Privacy Policy

This Privacy Policy explains how personal data is collected, processed and stored when you visit this website (uncorporatebenefits.com) and when you subscribe to the newsletter. It is written in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG").

1. Controller

The controller responsible for the processing of personal data on this website within the meaning of the GDPR is:

Andrea Di Gaetano, c/o POSTFLEX PFX-638-547, Emsdettener Straße 10, 48268 Greven, Deutschland

E-Mail: hey@uncorporatebenefits.com

For questions about this Privacy Policy or to exercise any of your rights as a data subject, please contact me at the email address above.

2. Scope of this Policy

This Policy applies to all personal data processed in connection with:

Your visit to this website.
Your subscription to, and receipt of, the newsletter published from this website.
Any correspondence you initiate with me by email.

This Policy does not apply to third-party websites that may be linked from this website. Each linked website is governed by its own privacy policy.

3. Categories of personal data processed

3.1. Server log data and aggregate analytics (when you visit this website)

When you access any page on this website, the hosting infrastructure automatically records standard technical data, including:

Your IP address (typically pseudonymised or shortened by the hosting provider).
Date and time of the request.
The URL accessed and the HTTP status code returned.
Browser type and version, operating system, and referring URL (where applicable).

This data is processed by the hosting provider (see Section 5.1) for the purposes of operating the website, ensuring security, and preventing abuse.

In addition, Ghost's built-in Web Analytics (powered by Tinybird, see Section 5.2) records aggregate, anonymous traffic data — page views, approximate country, browser type and referring URL — to allow basic understanding of which content is being read. No cookies or persistent identifiers are used. No individual visitor is identified or tracked across sessions.

When you subscribe to the newsletter via the sign-up form on this website, the following data is collected:

Your email address (required).
The date and time of your subscription request.
The date and time of your double opt-in confirmation.
Your IP address at the moment of subscription (for proof of consent, as required by GDPR).

After successful double opt-in, your email address is added to the newsletter mailing list managed via MailerLite (see Section 5.3).

Purposes of processing your email address:

To send you the newsletter, with editorial content on the themes published from this website (work, careers, professional sovereignty, related topics).
To send you commercial communications about products and services of my own that are related to those themes — for example, paid newsletters, courses, paid memberships, books, workshops, or similar offerings I may launch in the future.

Both purposes are covered by the same consent given when you complete the double opt-in. Your email address is not used for any other purpose, and it is never sold, rented or shared with third parties for their own marketing.

You can withdraw consent at any time (see Section 8). Withdrawal applies to both purposes simultaneously.

3.3. Email correspondence

If you send me an email, the content of your message and any associated metadata (your email address, the date and time of the message) will be stored for the purpose of responding to your request.

3.4. Postal correspondence

If you send physical mail to the contact address shown in the Imprint, the letter will be received by the postal handling service Postflex (see Section 5.4), digitalised or forwarded to me, and the content will be processed for the purpose of responding to your communication. This includes your name and return address (if provided), the content of the letter (which may include any personal data you choose to share), and metadata of the postal item.

4. Legal basis for processing

The legal basis for each processing activity is as follows:

Processing activity	Legal basis
Operation of the website and server log data	Article 6(1)(f) GDPR — legitimate interest in operating a secure, functional website
Cookie-free aggregate web analytics	Article 6(1)(f) GDPR — legitimate interest in understanding aggregate site usage, balanced by the fact that no cookies or persistent identifiers are used and no individual visitor is tracked
Newsletter subscription, delivery, and related commercial communications about my own products and services	Article 6(1)(a) GDPR — your explicit consent, given via double opt-in, covering both editorial and commercial communications
Email correspondence	Article 6(1)(f) GDPR — legitimate interest in responding to your enquiry; or Article 6(1)(b) GDPR if pre-contractual
Postal correspondence received at the contact address	Article 6(1)(f) GDPR — legitimate interest in receiving and responding to written communication addressed to me; or Article 6(1)(c) GDPR if you are exercising a GDPR right in writing
Storage of consent records	Article 6(1)(c) GDPR — legal obligation to demonstrate consent under Article 7(1) GDPR

5. Recipients and processors

Personal data is processed by the following third-party service providers, who act as processors under Article 28 GDPR. Data Processing Agreements are in place with each of them.

5.1. Hosting provider — Ghost Foundation

This website is hosted on Ghost(Pro), operated by The Ghost Foundation, a non-profit organisation registered in Singapore. Ghost stores EU-origin data in data centres within the European Union, but may process EU data outside the EU under certain circumstances (specifically for support and maintenance of the service).

International transfers to non-EU countries are governed by the European Commission's Standard Contractual Clauses ("SCCs") under Article 46(2)(c) GDPR, as set out in the Ghost Data Processing Agreement available at: https://ghost.org/dpa/.

Data processed by Ghost: server log data (Section 3.1).

5.2. Web analytics processor — Tinybird

This website uses Ghost's built-in Web Analytics, which is a cookie-free, first-party analytics system powered by Tinybird (Tinybird Data, S.L., headquartered in Spain, with infrastructure operated globally). For sites hosted on Ghost(Pro), all analytics data is stored in EU regions.

The analytics system collects aggregate traffic data only (page URL, approximate country derived from IP, browser type, referring URL, and time of visit) and does not place any cookies or persistent identifiers in your browser. Unique visitors are counted within rolling 24-hour windows using anonymous, non-persistent identifiers.

Tinybird acts as a sub-processor of Ghost Foundation under the same Data Processing Agreement linked in Section 5.1. Tinybird's own privacy practices are available at https://www.tinybird.co/privacy.

Data processed by Tinybird: anonymised traffic events as described above.

