Privacy

Privacy policy

Last updated: June 1, 2026

This policy describes how Stephan Smith (“I,” “me,” “we”) handles personal information when you use stephansmith.me, subscribe to the Low Code CTO newsletter, manage your account, or interact with related emails and services.

This page is a policy statement for transparency and compliance. It is not legal advice. If anything here conflicts with applicable law, the law controls.

Who is responsible

Data controller: Stephan Smith, operating as Low Code CTO
Postal address: 55 Court Street, 2nd Floor, Boston, MA 02108, USA
Email: stephan@stephansmith.me

Information we collect

Depending on how you use the site, we may collect:

  • Contact and profile: email address, first name, optional role, topic or channel preferences, and similar details you submit on subscribe, account, or preference forms.
  • Account and authentication: sign-in identifiers, session tokens, and related data needed to operate passwordless login and your account (stored via our database and auth provider).
  • Newsletter and email activity: subscription status, confirmation and unsubscribe tokens, delivery status, and engagement signals—specifically whether you opened an email or clicked a link (see “Email open and click tracking” below).
  • Technical and usage data: IP address, browser type, device information, pages viewed, referring URLs, and similar analytics collected through cookies, tags, and server logs.
  • Inferred interests: segments or interests we infer from your topic choices, optional role, and email or site engagement (such as opens and clicks), used to personalize content and measure the audience.
  • Communications: messages you send us (for example feedback or support email).

We do not knowingly collect sensitive categories of data (such as health or financial account numbers) through this site.

How we use information

  • Send and manage the newsletter and related transactional email (confirmations, account links, unsubscribe).
  • Operate your account and save your topic preferences.
  • Measure email performance (open and click rates) and improve editorial content based on aggregate engagement.
  • Improve the site, content, and subscriber experience.
  • Measure traffic and interaction (analytics and, where enabled, session analytics such as heatmaps).
  • Personalize editorial content, email presentation, and—where enabled—sponsor or partner placements based on your interests and engagement (see below).
  • Protect the site against abuse, fraud, and security incidents.
  • Comply with law and respond to lawful requests.

Advertising, sponsorship, and personalization

Today, the newsletter is primarily editorial. We do not sell your email address or individual profile to sponsors or data brokers.

If and when we run sponsorships or advertising on the site or in email, we may use information you provide (such as topics and optional role) and engagement signals (such as opens and clicks) to:

  • Choose which sponsor messages or offers are shown to which audience segments.
  • Keep placements relevant to your stated interests.
  • Report aggregate audience composition to sponsors (for example, share of subscribers by topic or role)—not your name or email unless you separately choose to engage with a sponsor.

We do not give sponsors a list of subscribers to contact on their own, unless we clearly tell you otherwise at the time and you opt in.

You can limit personalization by adjusting topics in your account, unsubscribing, or contacting us to opt out of interest-based sponsor placement (see “Your choices”).

Automated tools and AI

We may use automated systems, including AI-assisted tools, to draft or adapt how content, sponsor messages, or on-site copy is presented to different audience segments. These tools use inputs such as your topic preferences, optional profile fields, and engagement patterns—not to make legal, financial, or employment decisions about you, but to improve relevance and clarity of what we publish or show.

When a vendor processes personal data on our behalf for these features, they are listed under service providers and are bound to use data only for our instructions.

Legal bases (EEA, UK, and Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on these bases:

  • Consent — for example when you subscribe or confirm your email.
  • Contract — to provide the newsletter or account features you request.
  • Legitimate interests — to secure and improve the site, measure aggregate site usage (including analytics), communicate with existing subscribers, and personalize content or sponsor placement where permitted, balanced against your rights.
  • Legal obligation — where we must retain or disclose data to comply with law.

Where required for marketing personalization or profiling, we rely on consent or legitimate interests and provide opt-out paths described below. You may withdraw consent at any time. Withdrawal does not affect processing already performed.

Email open and click tracking

Newsletter and automation emails are sent through Postmark. For those sends we enable open and link-click tracking so we can measure performance and improve what we publish.

  • Opens: Postmark may embed a small tracking pixel in HTML email. When the pixel loads, we record an open event tied to that send (not every mail client loads pixels, and some opens may be triggered by automated systems rather than a person reading the message).
  • Clicks: links in HTML and plain-text email may route through Postmark so we can record which link was clicked and when, before redirecting you to the destination.
  • Where it is stored: Postmark sends delivery and engagement webhooks to our internal systems (hosted on Supabase). We associate events with the relevant send and subscriber record so we can report open and click rates in the aggregate and, where needed, understand engagement at the subscriber level (for example, to personalize content or troubleshoot delivery).

Transactional messages (such as sign-in links or one-off confirmations) may use different tracking settings. Unsubscribing stops future marketing sends; it does not retroactively delete engagement history already collected (see “Retention”).

Cookies and similar technologies

We use cookies, local storage, and similar tools on the site. These include:

  • Strictly necessary: required for sign-in, security, and core site functions (including session storage used by our auth provider).
  • Analytics and performance: we use Google Tag Manager and related analytics tools that may set cookies or similar identifiers when you visit the site. We do not currently show a cookie consent banner; analytics load as part of normal page delivery.

