Privacy Policy

Last updated: June 7, 2026. Effective: June 7, 2026.

1. Summary

nathanmzumara.com (the "Site") is a personal publication. We collect only the minimum personal data needed to operate the Site and, if you choose to subscribe, to deliver the Discovery Digest newsletter. We do not sell personal data, we do not share personal data with advertisers, and we do not use personal data to train models. This page sets out, in plain language, what is collected, why, how long it is kept, and the rights you have under the EU and UK General Data Protection Regulations (GDPR and UK GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and other applicable laws.

2. Scope

This policy applies to personal data collected through the Site, the Discovery Digest newsletter, and email correspondence sent to addresses published on the Site. It does not apply to third-party services that operate under their own terms, such as the email client you use to read the newsletter or the browser you use to view the Site.

3. Data controller

The data controller for the purposes of GDPR, UK GDPR, and equivalent laws, and the business under the CCPA, is Nathan Mzumara (the "Operator"). For all data protection enquiries you may contact us at hello@nathanmzumara.com. If you reside in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your supervisory authority (in the UK, the Information Commissioner’s Office at ico.org.uk).

4. Information we collect

4.1 Information you provide directly

When you subscribe to the Discovery Digest we collect the email address you provide. If you contact us by email we receive your email address and the contents of the message.

4.2 Information collected automatically

When you visit the Site, our hosting provider (Vercel) automatically receives standard server log data including IP address, user agent, referrer, and request path. If you accept the cookie consent banner, we also collect aggregated analytics through Vercel Analytics, including pages viewed, referrer source, device type, browser, operating system, and country-level location. Vercel Analytics does not set advertising cookies and does not build cross-site profiles. If you decline or dismiss the consent banner, no analytics scripts are loaded.

4.3 Information we do not collect

We do not knowingly collect biometric, financial, health, precise geolocation, social security, passport, driver licence, or government identifier data. We do not collect information from children. We do not track you across other websites.

5. How we use information and lawful bases

The Operator processes personal data for the following purposes and on the following lawful bases under GDPR / UK GDPR Article 6:

  • Newsletter delivery: sending the Discovery Digest to subscribers. Lawful basis: consent (Art. 6(1)(a)). You may withdraw consent at any time using the unsubscribe link in any email.
  • Site operation and security: serving content, preventing abuse, and diagnosing errors. Lawful basis: legitimate interests (Art. 6(1)(f)) in running a functional and secure publication.
  • Aggregated analytics: measuring reach and improving content. Lawful basis: consent (where analytics scripts are loaded after acceptance of the cookie banner).
  • Correspondence: replying to enquiries sent to the Operator’s email address. Lawful basis: legitimate interests in answering you.
  • Legal compliance: responding to lawful requests from regulators or courts. Lawful basis: legal obligation (Art. 6(1)(c)).

6. Cookies, analytics, and consent

The Site does not set advertising or cross-site tracking cookies. We use a single localStorage key (named nm-consent-v1) to remember your choice on the cookie banner so you are not re-prompted on every visit.

Analytics scripts (Vercel Analytics) are loaded only when you click "Accept" on the cookie banner. If you click "Decline" or dismiss the banner, no analytics scripts run. You can change your choice at any time by clearing the localStorage entry above for this Site in your browser’s site settings.

We honour Global Privacy Control (GPC) signals sent by your browser as a request to opt out of the sale or sharing of personal information for cross-context behavioural advertising, where applicable. We do not sell personal information, so this signal does not change the way we process your data, but we acknowledge and respect it.

7. Sharing and processors

The Operator uses a small number of processors that handle personal data on documented instructions:

  • Vercel Inc. (hosting, edge delivery, and analytics). Vercel acts as a processor under GDPR and a service provider under CCPA. See vercel.com/legal/privacy-policy.
  • Email service providers used for sending the Discovery Digest. If you subscribe, your email address is processed by the provider on the Operator’s behalf.

We do not share personal data with advertisers. We do not provide personal data to AI model training programmes. We may disclose personal data if required by law, court order, or to protect the rights or safety of the Operator or others.

8. International transfers

Our processors are based in the United States and may process data outside the EEA, UK, and Switzerland. Where transfers occur, they rely on the European Commission’s Standard Contractual Clauses, the UK Addendum to the SCCs, or equivalent safeguards, together with the recipient’s certifications under the EU-US Data Privacy Framework and the UK-US Data Bridge as applicable.

9. Retention

  • Subscriber email addresses: retained for as long as you remain subscribed, then deleted within thirty days of unsubscribe.
  • Email correspondence: retained for up to two years from your last message to maintain context for follow-up enquiries.
  • Server logs: retained by Vercel in accordance with their retention schedule, typically a short rolling window.
  • Aggregated analytics: retained in non-identifiable aggregate form.

10. Security

The Site is served over HTTPS with HTTP Strict Transport Security. Newsletter and correspondence data are stored with reputable providers that maintain industry-standard organisational and technical measures, including encryption in transit and at rest. No service is perfectly secure; we encourage you to use unique passwords and modern browsers when interacting with any service, including this one.

11. Your rights (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete personal data (Art. 16).
  • Erase your personal data (the "right to be forgotten") where applicable (Art. 17).
  • Restrict our processing of your personal data (Art. 18).
  • Receive your personal data in a portable format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent where processing is based on consent (Art. 7(3)).
  • Lodge a complaint with a supervisory authority. In the UK that is the ICO (ico.org.uk). In Ireland, the DPC (dataprotection.ie). Other Member States: edpb.europa.eu/about-edpb/about-edpb/members.

To exercise any of these rights please email hello@nathanmzumara.com. We respond within thirty days, extendable by a further sixty days for complex requests.

12. Your rights (US state laws)

If you reside in a US state with a comprehensive consumer privacy law (currently including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, Florida, and others as they take effect), you have the following rights, subject to applicable exceptions:

  • Right to know / access: the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose, and the categories of third parties with whom we have shared it.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to portability: receive your data in a portable, machine-readable format.
  • Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising.
  • Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Right to limit use of sensitive personal information (CCPA).
  • Right to non-discrimination for exercising any of these rights.
  • Right to appeal a refusal of any rights request, where required by your state’s law.

You may use an authorised agent to submit a request on your behalf, provided you have given the agent written permission and we are able to verify your identity through email and the subscriber records we hold.

13. Do Not Sell or Share, sensitive data

We do not sell personal information for money, and we do not share personal information for cross-context behavioural advertising, as those terms are defined under California, Colorado, Connecticut, Virginia, and similar laws. We have not done so in the past twelve months. There is therefore no "Do Not Sell or Share My Personal Information" link required, but you may still exercise that right by emailing us and we will record your preference.

We do not process "sensitive personal information" (as defined under the CCPA) or "sensitive data" (as defined under the VCDPA, CPA, CTDPA, UCPA and similar laws) for the purpose of inferring characteristics about you.

14. Children

The Site is not directed to children under the age of 16 (or such higher age as required by applicable law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Automated decision-making

We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you.

16. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top of the page indicates when the most recent change took effect. Material changes will be highlighted at the top of the Site and, where appropriate, notified by email to active subscribers.

17. Contact and complaints

The fastest way to reach us about privacy is email: hello@nathanmzumara.com. We respond to all verifiable requests as quickly as we can, and in any event within the timeframes set out by applicable law.

If you reside in the EEA, UK, or Switzerland and remain unsatisfied with our response, you may lodge a complaint with your local supervisory authority. If you reside in California, you may also contact the California Privacy Protection Agency or the California Attorney General. If you reside in another US state, you may contact your state Attorney General.