Privacy Policy

PaperWall Last Updated: May 10, 2026

1. Introduction

Welcome to PaperWall (“we”, “our”, or “us”). PaperWall is operated by an independent international collective of contributors and publishes news, articles, and blog content at our website (the “Site”).

This Privacy Policy explains how we collect, use, store, and protect information when you visit the Site. By using our Site, you agree to the practices described in this policy.

If you have questions about this policy or want to exercise any of the rights described below, contact us at [email protected].

2. Information We Collect

a) Automatically Collected Data When you browse our Site, the following technical data is collected through Google Analytics and standard server logs:

  • IP address (anonymized via Google Analytics IP anonymization)
  • Browser type and version
  • Device and operating system information
  • Pages visited, time spent, and interaction events
  • Referring URLs (how you arrived at our Site)
  • General geographic location (country / city level)

b) Information You Provide via Email If you contact us by email, we collect your email address, your name (if provided), and the content of your message.

c) Newsletter Subscription If you subscribe to our newsletter, we collect your email address and the date/time of your subscription. Subscription is opt-in only — you must actively confirm your subscription via a confirmation email (double opt-in). You can unsubscribe at any time using the link included in every newsletter email.

d) Social Sharing & Embedded Content Our articles may include social share buttons (e.g., X/Twitter, Facebook, LinkedIn) and embedded content from third-party platforms (e.g., YouTube, X). When such elements load on a page, the third-party provider may collect information about your visit, including your IP address. We have no control over data collected by these third parties — see Section 6.

3. Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we rely on the following legal bases under Article 6 GDPR:

  • Consent (Art. 6(1)(a)) — for analytics cookies, newsletter subscription, and loading of third-party embedded content.
  • Legitimate interests (Art. 6(1)(f)) — for processing necessary to operate, secure, and improve the Site (e.g., server logs for security purposes), and to respond to your inquiries. You may object to processing based on legitimate interests at any time.

4. How We Use Your Information

We use the information we collect to:

  • Understand how visitors use our Site and improve content and performance
  • Respond to inquiries received via email
  • Deliver our newsletter to subscribers
  • Monitor and analyze traffic trends and user behavior
  • Ensure the security and stability of our Site
  • Comply with applicable legal obligations

We do not sell, rent, or share your personal information with third parties for marketing purposes.

We do not engage in any automated decision-making or profiling that produces legal effects concerning you.

5. Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our Site. When you first visit, a cookie consent banner lets you accept or reject non-essential cookies. Non-essential cookies (including analytics) will not be set until you give consent. You can change your preferences at any time via the cookie settings link in the footer.

Categories of cookies:

  • Strictly necessary cookies — required for the Site to function (e.g., remembering your cookie consent choice). These do not require consent.
  • Analytics cookies — set by Google Analytics (e.g., _ga, _gid) to help us understand site usage. Set only with your consent.
  • Third-party content cookies — set by embedded content (e.g., YouTube, social share widgets) when those features are loaded. Set only with your consent.

You can also control cookies through your browser settings, and opt out of Google Analytics specifically using the official add-on at https://tools.google.com/dlpage/gaoptout.

6. Third-Party Services & International Data Transfers

Some service providers we use process data in the United States. Where data is transferred from the EU/EEA or UK to the US, we rely on safeguards permitted under GDPR Chapter V, primarily the EU–US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs).

Our Site is hosted on a virtual private server located in the United States, which means information you submit (including newsletter subscriptions and email correspondence) is processed in the US.

Providers we currently use:

  • Google Analytics (Google LLC, USA) — traffic analytics. IP anonymization is enabled. Privacy policy: https://policies.google.com/privacy
  • Newsletter delivery — Elastic Email Inc. (USA) — handles transactional and newsletter email delivery via SMTP. Subscriber email addresses are stored on Elastic Email’s servers. Privacy policy: https://elasticemail.com/resources/usage-policies/privacy-policy
  • Hosting — Virtual Private Server located in the United States — stores Site files and processes server logs.
  • Social platforms (X/Twitter, Facebook, LinkedIn, YouTube, etc.) — when their share buttons or embeds load, they may collect data per their own policies.

We have no control over data collected directly by third-party platforms. We encourage you to review their privacy policies.

7. Data Retention

  • Analytics data — retained for 14 months in Google Analytics, then automatically deleted.
  • Newsletter subscriptions — retained until you unsubscribe. After unsubscribing, we keep a minimal record (your email on a suppression list) so we don’t accidentally re-add you.
  • Email correspondence — retained only as long as necessary to handle your inquiry, then deleted (typically within 12 months).
  • Server logs — retained for up to 30 days for security purposes, then deleted.

8. Data Security

We take reasonable technical and organizational measures to protect your information, including HTTPS encryption for all Site traffic, restricted access to subscriber lists, and use of reputable service providers with their own security certifications. No internet transmission is 100% secure, however, and we cannot guarantee absolute security.

In the event of a personal data breach likely to result in a high risk to your rights, we will notify affected users and the relevant supervisory authority in line with GDPR Articles 33–34.

9. Your Privacy Rights

For EU / EEA / UK residents (GDPR / UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (without affecting prior lawful processing)
  • Lodge a complaint with your local data protection supervisory authority. A list of EU authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents can contact the ICO at https://ico.org.uk.

For California residents (CCPA/CPRA)

You have the right to:

  • Know what personal information we collect, the sources, the business purposes, and the categories of third parties we share it with
  • Delete personal information we have collected from you
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information — we do not sell or share personal information as defined by the CCPA
  • Non-discrimination for exercising your CCPA rights

Categories of personal information collected in the past 12 months: identifiers (IP address, email), internet/device activity (browser, pages visited), geolocation (general), and information you voluntarily provide (name, email, message content). Sources: directly from you, and automatically from your device. Business purposes: site operation, analytics, security, communications. Categories of third parties data is shared with: analytics providers, hosting providers, newsletter service provider.

How to exercise your rights

Email us at [email protected]. We may need to verify your identity before fulfilling certain requests. We aim to respond within 30 days. You may also use an authorized agent (proof of authorization required).

10. Children’s Privacy

PaperWall is not directed at children. We do not knowingly collect personal information from anyone under the age of 16 (the GDPR default age of digital consent — note that some EU member states set this lower, between 13 and 16; the US COPPA threshold is 13). If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top will reflect the most recent revision. For material changes, we will provide a more prominent notice on the Site (e.g., a banner) before the changes take effect.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy:

Email: [email protected]

We aim to respond within 30 days.

© 2026 PaperWall. All rights reserved.