Privacy Policy

v3.0 | GDPR & CPRA
Last updated: January 2, 2025 | Effective: January 15, 2025

Your Privacy Matters

This Privacy Policy explains how Nunterei, Inc. ("Nunterei," "we," "us," or "our") collects, uses, shares, and protects your personal information. We are committed to protecting your privacy and complying with applicable data protection laws including GDPR, CPRA, and other privacy regulations.

GDPR Article 13/14 Compliant | CPRA §1798.100 Compliant | Aligned with ISO 27001

§1 Overview and Scope

1.1 Introduction. Nunterei operates a newsletter advertising marketplace that connects publishers with advertisers. This Privacy Policy applies to all personal information we process about you when you use our platform, visit our website, or interact with our services.

1.2 Data Controller. Nunterei, Inc., a Delaware corporation, is the data controller responsible for your personal information. Our registered office is located at c/o Registered Agent Solutions, 1000 N West Street, Suite 1200, Wilmington, DE 19801, United States.

1.3 Data Protection Officer. We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with privacy laws. You can contact our DPO at:

Email: dpo@nunterei.com

Phone: +1 (555) 123-4567

Mail: Attn: Data Protection Officer, Nunterei, Inc., c/o Registered Agent Solutions, 1000 N West Street, Suite 1200, Wilmington, DE 19801

1.4 Scope of Application. This policy applies to:

  • Visitors to our website and platform
  • Registered users (Publishers and Advertisers)
  • Newsletter subscribers
  • Business partners and vendors
  • Job applicants

1.5 EU/UK Representatives. As we don't have an establishment in the EU/UK, we have appointed representatives pursuant to Article 27 GDPR and UK GDPR:

EU Representative:

GDPR Local EU

Attn: Nunterei

1 Rue de la Paix

75002 Paris, France

Email: privacy-eu@nunterei.com

UK Representative:

GDPR Local UK

Attn: Nunterei

167-169 Great Portland St

London W1W 5PF, UK

Email: privacy-uk@nunterei.com

Notice at Collection (California)

We provide a detailed summary of data categories, purposes, and retention periods at the point of collection. View our comprehensive notice at nunterei.com/privacy-notice

§2 Information We Collect

2.1 Categories of Personal Information. We collect the following categories of personal information:

Information You Provide Directly

Account Information

Name, email, username, encrypted password, phone number

Profile Information

Business name, newsletter details, audience demographics, bio

Payment Information

Billing address, tax ID, Stripe account details (no card numbers stored)

Communications

Messages, support tickets, feedback, reviews

Content

Newsletter content, campaign details, ad creatives, media kits

Verification Data

Government ID (when required), business documents

Information Collected Automatically

Usage Data

Pages visited, features used, click patterns, session duration

Device Information

IP address, browser type, OS, device ID, screen resolution

Location Data

Country, region, city (derived from IP address)

Analytics Data

Performance metrics, conversion rates, user journeys

Cookies & Tracking

Session cookies, authentication tokens, preferences, pixels

Log Data

Server logs, error reports, API calls, timestamps

Information from Third Parties

Authentication Providers

Profile information from Clerk (name, email, profile picture)

Payment Processors

Transaction details, payment status from Stripe

Analytics Services

User behavior data from PostHog

Public Sources

Publicly available business information, social media profiles

2.2 Sensitive Personal Information. We limit collection of sensitive personal information. We may process:

  • Government-issued ID numbers (only when legally required for tax purposes)
  • Financial account information (through secure third-party processors)
  • Precise geolocation (only with explicit consent)

§4 How We Use Your Information

4.1 Primary Purposes. We use your personal information for the following purposes:

Service Delivery

  • Operating the marketplace platform
  • Matching publishers with advertisers
  • Processing bookings and payments
  • Providing customer support

Security & Compliance

  • Preventing fraud and abuse
  • Ensuring platform security
  • Complying with legal obligations
  • Enforcing our policies

Communications

  • Transactional notifications
  • Service updates and announcements
  • Marketing (with consent)
  • Support responses

