Privacy Policy

Last updated: April 13, 2026

This Privacy Policy explains how Particle Post (“we”, “our”, “us”) collects, uses, stores, and protects personal information when you visit theparticlepost.com, subscribe to our newsletter, register an account, or otherwise interact with our services. It is written to comply with the European Union General Data Protection Regulation (GDPR), the UK GDPR, and the Quebec Act respecting the protection of personal information in the private sector (Law 25, formerly Bill 64).

1. Data controller

The data controller responsible for your personal information is Particle Post. You can contact us at contact@theparticlepost.com. The legal entity name and registered address are available on request and will be added here once incorporation is finalised. Until then, contact us by email for any privacy enquiry.

2. Personal data we collect

We collect the minimum amount of personal data needed to operate the service. The categories are:

  • Newsletter subscription. Email address and the timestamp of your subscription. Optional: first name if you provide one. We do not enrich subscriber data from third-party sources.
  • Account registration. Email address, hashed password (never stored in plain text — handled by Supabase Auth), and any profile fields you choose to fill in (display name, avatar URL). If you sign in with Google or GitHub OAuth, we receive your email and a provider-issued user ID.
  • Specialist profiles. If you register as a specialist via our directory, we collect the information you submit (name, headline, bio, location, languages, LinkedIn URL, optional avatar, optional rate range).
  • Analytics (only with your consent). When you opt in to analytics cookies, Google Analytics 4 collects anonymised usage data: pages viewed, referrer, approximate geographic region, device and browser type, and a randomly generated client ID stored in the _ga cookie. We do not enable advertising features or remarketing.
  • Server logs. Vercel, our hosting provider, keeps short-lived access logs containing IP addresses and request metadata for security and abuse-prevention purposes. These are retained for up to 30 days.
  • Cookies. A small set of essential cookies plus optional analytics cookies — described in detail in our Cookie Policy.
  • Marketplace data. If you use the AI Specialist Marketplace as a client, we store the project brief you submit (project description, categories, budget range, timeline, pre-qualification details, contact information). If you use it as a specialist, we store your application data (credentials, case studies, certifications, pricing, availability), your Stripe customer and subscription identifiers (not card details — those remain with Stripe), your delivered leads, and messages exchanged with clients through the platform.

3. Legal basis for processing (GDPR Article 6)

  • Newsletter subscription: your explicit consent (Article 6(1)(a)). You may withdraw consent at any time by clicking the unsubscribe link in any email.
  • Account creation and authentication: performance of a contract (Article 6(1)(b)) — we cannot give you a logged-in experience without storing the relevant credentials.
  • Analytics: your explicit, opt-in consent (Article 6(1)(a)), captured via the cookie consent banner. Without consent we do not load Google Analytics at all.
  • Server logs and security monitoring: legitimate interest in protecting the service (Article 6(1)(f)), balanced against your right not to be tracked.

4. How long we keep your data

  • Newsletter: until you unsubscribe, plus 30 days for compliance audit purposes, after which the record is permanently deleted.
  • Account and specialist profile: until you request deletion, after which the record is removed within 30 days.
  • Google Analytics: 14 months (the GA4 default for our property). We do not extend retention.
  • Server logs: up to 30 days at Vercel.
  • Marketplace project briefs: retained for 24 months after the brief is marked complete, expired, or cancelled, then permanently deleted.
  • Marketplace messages: retained for 12 months following the last exchange, then permanently deleted.
  • Specialist analytics events (lead deliveries, profile views, match notifications): retained for 24 months for performance reporting and refund dispute resolution.
  • Stripe payment records: retained as long as Stripe requires for financial reporting and taxation (typically 7 years) under Stripe’s own retention policy.

5. Third-party processors

We share personal data with the following processors, all bound by data processing agreements (DPAs) and appropriate safeguards for international transfers:

  • Supabase Inc. (United States) — database, storage, and authentication. Stores newsletter subscribers, accounts, specialist profiles. DPA in place; data resides in their US region.
  • Vercel Inc. (United States) — hosting, edge network, server logs. DPA in place.
  • Google LLC (United States) — Google Analytics 4 (only when you consent), Google Search Console for crawl reporting. DPA in place; reliance on the EU-US Data Privacy Framework certification.
  • Resend Inc. (United States) — transactional and newsletter email delivery. DPA in place.
  • Stripe Payments Europe Ltd. (Ireland) — payment processing, subscription billing, invoicing, and fraud detection for the AI Specialist Marketplace. Stripe acts as the data controller for payment card details, which never touch our servers. DPA in place; Stripe is PCI DSS Level 1 certified.

6. International data transfers

Because our processors are based in the United States, your data is transferred outside the European Economic Area, the United Kingdom, and Canada. We rely on the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses to ensure your data receives equivalent protection. You can request copies of the relevant safeguards by emailing contact@theparticlepost.com.

7. Your rights

You have the following rights under GDPR and Quebec Law 25. To exercise any of them, email us at contact@theparticlepost.com. We will respond within 30 days.

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: request deletion of your data (also known as the “right to be forgotten”).
  • Right to restriction of processing: ask us to pause processing of your data while a dispute is resolved.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: at any time, with effect for the future, where processing is based on consent.
  • Right to lodge a complaint with the supervisory authority in your jurisdiction (see section 11).

8. Editorial standards and automated processing

Our editorial team uses modern research and writing tools, including AI assistants, to accelerate the work of our curators. Every article is reviewed and signed off by a named curator before publication. Editorial direction, sourcing standards, and final publication decisions are made by our human editorial team.

Importantly, we do not make automated decisions about individual users. We do not score, profile, or target you with personalised ads. The tools we use serve our curators, not your data.

9. Children’s data

Particle Post is not directed at children under 16 and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at contact@theparticlepost.com and we will delete it.

10. Security measures

We use HTTPS site-wide, modern security headers (Strict Transport Security, Content Security Policy, X-Frame-Options), Supabase row-level security on all user-data tables, and secure password hashing via Supabase Auth. Service-role keys and other secrets are never exposed to the client and are stored in encrypted GitHub Actions and Vercel environment variables.

11. Complaint procedures

  • EU residents may lodge a complaint with their national data protection authority. A list is maintained by the European Data Protection Board.
  • UK residents may complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
  • Quebec residents may complain to the Commission d’accès à l’information du Québec (CAI) at cai.gouv.qc.ca.
  • All other residents may contact us first at contact@theparticlepost.com and, if unresolved, escalate to your local supervisory authority.

12. Automatch algorithm

When a client submits a project brief through the marketplace, our automatch algorithm ranks approved specialists by relevance. The algorithm is deterministic and based entirely on the information you provide in the brief: it scores specialists using Jaccard similarity on category overlap, geographic preferences, language overlap, availability, and rating. It does not use profiling, tracking cookies, demographic inference, or any sensitive category of personal data. The algorithm therefore does not constitute “automated individual decision-making” under GDPR Article 22. Specialists receive a match notification email containing only the brief data you chose to submit.

13. Updates to this policy

We may update this policy to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated via the newsletter (for subscribers) or via a banner on the site for at least 14 days before taking effect.

14. Contact

For any privacy enquiry, request, or complaint, email contact@theparticlepost.com. We aim to respond within five business days, and within 30 days at the outside as required by GDPR Article 12.