Skip to content
:iterator:
Sign up Log in

Privacy Policy

Effective and last updated: May 18, 2026.

In plain English (not part of this Policy). We collect the minimum we need to run a free, AI-assisted news site: your email and a few related records if you create an Account, plus standard request data and email-delivery records. We use that information to run Accounts, to send transactional and subscription emails, and to protect the Site from abuse. We do not sell personal information and we do not run ad-tracking cookies. We are a sole proprietor in Ontario, Canada, and we operate under PIPEDA. The paragraph you are reading is a summary only and is not part of this Policy; the legal text follows below.

Who this Policy applies to

  • This Policy applies to anonymous readers of the public pages of iterator.news (the Site) and to registered Account holders.
  • Capitalized terms used in this Policy and not defined here have the meanings given in our Terms of Service.

Who we are

  • We, us, and our mean Iterator News, a sole proprietorship registered in the Province of Ontario, Canada, operating the Service at iterator.news.
  • You can reach us at [email protected]. The same address is the privacy contact and the channel for individual access requests, correction requests, withdrawal-of-consent requests, deletion requests, and complaints under this Policy.
  • The sole proprietor is the person designated as accountable for the organization's compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

What we collect

We collect personal information in the following categories.

  • Information you give us when you create an Account. Your email address and a password (which we store only as a one-way salted hash). We do not ask for, and you should not provide, your real name, address, phone number, or other personal details.
  • Information you give us by subscribing to topics. The topics you have chosen to follow and a record that you affirmatively opted in (for purposes of Canada's Anti-Spam Legislation, or CASL).
  • Information you give us by writing to us. Anything you put in an email to [email protected], including takedown, access, correction, and deletion requests.
  • Information collected automatically when you visit or use the Site. Standard HTTP request metadata (IP address, user agent, referrer, requested URL) at the time of each request; cookies set by us (described under Cookies and similar technologies below); and limited browser storage used to preserve information you have entered while moving between related pages (for example, between signup and login).
  • Information collected for security-sensitive actions. When you request a password reset or an email-verification email, we record the IP address and user agent attached to the request for a short period.
  • Information about emails we send you. Queued message records (recipient, subject, and body) for a short window after sending, and delivery-event records from our email provider (such as delivered, bounce, spam, reject, and unsubscribe). We do not track email opens or link clicks.
  • Information generated by your interactions with the Service. Session records, subscription records, and request and operational logs.

Information we do not collect. We do not collect payment information (there is no paid tier today), real names, phone numbers, postal addresses, government IDs, precise geolocation, or biometric or health information. We do not buy personal information from data brokers, and we do not enrich Accounts with third-party data.

Why we collect it

  • To create and operate your Account (email address and password hash).
  • To send transactional email about your Account, such as signup confirmation, password reset, email verification, and deletion or deactivation notices. These are part of operating the Service; we send them regardless of email-verification status.
  • To send the topic notifications you have opted into (CASL express consent), once you have confirmed your email address.
  • To honour bounces, complaints, and unsubscribes (delivery events and suppression records).
  • To protect the Site from abuse, fraud, and automated attack through rate limiting, bot detection, brief request-metadata capture on sensitive requests, and other anti-abuse measures we do not describe in detail so as not to undermine them.
  • To diagnose problems, measure performance, and improve the Service (request and operational logs).
  • To comply with legal obligations (responding to lawful requests, breach reporting, and retaining records where required).

Limiting collection. We only collect personal information that is reasonably necessary for the purposes set out above.

Cookies and similar technologies

  • A session cookie that keeps you signed in, with a sliding lifetime of approximately 30 days.
  • Anti-forgery (CSRF) cookies that protect form submissions and API calls from being forged by another site; session-scoped.
  • A short-lived auth-flow cookie that binds signup and login redirects to your browser, with a lifetime of approximately one hour.

We do not set third-party advertising or tracking cookies. We do not currently respond to the Do-Not-Track header because there is no industry consensus on its meaning.

Analytics

We use Plausible Analytics (hosted at plausible.io), which is cookieless and IP-anonymized, to count visits and understand which posts are popular.

We do not use Google Analytics, Meta Pixel, or advertising-network pixels, and we do not use third-party analytics other than what is named in this section. If we add any future analytics or product-telemetry provider, we will list it here.

Email and communications

We send two kinds of email: transactional email, which is required to operate your Account, and topic-subscription notifications, which are commercial mail under CASL and are sent only after you have confirmed your email address. Every commercial email identifies us as the sender and includes a one-click unsubscribe link; you can also manage your subscriptions from your profile page. Unsubscribe requests are honoured within 10 business days. The full description of our email practices is in the Terms of Service.

Who we share information with

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising or targeted advertising. We do not share personal information with third parties for their own marketing.