Improvement & Analytics

  • Analyzing usage patterns
  • Improving user experience
  • Developing new features
  • Conducting research

We Do NOT:

  • Sell your personal information to third parties
  • Use your data for purposes incompatible with this policy
  • Share your data without legal basis or your consent
  • Make automated decisions with legal effects without human review

§5 Information Sharing and Disclosure

5.1 Categories of Recipients. We share your personal information with the following categories of recipients:

Other Platform Users

Publishers see: Advertiser campaign details, company information, contact for bookings

Advertisers see: Publisher profiles, newsletter metrics, media kits, pricing

All users see: Public profiles, reviews, ratings (when implemented)

Service Providers

Stripe

Payment processing, KYC/AML

Clerk

Authentication, user management

PostHog

Analytics, product insights

Convex

Database, real-time sync

Vercel

Hosting, CDN, edge functions

AWS

Cloud infrastructure, storage

Legal Disclosures

We may disclose your information when required by law or in good faith belief that disclosure is necessary to:

  • Comply with legal obligations, subpoenas, or court orders
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing
  • Protect the safety of users or the public
  • Protect against legal liability

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control.

5.2 Data Processing Agreements. We have entered into data processing agreements with all service providers who process personal data on our behalf, ensuring they maintain appropriate security measures and process data only on our instructions.

§6 California Privacy Rights Act (CPRA) Compliance

6.1 CPRA Rights. If you are a California resident, you have the following rights under the CPRA:

Right to Know

Request disclosure of personal information we collect, use, disclose, and sell

Right to Delete

Request deletion of personal information we have collected from you

Right to Opt-Out

Opt-out of the sale or sharing of your personal information for cross-context behavioral advertising

Right to Correct

Request correction of inaccurate personal information

Right to Limit Use

Limit use and disclosure of sensitive personal information

Right to Non-Discrimination

Not be discriminated against for exercising your privacy rights

CPRA Disclosure Table

Category | Sources | Business Purpose | Shared With | Sold/Shared?
Identifiers | You, automatic collection | Account management, communications | Service providers | Shared for analytics
Commercial Information | You, transactions | Transaction processing, analytics | Payment processors | No
Internet Activity | Automatic collection | Analytics, personalization | Analytics providers | Shared for analytics
Geolocation Data | IP address | Fraud prevention, compliance | Security providers | No
Professional Information | You provide | Service delivery, matching | Platform users | No

Important Notice:

We do not "sell" personal information for monetary consideration. We may "share" certain identifiers with analytics partners for cross-context behavioral advertising purposes. We honor Global Privacy Control (GPC) signals as valid opt-out requests under the CPRA.

6.2 Exercising Your Rights. To exercise any of your CPRA rights, please:

  • Email us at privacy@nunterei.com
  • Call us at 1-800-PRIVACY
  • Submit a request through your account settings
  • Have your authorized agent submit a request with written permission

We will verify your identity before processing your request and respond within 45 days. If we deny your request, you may appeal by contacting privacy@nunterei.com.

§7 Your Rights Under GDPR

7.1 Data Subject Rights. If you are in the European Economic Area (EEA), UK, or Switzerland, you have the following rights under the General Data Protection Regulation:

Right of Access (Article 15)

Obtain confirmation of whether we process your data and access to your personal data and processing information

Right to Rectification (Article 16)

Correct inaccurate personal data and complete incomplete data

Right to Erasure (Article 17)

Request deletion of your data when no longer necessary or processing is unlawful

Right to Restriction (Article 18)

Restrict processing while we verify accuracy or when you object to processing

Right to Portability (Article 20)

Receive your data in a structured, machine-readable format and transfer to another controller

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes

Additional GDPR Rights

  • Automated Decision-Making: Right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects
  • Lodge a Complaint: Right to lodge a complaint with your local supervisory authority. Find your authority at edpb.europa.eu (UK users: ICO)
  • Appeals Process: If we deny your request, you may appeal by contacting privacy@nunterei.com. EU/UK users may also complain to their supervisory authority (ICO for UK, local DPA for EU).
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal

7.2 How to Exercise Your Rights. To exercise any of these rights:

  1. Log into your account and use the privacy settings
  2. Email our Data Protection Officer at dpo@nunterei.com
  3. Submit a formal request at privacy@nunterei.com

We will respond to your request within 30 days. Complex requests may take up to 90 days with notice.

