Privacy Policy

Last updated: September 10, 2025

Summary

We collect the minimum data needed to run deep.org, send our newsletter, and keep the site secure. We don't sell your personal data. You can unsubscribe or request deletion anytime.

Who we are

deep.org is an editorial site and newsletter focused on AI and the near future. Contact: privacy@deep.org.

What we collect

  • Email address when you subscribe.
  • Attribution fields you see or that are derived at signup (if present): utm_source, utm_medium, utm_campaign, utm_term, utm_content, the referrer URL, and the landing URL where you subscribed.
  • First-touch attribution stored in your browser (localStorage) on your first visit — e.g., initial source/medium/campaign, first landing URL, and a timestamp — and sent with your consent when you subscribe.
  • Technical metadata (e.g., IP address, user agent) captured by our hosting/security providers when you visit or submit forms.
  • Anti-bot signals from Cloudflare Turnstile if the widget is present on a form; we verify the Turnstile token on our server.

How we use your data

  • To send you emails you asked for (newsletter, announcements) via our email provider.
  • To operate and secure the site, including abuse/fraud prevention and performance.
  • To understand high-level audience interest and channel performance (e.g., which sources lead to subscriptions) using attribution fields.

Legal bases (EEA/UK)

  • Consent for email marketing (you opt in).
  • Legitimate interests for site operation, abuse prevention, and service improvement (including attribution and security verification).

Processors & services we use

  • Kit (ConvertKit): subscriber management and email delivery (we use Kit’s v4 API to create/upsert subscribers, add you to our form, and store attribution as custom fields).
  • Cloudflare: hosting/CDN and Workers (our subscribe endpoint runs on Cloudflare Workers), plus Turnstile for anti-bot verification.
  • Google Fonts: we load fonts from Google’s CDN, which may receive your IP address and user agent when fonts are fetched.
  • Email/Support: standard email services for inbound messages (if you contact us).

These providers process your data on our behalf under their terms and security controls.

Cookies, local storage & tracking

  • We currently avoid invasive analytics. We may store a small first-touch attribution record in your browser’s localStorage (source/medium/campaign, landing URL, timestamp) so that, when you subscribe, we can understand how you found us.
  • Cloudflare Turnstile may set or read cookies strictly for bot detection and verification.
  • You can clear localStorage/cookies in your browser at any time. If you prefer not to send UTMs, remove them from the URL before subscribing.

Data retention

  • Subscriber data is kept while you're subscribed. If you unsubscribe, we retain minimal suppression data to honor opt-outs.
  • Attribution fields stored with your subscriber profile are kept alongside your subscription record, or removed upon deletion requests where feasible.
  • Security logs (including Turnstile verifications) may be retained briefly for abuse prevention and troubleshooting.

Your choices & rights

  • Unsubscribe: Every email includes an unsubscribe link; you can also email privacy@deep.org.
  • Access, correction, deletion: Contact us to request a copy, fix errors, or delete your data.
  • EEA/UK: You may have additional rights under GDPR; you can also complain to your local data protection authority.
  • California: We don't sell or share personal information as defined by CCPA/CPRA. You can still email us with any requests.

International transfers

Our providers may process data in multiple regions. We use reputable vendors with appropriate safeguards (e.g., Standard Contractual Clauses where applicable).

Security

We use HTTPS, reputable processors, environment-stored API keys, and least-access practices. No system is perfectly secure; report concerns to security@deep.org.

Children

Deep.org is not directed to children under 13. If you believe a child provided personal data, contact us and we'll delete it.

Changes

We’ll update this policy as we evolve (for example, if we add analytics or change providers). Material changes will be noted on this page with a new “Last updated” date.