Privacy Policy - Crisis.zone

Last Updated: November 6, 2025

Version: 1.0

1. Introduction

1.1 About This Policy

This Privacy Policy explains how Crisis.Zone. ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use Crisis.zone (the "Platform"). We are committed to protecting your privacy and being transparent about our data practices.

1.2 Data Controller

The data controller responsible for your personal data is:

Crisis.Zone.

• Chamber of Commerce (KvK): 83684514
• VAT Number: NL862957370B01
• Registered Office: Netherlands
• Contact Email: [email protected]
• Privacy Questions: [email protected]

1.3 Scope

This Privacy Policy applies to all users of Crisis.zone, including:

• Website visitors
• Free newsletter subscribers
• Paid members (Frontline Access)
• Anyone who contacts us

1.4 Legal Basis

We process personal data in accordance with:

• General Data Protection Regulation (GDPR) - EU Regulation 2016/679
• Dutch Personal Data Protection Act (Uitvoeringswet AVG)
• Dutch Telecommunications Act
• Other applicable Dutch and European privacy laws

2. Our Core Privacy Principles

2.1 We Will Never Sell Your Data

We will never sell, rent, or trade your personal data to third parties. This is a fundamental principle of how we operate. Your trust is more valuable to us than any potential revenue from data sales.

2.2 Right to Deletion

You can request deletion of your personal data at any time by contacting [email protected]. We will comply promptly, except where we are legally required to retain certain data (see Section 11).

2.3 Transparency

We are committed to being transparent about what data we collect, why we collect it, and how we use it.

2.4 Data Minimization

We only collect personal data that is necessary for providing our services.

2.5 Security

We implement appropriate technical and organizational measures to protect your data.

3. What Personal Data We Collect

3.1 Account Information

When you create an account, we collect:

• Email address (required)
• Name (optional, but recommended)
• Account creation date
• Subscription status (free or paid)

3.2 Payment Information

For paid subscriptions, we collect:

• Billing name
• Billing address (required for VAT compliance)
• Country

Note: We do NOT store credit card details. All payment processing is handled securely by Stripe. We only receive:

• Payment confirmation status
• Last 4 digits of card (for your reference)
• Card brand (Visa, Mastercard, etc.)
• Subscription status

3.3 Usage Data

We automatically collect:

• IP address
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system
• Pages visited on Crisis.zone
• Time and date of visits
• Referring website (where you came from)
• Articles read (for members)
• Newsletter interaction (opens, clicks)

3.4 Cookie Data

We use cookies to improve your experience. See our Cookie Policy for details. Cookie data includes:

• Session cookies (for logged-in state)
• Analytics cookies (via Google Analytics)
• Preference cookies (for site settings)

3.5 Communication Data

When you contact us, we collect:

• Email correspondence
• Feedback and error reports
• Support tickets
• Any information you voluntarily provide

3.6 Newsletter Data

For newsletter subscribers:

• Email address
• Subscription preferences (which newsletters)
• Subscription date
• Email open rates and click rates

3.7 Data We Do NOT Collect

We do NOT collect:

• Social security numbers or national identification numbers
• Financial information beyond what's necessary for billing
• Health information
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Sexual orientation

4. How We Use Your Personal Data

4.1 Legal Bases for Processing

We process your personal data based on:

4.1.1 Contractual Necessity (GDPR Article 6(1)(b))

• To provide the services you've signed up for
• To process your subscription payments
• To deliver content you've purchased
• To send transactional emails (password resets, payment confirmations)

4.1.2 Legitimate Interests (GDPR Article 6(1)(f))

• To improve the Platform and user experience
• To analyze usage patterns and preferences
• To detect and prevent fraud or security issues
• To send service updates and important notifications
• To develop new features

4.1.3 Consent (GDPR Article 6(1)(a))

• To send marketing newsletters (you can opt out anytime)
• To use analytics cookies beyond essential ones
• To send promotional content

4.1.4 Legal Obligation (GDPR Article 6(1)(c))

• To comply with tax and accounting requirements
• To respond to legal requests
• To maintain records as required by law

4.2 Specific Uses

Account Management:

• Creating and maintaining your account
• Authenticating your identity
• Managing your subscription
• Processing cancellations

Content Delivery:

• Providing access to articles and analysis
• Personalizing content recommendations (for paid members)
• Sending newsletters you've subscribed to
• Delivering audio narrations

Payment Processing:

• Processing subscription payments
• Generating invoices
• Handling refunds (if applicable)
• VAT compliance

Platform Improvement:

• Understanding which content is most valuable
• Identifying technical issues
• Testing new features
• Analyzing user behavior to improve the Platform

Communication:

• Responding to your inquiries
• Sending service announcements
• Providing customer support
• Requesting feedback

Legal and Security:

• Preventing fraud and abuse
• Enforcing our Terms and Conditions
• Complying with legal obligations
• Protecting our rights and property

5. How We Share Your Personal Data

5.1 We Do NOT Sell Your Data

We will never sell your personal data to anyone for any reason.

