Who we are
Cryptolut (“we”, “us”, “our”) is the independent digital newsroom operating cryptolut.com. This Privacy Policy describes what personal information passes through our systems, why it does, how long it stays, and the rights you have to inspect, correct, or remove it. We have written it to be read — in plain English, not legalese — because a privacy policy nobody can parse is not really a privacy policy at all.
We are a small editorial team. We do not sell personal data. We do not run third-party advertising. We do not embed tracking pixels from Meta, X, TikTok, LinkedIn, or any other social network. The information we handle is the minimum we genuinely need to publish a news website, deliver a newsletter to people who asked for one, and keep the site online and reasonably free of abuse.
Data controller. Cryptolut Editorial is the controller of the personal data described here. For privacy questions, contact our Data Protection Officer at dpo@cryptolut.com or our general privacy mailbox at privacy@cryptolut.com. Email reaches us faster than post.
What data we collect
We group the data we handle into three buckets: information collected automatically as you browse, information you actively give us, and information stored on your device through cookies or local storage.
Collected automatically
When your browser requests a page, our edge layer and origin server briefly see:
- Your IP address, held transiently in request logs. We use it for rate limiting, to stop obvious abuse such as scraping or denial-of-service traffic, and to produce coarse aggregate country counts for our own planning. We do not attempt to identify individual readers from IP addresses.
- User-agent string — the browser, operating-system, and device family reported by your client — used to debug rendering bugs, detect bots, and decide which version of an asset to send.
- Referrer (the page that linked you to us), where your browser supplies it, used to understand which articles travel and where new readers come from.
- Pages visited, response codes, and timings, recorded in operational logs for debugging, capacity planning, and abuse detection.
- RSS click-through signals, where a reader follows an outbound headline link from Cryptolut to an original publisher. We record only that the click happened, not anything personal about the reader.
We use a privacy-preserving server-side analytics provider in the same category as Plausible — cookieless, no cross-site identifiers, no personal-data hand-off. Aggregate counts are computed from the same request stream rather than by injecting a tracker on your device.
Provided by you
- Newsletter email address. If you sign up for our newsletter we store the email you gave us, the timestamp of subscription, and a confirmation token used to validate the address. Nothing else.
- Contact and tip content. If you email us, submit a tip, or fill in a form, we retain the message and your reply-to address so that we can respond and, where relevant, follow up.
- Career applications. If you apply through our careers page, we store your name, email, role of interest, portfolio link, and pitch for the duration of the hiring process.
- Editorial account credentials — applicable only to the small number of editorial staff with a Cryptolut login. We store a salted password hash, a session identifier, and a record of the actions taken in the CMS for accountability.
Cookies and on-device storage
We use a small number of cookies, documented in detail on our Cookie Policy. In summary: a session cookie for logged-in editors, a preference cookie that remembers your chosen theme, and a consent cookie that remembers the choices you made in our consent banner.
Saved articles — the list of stories you bookmark with the “save” button — live in your browser’s local storage. They are not a cookie, they are not transmitted to our servers, and clearing site data in your browser removes them.
How we use it
We use the information above to:
- Serve the pages you request and keep the site online.
- Send you the newsletter you signed up for, and nothing else you did not ask for.
- Reply to enquiries, corrections, and tip submissions.
- Detect and mitigate abuse — scraping, automated account attempts, spam submissions to the newsletter or contact forms.
- Understand which stories resonate with readers in aggregate, using privacy-preserving server-side analytics rather than third-party trackers.
- Comply with legal obligations, where they apply.
Lawful basis (GDPR, UK GDPR, CCPA)
Under the EU General Data Protection Regulation (GDPR) and the UK GDPR, we rely on the following lawful bases:
- Legitimate interest (Article 6(1)(f)) for operational logs, abuse prevention, and delivering the site you requested. We have weighed these interests against your rights and freedoms and consider the processing proportionate, expected, and limited to what is necessary.
- Consent for the newsletter and any non-essential cookies. You may withdraw consent at any time by unsubscribing or by changing your preferences in the consent banner; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Performance of contract for editorial accounts and career applications — we need to process credentials and application content to let staff log in and to evaluate candidates.
- Legal obligation where a specific law requires us to retain or disclose data, for example a tax record or a valid court order.
For California residents, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you specific rights described under “Your rights” below. Cryptolut does not sell or share personal information as those terms are defined under the CCPA, and we honour Global Privacy Control signals where they are present.
Retention
We keep data only as long as it is useful and then we delete it. We do not warehouse data “just in case”. The following periods describe our default retention; specific records may be kept longer where a legal obligation applies (for example tax records).
