What we collect, why, and what we do with it.

Standard Poorly is a publication operated by Romulus Foundry LLC (“we,” “us,” “our”), a Delaware-formed limited liability company. This Privacy Policy explains what personal information we collect when you visit standardpoorly.com or subscribe to our communications, why we collect it, who we share it with, and what rights you have over it. Questions go to hello@standardpoorly.com.

Email address (if you give us one). If you subscribe to the newsletter or any future product communication, we collect your email address, a timestamp, and a tag indicating which signup form you used (e.g. midscroll, sidebar, footer). We also store a one-way hash of the IP address and user-agent string at signup, used only for spam mitigation — we do not store the raw values.

Server logs. Like every web server in existence, ours logs IP addresses, user-agent strings, request paths, response codes, and timestamps. Logs are rotated on a 30-day cycle. They are not joined to your email address or to any other identifier we hold.

One first-party preference cookie. We use one cookie (sp.mode + sp.lexicon) to remember which view modes you picked (Almanac vs. Terminal skin; Plain vs. Technical lexicon). The cookie is set in your browser's localStorage, not via Set-Cookie headers, and never leaves your device.

Anonymized analytics (Vercel Web Analytics). We use Vercel's built-in analytics to count pageviews and see where visitors came from (referrers like “newsletter,” “search,” “direct”). It is cookie-less, does not set any client-side identifier, does not follow you across other sites, and does not collect personal information. The country-level geography it shows us is derived from your IP at request time and is not stored against any identifier we hold. We use this only to understand which pages resonate and where readers find us — never to profile individuals. Vercel's privacy statement: https://vercel.com/legal/privacy-policy.

What we do NOT collect. No Google Analytics. No Meta Pixel. No third-party advertising trackers. No session-replay or heatmap tools. No browser fingerprinting. No demographic or interest-graph profiles. No retargeting pixels. No location data beyond what your IP implies. No payment information directly — payment processors handle that and we never see your card number.

Email: to send you the newsletter you signed up for. Server logs: to diagnose outages, debug abuse (rate-limiting, bot detection), and understand aggregate traffic patterns. Preference cookie: to remember your view mode so you don't have to re-toggle on every page load. IP/UA hash on signup: to prevent the same person from subscribing one address from a thousand bots. Anonymized analytics: to see which articles and indicators get read, where readers find us (newsletter vs. search vs. social), and what to prioritize editorially. Aggregate counts only — never tied to an identifier.

We use the following third-party services to operate the site. Each is contractually bound to use the data only to provide their service and not for their own purposes:

• Cloudflare (planned) — CDN + DNS + DDoS protection. Sees your IP and request paths. They keep edge logs for ~7 days. Privacy policy: https://www.cloudflare.com/privacypolicy/
• Supabase — database where your email address lives if you subscribe. Hosted in their US region. Their privacy policy: https://supabase.com/privacy
• Google Workspace — operates our staff email (hello@standardpoorly.com). Sees emails you send to us. Their privacy policy: https://workspace.google.com/terms/2020/2/privacy_policy.html
• Resend (planned, when we start sending newsletters) — the transactional email service that delivers the newsletter to your inbox. Sees your email address and the contents of what we send. https://resend.com/legal/privacy-policy
• Vercel — the hosting platform. Sees your IP and request paths via standard edge logs. We have Vercel Web Analytics enabled, which counts pageviews and referrers without cookies or cross-site tracking. Privacy statement: https://vercel.com/legal/privacy-policy

We will publish updated subprocessor lists if any of these change. Material changes will be summarized at the top of this page with a date.

Email subscribers: kept for as long as you remain subscribed. When you unsubscribe, we set a soft-delete flag (so we can suppress future sends) and the row is fully deleted within 90 days unless you ask us to accelerate that.

Server logs: rotated on a 30-day cycle. Older entries are permanently destroyed and not archived.

Hashed IP/UA from signup: kept for 12 months for spam mitigation, then nulled out.

We do not sell, rent, trade, or barter your personal data. Period. There is no “legitimate business interest” rationale we would invoke to justify monetizing your email address.

We share data with the subprocessors listed above only to the extent strictly necessary to provide the service (e.g. your email goes to Resend so it can deliver the newsletter to you).

If we are compelled by valid legal process — a subpoena, court order, or warrant — to share data, we will share what is required and nothing more. We will publish a transparency note within 90 days of compliance, redacted only to the extent the legal process requires.

Regardless of where you live, you have the following rights with respect to the personal data we hold about you:

• Access. Email hello@standardpoorly.com and we will send you a complete export of what we hold within 30 days.
• Deletion. Same address — request deletion and we will erase your data within 30 days. (Some legal-record retention may apply for up to 7 years on financial transactions; we'll explicitly call out anything that's exempted from immediate deletion.)
• Portability. Your data export comes in machine-readable CSV/JSON.
• Correction. Same email; we'll fix it within 30 days.
• Opt out of sale. N/A — we don't sell data. But if you want to be triple-sure, email us and we will confirm in writing.

For California residents (CCPA): you have all the above plus the right to know what categories of data we collect, the right to opt-out of sale (we don't sell), and the right to non-discrimination for exercising these rights. For EU/UK residents (GDPR): all of the above, plus the right to lodge a complaint with your local supervisory authority.

We use exactly one first-party preference cookie (sp.mode + sp.lexicon) to remember your view modes. It is set via browser localStorage, not server-side cookies, and is not used for tracking. We do not display a cookie banner because we do not need consent for strictly-necessary preference storage under GDPR/CCPA.

Standard Poorly is intended for adults. We do not knowingly collect personal data from anyone under 16 (the GDPR threshold). If you are a parent or guardian who believes your child has subscribed, email hello@standardpoorly.com and we will delete the data within 7 days.

The subscribers table in Supabase has row-level security enabled — the public anon key cannot read or write it. Writes happen only through a server action using the service-role key, which never leaves the server. Inbound traffic flows through TLS (HTTPS-only; HTTP is redirected). We do not store passwords or other authentication credentials yet because we do not have user accounts; once we ship Analyst / Trader tiers, this section will be updated to describe credential handling (hashing algorithm, rotation policy, etc.).

No system is perfectly secure. If we discover a breach affecting your data, we will notify you by email within 72 hours of discovery, in line with GDPR breach-notification timelines.

We will summarize material changes at the top of this page with the effective date. Non-material changes (typo fixes, restructuring) are made silently. Subscribers will receive an in-newsletter notice for material changes; for non-subscribers we update the date stamp on the page.

Privacy questions, data requests, or breach reports: hello@standardpoorly.com. Mailing address available on request.