We use the following service providers (subprocessors) to operate the Service. Each is listed with its role, the jurisdiction in which it processes data for us, and what it receives.

  • SMTP2GO (United States): sends transactional and topic-notification emails on our behalf and reports delivery outcomes back to us. Receives the full content of the emails we send and the recipient address. Their privacy practices apply to their handling of that data.
  • Cloudflare (United States / global edge): provides the Turnstile bot-detection widget on the signup form. Cloudflare's infrastructure observes the browser request that loads the widget.
  • DigitalOcean (Canada/Toronto region): hosts the application, the database, and the file-storage buckets used by the Service.
  • Plausible Analytics (European Union, hosted at plausible.io): cookieless, IP-anonymized web analytics.

Future subprocessors. If we add paid features in the future, we will engage a payment processor and update this Policy to identify them and describe the data they receive at that time. The current subprocessor list does not include a payment processor.

Legal and safety disclosures. We may disclose information when we have a good-faith belief that it is required by law, by lawful order, or by legal process (such as a subpoena, search warrant, or production order); when needed to protect the safety, rights, or property of the Service, our users, third parties, or us; when needed to investigate or prevent fraud, abuse, or security incidents; or in connection with a sale, merger, or reorganization of the Service.

Aggregated and anonymized information

Aggregated or anonymized information means information from which an individual cannot be identified and from which there is no serious possibility that an individual could be re-identified, alone or in combination with other information available to us or reasonably available to a recipient. Information that meets that standard is not personal information for the purposes of this Policy.

Examples of uses we expect to make of aggregated or anonymized information include:

  • total number of subscribers to a Topic;
  • total number of emails sent in a given period;
  • counts of public-page visits;
  • internal product and cost analysis;
  • other audience or operational statistics that we may publish on the Site, in posts, or in operator communications.

We will not publish counts so small that they could allow an individual to be identified. We do not sell aggregated or anonymized information to third parties.

Where we store information

  • Primary storage in Canada. The application, the database, and the file-storage buckets are hosted on DigitalOcean in the Toronto (Canada) region.
  • Cross-border processing by subprocessors. Some of the subprocessors named above process personal information outside Canada for the purposes described:
    • SMTP2GO (United States): sending transactional and topic-notification email on our behalf and processing delivery outcomes for us. Receives the full content of the emails we send and the recipient address.
    • Cloudflare (United States / global edge): bot-detection on the signup form. Cloudflare's infrastructure observes the browser request that loads the Turnstile widget; we do not send your IP address to Cloudflare's verification endpoint ourselves.
    • Plausible Analytics (European Union): cookieless, IP-anonymized analytics of public-page visits.
  • Accountability after transfer. Under PIPEDA we remain accountable for personal information after it is transferred to a subprocessor for processing. We use contractual or other means to require each subprocessor to provide a level of protection comparable to what PIPEDA requires while the information is in their custody.
  • Residual risk. While personal information is in a foreign jurisdiction, it may be subject to access by that jurisdiction's courts, law-enforcement agencies, regulators, or government authorities under that jurisdiction's laws. This may include, for example, lawful access requests, production orders, or national-security requests. No contract that we put in place with a subprocessor can override the laws of the country to which the information is subject once it has been transferred.
  • Acceptance of transfer by use. If you create an Account, subscribe to topics, contact us, or otherwise use the Service, your personal information will be transferred to and processed in Canada and in the jurisdictions of the subprocessors named above. By using the Service you acknowledge and accept that transfer and the residual risk described above.

How long we keep it

  • Account record. Until you delete the Account, or we close it. After deletion, we retain a minimal anonymized placeholder record (with your email address and password removed) along with annonymized email usage records and other records for security, and analytics purposes.
  • Sessions. Up to approximately 30 days from last use.
  • Password-reset requests. The reset link is valid for 30 minutes; the request record is retained for up to approximately 30 days, then deleted.
  • Email-verification requests. Short-lived link and short retention, on the same shape as password-reset requests.
  • Outbound emails and their delivery outcomes. Approximately 7 days.
  • Records of deliverability problems and suppressions (used to avoid sending mail to addresses that have bounced, complained, or unsubscribed): retained from approximately 60 days up to 2 years, depending on the type and status of the record.
  • Short-lived sign-in flow data paired with the auth-flow cookie: approximately one hour.
  • Topic subscriptions. Kept while active. After a subscription ends, we keep a record that you previously consented to receive those emails, including when and why the subscription ended, for CASL evidentiary purposes.
  • Server logs and job logs. Retained for a short period for diagnostics; we do not commit to a specific number of days because the period depends on the hosting platform and on operational needs.
  • Backups. Cloud backups may extend beyond the active-data retention windows above; deletion in production propagates to backups on the backup provider's normal rotation schedule.

