You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.
Privacy Notice for Substack Newsletter (Dr. Sarah E. Carter / Purposely Digital)
Last updated: December 9, 2025
1. Who we are (Data Controller)
We, Dr. Sarah E. Carter, operating as Purposely Digital, are the data controller for all personal data processed in connection with the Substack newsletter.
For any data‑protection questions, please email hello@purposely-digital.com.
2. Personal data we process
Essential data (required for newsletter subscription):
Name (if supplied)
Email address (used for subscription and delivery)
Additional data we may process:
Feedback voluntarily provided in response to newsletter content
3. Legal bases for processing
Contract performance – To deliver the newsletter and manage paid subscriptions
Legitimate interest – For internal record‑keeping
Consent – When you voluntarily provide feedback, testimonials, or contact us directly with questions. By following this newsletter, you also consent to receiving notifications of Purposely Digital events or services (included at the end of the newsletter). You can unsubscribe at any time.
Legal obligation – To retain financial records (invoices, receipts) for the statutory period required by Dutch law
4. How we use your data
Deliver the newsletter / blog – Each edition is sent to the email address you provided. This may include promotion for Purposely Digital events or services.
Process payments – If you subscribe to premium content, we use Stripe (EU) to handle payment data. Raw card numbers are never stored by us.
Improve the service – Aggregated analytics (open rates, click‑throughs) help us understand which content is valuable to you.
Comply with legal duties – We store invoices and tax‑relevant data for at least seven years, as required by Dutch legislation.
5. Third‑party processors we use
Substack – Hosts the newsletter and delivers email. Data processed: email address, subscription status, basic engagement metrics. Substack operates under Standard Contractual Clauses (SCCs) and provides GDPR‑compliant terms.
Stripe – Handles payment processing. Data processed: payment identifiers and invoice data. Stripe is PCI‑DSS compliant and uses SCCs.
Finom & Blue Umbrella – Manage payments, invoicing, and expense tracking. Data processed: invoice data from Substack (email, amount paid) and bank payment records. Both based in the Netherlands and both comply with EU data‑protection standards.
We share data with these providers only to the extent necessary for the services listed above. All processors are bound by contractual clauses that require GDPR‑compliant handling of your personal data.
6. Cookies & analytics
Substack automatically sets strictly necessary cookies for newsletter delivery, user authentication, and basic functionality. These cookies are essential for the service to operate and do not require consent under the ePrivacy Directive.
We do not install additional tracking cookies, analytics tools, or third-party trackers on our Substack newsletter beyond what is necessary for basic functionality.
Substack may collect basic engagement metrics (such as email open rates and link clicks) as part of their standard service. For details on Substack's own cookie practices, please refer to Substack's privacy policy.
If we decide to implement additional analytics or tracking in the future, we will update this privacy notice and, where required, obtain appropriate consent before doing so.
7. Data retention
Essential data (name, email, subscription status, invoices) is retained for a minimum of seven years to satisfy Dutch fiscal law.
Additional data (feedback, questions) is kept only as long as necessary for the purpose for which it was collected, or until you request deletion (maximum two years for promotional material).
8. Your rights under the GDPR
As an EU data subject you have the following rights, exercisable free of charge:
Right of access – Request a copy of the personal data we hold about you.
Right to rectification – Have inaccurate or incomplete data corrected.
Right to erasure ("right to be forgotten") – Request deletion of your data, subject to mandatory retention periods.
Right to restriction of processing – Limit how we use your data.
Right to data portability – Receive your data in a structured, commonly used format.
Right to object – Object to processing based on legitimate interests or direct marketing.
Right to withdraw consent – Revoke any consent you previously gave, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at hello@purposely-digital.com. We will respond within one month, as required by the GDPR.
9. International data transfers
We may transfer personal data outside the European Economic Area only when Standard Contractual Clauses are in place (e.g., for Substack or any US‑based service providers).
10. Changes to this privacy notice
We may update this notice from time to time. Significant changes will be communicated to you via the newsletter or a dedicated email. The latest version will always be available on request.
11. Data protection by design & by default
Data minimization – We only collect the data strictly necessary for the newsletter and any coaching services you inquire about.
Regular reviews – We periodically audit our processes, contracts, and technical safeguards to maintain compliance.