid products implemented) | Process transactions, customer support
Internet activity | Browsing history, search history, interaction with emails/website | Yes | Analytics, content improvement, personalization
Geolocation data | Approximate location from IP address | Yes | Analytics, content localization
Sensory data | Audio, video, thermal, olfactory | No | N/A
Professional information | Employment, job title | No | N/A
Education information | School, degree | No | N/A
Inferences | Preferences, behavior predictions | Yes | Content personalization, marketing
Sensitive personal information | Social security, financial accounts, precise geolocation, etc. | No | N/A
Directly from you:
Subscription forms
Email communications
Preference updates
Purchase transactions (if applicable)
Automatically collected:
Email tracking pixels
Website cookies and analytics
Server logs
From third parties:
Social media platforms (if you interact with our content)
Analytics providers (demographic data)
Affiliate partners (click-through data)
We collect and use personal information for:
Performing services: Delivering newsletter, processing transactions, customer support
Security and fraud prevention: Detecting spam, preventing abuse, securing systems
Debugging: Identifying and fixing errors
Marketing: Sending promotional content (with consent)
Internal research: Analytics and business intelligence
Quality improvement: Testing, research, analysis to improve services
Compliance: Meeting legal obligations
Service providers:
Email service providers (Beehiiv)
Website hosting and infrastructure providers
Analytics providers
Payment processors (future)
Purpose: These parties process data on our behalf under contract
Affiliates: None currently
Third parties for their own purposes: None (we do not sell data)
WE DO NOT SELL YOUR PERSONAL INFORMATION.
WE DO NOT SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.
If this changes in the future:
We'll update this Privacy Policy
We'll provide "Do Not Sell or Share My Personal Information" link
We'll honor opt-out requests
We'll not discriminate for exercising opt-out rights
See Section 12 for detailed retention information.
Summary:
Active subscribers: Data retained while subscribed
After unsubscribe: Deleted within 30 days (except suppression list)
Consent records: 3-7 years after relationship ends
Financial records: 7 years (if applicable)
See Section 11.2 for detailed information about:
Right to Know
Right to Delete
Right to Correct
Right to Opt-Out of Sale/Sharing
Right to Limit Use of Sensitive Personal Information
Right to Non-Discrimination
Civil Code Section 1798.83 allows California residents to request information about disclosure of personal information to third parties for their direct marketing purposes.
Our practice: We do not disclose personal information to third parties for their own direct marketing purposes.
If you have questions: Email [email protected] with subject "California Shine the Light Request"
California residents can authorize an agent to submit privacy rights requests on their behalf.
Requirements:
Signed written permission from consumer
Proof of agent's identity
Verification of consumer's identity
Submit to: [email protected]
We may request additional information to verify the agent's authority.
To verify your identity for rights requests:
For less sensitive requests (e.g., categories of data collected):
Match email address to our records
Confirm recent interaction
For sensitive requests (e.g., specific pieces of data, deletion):
Confirm email address
Verify information provided at signup
May request additional verification if concerns about identity
We use reasonable verification methods that balance security with accessibility.
We comply with the 13 Australian Privacy Principles under the Privacy Act 1988.
This Privacy Policy fulfills our transparency obligations by clearly explaining:
What data we collect and why
How we use and disclose data
How you can access and correct data
How to complain about privacy breaches
When possible, we allow anonymity or pseudonyms:
Website browsing without providing personal information
General inquiries without identifying yourself
However, newsletter subscription requires email address (service cannot be provided anonymously).
We only collect information reasonably necessary for our functions:
Email address and name for newsletter delivery
Engagement data for content improvement
Payment information for transactions (if applicable)
We do not collect sensitive information (as defined by Privacy Act).
If we receive personal information we didn't solicit:
Determine if we could have collected it lawfully
If not, destroy or de-identify as soon as practicable
If yes, handle according to APPs
This Privacy Policy serves as notification of collection, providing information about:
Identity and contact details
Purposes of collection
Legal consequences (if any) of not providing information
Overseas disclosures
How to access/correct data and complain
We only use or disclose personal information for:
Primary purpose of collection (newsletter delivery)
Secondary purposes you'd reasonably expect
With your consent
As required or authorized by law
We don't use or disclose for direct marketing without consent.
