Personal data processing (privacy notice)

Dear fellow DPO/privacy & data protection enthusiast, this notice is kept intentionally brief because of who's reading this, so don't use it as a template for your customers.

Since you're GDPR savvy and already overwhelmed with limited time, I'll simply state that you're entitled to all GDPR rights, including access. Just reach out if you have any questions: your controller here is me, Rie Aleksandra Walle, at dpohub[at]noties.consulting.

The information below is for the DPO Hub. See the company privacy notice for processing related to general business operations and for the NoTies Community.


DPO Hub

When you sign up for the DPO Hub you must share your email address, payment details, name, billing address and, if you're purchasing as a business, Tax ID number (for VAT purposes). The purpose is to give you access to the DPO Hub and the data is required if you want to subscribe. The legal basis is contract. This data is kept for as long as you subscribe, and then for 3,5 years for accounting obligations. I use Stripe to process your payment securely and they retain certain personal data to comply with legal obligations, such as anti-terrorism and anti-money laundering laws.

If you're a Founding Member and opted in, you shared your address with your consent to receive the carefully prepared welcome gift. I'll keep it as long as there's a chance I might send you something by post. You can withdraw your consent at any time, and I'll delete the data promptly – no later than two weeks after your request.

Your email address is required to log in to the DPO Hub and receive news alerts, though you can unsubscribe from the alerts. You can also choose to add your name.

The platform powering the DPO Hub allows newsletter analytics, but this feature is disabled. However, statistics on sign-ups, logins, and emails received can’t be disabled and are considered part of the contract (where the purpose is to fulfill the contract). If you cancel your subscription, your profile and all related data are usually deleted immediately, and at the latest within a week.

Fathom Analytics is used for website analytics, designed with privacy at its core. Your IP address and User Agent are only processed in pseudonymised form for 24–48 hours (read more here). The purpose is to assess how the DPO Hub is used, such as identifying the most visited pages, in the most privacy-friendly way possible. The legal basis is legitimate interest, aimed at continually improving the DPO Hub to provide you with the best service possible.


Processors and third-country transfers

DPO Hub is built on a platform by Ghost Foundation Ltd, a "proud non-profit organisation building open source technology for journalism". Ghost confirms they store "all data in the EU." I use Stripe as described above and Zapier to automatically create your membership after payment.

The transfer tool for processors in third countries is either an adequacy decision, the EU Standard Contractual Clauses or your consent. Stripe and Zapier are based in the US and certified under the EU-US Data Privacy Framework. Fathom Analytics is based in Canada and falls under their adequacy decision.


This is Version 1.3, February 2025

Great! Next, complete checkout for full access to DPO Hub.
Welcome back! You've successfully signed in.
You've successfully subscribed to DPO Hub.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.