Velvet40

Velvet40 (“we,” “us,” or “our”) operates the website velvet40.com (the “Site”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Site. It applies to visitors from the United States and the United Kingdom and has been drafted to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

By accessing the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Site.

1. Information We Collect

1.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you interact with the Site, including:

Newsletter subscription: your email address when you subscribe to The Glow Report, our weekly newsletter.
Contact inquiries: your name, email address, and any message content you submit through our contact form.

Under GDPR Article 6(1)(a), we process this data on the basis of your explicit consent. Under CCPA §1798.100, you have the right to know what personal information we collect and why.

1.2 Information Collected Automatically

When you visit the Site, we may automatically collect certain technical data, including:

IP address (anonymized where required by law)
Browser type and version
Operating system
Referring URL and exit pages
Pages viewed and time spent on each page
Device type (desktop, tablet, mobile)
Approximate geographic location (country/region level only)

This data is collected through cookies and similar tracking technologies, as described in Section 3 below. Our lawful basis for this processing under GDPR Article 6(1)(f) is our legitimate interest in understanding how visitors use the Site so we can improve content and user experience.

1.3 Information From Third Parties

We do not purchase or obtain personal information from third-party data brokers. Any third-party data we receive is limited to aggregated, anonymized analytics provided by the services described in Section 4.

2. How We Use Your Information

We use the information we collect for the following purposes:

To deliver our newsletter: sending you The Glow Report and occasional editorial updates you have opted into.
To respond to inquiries: replying to questions or feedback you submit through our contact channels.
To analyze Site performance: understanding traffic patterns, popular content, and user engagement to improve the editorial experience.
To serve relevant advertising: displaying contextually appropriate ads through Google AdSense to support our free editorial content.
To support affiliate partnerships: when you click an affiliate link and make a purchase, our affiliate partners (such as Amazon) may share transaction data with us solely for commission tracking.
To comply with legal obligations: responding to lawful requests from regulatory authorities under GDPR Article 6(1)(c).

We do not sell your personal information. Under CCPA §1798.120, California residents have the right to opt out of the sale of personal information. Because we do not sell personal data, this right is already honored by default.

3. Cookies and Tracking Technologies

Cookies are small text files stored on your device when you visit a website. We use the following categories of cookies:

3.1 Strictly Necessary Cookies

These cookies are essential for the Site to function properly. They include cookies that remember your cookie consent preferences. These cookies do not require your consent under GDPR Recital 30 and the ePrivacy Directive, as they are necessary for the service you have requested.

3.2 Analytics Cookies

With your consent, we use Google Analytics 4 (GA4) to collect anonymized usage data. GA4 uses first-party cookies to distinguish unique users and sessions. We have configured GA4 with IP anonymization enabled and have disabled data sharing with Google for advertising purposes. Analytics cookies are only loaded after you provide consent through our cookie banner.

3.3 Marketing Cookies

With your consent, Google AdSense may place cookies on your device to serve ads relevant to your interests. These cookies are set by Google and its advertising partners. Marketing cookies are only loaded after you provide consent through our cookie banner.

3.4 Managing Your Cookie Preferences

When you first visit the Site, a cookie consent banner will ask you to choose which categories of cookies you accept. You can change your preferences at any time by clicking the “Cookie Settings” link in the Site footer. You may also configure your browser to block or delete cookies, although this may affect Site functionality.

4. Third-Party Services

We use the following third-party services that may process your data. Each service operates under its own privacy policy, which we encourage you to review.

4.1 Google Analytics 4 (GA4)

We use GA4 to analyze Site traffic and user behavior. GA4 collects data such as pages visited, session duration, and device information. Data is processed by Google LLC (US) and Google Ireland Limited (EU/UK). Google acts as a data processor on our behalf. For more information, see Google's Privacy Policy. Under GDPR Article 28, we have a data processing agreement with Google covering this service.

4.2 Google AdSense

We use Google AdSense to display advertisements on the Site. AdSense may use cookies and web beacons to serve ads based on your prior visits to this and other websites. You can opt out of personalized advertising by visiting Google Ads Settings. Google AdSense is subject to Google's Advertising Policies.