§8 Data Retention Schedule

8.1 Retention Periods. We retain personal data only as long as necessary for the purposes outlined in this policy and to comply with legal obligations. Our retention schedule:

Data Category | Retention Period | Reason
Account Information | Duration of account + 30 days | Service provision, recovery period
Transaction Records | 7 years | Tax and accounting requirements
Marketing Preferences | Until withdrawn + 3 years | Compliance with opt-out requests
Support Communications | 3 years | Customer service quality, legal defense
Analytics Data | 26 months | Service improvement, trend analysis
Security Logs | 12 months | Security monitoring, incident response
Legal Hold Data | As required | Legal obligations, litigation

8.2 Data Minimization. We follow the principle of data minimization, collecting only what is necessary and deleting data when it is no longer needed. We conduct regular reviews to ensure compliance with our retention schedule.

8.3 Deletion Process. When data reaches its retention limit, it is either:

  • Permanently deleted from our systems
  • Anonymized so it can no longer identify you
  • Archived securely if required by law

Important Notes on Retention

  • Backup Retention: Deleted data may persist in backups for up to 90 days
  • Criteria-based: Retention periods are aligned with legal and operational requirements
  • Right to Erasure: You may request early deletion subject to legal obligations

§9 Data Security Measures

9.1 Technical and Organizational Measures. We implement comprehensive security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption at rest
  • Encrypted backups
  • Encryption in transit (TLS 1.3) and at rest (AES-256)

Access Control

  • Multi-factor authentication
  • Role-based permissions
  • Regular access reviews
  • Principle of least privilege

Infrastructure

  • SOC 2 certified data centers
  • Aligned with ISO 27001 security practices
  • Annual penetration testing
  • Regular security audits
  • DDoS protection
  • Web application firewall

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Automated threat response
  • Security incident logging

9.2 Employee Training. All employees with access to personal data receive regular training on:

  • Data protection principles and regulations
  • Security best practices
  • Incident response procedures
  • Confidentiality obligations

Security Disclaimer: While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you of any breaches affecting your personal data.

Vulnerability Disclosure Program

We welcome security researchers to report vulnerabilities responsibly. Please report security issues to security@nunterei.com. We conduct annual penetration testing and will acknowledge valid reports within 48 hours.

§10 Cookies and Tracking Technologies

EU/UK Cookie Consent

We obtain explicit consent before setting non-essential cookies. Essential cookies required for authentication and security may be set without consent. You can withdraw consent anytime via our cookie settings. We use a Consent Management Platform compliant with IAB TCF 2.2.

10.1 Types of Cookies. We use the following categories of cookies:

🍪 Essential Cookies

Required for the platform to function properly

__session: Authentication token

__clerk: User session management

csrf_token: Security protection

📊 Analytics Cookies

Help us understand how you use our platform

ph_*: PostHog analytics

_ga: Google Analytics (if enabled)

distinct_id: User tracking

⚙️ Preference Cookies

Remember your settings and preferences

theme: Light/dark mode preference

locale: Language preference

sidebar_state: UI preferences

10.2 Cookie Management. You can manage cookies through:

  • Browser settings - block or delete cookies
  • Cookie settings button - manage preferences
  • Do Not Track - we honor DNT signals

10.3 Other Tracking Technologies:

  • Local Storage: Stores preferences and temporary data
  • Session Storage: Temporary storage cleared when browser closes
  • Pixels: Track email opens and conversions
  • Device Fingerprinting: Limited to fraud prevention only (not for tracking or advertising)

§11 Third-Party Services

11.1 Service Providers. We work with trusted third-party services to operate our platform:

Stripe

Payment Processor

US/EU data centers

Clerk

Authentication Processor

US data centers

PostHog

Analytics Processor

EU data centers (self-hosted option available)

Convex

Database Sub-processor

US data centers

Vercel

Hosting Sub-processor

Global CDN

AWS

Infrastructure Sub-processor

Multi-region data centers

11.2 Third-Party Integrations. When you connect third-party services to your account, you authorize us to access and use information as permitted by those services' terms and privacy policies.