For direct marketing (promotional emails):
Obtain consent before sending
Provide simple opt-out mechanism in every email
Honor opt-outs promptly
Don't use sensitive information for marketing
Australian subscribers can opt out of marketing while continuing to receive newsletter.
We disclose personal information overseas (primarily to Beehiiv in the United States).
Safeguards:
Data Processing Agreements requiring APP-equivalent protections
Beehiiv contractually obligated to protect data
Technical security measures
Standard Contractual Clauses (for EU compliance, benefiting Australian data)
You consent to overseas disclosure by subscribing (this Privacy Policy constitutes reasonable notice).
We remain accountable under APPs for overseas disclosures.
We do not collect government identifiers (e.g., passport numbers, driver's license numbers) unless required by law.
We take reasonable steps to ensure data is:
Accurate
Up-to-date
Complete
Relevant
You can update information via preference center or by contacting us.
We take reasonable steps to protect personal information from:
Misuse, interference, loss
Unauthorized access, modification, disclosure
See Section 13 for detailed security measures.
We destroy or de-identify information no longer needed (unless required by law to retain).
You can request access to your personal information.
See Section 11.3.1 for detailed access rights.
We may charge a reasonable fee for providing access (we will inform you in advance).
You can request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information.
See Section 11.3.2 for detailed correction rights.
We comply with the Spam Act by:
Obtaining consent before sending commercial emails
Including accurate sender information
Providing functional unsubscribe facility in every email
Honoring unsubscribes within 5 business days
If we experience a serious data breach:
Assess whether breach is likely to result in serious harm
If yes, notify OAIC and affected individuals as soon as practicable
Provide information about breach and remedial steps
Serious harm includes: Identity theft, financial loss, serious physical or psychological harm, serious harm to reputation, etc.
Nothing in this Privacy Policy excludes, restricts, or modifies any consumer rights under Australian Consumer Law that cannot be lawfully excluded.
See Section 14.4 of Medical Disclaimer for ACL provisions.
We reserve the right to update or modify this Privacy Policy at any time to reflect:
Changes in our data practices
New legal or regulatory requirements
New technologies or services
Feedback from users or regulators
Business changes or growth
How we'll notify you:
For material changes:
Email notification to all subscribers
Prominent notice on website
Updated "Last Updated" date at top of policy
For minor changes:
Updated "Last Updated" date
Changes reflected in policy text
No separate notification required
Material changes include:
New types of personal data collected
New purposes for processing
New third-party processors
Changes to your rights
Changes to retention periods
International data transfer changes
Changes take effect:
Immediately upon posting for non-material changes
30 days after notification for material changes (or as required by law)
Your continued use after effective date constitutes acceptance of the updated Privacy Policy.
We recommend:
Review this Privacy Policy periodically
Check "Last Updated" date when you visit
Read notification emails about changes
Contact us if you have questions about changes
If you don't agree with updated Privacy Policy:
You may unsubscribe before changes take effect
Your data will be handled under the previous policy until you unsubscribe
After unsubscribe, deletion follows standard procedures (Section 12)
For questions about this Privacy Policy or our privacy practices:
Email: [email protected]
Subject Line: "Privacy Inquiry"
Website: www.gutsignals.com
Response Time: We'll respond within 7 business days for general inquiries, within legal timeframes for rights requests.
To exercise your privacy rights (access, deletion, correction, etc.):
Email: [email protected]
Subject Line: "[Your Right] Request" (e.g., "Data Access Request", "Deletion Request")
Include:
Your name
Email address subscribed
Specific right you're exercising
Any additional information needed for verification
Response Time:
GDPR requests: Within 30 days (may extend to 60 days for complex requests)
CCPA requests: Within 45 days (may extend to 90 days)
Australian APP requests: Within 30 days
To unsubscribe or update preferences:
Fastest method: Click "Unsubscribe" or "Manage Preferences" in any email footer
Alternative: Email [email protected] with subject "Unsubscribe" or "Update Preferences"
To file a privacy complaint:
Email: [email protected]
Subject Line: "Privacy Complaint"
Include:
Detailed description of complaint
Date and circumstances
Impact on you
Desired resolution
Our complaint handling process:
Acknowledge receipt within 3 business days
Investigate thoroughly
Respond with findings and resolution within 30 days
Escalate to appropriate authorities if unresolved
To report a security concern or potential breach:
Email: [email protected]
Subject Line: "SECURITY CONCERN - [Brief Description]"
We take security reports seriously and will investigate promptly.