5.2 Service Providers

We share data with trusted service providers who help us operate the Platform:

5.2.1 CMS (Content Management)

• Purpose: Platform hosting and content delivery
• Data Shared: Email, name, subscription status, content preferences
• Location: EU/EEA servers
• Privacy Policy: [Ghost.org Privacy Policy]

5.2.2 Stripe (Payment Processing)

• Purpose: Processing subscription payments
• Data Shared: Name, email, billing address, payment information
• Location: EU/EEA (with appropriate safeguards)
• Privacy Policy: [Stripe.com Privacy Policy]
• Note: Stripe is PCI-DSS Level 1 certified

5.2.3 Google Analytics (Website Analytics)

• Purpose: Understanding website usage
• Data Shared: IP address (anonymized), browser info, pages visited
• Location: EU/EEA servers (we use EU-based GA4)
• Privacy Policy: [Google Analytics Privacy Policy]
• Your Control: You can opt out using browser extensions

5.2.4 Email Service Provider

• Purpose: Sending newsletters and transactional emails
• Data Shared: Email address, name, subscription preferences
• Location: EU/EEA
• Note: Managed through Mailgun

5.2.5 AI Service Providers

• Purpose: Generating content analysis
• Data Shared: NO personal user data is shared with AI providers

5.3 Legal Requirements

We may disclose your data if required to:

• Comply with legal obligations
• Respond to valid legal requests (court orders, subpoenas)
• Protect our rights, property, or safety
• Investigate fraud or security issues
• Enforce our Terms and Conditions

5.4 Business Transfers

If Crisis.Zone is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5 With Your Consent

We may share data with other parties if you give us explicit consent.

6. International Data Transfers

6.1 EU/EEA Focus

We primarily operate within the EU/EEA, and most of our data is stored on EU/EEA servers.

6.2 Third-Country Transfers

Some service providers (like Stripe, Google Analytics, and AI providers) may involve data transfers outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions (for countries deemed to have adequate data protection)
• Privacy Shield successor frameworks where applicable
• Data Processing Agreements (DPAs) with all providers

6.3 Your Rights

Your rights under GDPR apply regardless of where data is processed.

7. How Long We Keep Your Data

7.1 Active Accounts

While your account is active, we retain your data to provide our services.

7.2 After Account Deletion

When you delete your account or request data deletion:

Deleted Immediately:

• Login credentials
• Usage preferences
• Newsletter subscriptions

Retained for Limited Period:

• Financial records: 7 years (Dutch tax law requirement)
• Payment information: Until subscription ends + 7 years
• Support correspondence: 2 years (for quality and legal purposes)
• Analytics data: Anonymized and retained indefinitely

7.3 Inactive Accounts

If your account is inactive for 3 years, we may:

• Send reminder emails
• Anonymize or delete your data if no response
• Retain only what's legally required

7.4 Legal Retention Requirements

We must retain certain data for legal compliance:

• Tax and accounting records: 7 years (Dutch law)
• Corporate records: As required by Dutch company law
• Legal dispute records: Duration of dispute + applicable limitation period

8. Your Rights Under GDPR

8.1 Right of Access (Article 15)

You have the right to know what personal data we hold about you. Request a copy by contacting [email protected]. We will provide this within 30 days.

8.2 Right to Rectification (Article 16)

If your data is inaccurate or incomplete, you can request corrections. You can update most information directly in your account settings.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data at any time. We will comply except where we must retain data for:

• Legal obligations (tax records, etc.)
• Establishing, exercising, or defending legal claims
• Compliance with legal retention periods

To request deletion: Email [email protected] with "Data Deletion Request" in the subject line.

8.4 Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data if:

• You contest the accuracy of the data
• Processing is unlawful but you don't want data deleted
• We no longer need the data but you need it for legal claims
• You've objected to processing and verification is pending

8.5 Right to Data Portability (Article 20)

You can request a copy of your data in a machine-readable format (JSON, CSV, or XML) to transfer to another service.

8.6 Right to Object (Article 21)

You can object to:

• Processing based on legitimate interests
• Direct marketing (including profiling)
• Processing for research or statistical purposes

8.7 Rights Related to Automated Decision-Making (Article 22)

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Note: Our AI content generation does not involve automated decisions about users. AI is used to analyze news events, not to make decisions about individuals.

8.8 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.