§12 International Data Transfers

12.1 Cross-Border Transfers. Your personal data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your jurisdiction.

Lawful Transfer Mechanisms

We rely on the following lawful transfer mechanisms for international data transfers:

  • EU Standard Contractual Clauses: Commission Implementing Decision 2021/914 for EU data transfers
  • UK IDTA/Addendum: UK International Data Transfer Agreement or UK Addendum to EU SCCs
  • Adequacy Decisions: Transfers to countries deemed adequate by relevant authorities
  • EU-U.S. Data Privacy Framework: DPF and UK Extension (when certified)
  • Transfer Impact Assessments: We perform TIAs and apply supplementary measures
  • Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256)

12.2 Data Localization. Where required by law, we store and process data within specific jurisdictions. EU personal data is primarily processed within the EEA with appropriate safeguards for any transfers outside.

§13 Children's Privacy (COPPA Compliance)

13.1 Age Restrictions. Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.

Important Notice for Parents

If you believe your child has provided us with personal information without your consent, please contact us immediately at privacy@nunterei.com. We will take steps to remove such information and terminate the child's account.

13.2 Age Verification. We verify age during account creation and payment setup through:

  • Age declaration during signup process
  • Identity verification for payment processing
  • Automated checks during account creation
  • Immediate account deletion upon discovering users under 18

§14 Marketing Communications

14.1 Marketing Preferences. We may send you marketing communications about our services, features, and promotions. You can manage your preferences:

Opt-In Communications

  • Newsletter updates
  • Product announcements
  • Educational content
  • Special offers

Always Sent (Transactional)

  • Account notifications
  • Payment receipts
  • Security alerts
  • Legal updates

14.2 Unsubscribe Options. You can opt-out of marketing communications by:

  • Clicking the unsubscribe link in any marketing email
  • Updating preferences in your account settings
  • Contacting us at unsubscribe@nunterei.com

EU/UK Marketing Compliance

EU/UK Users: We send marketing emails only with explicit consent or under 'soft opt-in' where you purchased similar services and were given opt-out at collection. We comply with Privacy and Electronic Communications Regulations (PECR) and ePrivacy requirements.

§15 Analytics and Tracking Technologies

15.1 Analytics Services. We use analytics to understand how our Service is used and to improve user experience:

PostHog Analytics

What we track:

  • Page views and navigation
  • Feature usage
  • User journeys
  • Conversion funnels

What we DON'T track:

  • Keystrokes or passwords
  • Payment card details
  • Private messages content
  • Sensitive personal data

15.2 Do Not Track Signals. We respect Do Not Track (DNT) browser signals. When DNT is enabled:

  • We disable non-essential analytics tracking
  • We don't load third-party marketing pixels
  • We limit data collection to essential operations only

15.3 Social Media Features. Our Service includes social media features (share buttons, login options). These features may collect your IP address and set cookies. They are governed by the privacy policies of those platforms.

§16 Data Breach Response Procedures

16.1 Breach Response Plan. In the event of a data breach, we follow a comprehensive response plan:

72-Hour Response Timeline

  1. 0-24 Hours: Detection & Containment - Identify breach, contain damage, assess scope
  2. 24-48 Hours: Investigation & Assessment - Determine affected data and users, evaluate risk
  3. 48-72 Hours: Notification & Remediation - Notify authorities and affected users, implement fixes

16.2 User Notification. If a breach affects your personal data, we will:

  • Notify you within 72 hours of discovery
  • Describe the nature of the breach
  • Explain potential consequences
  • Outline steps we're taking
  • Provide recommendations for protection
  • Offer support and assistance

