This policy explains what personal data I collect, why, how I use it, who processes it, and what rights you have.

Data controller: Sandeep Mallareddy
Address: RK Beach, Visakhapatnam, Andhra Pradesh, India
Contact: [email protected]


1. What data I collect

If you subscribe to the newsletter, I collect:

  • Email address (required)
  • Name (optional, only if you provide it)
  • Subscription consent record — the date, time, and method of your opt-in (double opt-in confirmation)
  • Email engagement data — whether you opened an email and which links you clicked (see Section 4)

The website itself (sandeepmallareddy.com) does not use cookies, analytics, or any tracking scripts that I have added. However, the site is hosted on Cloudflare Pages — see Section 3 for details on what Cloudflare may collect.


2. Why I collect it

Email address — to send you newsletter emails when I publish new posts.
Lawful basis: Consent (GDPR Article 6(1)(a); double opt-in).

Name — to personalise emails (e.g., greeting you by name).
Lawful basis: Consent.

Consent record — to demonstrate that I obtained valid consent, as required by law.
Lawful basis: Legal obligation (GDPR Article 6(1)(c)); compliance with CASL and DPDPA.

Engagement data — to understand which content resonates so I can improve the newsletter.
Lawful basis: Consent.

I do not use your data for any purpose other than what is listed above. I do not run advertising. I do not build marketing profiles. I do not sell, rent, or share your data with anyone.


3. How emails are sent and who processes your data

Website hosting

The website (sandeepmallareddy.com) is hosted on Cloudflare Pages. Cloudflare operates as a CDN and security provider. When you visit the site, Cloudflare may automatically collect technical data such as your IP address, browser type, and request headers for security, performance, and abuse prevention purposes. This is standard for any Cloudflare-hosted website. I do not have access to individual visitor data from Cloudflare. For details, see Cloudflare’s Privacy Policy.

Newsletter infrastructure

Your subscriber data is stored and processed using two services:

Listmonk — an open-source, self-hosted newsletter platform. My instance is hosted on PikaPods (server located in Europe). PikaPods provides the hosting infrastructure but does not access your data.

Resend — an email delivery service (US-based). Resend acts as a data processor: it transmits emails on my behalf and does not use your email address for any purpose other than delivery.

None of these services are “third parties” in the advertising or marketing sense. They are infrastructure providers (data processors under GDPR) acting strictly on my instructions. No other party receives your data.


4. Email tracking

Each newsletter email contains:

Open tracking — a small, invisible image (tracking pixel). When your email client loads it, I can see that you opened the email.

Click tracking — links in the email are routed through my Listmonk instance before redirecting to the destination. This lets me see which links you clicked.

This engagement data is tied to your subscriber profile. Under GDPR, this constitutes profiling (Article 4(4)). The lawful basis is your consent, given when you subscribe.

If you do not want to be tracked:

  • Most email clients let you disable remote image loading, which blocks the open-tracking pixel.
  • You can copy link URLs instead of clicking them directly.
  • You can email me at [email protected] to request that I disable tracking for your subscriber profile, and I will do so manually.

5. International data transfers

I am based in India. My Listmonk instance is hosted in Europe (PikaPods). Emails are delivered through Resend (United States). This means your data may be transferred to and processed in:

  • India — where I access and manage the data
  • Europe — where the Listmonk instance is hosted
  • United States — where Resend processes email delivery

For subscribers in the EU/EEA: India and the United States are not currently recognised as having adequate data protection by the European Commission. The transfers are made on the basis of your explicit consent (GDPR Article 49(1)(a)) and, where applicable, standard contractual clauses with processors.


6. How long I keep your data

Active subscribers — I retain your data for as long as you remain subscribed.

After unsubscribing — your email address, name, and all engagement data are deleted within 30 days, unless I am required by law to retain certain records.

Consent records — I retain a record of when and how you subscribed for as long as needed to demonstrate compliance with consent requirements (GDPR, CASL, DPDPA). These records are deleted when they are no longer legally necessary.


7. Your rights

Everyone

  • Unsubscribe at any time. Every email contains an unsubscribe link. One click and you are removed. I will process this within 10 business days (as required by CAN-SPAM and CASL), though in practice it is instant.
  • Request data deletion. Email me and I will permanently delete all your data.
  • Request data export. Email me and I will send you a copy of all data I hold about you.

EU/EEA residents (GDPR, Articles 15-22)

In addition to the above, you have the right to:

  • Access your personal data and obtain a copy (Article 15)
  • Rectify inaccurate data (Article 16)
  • Erase your data, also known as the right to be forgotten (Article 17)
  • Restrict processing (Article 18)
  • Data portability — receive your data in a structured, machine-readable format (Article 20)
  • Object to processing (Article 21)
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Article 7(3))
  • Not be subject to automated decision-making (Article 22) — I do not make any automated decisions that produce legal or significant effects based on your data
  • Lodge a complaint with your local data protection supervisory authority (edpb.europa.eu)

Indian residents (DPDPA 2023)

  • Access information about what personal data I process and why (Section 11)
  • Correction and erasure of your personal data (Section 12)
  • Grievance redressal — contact me at [email protected] with any complaint. I will respond within 30 days. If unsatisfied, you may file a complaint with the Data Protection Board of India once it is constituted and operational.
  • Nominate another person to exercise your rights on your behalf in case of death or incapacity (Section 14)

Canadian residents (CASL)

  • You provided express consent to receive emails when you completed the double opt-in process.
  • You may withdraw consent at any time by clicking the unsubscribe link or by emailing me. I will process this within 10 business days.
  • Unsubscribe links in emails remain functional for at least 60 days after the email is sent.

US residents (CAN-SPAM)

  • You may opt out of future emails using the unsubscribe link in any email. I will process this within 10 business days.
  • I will never charge a fee, ask you to log in, or require any steps beyond a single email or click to process your opt-out.
  • I will not sell or transfer your email address to any other party after you opt out.

8. How to exercise your rights

Email me at [email protected]. You can also use the subscription management link included in every newsletter email to update your preferences, export your data, or delete your account.

I will respond to all requests within 30 days. For GDPR requests, I will respond within one calendar month as required by Article 12(3).


9. Children

I do not knowingly collect data from anyone under the age of 16. If you believe I have collected data from a minor, please contact me and I will delete it immediately.


10. Changes to this policy

If I make material changes to this policy, I will notify subscribers by email before the changes take effect. The date at the bottom of this page will always reflect the most recent revision.


11. Contact

Sandeep Mallareddy
RK Beach, Visakhapatnam, Andhra Pradesh, India
Email: [email protected]
Website: sandeepmallareddy.com


Last updated: March 31, 2026