Privacy

Privacy policy

Effective 2026-05-27. Plain language. The full list of what we collect and what we do with it.

Who runs this site

This site is operated by McGauley Labs (Brian McGauley). Postal address available on request via brian@imagi-narii.com.

What we collect — and why

We collect only what we need to run the publication.

1. When you subscribe to the newsletter

  • Email address (required) — to send you the briefings you asked for.
  • Display name (optional) — to greet you in emails.
  • A timestamp and source flag indicating where the subscription came from (web form, OAuth sign-in, manual import).
  • Verification and unsubscribe tokens — random strings used to confirm your email and to enable one-click unsubscribe per RFC 8058.
  • Email engagement signals from our email service (delivered / bounced / opened / clicked / unsubscribed) so we can maintain list hygiene and avoid sending to addresses that no longer want us.

2. When you sign in with Google or GitHub

  • The email address and display name your OAuth provider returns.
  • A provider-issued user ID, so we can recognize you on return visits.
  • Session cookies (JWT) so you stay signed in.

We do not receive or store your password. Authentication is handled by the provider.

3. When you visit the site

  • Standard server logs (IP, user agent, request path, timestamp) for security, debugging, and abuse mitigation. Retained for up to 30 days.
  • Aggregate, privacy-respecting analytics via Vercel Analytics and Ahrefs Web Analytics — these do not use cookies that identify you individually.
  • Anonymous view counts per article, so we can rank "Popular" sections.

What we do not collect

  • We do not sell your data.
  • We do not use third-party tracking cookies to follow you across other sites.
  • We do not collect financial information directly. If we ever take payment, we will use a PCI-compliant processor and update this policy.

Third parties we share data with

  • Vercel — hosting and analytics.
  • MongoDB Atlas — primary database.
  • Resend — transactional and newsletter email delivery.
  • Google and GitHub — OAuth providers, only if you choose to sign in with them.
  • Google AdSense — display advertising. Ads are served by Google and use their own cookies and identifiers; see Google's Ads policy for details.
  • Ahrefs — cookieless web analytics.
  • Google Gemini — used by our drafting agents. Source articles and our internal prompts are sent to Gemini for analysis. Your personal data is never sent to Gemini.

Cookies

We use a small number of cookies:

  • Session cookie (essential) — set when you sign in, so you stay signed in.
  • Theme preference (optional) — remembers your light/dark mode choice.
  • Advertising cookies — set by Google AdSense when ads load. You can manage Google's personalized ads at adssettings.google.com.

Email — what we send

If you subscribe, we send the briefing edition you requested. Every email includes a one-click unsubscribe link (and an RFC 8058 List-Unsubscribe header so mail clients can unsubscribe you with one click). We do not send promotional email from third parties.

Your rights

You can request access, correction, or deletion of any personal data we hold about you by emailing brian@imagi-narii.com. We will respond within 30 days.

If you are in the EU, UK, or California, you have additional rights under the GDPR, UK GDPR, and CCPA respectively, including the right to object to processing and the right to data portability. We honor those rights regardless of where you are located.

Children

McGauley Labs is not directed at children under 13 and we do not knowingly collect data from them. If you believe we have, please email brian@imagi-narii.com and we will delete it.

Data retention

  • Subscriber records: kept until you unsubscribe, then anonymized within 90 days (the email is hashed for suppression-list purposes).
  • Session data: expires with the session.
  • Server logs: up to 30 days.
  • Email engagement data: up to 12 months.

Security

We use industry-standard practices — HTTPS everywhere, hashed unsubscribe and verification tokens, principle-of-least-privilege database access, and monitored hosting. Report suspected vulnerabilities to brian@imagi-narii.com. See our security.txt.

Changes to this policy

We will update this policy when our practices change. Material changes will be summarized here with the effective date. This policy was last updated on 2026-05-27.

Contact

Privacy questions: brian@imagi-narii.com. See also our Terms and Editorial Policy.