New Metal Privacy Policy
Last updated: 10 June 2025
1. Who we are
New Metal LLC (“New Metal”, “we”, “us”) operates newmetal.com and publishes the weekly New Metal Newsletter. We are the data controller for information collected via the site. The public website is hosted on Firebase Hosting (Google LLC) with assets cached by Cloudflare.
New Metal LLC
Mountlake Terrace, WA, USA
privacy@newmetal.com
2. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Identity & contact | E-mail address, display name (optional) | You |
| Device info | IP address, browser/OS, timezone | Your device |
| Usage & engagement | Email opens, link clicks, unsubscribe events | Our email platform |
| Anti-spam signals | reCAPTCHA score, honeypot value, bounce & complaint data | Google reCAPTCHA v3, AWS SES |
We do not knowingly collect data from children under 16.
3. How we use your data & legal bases
| Purpose | Legal basis (GDPR Art.) | Details |
|---|---|---|
| Send newsletter & promos | Consent (6 (1)(a)) | Double opt-in; you may withdraw any time |
| Analytics & optimisation | Legitimate interest (6 (1)(f)) | Helps tune content & subject lines |
| Spam & abuse prevention | Legitimate interest | reCAPTCHA & rate-limiting |
| Legal compliance | Legal obligation (6 (1)(c)) | Tax, accounting, data-protection logs |
4. Cookies & similar tech
We use cookies and local storage to make the site work, protect against bots and measure traffic. Non-essential cookies are loaded only after you grant consent via our cookie banner.
| Type | Tool | Purpose | Lifespan |
|---|---|---|---|
| Essential | newsletter_session | Preserve form state | 30 min |
| Analytics (conditional) | Google Analytics 4 | Measure traffic & referrers | 14 months |
| Security (conditional) | reCAPTCHA v3 | Block bots | 6 months |
You can change or withdraw consent at any time via the Cookie settings link in the footer.
5. Sharing & processors
We never sell your data. We share it only with trusted processors under written DPAs:
| Processor | Location | Safeguard |
|---|---|---|
| AWS (SES, SQS, DynamoDB, Lambda) | USA/EU | Standard Contractual Clauses (SCCs) |
| Google LLC (Analytics, reCAPTCHA) | Worldwide | SCCs |
| Cloudflare Inc. (CDN/WAF) | Worldwide | SCCs (if enabled) |
6. International transfers
Data is hosted in the United States and Europe. Cross-border transfers rely on SCCs and encryption (TLS 1.3 in transit, AES-256 at rest).
7. Data retention
- Unconfirmed sign-ups: deleted after 7 days.
- Active subscribers: retained until you unsubscribe.
- Bounced/complained: deleted 30 days after event.
- Back-ups (PITR): 35 days max.
8. Your rights (EU/UK etc.)
You may request access, correction, erasure, restriction, portability, or objection at any time, and withdraw consent without penalty. Email privacy@newmetal.com. We respond within 30 days.
9. Marketing & unsubscribe
Every email includes an unsubscribe link and a mailto alternative. Requests are honoured instantly, always within 24 hours.
10. Security
- TLS 1.3 across the site
- SHA-256 hashed tokens
- IAM least-privilege & KMS encryption
- CloudWatch & SNS anomaly alarms
11. Changes to this policy
We'll post updates here and email subscribers if changes are significant. Version history is kept at the top of this page.
12. Contact
Questions, rights requests, or takedowns: privacy@newmetal.com
Stay brutal, stay in control of your data. 🤘