Privacy policy.

What data Vestaris collects, why, who handles it, and how to get rid of it.

This page explains what personal data Vestaris collects, why, and what rights you have over it. It is written to be read, not to be filed away. If anything here is unclear, email hello@vestaris.io and we will explain it properly.

Who we are

Vestaris is published by Vestaris Ltd, a private limited company registered in England and Wales (company number 17168036), with its registered office at 124 City Road, London, EC1V 2NX. Vestaris Ltd is the data controller for the personal data described on this page. Vestaris Ltd is registered with the UK Information Commissioner's Office (ICO registration number ZC150300).

For any data-related question or request, the contact is hello@vestaris.io.

What we collect and why

Vestaris is a publication. It does not run paid advertising, does not have customer accounts, and does not sell anything. The data collected is correspondingly minimal.

If you subscribe to the newsletter

Vestaris collects your email address. This is used solely to send the quarterly notes, the monthly all-clear, and the occasional bulletin. The lawful basis is your consent, which you give by entering your email and confirming via the double opt-in email Beehiiv sends. Consent can be withdrawn at any time by clicking the unsubscribe link at the bottom of any email, which removes you from the list immediately.

If you write to us

If you send an email to hello@vestaris.io or any other Vestaris address, we store and read your message. Email contents are kept only as long as needed to respond and to keep useful context for future correspondence. The lawful basis is legitimate interest in handling correspondence.

When you visit the site

Vestaris uses Cloudflare Web Analytics, which collects aggregated, anonymised data about page views — pages visited, approximate country, referring site, browser type. It does not use cookies, does not track individual users across visits, and does not collect any personal data that could identify you. The lawful basis is legitimate interest in understanding which content readers find useful.

We do not run Google Analytics, advertising pixels, social-media trackers, or any other third-party tracking on this site.

Who else processes your data

To run the publication, we rely on a small number of third-party services. These are data processors — they handle data on our instructions and only for the purposes set out below.

• Beehiiv — Operates the newsletter platform. Stores subscriber email addresses, sends the notes, handles double opt-in confirmation and unsubscribes. Based in the United States; transfers protected by Standard Contractual Clauses and applicable data-transfer frameworks.
• Google Workspace — Provides the email inbox (Google Workspace Business, Google Ireland Ltd). Used for receiving and responding to reader correspondence at hello@vestaris.io.
• Cloudflare — Hosts the website and provides analytics. Cloudflare Web Analytics is cookieless and aggregated. Cloudflare's terms apply.
• Lovable — Site deployment platform. Processes site content and may handle visitor connection metadata necessary for serving the site.

Where any of these processors are based outside the UK or EEA, transfers are made under Standard Contractual Clauses or other appropriate safeguards. We do not transfer personal data to any country, organisation, or person other than via these processors.

Cookies and tracking

This site uses no analytics cookies. Cloudflare Web Analytics is cookieless by design.

The only situations in which cookies or similar storage may be set on your device are:

• Beehiiv subscription form — When you interact with the newsletter signup, Beehiiv may set short-lived cookies to remember that you submitted the form and prevent duplicate submissions. These are functional cookies essential to the form working.
• Cloudflare security — Cloudflare may set a single security cookie to protect the site from automated abuse. This is a strictly necessary cookie under UK PECR and does not require consent.

Because Vestaris uses no non-essential cookies, there is no cookie consent banner. If this changes in future — for example if we add a video embed or a tool that sets tracking cookies — the site will display a banner that lets you accept or reject those cookies before they are set, and this policy will be updated.

You can disable or delete any cookies through your browser settings. Doing so will not affect your ability to read the publication or subscribe.

How long we keep your data

• Email subscriber addresses — until you unsubscribe. When you unsubscribe, Beehiiv removes your address from the active list. We do not retain a separate copy.
• Correspondence sent to us — kept while it remains relevant. Conversations from many years ago that no longer have a clear purpose are periodically cleared from the inbox.
• Site analytics — Cloudflare retains aggregated data according to their stated retention policy. No personal data is involved.

Your rights

Under UK GDPR you have the following rights in respect of your personal data:

• Access — ask for a copy of the personal data we hold about you
• Rectification — ask us to correct anything inaccurate
• Erasure — ask us to delete your data (this is straightforward for the newsletter — unsubscribing achieves the same thing)
• Restriction — ask us to stop processing in specified ways
• Portability — ask for your data in a portable format (relevant mainly to the subscriber email, which Beehiiv exports on request)
• Objection — object to processing carried out on the basis of legitimate interest
• Withdraw consent — for anything we process based on your consent

To exercise any of these rights, email hello@vestaris.io with what you want and reasonable detail. We will respond within one month, typically much sooner.

Complaints

If you believe Vestaris has handled your data improperly, please write to hello@vestaris.io with the subject line Data protection complaint. We will acknowledge receipt within 30 days and work to resolve the issue directly.

You also have the right to complain to the UK Information Commissioner's Office. The ICO's contact details are at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concern first, but the ICO route is always open to you.

Security

Personal data is held in services with industry-standard security: encrypted in transit, encrypted at rest, access protected by strong authentication and two-factor authentication on all administrative accounts. No data store is perfectly secure; if a breach occurs, we will notify affected subscribers and the ICO within the timeframes UK GDPR requires.

Children

Vestaris is intended for adult readers. We do not knowingly collect data from anyone under the age of 13, and the publication's content is not directed at children. If you believe a child has subscribed, please email us and we will remove the address.

Changes to this policy

If we change how Vestaris handles personal data — for example by adding a new analytics tool, introducing a paid tier, or adding any feature that involves cookies or tracking — this policy will be updated and the date at the top will be revised. Subscribers will be notified of any material change in the next newsletter.