You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.

Effective Date: 30 September 2025

Introduction

Steven Wilson is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal information for the Mailing List hosted on Substack and accessible via stevenwilsonhq.com. We comply with GDPR, UK GDPR, CCPA, and global privacy laws, never selling your data and prioritising your control. This Policy supplements Substack’s Privacy Policy (substack.com/privacy). We act as data controller for Mailing List-specific processing; Substack handles technical operations.

1. Information We Collect

We collect minimal data to deliver the Services:

  • Subscription Data: Email, name (optional), and preferences.

  • Usage Data: IP address, device information, and interactions (e.g., email opens) via Substack analytics, used to improve content.

  • Payment Data (if applicable): Handled by Substack/Stripe; we do not access full payment details.

  • User Content: Comments or feedback you provide.

We avoid collecting sensitive data unless you voluntarily submit it (e.g., event enquiries). Address book syncing, if used, is opt-in and hashed for security.

2. How We Use Your Information

Your data supports the Services:

  • Service Delivery: Sending newsletters and managing subscriptions.

  • Improvement: Anonymised analytics to enhance content.

  • Communication: Updates on relevant topics; opt-out available.

  • Legal Compliance: Meeting legal obligations or protecting rights.

We use data solely to enrich your experience, reflecting our commitment to trust.

3. Sharing Your Information

We share data only as necessary:

  • Substack: For hosting and delivery, under strict agreements.

  • Service Providers: Analytics or email tools, bound by confidentiality.

  • Legal Requirements: If required by law (e.g., court orders).

  • Business Transfers: In mergers, with notice.

We do not sell data. International transfers (e.g., to Substack’s US servers) use safeguards like Standard Contractual Clauses.

4. Data Security and Retention

We use encryption, access controls, and audits to protect your data. Data is retained only as needed (e.g., whilst subscribed) and deleted upon request, per legal requirements.

5. Your Rights and Choices

You control your data:

  • Access/Update/Delete: Request via rob@crystalspotlight.com or Substack settings.

  • Opt-Out: Unsubscribe or withdraw consents at any time.

  • GDPR/UK GDPR/CCPA Rights: Data portability, objection, or restriction.

  • California Residents: No “sales” under CCPA; opt out of “sharing” via Substack settings.

Requests are addressed within 30 days (extendable for complexity).

6. Cookies and Tracking

Substack uses cookies for functionality and analytics (opt out via browser settings). We respect Do Not Track signals.

7. Children’s Privacy

The Services are not intended for those under 16; we delete any such data collected inadvertently.

8. International Users

Data may transfer globally; we ensure equivalent protections.

9. Changes to This Policy

Updates will be posted with notice; continued use implies acceptance.

10. Contact

For questions or rights requests: rob@crystalspotlight.com

Thank you for subscribing—your privacy is our priority.