Your choices and rights

  • Update your email or password from the profile page.
  • Manage subscriptions and unsubscribe from the profile page or via the unsubscribe link in any notification email.
  • Resend your email verification from the profile page.
  • Delete your Account at any time from the profile page. The Service-side effects of deletion are described in How long we keep it above.
  • Access. You can ask us what personal information we hold about you, how it is used, and to whom it has been disclosed. We will respond within a reasonable time (our target is thirty (30) days from receipt of a complete request) at minimal or no cost. If we cannot respond within that window, we will tell you why and give you a revised target.
  • Correction. If any of the information we hold about you is inaccurate or incomplete, you can ask us to correct it. Where we cannot agree, you can ask us to record your unresolved correction request.
  • Withdraw consent. You can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent for transactional email means we cannot operate the Account, so the Account will be closed.
  • How to make a request. Write to [email protected]. We may ask for enough information to verify that the request is from you.
  • Complaints. If you believe we have not handled your personal information properly, please write to us first at [email protected]. If we cannot resolve the issue, you may also complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca, 1-800-282-1376) or to your provincial regulator where applicable.

California and other US state privacy laws

We are a small Canadian operator and do not meet the applicability thresholds of the California Consumer Privacy Act (as amended by the CPRA), and we likewise do not meet the applicability thresholds of the other US state comprehensive privacy laws currently in force. The following commitments are a position statement, not a claim of compliance with those laws.

  • We do not sell personal information, and we do not share personal information for cross-context behavioral advertising or targeted advertising. We therefore do not provide, and are not required to provide, a "Do Not Sell or Share My Personal Information" link.
  • We do not use sensitive personal information to infer characteristics about you.
  • California residents and residents of other US states may exercise the same access, correction, withdrawal-of-consent, and deletion choices described above, on the same terms, by writing to [email protected].
  • We respect browser-level opt-out preference signals (such as Global Privacy Control) to the same extent: because we do not sell or share personal information, there is no third-party data flow for such signals to opt out of.

If our circumstances change such that one of these laws would apply to us, we will update this Policy to reflect our obligations under that law.

Children

  • Accounts are limited to users 14 years of age and older, consistent with the Terms of Service.
  • We do not knowingly collect personal information from children under 14.
  • If you believe we have collected information from a child under 14, please write to [email protected] and we will delete it.

Security

  • Transport. HTTPS in production, with secure cookies for sign-in and form protection.
  • At rest. Passwords are stored only as salted one-way hashes and never in plaintext. One-time-link secrets (password reset, email verification) are stored only as one-way hashes. The database is held on a managed hosted database service.
  • Access controls. Only the owner and a limited number of trusted employees or contractors have production access today.
  • Honest disclaimer. No system is completely secure. Please use a unique strong password, and tell us promptly at [email protected] if you suspect unauthorized access to your Account.

Breach notification

If we become aware of a breach of security safeguards involving personal information that poses a real risk of significant harm to affected individuals, we will:

  • report the breach to the Privacy Commissioner of Canada as soon as feasible;
  • notify the affected individuals as soon as feasible, by email to the address registered on the Account where applicable, with enough information to understand the significance of the breach and the steps you can take to reduce the risk of harm; and
  • keep a record of the breach as required by PIPEDA.

This commitment does not change our obligations under PIPEDA, which we will follow whether or not this Policy describes them.

Third-party links

Posts and emails may link to third-party sites. Those sites have their own privacy practices and we are not responsible for them.

Bots, scrapers, and automated access

Our position on automated access to the public Site is set out in the Terms of Service. For privacy purposes: requests from automated clients are subject to the same access logging as requests from human visitors.

Changes to this Policy

  • We may update this Policy at any time.
  • For material changes we will provide reasonable notice (for example, a site banner or an email to registered Account holders).
  • The "Effective and last updated" date at the top of this Policy reflects the most recent material change.

Contact

For all privacy-related requests, including questions, access requests, corrections, withdrawal-of-consent requests, deletion requests, and complaints, write to [email protected]. The same address is the operator's official channel under the Terms of Service, so general legal and operational correspondence and privacy correspondence land in the same place.

General

  • Governing law. This Policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein.
  • Relationship to the Terms. This Policy is incorporated by reference into the Terms of Service. The Terms control any direct conflict on contractual matters (warranties, liability limits, dispute resolution); this Policy controls the description of our information handling.
  • Language. This Policy is provided in English only, and the English version controls. The parties have expressly required that this Policy and all related documents be drafted in the English language. / Les parties ont expressément exigé que la présente Politique et tous les documents connexes soient rédigés en anglais. If we ever publish a French version of this Policy, the English version still controls.