Skip to content
bnsmag

Legal

Privacy Policy

Plainly: we don't make money selling your data, and we collect as little of it as we can. Here's the whole list, in one short page.

Last updated · May 1, 2026

What we collect

When you visit bnsmag.com, our server logs your IP address, browser type and the page you requested. That's standard for any website on the open internet, and we use it to keep the lights on, debug errors, and prevent abuse.

When you subscribe to the Sunday Letter, we collect your email address and the date you subscribed. That's it. No name, no address, no phone number.

When you write to us (the contact form, or a reply to a newsletter), we keep that email until the conversation is finished, then we archive it.

If you sign in as a writer or editor (staff only), we use Supabase Auth to manage your session. Supabase stores a hashed password and a session token; we do not see your password in plain text at any point.

Why we collect it

  • To deliver the newsletter you signed up for.
  • To reply to your messages when you write in.
  • To measure, in aggregate, how many people read which articles (via Google Analytics).
  • To serve display advertising through third-party ad networks. See who we share it with.
  • To protect the site from spam, scrapers and abuse.

We do not sell your personal data. We do not build a first-party profile of you. We do rely on third-party ad networks (Google, Mediavine) that may use cookies to personalise ads, and you can disable this in our cookie banner or in your browser at any time.

Who we share it with

The site relies on a small number of vendors, each of which sees only what they need to:

VendorWhat it seesPurpose
VercelServer logs, IP, request pathHosting and edge delivery
SupabaseYour email, hashed password (editors only)Database and authentication
Newsletter providerYour email, open/click eventsSending the Sunday Letter
Google AnalyticsPage views, referrer, device class, approximate locationMeasuring readership (aggregate, anonymised)
Google AdSense / Ad ManagerCookies, ad-interaction events, IPServing and measuring display advertising
MediavineCookies, ad-interaction events, IPProgrammatic ad delivery

Google Analytics, Google AdSense / Ad Manager and Mediavine are advertising and measurement vendors. They use cookies and similar technologies to recognise your browser across sites, build interest profiles, and serve relevant ads. We do not give them your name or email, but they are independent data controllers, review their own privacy policies for the full picture:

You can opt out of personalised advertising via Google Ads Settings and the Your Online Choices industry tool. Where required (EU/UK), our cookie banner gives you the choice before any of these vendors load.

We do not sell your personal data. Aggregate, non-identifying analytics about traffic patterns is the only data we share for measurement purposes.

Your rights

Wherever you live, you can ask us to:

  • Show you what we have about you.
  • Correct anything that's wrong.
  • Delete it (with limited exceptions, we have to keep accounting records, for example).
  • Export it in a portable format.
  • Stop getting the newsletter, one click in the email footer.

To exercise any of these, email hello@bnsmag.com with "Privacy" in the subject line. We respond within seven days, usually within one.

We're a UK publisher, so UK GDPR applies as a baseline. If you live in the EU, EU GDPR gives you the same rights, and you can lodge a complaint with your national data protection authority. UK residents can complain to the Information Commissioner's Office. If you live in California, CCPA gives you a "Do Not Sell" right, which is moot here, because we don't sell.

How long we keep things

  • Server logs: 30 days, then deleted.
  • Newsletter list: until you unsubscribe.
  • Contact emails: while the conversation is open, then 12 months in archive, then deleted.
  • Editor accounts: for the life of the role, then deleted within 30 days of departure.

How we keep it safe

Everything is served over HTTPS. Passwords are hashed with bcrypt at rest. Database access is restricted by row-level security and short-lived JWTs. We use a password manager and 2FA on every account that touches user data.

We're a small team and we're not infallible. If we discover a breach that affects you, we'll notify you within 72 hours and tell you exactly what happened.

Children's data

bnsmag is intended for readers 16 and over. We do not knowingly collect data from anyone younger. If you believe a child has submitted data to us, write to hello@bnsmag.com and we will delete it.

Changes to this policy

We update this page when our practices change. The "Last updated" date at the top is the source of truth. Material changes (new vendors, new categories of data) are announced at the top of the next Sunday Letter.

Contact

For privacy questions, email hello@bnsmag.com with "Privacy" in the subject line so it reaches the right pair of eyes.

All legal pages

Questions? Write to hello@bnsmag.com.