- Operational logs (IP, user agent, path, response code, timing): 30 days, then automatically discarded.
- Newsletter subscriptions: kept until you unsubscribe. Unsubscribing removes your address from the active list within seven days.
- Contact and tip correspondence: 12 months from the date of the last message, then deleted unless the conversation relates to an ongoing investigation or legal matter.
- Career applications: 12 months from submission for shortlisted candidates, sooner on request, immediately on the close of an unsuccessful hiring process where the candidate has not opted into our talent pool.
- Editorial accounts: kept while the account is active; deleted on departure or on request, with the related audit trail anonymised.
Sharing with third parties
We do not sell personal data. A small set of named processors handle data on our behalf so the site can run, each under a written data-processing agreement that constrains them to our instructions:
- Hosting and infrastructure — the application and database run on Render. Render processes traffic on our behalf as a sub-processor.
- Content delivery and edge security — Cloudflare fronts the site for caching and DDoS protection. In doing so it briefly observes request metadata including IP address.
- Email delivery — newsletter issues and transactional emails are dispatched through a Mailgun-equivalent transactional-email provider. They process email addresses solely to deliver the message and produce delivery receipts.
- Analytics — a server-side, cookieless analytics provider in the Plausible category aggregates page-view counts. No cross-site identifier is generated.
- Original publishers — when you click an aggregated headline you are sent to the original publication. We do not pass any personal data with the click; your browser simply opens their URL under their own privacy terms.
We will disclose personal data if required to do so by a valid legal order, and we will push back on overbroad or fishing requests where we can. We publish a basic transparency note in our annual editorial report when government data requests are received.
International transfers
Our hosting and edge providers operate infrastructure across multiple regions, principally in the United States and the European Union. Depending on where your request is routed, your data may be processed outside the UK or the European Economic Area. Where transfers occur we rely on, in order of preference, a UK or EU adequacy decision; the EU Standard Contractual Clauses; the UK’s International Data Transfer Agreement or Addendum; or, as a residual safeguard, your explicit consent. A copy of the relevant transfer mechanism is available on request.
Your rights
Under GDPR, UK GDPR, the CCPA and similar laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase data we hold, where we have no overriding legal obligation to keep it.
- Port the data you provided to us, in a portable, machine-readable format.
- Object to processing based on legitimate interest.
- Restrict processing while a complaint is investigated.
- Withdraw consent at any time, without affecting processing done before withdrawal.
- Opt out of sale or sharing under the CCPA — though we do not sell or share personal information as defined under that statute.
To exercise any of these, email privacy@cryptolut.com. We will acknowledge within a few working days and respond substantively within one calendar month, extendable to three months for unusually complex requests with notice. We may ask you to confirm you are the person whose data you are asking about, but we will not demand more identifying information than necessary.
Do Not Track and Global Privacy Control
The Do Not Track (DNT) header is supported in most browsers but has never had a clear, agreed-upon meaning. We treat a DNT signal as a request not to be subjected to cross-site tracking. Because we do not run cross-site trackers in the first place, the practical effect is the same as our default behaviour. We additionally honour the Global Privacy Control (GPC) signal as a valid opt-out under the CCPA.
Children
Cryptolut is written for an adult audience. Consistent with the Children’s Online Privacy Protection Act (COPPA) we do not direct our service at children under the age of 13, and we do not knowingly collect information from them. If you believe a child has provided us with personal data, write to privacy@cryptolut.com and we will delete it.
Security and breach notification
We encrypt traffic in transit with HTTPS, store passwords only as salted hashes, hold credentials in a secrets manager rather than in source control, and limit administrative access to the editors and engineers who need it. No system is perfectly secure, but we take reasonable steps proportionate to the scale of the site and the sensitivity of the data we handle.
If we ever experience a personal-data breach that creates a risk to the rights of affected readers, we commit to notifying the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33, and to communicating directly with affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Changes to this policy
If we make material changes to the way we handle personal data — for example adding a new category of data we collect, or a new third-party processor — we will update this page and display a banner at the top of the site for at least 14 days. Minor editorial tweaks to the wording may be made without notice; the “Last updated” date at the top always reflects the current version.
Supervisory authority
If you are in the United Kingdom and unhappy with how we have handled your personal data, you can complain to the Information Commissioner’s Office at ico.org.uk. If you are in the European Economic Area you may complain to your local data protection authority. California residents may raise a complaint with the California Privacy Protection Agency. We would very much prefer you contacted us first so we can put things right, but you are under no obligation to do so.
Contact
For any privacy question, write to privacy@cryptolut.com. For data-protection-officer matters specifically, dpo@cryptolut.com. For general editorial enquiries, see the Masthead.