Currently: We do not have a designated Data Protection Officer (DPO) as we're not required to under GDPR Article 37.
Privacy-related matters: Direct to [email protected]
If we grow to require a DPO: This section will be updated with DPO contact information.
For formal legal notices or written correspondence:
GutSignals
c/o MDC Management #4146
Welserstraße 3
87463 Dietmannsried
Düsseldorf, North Rhine-Westphalia
Germany
Note: Email is preferred for faster response, but postal mail is available if required.
If you're unhappy with how we handle your data, you can complain to a supervisory authority:
German Federal Data Protection Authority (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit - BfDI):
Graurheindorfer Str. 153
53117 Bonn
Germany
Phone: +49 (0)228 997799-0
Fax: +49 (0)228 997799-5550
Email: [email protected]
Website: www.bfdi.bund.de
State-level authorities: Germany also has data protection authorities at the state level (Landesdatenschutzbehörden). You can contact the authority in your state (Bundesland).
For North Rhine-Westphalia:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Phone: +49 (0)211 38424-0
Fax: +49 (0)211 38424-10
Email: [email protected]
Website: www.ldi.nrw.de
Other EU countries: If you're in another EU country, contact your national supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en
Federal Trade Commission (FTC):
For privacy and data security complaints:
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
Phone: 1-877-FTC-HELP (1-877-382-4357)
Website: www.ftc.gov
Complaint form: www.ftccomplaintassistant.gov
Note: The US doesn't have a single data protection authority like the EU. Different agencies handle different aspects:
FTC: General privacy, consumer protection
State attorneys general: State-level enforcement (varies by state)
California residents: California Attorney General's Office (for CCPA complaints)
Website: oag.ca.gov/privacy/ccpa
Office of the Australian Information Commissioner (OAIC):
For privacy complaints under Privacy Act 1988:
GPO Box 5218
Sydney NSW 2001
Australia
Phone: 1300 363 992
Email: [email protected]
Website: www.oaic.gov.au
Online complaint form: www.oaic.gov.au/privacy/privacy-complaints
Before complaining to OAIC:
Australian law generally requires you to complain to us first
Give us opportunity to resolve the complaint
If unsatisfied with our response (or no response within 30 days), you can escalate to OAIC
Australian Communications and Media Authority (ACMA):
For spam complaints under Spam Act 2003:
Website: www.acma.gov.au
Online complaint form: www.acma.gov.au/spam-complaint
In addition to regulatory complaints:
EU/Germany:
You have the right to an effective judicial remedy against us (if we breach GDPR)
You have the right to judicial remedy against supervisory authority decisions
You can seek compensation for material or non-material damage from GDPR violations
US:
State and federal courts provide judicial remedies for privacy violations
Class action lawsuits available for certain violations
Private right of action varies by statute (e.g., CCPA provides limited private right of action for data breaches)
Australia:
You can apply to court for orders to enforce Privacy Act
Compensation available for loss or damage from interference with privacy
We prefer to resolve complaints directly before involvement of authorities:
Faster resolution
Direct communication
Tailored solutions
Please contact us first: [email protected]
However, you have the absolute right to complain to supervisory authorities at any time, and we won't penalize you for doing so.
Our website and emails may contain links to third-party websites, services, or resources.
We are not responsible for:
Privacy practices of third-party sites
Content of third-party sites
Cookies or tracking by third parties
Data collected by third parties
This Privacy Policy does not apply to third-party sites.
We recommend:
Read privacy policies of sites you visit
Understand how third parties handle your data
Exercise caution when providing personal information to third parties
We include links for:
Convenience and information
Educational resources
Product recommendations (including affiliates)
Research sources
Links do not constitute endorsement of third-party privacy practices.