8.9 Right to Lodge a Complaint

If you believe we've violated your privacy rights, you can file a complaint with:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

• Website: autoriteitpersoonsgegevens.nl
• Email: [email protected]
• Address: Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands

9. How to Exercise Your Rights

9.1 Contact Methods

To exercise any of your rights:

• Email: [email protected]
• Subject Line: Specify your request (e.g., "Data Access Request" or "Data Deletion Request")
• Include: Your account email and enough information to verify your identity

9.2 Verification

To protect your privacy, we may ask for additional information to verify your identity before fulfilling requests.

9.3 Response Time

We will respond to your request within 30 days. If we need more time, we'll let you know and explain why.

9.4 No Fees

Exercising your rights is free, unless your request is manifestly unfounded, repetitive, or excessive.

10. Data Security

10.1 Technical Measures

We implement industry-standard security measures:

• Encryption: HTTPS/TLS for all data transmission
• Password Protection: Bcrypt hashing for password storage
• Secure Servers: EU-based servers with physical security
• Access Controls: Limited employee access to personal data
• Regular Backups: Encrypted backup systems
• Monitoring: Continuous security monitoring and logging

10.2 Organizational Measures

• Employee Training: Privacy and security awareness
• Data Access Policies: Strict internal policies on data access
• Vendor Management: Data Processing Agreements with all processors
• Incident Response Plan: Procedures for handling data breaches

10.3 Your Responsibilities

You are responsible for:

• Keeping your password secure
• Not sharing your account credentials
• Using strong, unique passwords
• Logging out on shared devices
• Keeping your contact information updated

10.4 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

• Notify the Dutch Data Protection Authority within 72 hours (if required)
• Notify affected users without undue delay
• Provide information about the breach and steps being taken
• Offer guidance on protective measures you can take

11. Children's Privacy

11.1 Age Restriction

Crisis.zone is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.

11.2 Parental Notice

If we become aware that we have collected data from a child under 16 without parental consent, we will delete it immediately.

11.3 Parental Rights

If you are a parent or guardian and believe your child has provided personal data to us, please contact [email protected].

12. Cookies and Tracking Technologies

12.1 Cookie Policy Reference

For detailed information about cookies, please see our separate Cookie Policy.

12.2 Summary

We use:

• Essential Cookies: Required for the Platform to function
• Analytics Cookies: To understand how you use the Platform (Google Analytics)
• Preference Cookies: To remember your settings

12.3 Your Control

You can:

• Disable cookies in your browser settings
• Opt out of Google Analytics using browser extensions
• Manage cookie preferences in your account settings

13. Third-Party Links

13.1 External Links

Crisis.zone contains links to external websites and sources. This Privacy Policy does not apply to those sites.

13.2 Your Responsibility

We are not responsible for the privacy practices of third-party websites. Please review their privacy policies before providing personal data.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in applicable law
• New features or services
• Feedback from users or regulators

14.2 Notification

When we make changes:

• We'll update the "Last Updated" date at the top
• For material changes, we'll notify you via:
  • Email to registered users
  • Prominent notice on the Platform
  • Pop-up notification on your next visit

14.3 Your Acceptance

Continued use of the Platform after changes take effect constitutes acceptance. If you don't agree with changes, please contact us to delete your account.

14.4 Version History

We maintain a version history of this Privacy Policy. Previous versions are available upon request.

15. Additional Information

15.1 Data Protection Officer

As of November 2025, Crisis Zone. is not required to appoint a Data Protection Officer under GDPR Article 37. However, privacy questions can be directed to [email protected].

15.2 Automated Processing

We use automated systems for:

• Content delivery and personalization
• Analytics and platform improvements
• Fraud detection

We do NOT use automated processing to make decisions that significantly affect you.

15.3 Profiling

We do minimal profiling for:

• Content recommendations (based on reading history)
• Newsletter personalization

You can opt out of personalization in your account settings.

16. Contact Information

16.1 Privacy Questions

For any privacy-related questions or concerns:

• Email: [email protected]
• General Contact: [email protected]
• Data Requests: [email protected] (please use subject line: "GDPR Request")

16.2 Company Information

Crisis.Zone

• KvK: 83684514
• VAT: NL862957370B01
• Website: crisis.zone
• Legal Entity: Dutch private limited company (B.V.)

16.3 Response Time

We aim to respond to all privacy inquiries within 5 business days, and fulfill formal GDPR requests within 30 days.

17. Acknowledgment and Consent

By using Crisis.zone, you acknowledge that:

1. You have read and understood this Privacy Policy
2. You understand what personal data we collect and why
3. You understand your rights under GDPR
4. You consent to processing of your data as described in this Policy
5. You understand you can withdraw consent at any time
6. You are at least 16 years of age

Crisis.zone - Experimental AI Journalism
Operated by Crisis.zone.
Committed to Privacy and Transparency

Contact us: [email protected]

Last Updated: November 6, 2025
Version: 1.0

This Privacy Policy is provided in English. While translations may be available for convenience, the English version is the legally binding document.