5.3. Email service provider — MailerLite

The newsletter is delivered via UAB "MailerLite", a company registered in Lithuania, European Union. MailerLite processes subscriber data on EU servers and acts as a data processor under Article 28 GDPR. Their privacy practices, sub-processor list and Data Processing Addendum are available at: https://www.mailerlite.com/legal.

Data processed by MailerLite: email address, subscription timestamps, IP address at the moment of subscription, double opt-in confirmation, open and click data from newsletter emails (if applicable, where MailerLite tracks email engagement).

No subscriber data is shared with any party other than the processors listed above. Personal data is not sold, rented, or otherwise transferred to third parties for marketing purposes.

5.4. Postal mail service — Postflex

The contact address published in the Imprint and in this Privacy Policy (Emsdettener Straße 10, 48268 Greven) is operated by Postflex GmbH as a commercial mail handling and delivery service under a Post- und Zustellungsvollmacht (postal power of attorney). If you choose to send physical mail to this address — for example to exercise a GDPR right in writing, or for any other reason — Postflex receives the mail on my behalf, processes it (digitalisation, forwarding, archiving) and passes it to me. In that role Postflex acts as a data processor within the meaning of Article 28 GDPR, and a Data Processing Agreement (Auftragsverarbeitungsvertrag) is in place between Postflex and me.

Data processed by Postflex when you send physical mail: sender name, sender address, content of the letter (which may include any personal data you choose to include, and may include personal data of third parties you mention in the letter), and metadata of the postal item (date received, recipient mailbox number).

Postflex operates exclusively within Germany. Postflex's own privacy practices are published at https://www.postflex.de/datenschutz.

Important: Postflex is not involved in the processing of your newsletter subscription, your website visits, or any other digital interaction with this site. It only enters the picture if you choose to send physical mail to the address shown in the Imprint.

6. International data transfers

As noted in Section 5.1, the hosting provider Ghost Foundation may process limited personal data outside the European Union (in particular for support and maintenance purposes). These transfers are protected by the European Commission's Standard Contractual Clauses, providing an adequate level of data protection in accordance with Articles 44–46 GDPR.

Tinybird operates analytics infrastructure with EU regions selected for Ghost(Pro) deployments (see Section 5.2). No transfer of analytics data outside the EU/EEA takes place under normal circumstances.

MailerLite operates within the European Union; no transfer of newsletter data outside the EU/EEA takes place under normal circumstances.

Postflex operates exclusively within Germany; no transfer of postal correspondence data outside the EU/EEA takes place.

7. Retention periods

Personal data is retained only for as long as necessary for the purposes for which it was collected, or for as long as required by law:

Server log data: typically deleted or anonymised within 7 to 30 days, depending on the hosting provider's standard retention practices.
Newsletter subscription data: retained for as long as you remain subscribed. If you unsubscribe, your email address is removed from the active mailing list. A record of your past consent (timestamp, IP address) may be retained for up to 3 years after unsubscription to demonstrate compliance with Article 7(1) GDPR.
Email correspondence: retained for as long as necessary to handle your enquiry, and thereafter for a reasonable period to allow for follow-up. In any case, deleted upon your request unless legal retention obligations apply.
Postal correspondence: physical letters are received by Postflex according to its own retention policy (typically scanned/forwarded within a few business days, then archived or destroyed in line with the Postflex AVV). On my side, digital copies of received mail are retained for as long as necessary to handle the matter, and thereafter according to the same logic as email correspondence.

8. Your rights as a data subject

Under the GDPR, you have the following rights with respect to your personal data:

Right of access (Article 15 GDPR): to obtain confirmation of whether your personal data is being processed and, if so, to receive a copy of that data.
Right to rectification (Article 16 GDPR): to have inaccurate personal data corrected.
Right to erasure (Article 17 GDPR): to have your personal data deleted, where one of the grounds in Article 17(1) applies.
Right to restriction of processing (Article 18 GDPR): to limit the processing of your data under certain conditions.
Right to data portability (Article 20 GDPR): to receive your data in a structured, commonly used and machine-readable format.
Right to object (Article 21 GDPR): to object to processing based on legitimate interests.
Right to withdraw consent (Article 7(3) GDPR): to withdraw your consent at any time, with effect for the future. For the newsletter, you can withdraw your consent at any time by clicking the unsubscribe link in any newsletter email, or by emailing me directly. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, the simplest channel is email — contact me at the address shown in Section 1. You may also exercise these rights in writing by sending postal mail to the contact address shown in Section 1; in that case your letter will be received by Postflex (see Section 5.4) and forwarded to me, which typically adds a delay of a few business days. Both channels are equally valid under GDPR; email is faster.

I will respond to any request within one month of receipt (Article 12(3) GDPR). If your request is particularly complex or if I receive a high volume of requests, this period may be extended by two further months, in which case I will inform you within the first month of the reasons for the delay.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (Article 77 GDPR).

The competent supervisory authority for this website is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) Kavalleriestraße 2–4 40213 Düsseldorf, Germany Website: https://www.ldi.nrw.de

You may also lodge a complaint with the supervisory authority of the EU member state in which you habitually reside or work, if different from the above.

9. Data security

Reasonable technical and organisational measures are taken to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include TLS/SSL encryption of all data transmitted via this website, the use of processors that meet GDPR security standards, and minimisation of the data collected.

No transmission of data over the internet can be guaranteed to be 100% secure, however, and absolute security cannot be promised.

10. Children

This website is not directed at children under the age of 16. No data is knowingly collected from children. If you believe that a child has provided personal data without parental consent, please contact me and the data will be deleted.

11. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in the website, in the services used, or in applicable law. The "Last updated" date at the top of this page indicates when the Policy was last revised. Material changes will be communicated where appropriate.

12. Contact

For any questions about this Privacy Policy or about the processing of your personal data:

Andrea Di Gaetano