You can limit or block non-essential cookies through your browser settings or extensions. Blocking strictly necessary cookies or storage may limit sign-in and account features. If we change analytics providers or add an on-site cookie preference tool, we will update this policy.

Service providers

We use trusted vendors to run the site and newsletter. They process data on our instructions and only as needed to provide their services. Current categories include:

  • Hosting and CDN — Cloudflare (site delivery and security).
  • Database, authentication, and newsletter operations — Supabase (subscriber and account data, serverless functions, and our internal systems for newsletter scheduling, preferences, automations, and ingestion of Postmark open/click webhooks).
  • Email delivery and tracking — Postmark (sends newsletter and transactional mail; provides open pixels and link tracking that feed back into our internal systems).
  • Analytics — Google (via Google Tag Manager).
  • Automation and AI — providers we use to draft, test, or personalize content or sponsor presentation, when enabled (under contracts that limit use to our instructions).

We do not sell your personal information for money to data brokers or give sponsors your email for their independent marketing lists. Under some U.S. state laws, sharing identifiers with analytics or advertising partners may be treated as “sharing” for cross-context behavioral advertising. We use analytics to understand site use. If we enable ad pixels or partner tags in the future, we will disclose them here and honor opt-out rights. You may opt out of such sharing as described below.

Retention

We keep personal information only as long as needed for the purposes above. Retention varies by data type—we do not delete everything after a fixed short window.

  • Active subscribers and accounts: profile, preferences, and send history while you remain subscribed or maintain an account, plus a reasonable period afterward for support and operational continuity.
  • After you unsubscribe: we stop marketing email promptly (typically within a few days). We retain a suppression record (such as your email address and unsubscribe status) for an extended period so we do not accidentally re-add you or send again—this is a standard compliance requirement, not ongoing marketing use.
  • Email open and click events: individual open/click events are kept for a short measurement window (currently about two weeks after a send), then aggregated into campaign-level statistics; raw event rows for that send are deleted after rollup. Aggregate open/click metrics may be kept longer for reporting and editorial decisions.
  • Analytics and logs: site analytics, server logs, and similar technical data are retained for periods appropriate to security, debugging, and understanding traffic (often months, depending on the vendor and our settings).
  • Legal and security: we may retain certain records longer when required by law, to resolve disputes, or to protect against abuse.

You may request deletion at any time (see below). We will honor applicable rights subject to exceptions—for example, we may need to keep a minimal suppression record or information we are legally required to retain.

International transfers

We are based in the United States. If you access the site from outside the U.S., your information may be processed in the U.S. and other countries where our providers operate. Where required, we rely on appropriate safeguards (such as standard contractual clauses offered by vendors) for transfers from the EEA, UK, or Switzerland.

Your choices

  • Newsletter: unsubscribe via the link in any email or at stephansmith.me/unsubscribe.
  • Account: manage topics and profile at stephansmith.me/account.
  • Personalized sponsor or partner content: email stephan@stephansmith.me with “Opt Out of Personalized Sponsor Content.”
  • Cookies: limit or block analytics cookies through your browser settings or extensions (see “Cookies and similar technologies” above).

Your privacy rights

Depending on where you live, you may have the right to request access, correction, deletion, portability, or restriction of your personal information, to opt out of certain processing, or to object to processing based on legitimate interests. We will not discriminate against you for exercising these rights.

California (CPRA / CCPA)

California residents may request:

  • Categories and specific pieces of personal information we have collected about you.
  • Deletion of personal information we collected from you (subject to exceptions).
  • Correction of inaccurate personal information.
  • Opt-out of the “sale” or “sharing” of personal information (we do not sell; see opt-out below for sharing).

Do Not Sell or Share: to opt out of sharing for cross-context behavioral advertising, email stephan@stephansmith.me with the subject line “Do Not Sell or Share My Personal Information.”

Florida and other U.S. states

Residents of Florida and other states with consumer privacy laws may have similar rights to know, access, delete, correct, and opt out of certain processing (including targeted advertising or sale of personal data, where those laws apply). Submit requests using the contact details below. We will verify your request as required by applicable law.

EEA, UK, and Switzerland (GDPR)

In addition to the rights above, you may:

  • Object to processing based on legitimate interests, including profiling for marketing.
  • Withdraw consent where processing is consent-based.
  • Lodge a complaint with your local data protection authority.

How to make a request

Email stephan@stephansmith.me with the subject “Privacy Request,” describe what you need, and include the email address associated with your subscription or account. We may ask for information to verify your identity. We aim to respond within the timelines required by applicable law (for example, 45 days for many U.S. state requests, extendable where permitted).

You may use an authorized agent where your state law allows it; we may require proof of authorization.

Security

We use reasonable technical and organizational measures to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Children

The site and newsletter are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.

Changes

We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may also be noted in the newsletter or on the site where appropriate.

Contact

Questions about this policy or your data:
stephan@stephansmith.me
Stephan Smith / Low Code CTO
55 Court Street, 2nd Floor, Boston, MA 02108, USA