500k.io ("we", "us") respects your privacy. This page explains what we collect, why, how we keep it, and how you can control it. It's written in plain English. Where law requires more formality, we add the formal text under the relevant section.

1. Who we are

500k.io is operated by Maxime Le Morillon ("Data Controller"). Contact: maxime@500k.io.

2. What we collect

  • Email address if you subscribe to the newsletter or download a lead magnet. Stored in Beehiiv (newsletter) and Supabase (event log). Sent to Resend for confirmation/welcome emails.
  • Privacy-friendly analytics (page views, referrers) via Cloudflare Web Analytics — no cookies, no cross-site tracking.
  • Google Analytics 4 with privacy hardening: IP anonymization on, Google Signals off, ad personalization off, no user-id collection. We use GA4 to understand which articles work and which don't.
  • Microsoft Clarity (when enabled) for heatmaps and session recordings, anonymized.
  • Form submissions (contact, sponsor) — the message you send us.
  • Operational logs kept for security and debugging, retained 30 days.

3. What we don't collect

  • We don't show ads, run remarketing, or share data with ad networks.
  • We don't track you across other sites.
  • We don't sell your data, ever.

4. Why we collect it

  • Send you content you asked for (newsletter, lead magnets).
  • Improve articles (knowing which pages get read).
  • Comply with legal obligations.

Legal basis (GDPR Art. 6): your consent (newsletter opt-in), our legitimate interest (analytics), contract performance (lead magnets you requested).

5. Where we store it

  • Supabase (EU region) — primary database.
  • Beehiiv (US) — newsletter sends. Standard Contractual Clauses apply.
  • Resend (US) — transactional email. SCCs apply.
  • Cloudflare R2 — lead-magnet PDFs.

6. How long we keep it

  • Email + name: until you unsubscribe (1-click in every email) or request deletion.
  • After unsubscribe: deleted within 30 days, except where law requires retention (e.g. tax records).
  • Analytics: aggregated, no PII, kept 24 months.
  • Operational logs: 30 days.

7. Your rights (GDPR / CCPA / equivalent)

  • Access — request a copy of your data.
  • Rectification — correct any errors.
  • Erasure ("right to be forgotten") — we delete on request.
  • Portability — we'll send you your data in a machine-readable format.
  • Object / restrict — pause certain processing.
  • Lodge a complaint with your local Data Protection Authority (in France: CNIL; in the EU: your national DPA).

To exercise any right, email maxime@500k.io. We respond within 30 days, at no charge.

8. Cookies

500k.io does not use marketing or tracking cookies. Functional cookies (e.g. theme preference) may be set; these don't require consent under GDPR. See /cookies.

9. Sub-processors

  • Cloudflare — hosting, edge, CDN.
  • Supabase — database.
  • Beehiiv — newsletter.
  • Resend — transactional email.
  • Replicate — image generation (no PII sent).
  • Bright Data — public web scraping (no PII sent).

10. Children

500k.io is not aimed at minors and we don't knowingly collect data from anyone under 16.

11. Changes to this policy

We update this page when our practices change. Material changes are announced by email to all subscribers. The date of the last update is shown at the top of this page.

12. Contact

Questions, requests, or concerns: maxime@500k.io.