Regulatory Notification Requirements

  • EU/UK: We notify supervisory authorities within 72 hours and affected users without undue delay when high risk
  • US: We follow state breach notification laws with timelines ranging from immediate to 30 days
  • California: Notice to AG required if breach affects 500+ CA residents

§17 Privacy by Design Principles

17.1 Our Commitment. We implement privacy by design principles throughout our platform:

🔒 Proactive Protection

Preventing privacy issues before they occur through careful system design

⚙️ Default Privacy

Maximum privacy protection by default without requiring user action

🔍 Full Transparency

Clear visibility into what data we collect and how we use it

🛡️ End-to-End Security

Secure data throughout its entire lifecycle

17.2 Data Minimization. We only collect data that is:

  • Adequate - sufficient to properly fulfill our stated purpose
  • Relevant - has a rational link to that purpose
  • Limited - not more than necessary

§18 Automated Decision-Making and Profiling

18.1 AI-Powered Features. We use automated systems for certain platform features:

Automated Processing Areas

Newsletter-Advertiser Matching

AI analyzes compatibility between newsletters and campaigns

Human review available on request

Fraud Detection

Automated systems flag suspicious activities

Manual review before account actions

Content Moderation

Initial screening of user-generated content

Human moderators make final decisions

18.2 Your Rights. Regarding automated decision-making, you have the right to:

  • Request human intervention in automated decisions
  • Express your point of view about automated decisions
  • Contest decisions that significantly affect you
  • Opt-out of profiling for marketing purposes

Note: We do not make fully automated decisions with legal or similarly significant effects without human review.

§19 Changes to This Privacy Policy

19.1 Policy Updates. We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

How We Notify You of Changes

Material Changes: Email notification and prominent website notice at least 30 days before effective date

Minor Changes: Update to this page with revised date

Legal Requirements: Immediate updates as required by law with notice as soon as possible

19.2 Version History. You can view previous versions of our Privacy Policy by contacting privacy@nunterei.com.

19.3 Continued Use. Your continued use of our Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you disagree with changes, please discontinue use of our Service.

§20 Contact Information

20.1 How to Contact Us. For privacy-related questions, concerns, or to exercise your rights:

Data Protection Officer

dpo@nunterei.com

+1 (555) 123-4567

Available Mon-Fri, 9am-5pm EST

Privacy Team

privacy@nunterei.com

nunterei.com/privacy-request

Response within 48 hours

Mailing Address

Nunterei, Inc.
Attn: Privacy Department
c/o Registered Agent Solutions
1000 N West Street, Suite 1200
Wilmington, DE 19801
United States

Supervisory Authorities

EU residents may also contact their local data protection authority:

Find your local authority →

§21 Data Controller and Processor Roles

21.1 When Nunterei is the Controller. We act as the data controller for:

  • Account registration and management data
  • Platform operations and service delivery
  • Payment processing and billing
  • Fraud prevention and security
  • Platform analytics and improvements
  • Marketing and communications (with consent)

21.2 When Nunterei is the Processor. We act as a data processor when:

  • Publishers share newsletter subscriber data for performance attribution
  • Processing data on behalf of publishers for campaign performance metrics
  • Handling data as directed by publishers for their business purposes

In these cases, the publisher remains the data controller and we process data according to their instructions.

Data Processing Agreement (DPA)

When we act as a processor, our Data Processing Agreement applies. The DPA includes:

  • Details of processing activities
  • Security measures and certifications
  • Sub-processor list and notification procedures
  • Data subject rights assistance
  • Audit and inspection rights

View our DPA at nunterei.com/dpa

Sub-processors

We use the following sub-processors to deliver our services:

View our current sub-processor list at nunterei.com/sub-processors

We notify customers of sub-processor changes with 30 days advance notice.

Privacy Policy Acceptance

By using Nunterei's services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein. If you do not agree with our practices, please do not use our services.

Version: 3.0 | Last Modified: January 2, 2025 | Effective: January 15, 2025

© 2025 Nunterei, Inc. All rights reserved.