Autonom.me
§Legal

Privacy policy

Last updated: 2026-06-11

What we collect

We collect analytics in three layers. The first is on by default; the other two are opt-in.

  • Basic visit data (always on, no consent needed).We keep a general, anonymized picture of our traffic — roughly what kind of device and browser people use and which country they’re in — so we understand our overall load. We don’t store your IP address or the pages you view, and none of it can be tied back to you. Kept on our own infrastructure for about 30 days. Legal basis: legitimate interest under GDPR — running the site and understanding our audience.
  • Analytics events (only if you accept). If you accept in the cookie banner, we also record anonymized pageviews and a few interactions (e.g. canvas events) on our own server. Same anonymization, same ~30-day retention. Legal basis: consent.
  • Google Analytics (only if you accept).If you accept, we additionally load Google Analytics for richer reporting (see “Third-party data processors” below). Legal basis: consent.

You can revoke consent at any time via Cookie settings. It takes effect immediately — the Google Analytics cookies are deleted and no further events are sent.

Raw analytics is kept for about 30 days; only anonymous daily totals (no per-visitor data) are kept longer. For the cookies we use, see the cookie policy.

Newsletter subscriptions

If you subscribe to the newsletter, we store the following on our own infrastructure:

  • Your email address (normalized to lowercase) and the source (which form on the site you submitted from).
  • A timestamp, your IP address, and your user-agent at the time of signup. These are kept as a record of your explicit consent and are never used for anything else.
  • A random unsubscribe token that we’ll embed in every email we send so you can unsubscribe in one click.

Legal basis: explicit consent (GDPR Art. 6(1)(a)). Sharing:none — we don’t share or sell the list to any third party. Retention:we keep the record until you unsubscribe, and afterwards we retain only the suppression entry (your email plus a status of “unsubscribed”) to make sure you don’t get re-added by accident if a bulk import is ever run. If you want the record fully deleted, contact the address listed in security.txt and we’ll remove it.

How to unsubscribe: every newsletter email carries a one-click unsubscribe link. You can also visit the unsubscribe page directly if you have your token.

Third-party data processors

We use one third-party processor, only after explicit consent:

  • Google Analytics (Google LLC, USA). Used for audience and engagement reporting. It receives standard analytics data about your visit to produce those reports. Data is transferred to the United States under the EU-U.S. Data Privacy Framework / Standard Contractual Clauses and retained for 14 months. Google Signals is off, so your Google account is not joined to your visit.

Google’s privacy policy: policies.google.com/privacy.

Your rights (EU/EEA visitors)

Our analytics is anonymous and not tied to your identity, so there’s no per-visitor record we could hand back or delete. If you have a newsletter subscription or an admin account, those records are tied to your email — contact us to access, correct, or delete them. For the newsletter, the easiest route is the unsubscribe link in any email; for full deletion, write to the address in security.txt.

Contact

For questions about this policy, see security.txt.

Updates to this policy are tracked in the site’s git history.