We may have presence on social media platforms (currently or in future):
Twitter/X
TikTok
YouTube
When you interact with our social media:
Social media platform's privacy policy applies
Platform collects data about your interaction
Platform may share aggregate data with us
We may see your public profile information
We don't control:
Social media platform data practices
What data platforms collect
How platforms use your data
Refer to platform privacy policies:
Instagram: help.instagram.com/privacy
Twitter/X: twitter.com/privacy
Facebook: facebook.com/privacy
LinkedIn: linkedin.com/legal/privacy-policy
If GutSignals is involved in business transaction:
Merger or acquisition
Sale of assets
Bankruptcy or insolvency
Corporate reorganization
Your personal data may be transferred to the acquiring party or successor entity.
Protections:
Acquiring party bound by this Privacy Policy (or equivalent)
Advance notice provided where feasible
Option to delete your data before transfer (where legally possible)
Successor must honor your privacy rights
We'll notify you via:
Email to all subscribers
Prominent website notice
Updated Privacy Policy
Your options if you object:
Unsubscribe before transfer
Request deletion (subject to legal requirements)
Exercise your privacy rights with new controller
We may create aggregate or anonymized data from personal information.
Anonymization means:
Data cannot be re-identified to you
Not considered "personal data" under GDPR, CCPA, or Australian law
Can be used and shared without restriction
Uses of anonymized data:
Industry research and reports
Statistical analysis
Business intelligence
Product development
Public reports (e.g., "% of subscribers interested in X topic")
This Privacy Policy does not restrict our use of anonymized data.
We may disclose personal information when legally required.
Legal obligations:
Comply with court orders or subpoenas
Respond to law enforcement requests (with valid legal process)
Meet tax or accounting requirements
Comply with regulatory investigations
Enforce our legal rights
Public interest:
Prevent or investigate fraud
Protect rights, property, or safety of GutSignals, users, or public
Prevent illegal activity
National security or public safety (where legally required)
We'll notify you of legal requests unless:
Legally prohibited from doing so (e.g., gag order)
Emergency circumstances
Notice would undermine investigation
We don't sell data to law enforcement or provide blanket access to authorities.
Some browsers have "Do Not Track" (DNT) signals.
Current status: No uniform industry standard exists for responding to DNT signals.
Our practice:
We don't currently respond to DNT signals
We honor cookie preferences set through our cookie banner
You can manage cookies through browser settings
If industry standard emerges: We'll evaluate implementation and update this policy.
If any provision of this Privacy Policy is found invalid or unenforceable:
Only that provision is affected
Remaining provisions remain in full effect
Invalid provision replaced with enforceable provision accomplishing original intent
This Privacy Policy is governed by:
Primary: Laws of Germany
Also subject to: GDPR (EU), applicable US state laws, Australian Privacy Act (depending on subscriber location)
Jurisdiction-specific provisions supersede general provisions where required by local law.
This Privacy Policy is provided in English.
If translated:
English version is authoritative in case of conflict
Translations provided for convenience only
Legal interpretation based on English version
BY SUBSCRIBING TO OUR NEWSLETTER, ACCESSING OUR WEBSITE, OR USING OUR SERVICES, YOU ACKNOWLEDGE THAT:
✓ You have read this entire Privacy Policy
✓ You understand how we collect, use, and protect your personal data
✓ You understand your privacy rights and how to exercise them
✓ You consent to the data practices described herein
✓ You understand that data may be transferred internationally
✓ You understand our use of cookies and tracking technologies
✓ You agree to this Privacy Policy and any future updates
✓ You have the opportunity to withdraw consent or unsubscribe at any time
IF YOU DO NOT AGREE WITH ANY PART OF THIS PRIVACY POLICY, YOU MUST NOT SUBSCRIBE TO OUR NEWSLETTER OR USE OUR SERVICES.
Your privacy matters to us. We're committed to transparency, security, and respecting your rights.
Questions? Contact us anytime at [email protected]
Last Updated: 2025
Version: 1.0
Next Scheduled Review: 2026
© 2025 GutSignals. All rights reserved.