4.3 Amazon Associates Program

Velvet40 is a participant in the Amazon Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by linking to Amazon.com and affiliated sites. When you click an Amazon affiliate link on the Site, Amazon places cookies on your device to track whether you complete a qualifying purchase. We receive only aggregated commission data and do not receive your personal purchase details. For more information, see Amazon's Privacy Notice.

4.4 Kit (ConvertKit)

We use Kit (formerly ConvertKit) to manage our newsletter mailing list. When you subscribe, your email address is stored on Kit's servers in the United States. Kit acts as a data processor on our behalf under GDPR Article 28. We use double opt-in to confirm your subscription. For more information, see Kit's Privacy Policy.

5. International Data Transfers

Some of our third-party service providers are based in the United States. Where personal data is transferred from the UK or the European Economic Area (EEA) to the US, we ensure that appropriate safeguards are in place, including:

The EU-US Data Privacy Framework (where the recipient is certified), per GDPR Article 45
Standard Contractual Clauses (SCCs) approved by the European Commission, per GDPR Article 46(2)(c)

UK transfers are additionally governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as appropriate.

6. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes described in this policy:

Newsletter subscribers: your email address is retained until you unsubscribe. You can unsubscribe at any time using the link in every newsletter email.
Contact inquiries: retained for up to 12 months after our last communication, then securely deleted.
Analytics data: GA4 data retention is set to 14 months, after which it is automatically deleted by Google.
Cookie consent records: retained for 12 months, at which point you will be asked to renew your preferences.

7. Your Rights

7.1 Rights Under GDPR (UK and EEA Residents)

Under GDPR Articles 15 through 22, you have the following rights regarding your personal data:

Right of access (Article 15): request a copy of the personal data we hold about you.
Right to rectification (Article 16): request correction of inaccurate or incomplete data.
Right to erasure (Article 17): request deletion of your personal data where there is no compelling reason for continued processing.
Right to restrict processing (Article 18): request that we limit how we use your data in certain circumstances.
Right to data portability (Article 20): receive your data in a structured, machine-readable format.
Right to object (Article 21): object to processing based on legitimate interests, including profiling.
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing (Article 7(3)).

To exercise any of these rights, contact us at privacy@velvet40.com. We will respond within 30 days as required by GDPR Article 12(3). If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO).

7.2 Rights Under CCPA/CPRA (California Residents)

Under the California Consumer Privacy Act (§1798.100 et seq.), as amended by the California Privacy Rights Act, California residents have the following rights:

Right to know (§1798.100): request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to delete (§1798.105): request deletion of personal information we have collected from you.
Right to correct (§1798.106): request correction of inaccurate personal information.
Right to opt out of sale or sharing (§1798.120): we do not sell or share your personal information for cross-context behavioral advertising.
Right to non-discrimination (§1798.125): we will not discriminate against you for exercising any of your CCPA rights.

To submit a verifiable consumer request, contact us at privacy@velvet40.com. We will verify your identity and respond within 45 days as required by CCPA §1798.130.

8. Children's Privacy

The Site is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at privacy@velvet40.com and we will promptly delete such information in accordance with GDPR Article 8 and COPPA requirements.

9. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, as required by GDPR Article 32. These measures include HTTPS encryption for all Site traffic, secure storage of subscriber data by our third-party processors, and regular review of our data handling practices. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email or through a prominent notice on the Site. We encourage you to review this policy periodically. In accordance with GDPR Article 13(3), where the purpose of processing changes, we will provide you with updated information before any new processing begins.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal information, please contact us:

Email: privacy@velvet40.com
General inquiries: editorial@velvet40.com

For GDPR-related inquiries, our data controller is Velvet40. We do not currently have a Data Protection Officer (DPO) as our processing activities do not meet the threshold requiring one under GDPR Article 37. Should this change, we will update this section accordingly.

For CCPA-related inquiries, California residents may also contact us using the email addresses above to submit verifiable consumer requests.