The short version

We collect the minimum amount of data needed to deliver Karostartup. We never sell your data. We use cookies for sign-in, preferences, and lightweight analytics. You can request a copy of your data, or delete your account, at any time via our contact form.

1. Who we are

"Karostartup" refers to the editorial publication operating at this domain. The data controller is the publisher named in the contact section below. If you are in the European Economic Area, the United Kingdom, or Switzerland, this policy is intended to comply with the General Data Protection Regulation (GDPR) and equivalent local laws.

2. What we collect

If you create an account: your email address, the name you provide, and any optional profile information you fill in (bio, social handles, avatar URL).

If you subscribe to a newsletter: your email address and the newsletter you subscribed to.

If you contact us: the name, email, phone (if provided), subject and message of your enquiry.

If you read articles: page-view counters, bookmarks (only if signed in), and the cookie-consent choice you made.

If you comment: your name (as on your profile), the comment text, and the article it was posted on.

We do not collect payment information directly; if you become a Plus member in the future, payment will be processed by a third-party PCI-compliant processor.

3. Why we collect it

4. Legal basis (for EEA / UK readers)

We rely on the following legal bases under GDPR Article 6: consent (newsletter subscriptions, optional analytics cookies), contract (account features), legitimate interest (operating and improving the publication, fraud prevention), and legal obligation (where we must retain data to comply with law).

5. Cookies

We use a small number of cookies. The full list, including third-party cookies and how to disable them, is in our Cookie Policy. The consent banner you see on first visit records your choice in your browser's local storage — it is not shared with us.

6. Who we share data with

We share data with: Supabase (our hosting and database provider, who stores your account and content), Google Fonts (which serves typefaces), and Unsplash (which serves some images). We do not sell, rent, or trade your data with anyone.

If you grant analytics consent, we may also use a lightweight first-party analytics tool. We do not use Google Analytics in its default configuration.

7. International transfers

Our database is hosted on infrastructure that may store data outside your country. Where this involves transferring personal data out of the EEA or UK, we rely on Supabase's standard contractual clauses with its sub-processors.

8. How long we keep it

Account data: until you delete your account. Newsletter subscribers: until you unsubscribe. Contact submissions: up to 24 months. Anonymous analytics: aggregated indefinitely; individual events are discarded within 90 days.

9. Your rights

If you are in the EEA, UK, India, or California you have legal rights to: access the personal data we hold about you, correct or update it, delete it, restrict or object to its processing, port it to another service, and withdraw consent at any time. Exercise any of these via our contact form. We will respond within 30 days.

If you are unhappy with how we have handled a request, you have the right to complain to your local data protection authority.

10. Security

All traffic to Karostartup is encrypted in transit (HTTPS). Passwords are hashed by Supabase Auth using industry-standard algorithms — we never see your password. Access to the production database is limited to a small number of editorial and engineering staff.

11. Children

Karostartup is not directed at children under 13. If you believe we have inadvertently collected data from a child, please contact us and we will delete it.

12. Changes

If we change this policy materially, we will notify subscribers by email and post a notice on the homepage at least 14 days before the change takes effect.

13. Contact

Questions, complaints, or data-subject requests: our contact form.